Upgrade vis to 5.0.0 to avoid security violation #22765

Closed
sug-ghosh wants to merge 1 commit into trinodb:master from sug-ghosh:upgrade_vis_component

@sug-ghosh
Contributor

Vis.js is a dynamic, browser-based visualization library. It is designed to handle large amounts of dynamic data and to enable manipulation of and interaction with the data. The library consists of different components, including Network, Timeline, Graph2d, Graph3d, and DataSet.

Here are a few use cases for each:

* Network: Used for visualizing and interacting with networked structures, like organizational structures or any sort of linked data.
* Timeline: Used for interactive timelines.
* Graph2d: Used for creating 2D graphs.
* Graph3d: Used for creating 3D graphs.
* DataSet: Used for handling and manipulating unstructured data.

Upgraded vis version to 5.0.0.

Description

Additional context and related issues

Release notes

( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
( ) Release notes are required, with the following suggested text:

# Section
* Fix some things. ({issue}`issuenumber`)

@cla-bot cla-bot bot added the cla-signed label Jul 23, 2024
@github-actions github-actions bot added the ui Web UI label Jul 23, 2024
@wendigo
Contributor

wendigo commented Jul 23, 2024

This should be upgraded through package.json. This PR is invalid in that regard

@mosabua
Member

mosabua commented Jul 23, 2024

Only sorta related question @wendigo .. why are those files in git anyway?

@mosabua
Member

mosabua commented Jul 23, 2024

also fyi @colebow and @emilysunaryo

@mosabua
Member

mosabua commented Jul 23, 2024

This is gonna be a bigger task since you will probably have to figure out what dependency specifically must be added .. and maybe we can even get rid of the checked in code in the vendor folder. Also note .. latest version of vis varies across components.

For example https://www.npmjs.com/package/vis-data compared to https://www.npmjs.com/package/vis-network

I think you might need to either add them as declared dependencies in package.json or see from the transitive dependency tree where it is inherited from and upgrade that component.

Also note that the yarn.lock file already points at vis-data 5.0.0 .. so maybe the checked in file in dist should just be deleted and it might be correct then.
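
An added example, not part of the original comment or the Trino code base: a small Node.js script that reads a yarn.lock and reports which version of a package is resolved and which locked packages request it, the check suggested above for finding where `vis-data` is inherited from. It assumes the classic yarn v1 lockfile format; the lockfile content, `example-graph-widget` and the function names `parseYarnLock` and `whoPullsIn` are constructed for illustration.

```javascript
// Constructed yarn.lock sample (yarn v1 format assumed); example-graph-widget is made up.
const SAMPLE_LOCK = `# yarn lockfile v1

example-graph-widget@^2.1.0:
  version "2.1.3"
  dependencies:
    vis-data "^5.0.0"

vis-data@^5.0.0:
  version "5.0.0"
`;

// Parse a yarn v1 lockfile into entries of { names, version, dependencies }.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      // Entry header: comma-separated "name@range" specifiers ending in ":".
      const specs = line.replace(/:$/, "").split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      // lastIndexOf keeps the leading "@" of scoped names such as @scope/pkg.
      const names = [...new Set(specs.map((s) => s.slice(0, s.lastIndexOf("@"))))];
      current = { names, version: null, dependencies: Object.create(null) };
      entries.push(current);
      inDeps = false;
    } else if (current && /^ {2}\S/.test(line)) {
      const m = line.match(/^ {2}version "(.+)"$/);
      if (m) current.version = m[1];
      inDeps = /^ {2}(dependencies|optionalDependencies):$/.test(line);
    } else if (current && inDeps && /^ {4}\S/.test(line)) {
      const m = line.trim().match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

// Resolved version(s) of pkg plus the locked packages that request it (empty if none do).
function whoPullsIn(text, pkg) {
  const entries = parseYarnLock(text);
  return {
    resolved: entries.filter((e) => e.names.includes(pkg)).map((e) => e.version),
    requiredBy: entries.filter((e) => pkg in e.dependencies)
      .map((e) => `${e.names[0]}@${e.version} wants ${pkg} ${e.dependencies[pkg]}`),
  };
}
```

Comparing the `resolved` value with the version string inside a checked-in copy of the library shows whether the vendored file has drifted from what the lockfile installs.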

@wendigo
Contributor

wendigo commented Jul 24, 2024

@mosabua idk. They were always checked in

@mosabua
Member

mosabua commented Jul 24, 2024

#22785 should resolve this issue.

@wendigo
Contributor

wendigo commented Jul 26, 2024

Replaced by #22831

@wendigo wendigo closed this Jul 26, 2024