Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump to adaptivecards@1.1.2 #1558

Merged
merged 11 commits into from
Jan 8, 2019
Merged

Bump to adaptivecards@1.1.2 #1558

merged 11 commits into from
Jan 8, 2019

Conversation

compulim
Copy link
Contributor

@compulim compulim commented Jan 8, 2019
edited
Loading

Background

Due to a security vulnerability issue found recently, we are bumping to adaptivecards@1.1.2.

Web Chat has 2 bundles: minimal and full. Minimal bundle does not include Adaptive Cards. And the full bundle have Adaptive Cards pre-configured with Markdown-It engine.

The security vulnerability only affect users who is using Adaptive Cards without any Markdown engine. By default, Web Chat ship and pre-configured with Adaptive Cards and Markdown-It, thus, the security vulnerability does not affect our default configurations. Only advanced users who manually configure Adaptive Cards explicitly without Markdown is affected.

Changelog

Changed

Design considerations

Inclusion of css-loader and style-loader

Adaptive Cards 1.1.2 requires css-loader. The code here read import "./adaptivecards-default.css";. Thus, in order to pack Adaptive Cards inside Web Chat, we have to add css-loader and style-loader in our pipeline.

Web Chat prefer bundler-independent:

  • We reserve the flexibility to switch between Webpack, rollup.js and other bundlers we see fit
  • We prefer not to bundle any non-JavaScript assets in the bundle
    • Non-JavaScript assets usually assume the bundled code is running inside a browser (with a window object and corresponding functions to load different assets into memory)
    • Web Chat prefer to be platform-independent and reserve the flexibility to run on headless device

But since Adaptive Cards 1.1.2 requires css-loader and style-loader, we have to give up our bundler-independent flexibility. We have filed bug #2279 to Adaptive Cards team and see if they could remove the CSS or pre-compile it into JavaScript code before publishing their project to NPM to preserve their purity.

@compulim compulim added 4.3 p0 Must Fix. Release-blocker labels Jan 8, 2019
@compulim compulim added this to the v4.2.1 (Accessibility red) milestone Jan 8, 2019
cwhitten
cwhitten reviewed Jan 8, 2019
View reviewed changes
packages/playground/package.json Outdated Show resolved Hide resolved
packages/component/package.json Outdated Show resolved Hide resolved
@coveralls
Copy link

coveralls commented Jan 8, 2019
edited
Loading

Pull Request Test Coverage Report for Build 699

  • 0 of 5 (0.0%) changed or added relevant lines in 2 files are covered.
  • 1 unchanged line in 1 file lost coverage.
  • Overall coverage decreased (-0.06%) to 45.091%
Changes Missing Coverage Covered Lines Changed/Added Lines %
packages/component/src/Utils/AdaptiveCardBuilder.ts 0 1 0.0%
packages/component/src/Attachment/AdaptiveCardRenderer.js 0 4 0.0%
Files with Coverage Reduction New Missed Lines %
packages/component/src/Utils/AdaptiveCardBuilder.ts 1 0.0%
Totals Coverage Status
Change from base Build 677: -0.06%
Covered Lines: 730
Relevant Lines: 1450
💛 - Coveralls

@compulim compulim merged commit 83b9956 into microsoft:master Jan 8, 2019
@compulim compulim deleted the bump-ac-1.1.2 branch January 8, 2019 17:59
@corinagum corinagum added this to Done in 4.3 Prioritization Jan 8, 2019
compulim added a commit to compulim/BotFramework-WebChat that referenced this pull request Jan 10, 2019
@compulim
Bump to adaptivecards@1.1.2 (microsoft#1558)
7dd38d1 
* Bump to Adaptive Cards 1.1.2

* Move to onProcessMarkdown handler

* Update package-lock.json

* Bump AC@1.1.2 on bundle

* Fix column width

* Bump to AC@1.1.2 in playground

* Update package-lock.json

* Use percentage column width

* Handle no Markdown case

* Update CHANGELOG.md

* Lock adaptivecards on minor version
@compulim compulim mentioned this pull request Jan 11, 2019
Closed
@corinagum corinagum mentioned this pull request Jan 16, 2019
Closed
This was referenced Jan 16, 2019
Closed
Closed
@corinagum corinagum mentioned this pull request Jan 18, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cwhitten cwhitten cwhitten left review comments

@a-b-r-o-w-n a-b-r-o-w-n a-b-r-o-w-n approved these changes

@corinagum corinagum corinagum approved these changes

@justinwilaby justinwilaby Awaiting requested review from justinwilaby

@tonyanziano tonyanziano Awaiting requested review from tonyanziano

Assignees
No one assigned
Labels
p0 Must Fix. Release-blocker
Projects
No open projects
4.3 Prioritization
  
Done
Milestone
v4.2.1 (Accessibility red)
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@compulim @coveralls @cwhitten @a-b-r-o-w-n @corinagum