Address Critical Vulnerabilities from Dependencies (#19901)

* cleans up dependencies with critical warnigns * adds changelog entry * updates dockerfiles and ci github workflow to use node 16 * removes ui gh workflow not being used
2025-10-31 02:28:09 +00:00 · 2023-04-03 15:24:38 -06:00
parent d824381312
commit 439a16a093
7 changed files with 28 additions and 69 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -204,14 +204,14 @@ jobs:
    # Setup node.js without caching to allow running npm install -g yarn (next step)
    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
      with:
-        node-version: 14
+        node-version: 16
    - id: install-yarn
      run: |
        npm install -g yarn
    # Setup node.js with caching using the yarn.lock file
    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
      with:
-        node-version: 14
+        node-version: 16
        cache: yarn
        cache-dependency-path: ui/yarn.lock
    - id: install-browser-libraries
--- a/changelog/19901.txt
+++ b/changelog/19901.txt
@@ -0,0 +1,3 @@
 ```release-note:improvement
 ui: Updates UI javascript dependencies
 ```
--- a/scripts/cross/Dockerfile
+++ b/scripts/cross/Dockerfile
@@ -15,7 +15,7 @@ RUN apt-get update -y && apt-get install --no-install-recommends -y -q \
                         libltdl-dev \
                         libltdl7
-RUN curl -sL https://deb.nodesource.com/setup_14.x | bash -
+RUN curl -sL https://deb.nodesource.com/setup_16.x | bash -
 RUN curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
 RUN echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
--- a/scripts/docker/Dockerfile.ui
+++ b/scripts/docker/Dockerfile.ui
@@ -19,7 +19,7 @@ RUN apt-get update -y && apt-get install --no-install-recommends -y -q \
                         libltdl-dev \
                         libltdl7
-RUN curl -sL https://deb.nodesource.com/setup_14.x | bash -
+RUN curl -sL https://deb.nodesource.com/setup_16.x | bash -
 RUN curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
 RUN echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
--- a/ui/.github/workflows/ci.yml
+++ b/ui/.github/workflows/ci.yml
@@ -1,48 +0,0 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 name: CI
 on:
  push:
    branches:
      - main
      - master
  pull_request: {}
 concurrency:
  group: ci-${{ github.head_ref || github.ref }}
  cancel-in-progress: true
 jobs:
  lint:
    name: "Lint"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install Node
        uses: actions/setup-node@v3
        with:
          node-version: 12.x
          cache: yarn
      - name: Install Dependencies
        run: yarn install --frozen-lockfile
      - name: Lint
        run: yarn lint
  test:
    name: "Test"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install Node
        uses: actions/setup-node@v3
        with:
          node-version: 12.x
          cache: yarn
      - name: Install Dependencies
        run: yarn install --frozen-lockfile
      - name: Run Tests
        run: yarn test
--- a/ui/package.json
+++ b/ui/package.json
@@ -211,17 +211,11 @@
    "eslint-utils": "^1.4.1",
    "ember-basic-dropdown": "6.0.1",
    "growl": "^1.10.0",
    "handlebars": "^4.3.0",
    "highlight.js": "^10.4.1",
    "https-proxy-agent": "^2.2.3",
    "ini": "^1.3.6",
    "js-yaml": "^3.13.1",
    "kind-of": "^6.0.3",
    "lodash.defaultsdeep": "^4.6.1",
    "lodash.merge": "^4.6.2",
    "lodash": "^4.17.13",
    "minimatch": "^3.0.2",
    "minimist": "^1.2.2",
    "node-notifier": "^8.0.1",
    "prismjs": "^1.21.0",
    "qs": "^6.3.0",
@@ -232,7 +226,7 @@
    "@hashicorp/ember-flight-icons": "2.0.3"
  },
  "engines": {
-    "node": "12.* || 14.* || >= 16"
+    "node": ">= 16"
  },
  "ember": {
    "edition": "octane"
@@ -252,10 +246,8 @@
    ]
  },
  "dependencies": {
-    "handlebars": "^4.3.0",
+    "handlebars": "4.7.7",
    "highlight.js": "^10.4.1",
    "js-yaml": "^3.13.1",
    "lodash": "^4.17.13",
    "node-notifier": "^8.0.1",
    "uuid": "^9.0.0"
  }
--- a/ui/yarn.lock
+++ b/ui/yarn.lock
@@ -12146,7 +12146,7 @@ growly@^1.3.0:
  resolved "https://registry.yarnpkg.com/growly/-/growly-1.3.0.tgz#f10748cbe76af964b7c96c93c6bcc28af120c081"
  integrity sha1-8QdIy+dq+WS3yWyTxrzCivEgwIE=
-handlebars@^4.0.11, handlebars@^4.0.13, handlebars@^4.0.4, handlebars@^4.3.0, handlebars@^4.3.1, handlebars@^4.4.2, handlebars@^4.7.3:
+handlebars@4.7.7, handlebars@^4.0.11, handlebars@^4.0.13, handlebars@^4.0.4, handlebars@^4.3.1, handlebars@^4.4.2, handlebars@^4.7.3:
  version "4.7.7"
  resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.7.7.tgz#9ce33416aad02dbd6c8fafa8240d5d98004945a1"
  integrity sha512-aAcXm5OAfE/8IXkcZvCepKU3VzW1/39Fb5ZuqMtgI/hT8X2YgoMvBY5dLhq/cpOvw7Lk1nK/UF71aLG/ZnVYRA==
@@ -13162,7 +13162,7 @@ js-tokens@^3.0.2:
  resolved "https://registry.yarnpkg.com/js-tokens/-/js-tokens-3.0.2.tgz#9866df395102130e38f7f996bceb65443209c25b"
  integrity sha1-mGbfOVECEw449/mWvOtlRDIJwls=
-js-yaml@^3.13.1, js-yaml@^3.14.0, js-yaml@^3.2.5, js-yaml@^3.2.7, js-yaml@^4.1.0:
+js-yaml@^3.13.1, js-yaml@^3.14.0, js-yaml@^3.2.5, js-yaml@^3.2.7:
  version "3.14.1"
  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.14.1.tgz#dae812fdb3825fa306609a8717383c50c36a0537"
  integrity sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==
@@ -13170,6 +13170,13 @@ js-yaml@^3.13.1, js-yaml@^3.14.0, js-yaml@^3.2.5, js-yaml@^3.2.7, js-yaml@^4.1.0
    argparse "^1.0.7"
    esprima "^4.0.0"
 js-yaml@^4.1.0:
  version "4.1.0"
  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-4.1.0.tgz#c1fb65f8f5017901cdd2c951864ba18458a10602"
  integrity sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==
  dependencies:
    argparse "^2.0.1"
 jsbn@~0.1.0:
  version "0.1.1"
  resolved "https://registry.yarnpkg.com/jsbn/-/jsbn-0.1.1.tgz#a5e654c2e5a2deb5f201d96cefbca80c0ef2f513"
@@ -13844,7 +13851,7 @@ lodash.values@^4.3.0:
  resolved "https://registry.yarnpkg.com/lodash.values/-/lodash.values-4.3.0.tgz#a3a6c2b0ebecc5c2cba1c17e6e620fe81b53d347"
  integrity sha1-o6bCsOvsxcLLocF+bmIP6BtT00c=
-lodash@^4.0.0, lodash@^4.17.10, lodash@^4.17.11, lodash@^4.17.12, lodash@^4.17.13, lodash@^4.17.14, lodash@^4.17.15, lodash@^4.17.19, lodash@^4.17.21, lodash@^4.17.4, lodash@^4.5.1, lodash@^4.7.0, lodash@~4.17.10:
+lodash@^4.0.0, lodash@^4.17.10, lodash@^4.17.11, lodash@^4.17.12, lodash@^4.17.14, lodash@^4.17.15, lodash@^4.17.19, lodash@^4.17.21, lodash@^4.17.4, lodash@^4.5.1, lodash@^4.7.0, lodash@~4.17.10:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
  integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
@@ -14490,10 +14497,15 @@ minimist-options@4.1.0:
    is-plain-obj "^1.1.0"
    kind-of "^6.0.3"
-minimist@^0.2.1, minimist@^1.1.1, minimist@^1.2.0, minimist@^1.2.2, minimist@^1.2.5, minimist@^1.2.6:
+minimist@^0.2.1:
-  version "1.2.5"
+  version "0.2.4"
-  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz#67d66014b66a6a8aaa0c083c5fd58df4e4e97602"
+  resolved "https://registry.yarnpkg.com/minimist/-/minimist-0.2.4.tgz#0085d5501e29033748a2f2a4da0180142697a475"
-  integrity sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==
+  integrity sha512-Pkrrm8NjyQ8yVt8Am9M+yUt74zE3iokhzbG1bFVNjLB92vwM71hf40RkEsryg98BujhVOncKm/C1xROxZ030LQ==
 minimist@^1.1.1, minimist@^1.2.0, minimist@^1.2.5, minimist@^1.2.6:
  version "1.2.6"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.6.tgz#8637a5b759ea0d6e98702cfb3a9283323c93af44"
  integrity sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==
 minipass-collect@^1.0.2:
  version "1.0.2"