Conversation
2534d20 to e6617bc
package.json (Outdated)
@@ -72,6 +72,7 @@ | |||
"cytoscape-dagre": "2.2.2", | |||
"cytoscape-popper": "1.0.7", | |||
"deep-freeze": "0.0.1", | |||
"dot-prop": "^4.2.1", |
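Review bot: the new `"dot-prop": "^4.2.1"` entry in the dependencies block does not move the transitive copies of `dot-prop` (the ones reached through `configstore` and `postcss-selector-parser`, per the `yarn why` output further down) onto the patched version, because those packages resolve their own ranges; yarn's `resolutions` field is the mechanism that overrides nested ranges. If a direct entry is kept at all, pin it exactly (`"dot-prop": "4.2.1"`) so the resolved version is reproducible rather than whatever 4.x is newest at install time.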
We should pin to an exact version instead of `^`.
"dot-prop": "^4.2.1", | |
"dot-prop": "4.2.1", |
I don't think adding this as a direct dependency is the correct approach, since the UI doesn't use it directly. It is only used by some other packages:
=> Found "dot-prop@4.2.0"
info Reasons this module exists
- "snyk#configstore" depends on it
- Hoisted from "snyk#configstore#dot-prop"
- Hoisted from "react-scripts#optimize-css-assets-webpack-plugin#cssnano#cssnano-preset-default#postcss-merge-rules#postcss-selector-parser#dot-prop"
- Hoisted from "react-scripts#optimize-css-assets-webpack-plugin#cssnano#cssnano-preset-default#postcss-minify-selectors#postcss-selector-parser#dot-prop"
- Hoisted from "react-scripts#optimize-css-assets-webpack-plugin#cssnano#cssnano-preset-default#postcss-merge-longhand#stylehacks#postcss-selector-parser#dot-prop"
And even the indirect use of the library is only for dev build stuff (non-runtime). So I think the better way is to add it to the resolutions clause.
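As an added illustration (not code from the PR itself), this is what the `resolutions` approach suggested above looks like in the project's package.json: the direct `dot-prop` entry is dropped, and a `resolutions` entry forces every transitive copy, including the dev-only ones reached through `configstore` and `postcss-selector-parser`, onto the patched 4.2.1 release. The `dependencies` entries shown are the ones visible in the hunk; the rest of the file is omitted.

```json
{
  "dependencies": {
    "cytoscape-dagre": "2.2.2",
    "cytoscape-popper": "1.0.7",
    "deep-freeze": "0.0.1"
  },
  "resolutions": {
    "dot-prop": "4.2.1"
  }
}
```

After `yarn install`, `yarn why dot-prop` should report a single resolved version of 4.2.1 for all of the listed dependents, which is the check that the vulnerable copy is actually gone from the lockfile.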
Right, thanks for taking a look.
LGTM. Smoke test pass.
Address a vulnerability detected by GitHub in the 3rd-party libraries.
I've addressed this in k-charted as well kiali/k-charted#110.
I'd require more testing; smoke tests seem OK, but it would be good if these changes are tested by anyone else, as they can easily introduce side effects.