Bug 1824018: Force update of jquery in deps

[zherman0]

Force update of jquery for our dependencies to address security issue in CVE-2019-11358.

Used the "resolutions" feature so I did not have to manually update yarn.lock file.

@benjaminapetersen @spadgett - Please review this as I want to be sure I have tested this appropriately to make sure I did not unknowingly break something.

[openshift-ci-robot]

@zherman0: This pull request references Bugzilla bug 1824018, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.5.0) matches configured target release for branch (4.5.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1824018: Force update of jquery in deps

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[zherman0]

/assign @benjaminapetersen @spadgett

[dtaylor113]

lgtm

[spadgett]

I'm surprised we have jQuery at all. It looks like it's getting pulled in via Patternfly.

cc @jcaianirh

├─ @patternfly/react-catalog-view-extension@1.4.58
│  ├─ @patternfly/patternfly@2.71.5
│  ├─ @patternfly/react-core@^3.153.13
│  ├─ @patternfly/react-styles@^3.7.13
│  ├─ bootstrap@3.4.1
│  ├─ classnames@^2.2.5
│  ├─ d3@3.5.17
│  ├─ jquery@3.4.1
│  ├─ patternfly-bootstrap-treeview@2.1.10
│  │  ├─ bootstrap@^3.4.1
│  │  └─ jquery@^3.4.1
│  ├─ patternfly@^3.59.4
│  └─ patternfly@3.59.4
│     ├─ @types/c3@^0.6.0
│     ├─ bootstrap-datepicker@^1.7.1
│     ├─ bootstrap-sass@^3.4.0
│     ├─ bootstrap-select@1.12.2
│     ├─ bootstrap-slider@^9.9.0
│     ├─ bootstrap-switch@3.3.4
│     ├─ bootstrap-touchspin@~3.1.1
│     ├─ bootstrap@~3.4.1
│     ├─ c3@~0.4.11
│     ├─ d3@~3.5.17
│     ├─ datatables.net-colreorder-bs@~1.3.2
│     ├─ datatables.net-colreorder@^1.4.1
│     ├─ datatables.net-select@~1.2.0
│     ├─ datatables.net@^1.10.15
│     ├─ drmonty-datatables-colvis@~1.1.2
│     ├─ eonasdan-bootstrap-datetimepicker@^4.17.47
│     ├─ font-awesome-sass@^4.7.0
│     ├─ font-awesome@^4.7.0
│     ├─ google-code-prettify@~1.0.5
│     ├─ jquery-match-height@^0.7.2
│     ├─ jquery@~3.4.1
│     ├─ moment-timezone@^0.4.1
│     ├─ moment@^2.19.1

[spadgett]

├─ patternfly@3.59.1
│  ├─ @types/c3@^0.6.0
│  ├─ bootstrap-datepicker@^1.7.1
│  ├─ bootstrap-sass@^3.4.0
│  ├─ bootstrap-select@1.12.2
│  ├─ bootstrap-slider@^9.9.0
│  ├─ bootstrap-switch@~3.3.4
│  ├─ bootstrap-touchspin@~3.1.1
│  ├─ bootstrap@~3.4.0
│  ├─ bootstrap@3.4.0
│  ├─ c3@~0.4.11
│  ├─ d3@~3.5.17
│  ├─ d3@3.5.17
│  ├─ datatables.net-colreorder-bs@~1.3.2
│  ├─ datatables.net-colreorder@^1.4.1
│  ├─ datatables.net-select@~1.2.0
│  ├─ datatables.net@^1.10.15
│  ├─ drmonty-datatables-colvis@~1.1.2
│  ├─ eonasdan-bootstrap-datetimepicker@^4.17.47
│  ├─ font-awesome-sass@^4.7.0
│  ├─ font-awesome@^4.7.0
│  ├─ google-code-prettify@~1.0.5
│  ├─ jquery-match-height@^0.7.2
│  ├─ jquery@~3.2.1
│  ├─ jquery@3.2.1
│  ├─ moment-timezone@^0.4.1
│  ├─ moment@^2.19.1
│  ├─ patternfly-bootstrap-combobox@~1.1.7
│  └─ patternfly-bootstrap-treeview@~2.1.0

[zherman0]

@spadgett - Patternfly does use it and it is PF3 that is cause the CVE issues. Specifically:
jquery@3.5.1
│ └─ jquery@>= 2.1.x
│ ├─ bootstrap-slider-without-jquery@^10.0.0
│ │ ├─ jquery-match-height@^0.7.2
│ │ ├─ jquery@~3.2.1
│ ├─ jquery-match-height@^0.7.2
│ ├─ jquery@~3.2.1

I just updated it to 3.5.1, but the PF3 dep still uses 3.2.1. I am not sure we are on the hook to correct that level of sub dependencies.

[zherman0]

patternfly-react:2.32.3 uses patternfly 3.58.0. PF 3.58.0 and 3.59.1 have jquery set as ~3.2.1, PF3.59.3 has jquery set to ~3.4.1

[jcaianirh]

@spadgett @zherman0 i know we have very few pf3 dependencies...if we could knock them out, could we then just get rid of pf3 in package.json? They are:

"Button": 1,
"FormGroup": 3,
"Checkbox": 1,
"HelpBlock": 3,
"FormControl": 4,
"Form": 1,

just saw @rhamilto's comment in forum about pf3 core and not react that may be causing the dependence on jquery...

[zherman0]

I have updated patternfly and patternfly-react (PF3) to latest version which takes us to 3.5.1 or 3.4.1 if explicitly defined.

[benjaminapetersen]

/approve

Small changes for bug fixes at this point. Any last thoughts before lgtm?

[spadgett]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: benjaminapetersen, dtaylor113, jcaianirh, spadgett, zherman0

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• frontend/OWNERS [benjaminapetersen,spadgett]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@zherman0: All pull requests linked via external trackers have merged: openshift/console#5524. Bugzilla bug 1824018 has been moved to the MODIFIED state.

In response to this:

Bug 1824018: Force update of jquery in deps

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.