
build(package.json): Upgrade jquery to 3.4.0 to address downstream CVE alert #1174

Closed
mturley wants to merge 1 commit

Conversation

@mturley (Contributor) commented May 15, 2019

Description

In ManageIQ, we are seeing an alert in GitHub for a CVE describing a vulnerability in jquery versions below 3.4.0: https://access.redhat.com/security/cve/cve-2019-11358

Because we depend on patternfly-react, which depends on patternfly, we're depending indirectly on jquery@3.2.1 which is causing this alert. This PR upgrades the jquery version in patternfly, so that we can upgrade it in patternfly-react by upgrading patternfly, so that we can upgrade it in ManageIQ repos by upgrading patternfly-react.

According to https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/, this is a safe upgrade:

> There should be no compatibility issues if upgrading from jQuery 3.0+.

Changes

  • Upgrades the jquery dependency in package.json from ~3.2.1 to ~3.4.0.
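Added example, not code from jQuery, patternfly, patternfly-react or this PR: CVE-2019-11358, the alert this PR addresses, is the prototype-pollution bug in the deep-copy path of jQuery.extend(true, target, source) in versions before 3.4.0, and 3.4.0 closes it by skipping the "__proto__" key before recursing. That background is a fact about the CVE rather than something the PR text spells out. The two merge functions below are minimal stand-ins for that path (not jQuery's own source), shown in vulnerable and hardened form, and the JSON payload is constructed for the demonstration.

```javascript
// Same test jQuery applies before recursing: only plain objects get merged.
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// Vulnerable stand-in for the pre-3.4.0 deep merge. When `name` is
// "__proto__", `target[name]` is not an own property but the accessor on
// Object.prototype, so `existing` resolves to Object.prototype itself and
// the recursive call writes the attacker's keys onto every object in the realm.
function deepMergeVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (isPlainObject(copy)) {
      const existing = target[name];
      const clone = isPlainObject(existing) ? existing : {};
      target[name] = deepMergeVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened stand-in. jQuery 3.4.0 adds this guard: skip the "__proto__" key
// (and the self-reference case) before doing anything with the value.
function deepMergeHardened(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (name === "__proto__" || target === copy) continue;
    if (isPlainObject(copy)) {
      const existing = target[name];
      const clone = isPlainObject(existing) ? existing : {};
      target[name] = deepMergeHardened(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Runs one merge against an attacker-shaped payload (constructed here; in a
// real application it would arrive as untrusted JSON) and reports whether a
// fresh, unrelated object now carries the injected key. Cleans up afterwards
// so repeated calls do not influence each other.
function pollutionLeaks(merge) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}');
  merge({}, payload);
  const leaked = {}.polluted;
  delete Object.prototype.polluted;
  return leaked;
}

// Sanity check that the hardened merge still performs an ordinary deep merge.
function mergedSample() {
  return deepMergeHardened({ a: { b: 1 } }, { a: { c: 2 }, d: 3 });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable merge leaks:", pollutionLeaks(deepMergeVulnerable)); // "yes"
  console.log("hardened merge leaks:", pollutionLeaks(deepMergeHardened)); // undefined
  console.log("ordinary merge:", JSON.stringify(mergedSample()));
}
```

The practical check for a codebase sitting behind patternfly is the same one this demo performs: pass a JSON object carrying a "__proto__" key through whatever deep-merges untrusted input, then see whether `({}).polluted` is defined afterwards. If it is, the merge in use is the pre-3.4.0 behaviour and the upgrade is not optional.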
@mturley mturley closed this May 15, 2019
@mturley mturley reopened this May 15, 2019
@droideck commented May 29, 2019

Looks like the issue is here

jQuery 3.4.0 changelog has information that :first was deprecated. .first() should be used now.
Also, the issue described in Radio elements: expected state in event handlers can be related to the failure too...
Hope it helps.

@ddelabru (Contributor) commented Jun 12, 2019

> jQuery 3.4.0 changelog has information that :first was deprecated. .first() should be used now.

Seems like changing that alone isn't enough to get the unit test to pass; I tried tweaking that with: #1178

Same test is failing on my own unrelated PR: #1177

I'd like to work on fixing this unit test but when I run npm test locally all of the unit tests fail, and that makes it a more daunting problem; it might be easier if I could use a container to replicate the environment Travis CI is using and isolate what's making this particular test fail there.

@droideck commented Jul 15, 2019

The issue is fixed in #1180
Probably, this one can be closed.

@mturley (Contributor, Author) commented Jul 16, 2019

Thanks @droideck. Closing.

@mturley mturley closed this Jul 16, 2019
@mturley mturley deleted the mturley:upgrade-jquery-to-3.4.0 branch Jul 16, 2019