New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1824018: Force update of jquery in deps #5524
Conversation
@zherman0: This pull request references Bugzilla bug 1824018, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/assign @benjaminapetersen @spadgett |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
I'm surprised we have jQuery at all. It looks like it's getting pulled in via Patternfly. cc @jcaianirh
|
|
@spadgett - Patternfly does use it and it is PF3 that is cause the CVE issues. Specifically: I just updated it to 3.5.1, but the PF3 dep still uses 3.2.1. I am not sure we are on the hook to correct that level of sub dependencies. |
patternfly-react:2.32.3 uses patternfly 3.58.0. PF 3.58.0 and 3.59.1 have jquery set as ~3.2.1, PF3.59.3 has jquery set to ~3.4.1 |
@spadgett @zherman0 i know we have very few pf3 dependencies...if we could knock them out, could we then just get rid of pf3 in package.json? They are: "Button": 1, just saw @rhamilto's comment in forum about pf3 core and not react that may be causing the dependence on jquery... |
I have updated patternfly and patternfly-react (PF3) to latest version which takes us to 3.5.1 or 3.4.1 if explicitly defined. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
Small changes for bug fixes at this point. Any last thoughts before lgtm?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: benjaminapetersen, dtaylor113, jcaianirh, spadgett, zherman0 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@zherman0: All pull requests linked via external trackers have merged: openshift/console#5524. Bugzilla bug 1824018 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Force update of jquery for our dependencies to address security issue in CVE-2019-11358.
Used the "resolutions" feature so I did not have to manually update yarn.lock file.
@benjaminapetersen @spadgett - Please review this as I want to be sure I have tested this appropriately to make sure I did not unknowingly break something.