Address Critical Vulnerabilities from Dependencies (#19901)

* cleans up dependencies with critical warnigns * adds changelog entry * updates dockerfiles and ci github workflow to use node 16 * removes ui gh workflow not being used
2023-04-03 15:24:38 -06:00 · 2023-04-03 15:24:38 -06:00 · 3f0620ce2c
parent 985b016da5
commit 3f0620ce2c
7 changed files with 28 additions and 69 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -204,14 +204,14 @@ jobs:
    # Setup node.js without caching to allow running npm install -g yarn (next step)
    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
      with:
-        node-version: 14
+        node-version: 16
    - id: install-yarn
      run: |
        npm install -g yarn
    # Setup node.js with caching using the yarn.lock file
    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
      with:
-        node-version: 14
+        node-version: 16
        cache: yarn
        cache-dependency-path: ui/yarn.lock
    - id: install-browser-libraries
--- a/changelog/19901.txt
+++ b/changelog/19901.txt
@ -0,0 +1,3 @@
+```release-note:improvement
+ui: Updates UI javascript dependencies
+```
--- a/scripts/cross/Dockerfile
+++ b/scripts/cross/Dockerfile
@ -15,7 +15,7 @@ RUN apt-get update -y && apt-get install --no-install-recommends -y -q \
                         libltdl-dev \
                         libltdl7

-RUN curl -sL https://deb.nodesource.com/setup_14.x | bash -
+RUN curl -sL https://deb.nodesource.com/setup_16.x | bash -
 RUN curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
 RUN echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list

--- a/scripts/docker/Dockerfile.ui
+++ b/scripts/docker/Dockerfile.ui
@ -19,7 +19,7 @@ RUN apt-get update -y && apt-get install --no-install-recommends -y -q \
                         libltdl-dev \
                         libltdl7

-RUN curl -sL https://deb.nodesource.com/setup_14.x | bash -
+RUN curl -sL https://deb.nodesource.com/setup_16.x | bash -
 RUN curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
 RUN echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list

--- a/ui/.github/workflows/ci.yml
+++ b/ui/.github/workflows/ci.yml
@ -1,48 +0,0 @@
-# Copyright (c) HashiCorp, Inc.
-# SPDX-License-Identifier: MPL-2.0
-
-name: CI
-
-on:
-  push:
-    branches:
-      - main
-      - master
-  pull_request: {}
-
-concurrency:
-  group: ci-${{ github.head_ref || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  lint:
-    name: "Lint"
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-      - name: Install Node
-        uses: actions/setup-node@v3
-        with:
-          node-version: 12.x
-          cache: yarn
-      - name: Install Dependencies
-        run: yarn install --frozen-lockfile
-      - name: Lint
-        run: yarn lint
-
-  test:
-    name: "Test"
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-      - name: Install Node
-        uses: actions/setup-node@v3
-        with:
-          node-version: 12.x
-          cache: yarn
-      - name: Install Dependencies
-        run: yarn install --frozen-lockfile
-      - name: Run Tests
-        run: yarn test
--- a/ui/package.json
+++ b/ui/package.json
@ -211,17 +211,11 @@
    "eslint-utils": "^1.4.1",
    "ember-basic-dropdown": "6.0.1",
    "growl": "^1.10.0",
-    "handlebars": "^4.3.0",
    "highlight.js": "^10.4.1",
    "https-proxy-agent": "^2.2.3",
    "ini": "^1.3.6",
-    "js-yaml": "^3.13.1",
    "kind-of": "^6.0.3",
-    "lodash.defaultsdeep": "^4.6.1",
-    "lodash.merge": "^4.6.2",
-    "lodash": "^4.17.13",
    "minimatch": "^3.0.2",
-    "minimist": "^1.2.2",
    "node-notifier": "^8.0.1",
    "prismjs": "^1.21.0",
    "qs": "^6.3.0",
@ -232,7 +226,7 @@
    "@hashicorp/ember-flight-icons": "2.0.3"
  },
  "engines": {
-    "node": "12.* || 14.* || >= 16"
+    "node": ">= 16"
  },
  "ember": {
    "edition": "octane"
@ -252,10 +246,8 @@
    ]
  },
  "dependencies": {
-    "handlebars": "^4.3.0",
+    "handlebars": "4.7.7",
    "highlight.js": "^10.4.1",
-    "js-yaml": "^3.13.1",
-    "lodash": "^4.17.13",
    "node-notifier": "^8.0.1",
    "uuid": "^9.0.0"
  }
--- a/ui/yarn.lock
+++ b/ui/yarn.lock
@ -12146,7 +12146,7 @@ growly@^1.3.0:
  resolved "https://registry.yarnpkg.com/growly/-/growly-1.3.0.tgz#f10748cbe76af964b7c96c93c6bcc28af120c081"
  integrity sha1-8QdIy+dq+WS3yWyTxrzCivEgwIE=

-handlebars@^4.0.11, handlebars@^4.0.13, handlebars@^4.0.4, handlebars@^4.3.0, handlebars@^4.3.1, handlebars@^4.4.2, handlebars@^4.7.3:
+handlebars@4.7.7, handlebars@^4.0.11, handlebars@^4.0.13, handlebars@^4.0.4, handlebars@^4.3.1, handlebars@^4.4.2, handlebars@^4.7.3:
  version "4.7.7"
  resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.7.7.tgz#9ce33416aad02dbd6c8fafa8240d5d98004945a1"
  integrity sha512-aAcXm5OAfE/8IXkcZvCepKU3VzW1/39Fb5ZuqMtgI/hT8X2YgoMvBY5dLhq/cpOvw7Lk1nK/UF71aLG/ZnVYRA==
@ -13162,7 +13162,7 @@ js-tokens@^3.0.2:
  resolved "https://registry.yarnpkg.com/js-tokens/-/js-tokens-3.0.2.tgz#9866df395102130e38f7f996bceb65443209c25b"
  integrity sha1-mGbfOVECEw449/mWvOtlRDIJwls=

-js-yaml@^3.13.1, js-yaml@^3.14.0, js-yaml@^3.2.5, js-yaml@^3.2.7, js-yaml@^4.1.0:
+js-yaml@^3.13.1, js-yaml@^3.14.0, js-yaml@^3.2.5, js-yaml@^3.2.7:
  version "3.14.1"
  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.14.1.tgz#dae812fdb3825fa306609a8717383c50c36a0537"
  integrity sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==
@ -13170,6 +13170,13 @@ js-yaml@^3.13.1, js-yaml@^3.14.0, js-yaml@^3.2.5, js-yaml@^3.2.7, js-yaml@^4.1.0
    argparse "^1.0.7"
    esprima "^4.0.0"

+js-yaml@^4.1.0:
+  version "4.1.0"
+  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-4.1.0.tgz#c1fb65f8f5017901cdd2c951864ba18458a10602"
+  integrity sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==
+  dependencies:
+    argparse "^2.0.1"
+
 jsbn@~0.1.0:
  version "0.1.1"
  resolved "https://registry.yarnpkg.com/jsbn/-/jsbn-0.1.1.tgz#a5e654c2e5a2deb5f201d96cefbca80c0ef2f513"
@ -13844,7 +13851,7 @@ lodash.values@^4.3.0:
  resolved "https://registry.yarnpkg.com/lodash.values/-/lodash.values-4.3.0.tgz#a3a6c2b0ebecc5c2cba1c17e6e620fe81b53d347"
  integrity sha1-o6bCsOvsxcLLocF+bmIP6BtT00c=

-lodash@^4.0.0, lodash@^4.17.10, lodash@^4.17.11, lodash@^4.17.12, lodash@^4.17.13, lodash@^4.17.14, lodash@^4.17.15, lodash@^4.17.19, lodash@^4.17.21, lodash@^4.17.4, lodash@^4.5.1, lodash@^4.7.0, lodash@~4.17.10:
+lodash@^4.0.0, lodash@^4.17.10, lodash@^4.17.11, lodash@^4.17.12, lodash@^4.17.14, lodash@^4.17.15, lodash@^4.17.19, lodash@^4.17.21, lodash@^4.17.4, lodash@^4.5.1, lodash@^4.7.0, lodash@~4.17.10:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
  integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
@ -14490,10 +14497,15 @@ minimist-options@4.1.0:
    is-plain-obj "^1.1.0"
    kind-of "^6.0.3"

-minimist@^0.2.1, minimist@^1.1.1, minimist@^1.2.0, minimist@^1.2.2, minimist@^1.2.5, minimist@^1.2.6:
-  version "1.2.5"
-  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz#67d66014b66a6a8aaa0c083c5fd58df4e4e97602"
-  integrity sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==
+minimist@^0.2.1:
+  version "0.2.4"
+  resolved "https://registry.yarnpkg.com/minimist/-/minimist-0.2.4.tgz#0085d5501e29033748a2f2a4da0180142697a475"
+  integrity sha512-Pkrrm8NjyQ8yVt8Am9M+yUt74zE3iokhzbG1bFVNjLB92vwM71hf40RkEsryg98BujhVOncKm/C1xROxZ030LQ==
+
+minimist@^1.1.1, minimist@^1.2.0, minimist@^1.2.5, minimist@^1.2.6:
+  version "1.2.6"
+  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.6.tgz#8637a5b759ea0d6e98702cfb3a9283323c93af44"
+  integrity sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==

 minipass-collect@^1.0.2:
  version "1.0.2"