Skip to content

Solve critical vulnerability of Presto UI from @babel/traverse npm package#21322

Merged
tdcmeehan merged 1 commit intoprestodb:masterfrom
yhwang:update-babel-version
Nov 13, 2023
Merged

Solve critical vulnerability of Presto UI from @babel/traverse npm package#21322
tdcmeehan merged 1 commit intoprestodb:masterfrom
yhwang:update-babel-version

Conversation

@yhwang
Copy link
Member

@yhwang yhwang commented Nov 6, 2023
edited
Loading

Ref: #21319

Description

Update @babel and related packages to newer versions to solve the critical vulnerability issue reported by yarn audit: GHSA-67hx-6x53-jw92

Motivation and Context

The critical vulnerability issue reported by yarn audit may impact servers that run the babel to compile the Presto UI code or developers' machines. Although there is no path.evaluate() or path.evaluateTruthy() in the current code base, it's good to fix it.

Impact

Most of the JS files are not changed, except query.js.

Test Plan

Manually run the Presto UI and verify the query page.

Contributor checklist

  • Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

General Changes
* Update Babel and related npm packages to solve critical vulnerability: https://github.com/advisories/GHSA-67hx-6x53-jw92
  The Babel packages are used to generate the JavaScript files for Presto UI. The update prevents the build servers
  or developers' machines from running arbitrary code while building the JavaScript files.

@yhwang
Solve critical vulnerability of Presto UI
0bb82f5 
Update @babel and related packages to newer versions to
solve the critical vulnerability issue reported by
`yarn audit`: https://www.npmjs.com/advisories/1094446

Signed-off-by: Yihong Wang <yh.wang@ibm.com>
@yhwang yhwang requested a review from a team as a code owner November 6, 2023 19:08
@yhwang yhwang requested a review from presto-oss November 6, 2023 19:08
@yhwang
Copy link
Member Author

yhwang commented Nov 6, 2023

Below, it's a screenshot of the query page, I don't see any issue of this page.
query-1

@yhwang
Copy link
Member Author

yhwang commented Nov 6, 2023

Here is another screenshot which has a successful query:
query-2

@skairali skairali self-requested a review November 9, 2023 15:05
skairali
skairali approved these changes Nov 9, 2023
View reviewed changes
Copy link
Member

@skairali skairali left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a good change and required one from security perspective.

@steveburnett
Copy link
Contributor

steveburnett commented Nov 10, 2023

If this is a "critical vulnerability" as described in the title, consider adding a release note to this PR for the Security section of the next release notes.

@yhwang
Copy link
Member Author

yhwang commented Nov 13, 2023

@steveburnett thanks for the feedback. update the description of this PR to include the release node.

@tdcmeehan tdcmeehan merged commit 6c48ec5 into prestodb:master Nov 13, 2023
@yhwang yhwang deleted the update-babel-version branch November 13, 2023 19:55
@wanglinsong wanglinsong mentioned this pull request Dec 8, 2023
Closed
26 tasks
@tdcmeehan tdcmeehan mentioned this pull request Dec 20, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tdcmeehan tdcmeehan tdcmeehan approved these changes

@presto-oss presto-oss Awaiting requested review from presto-oss presto-oss is a code owner automatically assigned from prestodb/committers

+1 more reviewer

@skairali skairali skairali approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Security

Projects

Security
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@yhwang @steveburnett @tdcmeehan @skairali