
Conversation

@agilgur5

@agilgur5 agilgur5 commented Oct 21, 2023

Follow-up to #12036, where the last vulnerable UI dep was unable to be auto-fixed due to being pinned by swagger-ui-react

Motivation

  • there are still some build issues to resolve in order to move to 5.x.x, but in the interim, can move to latest 4.x.x
  • in particular, this upgrade fixes an XSS CVE in a pinned dep of swagger-ui-react, @braintree/sanitize-url: https://security.snyk.io/vuln/SNYK-JS-BRAINTREESANITIZEURL-3330766
    • see that it is pinned here, so we could not independently upgrade it without upgrading swagger-ui-react itself:
      "@braintree/sanitize-url" "=6.0.0"
    • note that it is still pinned in latest 4.x.x of swagger-ui-react, but it is at least a newer patch version not susceptible to the CVE

Modifications

upgrade swagger-ui-react from 4.12.0 -> 4.19.1, latest of 4.x.x

  • this adds a lot of new deps, which I am not a fan of, seemingly because it moves to @swagger libraries for some behaviors
  • but on the bright side, the actual Swagger UI seems to lag / freeze less and work a little bit better now!

Verification

Tested the /apidocs route myself locally, see below screenshot:
[screenshot: /apidocs route rendering locally, taken 2023-10-21]

Future Work

I would still like to code-split out the /apidocs page as a separate bundle, since it is rarely used yet has a lot of deps, and I believe includes the full Swagger file as well. That should help with issues like #11970

Signed-off-by: Anton Gilgur <[email protected]>
@terrytangyuan terrytangyuan merged commit 8f09108 into argoproj:master Oct 21, 2023
sarabala1979 pushed a commit that referenced this pull request Jan 10, 2024
