
[full-ci] remove outdated and unused cldr dep from kpop in idp package #7988

Merged
merged 1 commit into from Dec 21, 2023

Conversation

kulmann
Member

@kulmann kulmann commented Dec 15, 2023

Description

The idp UI uses kpop (an opinionated React component library), which declares an outdated cldr version without even using it. Since that version currently has a security issue, we're patching the idp UI to remove the cldr dependency from kpop entirely.

Asked upstream whether we can safely remove the dependency: Kopano-dev/kpop#40
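A pnpm override only helps if the package really disappears from the resolved tree, so a CI guard that fails when the removed package is still in the lockfile is the check a reviewer would want. The script below is an added example, not code from this PR or from the ownCloud repository: it checks that package.json declares an override for a package (the `"kpop>cldr": ""` form used in this PR is reproduced as-is) and that the package no longer appears as a resolved entry in pnpm-lock.yaml. The lockfile and manifest contents are constructed samples, and the lockfile key shape (`/name@version:` for lockfile v6, `name@version:` for v9) is an assumption about the formats this guard covers.

```shell
#!/bin/sh
# Added example (not part of the PR): a small CI guard that confirms a package
# removed via a pnpm override is really gone from the lockfile.
# All file contents below are constructed samples, not the real idp package.

# lockfile_has_pkg LOCKFILE NAME
# Returns 0 if NAME appears as a resolved package in LOCKFILE, 1 otherwise.
# Assumption: resolved packages are listed under `packages:` as
# "  /NAME@VERSION:" (lockfile v6) or "  NAME@VERSION:" (lockfile v9).
lockfile_has_pkg() {
  grep -Eq "^  /?$2@[0-9]" "$1"
}

# manifest_has_override MANIFEST NAME
# Returns 0 if package.json contains a key "NAME" or "parent>NAME", which is
# how pnpm overrides are spelled. This is a line-oriented heuristic, not a
# JSON parse: a direct dependency on NAME would also match.
manifest_has_override() {
  grep -Eq "\"([^\"]+>)?$2\"[[:space:]]*:" "$1"
}

# check_removed MANIFEST LOCKFILE NAME
# Passes (0) only if the override is declared AND the package is absent from
# the lockfile; either condition failing returns 1.
check_removed() {
  manifest_has_override "$1" "$3" && ! lockfile_has_pkg "$2" "$3"
}

# write_samples DIR
# Writes a constructed manifest plus "before" and "after" lockfiles into DIR.
write_samples() {
  cat > "$1/package.json" <<'EOF'
{
  "name": "idp-sample",
  "dependencies": { "kpop": "2.2.0" },
  "pnpm": { "overrides": { "kpop>cldr": "" } }
}
EOF
  # Before the override: kpop still pulls cldr into the tree.
  cat > "$1/before.yaml" <<'EOF'
lockfileVersion: '6.0'
packages:
  /cldr@4.6.0:
    resolution: {integrity: sha512-constructed}
  /kpop@2.2.0:
    resolution: {integrity: sha512-constructed}
    dependencies:
      cldr: 4.6.0
EOF
  # After the override: cldr is no longer resolved anywhere.
  cat > "$1/after.yaml" <<'EOF'
lockfileVersion: '6.0'
packages:
  /kpop@2.2.0:
    resolution: {integrity: sha512-constructed}
EOF
}

# Stand-alone demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for lock in before.yaml after.yaml; do
  if check_removed "$demo_dir/package.json" "$demo_dir/$lock" cldr; then
    echo "$lock: cldr removed, guard passes"
  else
    echo "$lock: cldr still resolved (or override missing), guard fails"
  fi
done
rm -rf "$demo_dir"
```

In a real pipeline you would point `check_removed` at the repository's own package.json and pnpm-lock.yaml after `pnpm install --frozen-lockfile`; `pnpm why cldr` gives the same answer interactively and also shows which parent still pulls the package in when the guard fails.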

Related Issue

Motivation and Context

Security

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation ticket raised:


update-docs bot commented Dec 15, 2023

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

@kulmann kulmann force-pushed the override-cldr-kpop-dep branch 2 times, most recently from debf5d4 to fdb6e80 on December 16, 2023 05:35
},
"pnpm": {
"overrides": {
"kpop>cldr": ""
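Review bot: the `"kpop>cldr"` selector only drops cldr where it is a direct dependency of kpop; any other package in the tree that also depends on cldr keeps its own copy, so after install it is worth confirming with `pnpm why cldr` that nothing still resolves it. Since package.json cannot carry a comment, the reason for the override (the outdated, unused cldr version and the upstream question in Kopano-dev/kpop#40) is best recorded in the changelog item the update-docs bot asked for, so the override is not silently dropped in a later cleanup.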
Contributor


Could you please add a comment or link this PR for now?

Member


Douglas Crockford:

I removed comments from JSON because I saw people were using them to hold parsing directives, a practice which would have destroyed interoperability. I know that the lack of comments makes some people sad, but it shouldn't.

Suppose you are using JSON to keep configuration files, which you would like to annotate. Go ahead and insert all the comments you like. Then pipe it through JSMin before handing it to your JSON parser.

TL;DR: no comments in JSON. VS Code and TS allow it, but it's non-standard and pnpm doesn't.

Member Author


That's in fact why I didn't add a comment :-)

Contributor

@JammingBen JammingBen left a comment


LGTM. I restarted the pipeline; it looked unrelated at first glance.


sonarcloud bot commented Dec 18, 2023

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

Contributor

rhafer commented Dec 18, 2023

@kulmann Hm, upstream completely removed the kpop dependency itself (See: libregraph/lico#5). Shouldn't we just do that as well? Especially as kpop is originally coming from kopano as well. In general it would be nice to stay in sync with https://github.com/libregraph/lico as much as possible.

@kulmann kulmann merged commit 14e46c4 into master Dec 21, 2023
3 checks passed
@delete-merged-branch delete-merged-branch bot deleted the override-cldr-kpop-dep branch December 21, 2023 21:23
Member Author

kulmann commented Dec 21, 2023

@kulmann Hm, upstream completely removed the kpop dependency itself (See: libregraph/lico#5). Shouldn't we just do that as well? Especially as kpop is originally coming from kopano as well. In general it would be nice to stay in sync with https://github.com/libregraph/lico as much as possible.

For a security patch the PR should be ok... I'm not in favour of the "busy work" to stay in sync with upstream lico, especially since it's supposed to go away. Could you post your comment again to this issue, so that we can continue discussing it? #7957

ownclouders pushed a commit that referenced this pull request Dec 21, 2023
[full-ci] remove outdated and unused cldr dep from kpop in idp package