KEYCLOAK-8541: Admin console uses vulnerable AngularJS #5679
Conversation
|
@keycloak-ci-bot test |
|
@ssilvert Job is scheduled |
There was a problem hiding this comment.
I've build the distribution from your branch. Using Chrome's "incognito mode", I've logged in into the Admin Console. I can see that angular.min.js is loaded but looking at the header it's still v1.6.6.
@ssilvert Could you please review?
|
Glad you caught that. Looks like we now have two node_modules directories. It's possible that Stian added the second one by mistake, but it could have been intentional. I'm going to update the other one and be done for now. I'll create a separate JIRA to investigate. |
|
Now I see what he did. The second version is a "clean" directory with only the stuff that belongs in the distro. We really need to pull that stuff out automatically so we don't have two copies of the same file in the repo. But again, that's a task for another day. See KEYCLOAK-8700. |
ssilvert
force-pushed
the
kc8541-ngJS-vulnerable
branch
from
0235c37
to
e005190
Compare
|
@vmuzikar You should be able to retest this now. |
|
I remember now - you need to run mvn clean install -P npm-update in themes. That'll update the clean node_modules. I agree at some point we need to automate this. Probably move to just downloading everything from NPM. There's one thing I don't like about that and it's that I would have to run a Maven build before running KeycloakServer from IDE. I can easily see that becoming out of sync as at least personally I rarely do a Maven build locally for Keycloak. |
|
I don't think it makes a difference. The result is exactly the same. |
|
Ok, if we're sure the result is the same, I'll proceed with the testing... |
|
@keycloak-ci-bot test |
|
@ssilvert Job is scheduled |
No description provided.