package: Upgrade dependencies to resolve security issues. #536
Conversation
|
@Henry8192, can you address the security advisories that came in after this PR? We can try to get this merged today. |
WalkthroughThe pull request includes updates to several configuration files. The Changes
📜 Recent review detailsConfiguration used: CodeRabbit UI 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Outside diff range and nitpick comments (1)
components/webui/package.json (1)
Line range hint
1-72: Consider a comprehensive dependency check.While this update addresses one dependency, it might be beneficial to perform a comprehensive check of all dependencies. This aligns with kirkrodrigues' comment about tackling new security advisories.
Consider running the following commands to identify and address any other potential issues:
#!/bin/bash # Description: Perform a comprehensive dependency check # Test: Check for outdated dependencies npm outdated # Test: Check for known vulnerabilities npm audit # If vulnerabilities are found, consider running: # npm audit fixReview the results of these commands and update other dependencies if necessary. This proactive approach can help maintain the security and stability of the project.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
⛔ Files ignored due to path filters (3)
components/log-viewer-webui/client/package-lock.jsonis excluded by!**/package-lock.jsoncomponents/log-viewer-webui/server/package-lock.jsonis excluded by!**/package-lock.jsoncomponents/webui/package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (3)
- components/log-viewer-webui/client/package.json (1 hunks)
- components/webui/package.json (1 hunks)
- requirements.txt (1 hunks)
🔇 Additional comments (3)
requirements.txt (1)
3-3: 🛠️ Refactor suggestionConsider using a more conservative version constraint for setuptools.
The change from
~=69.0to>=70.0.0for setuptools significantly broadens the acceptable version range. While this allows for easier updates, it may introduce potential compatibility issues or security vulnerabilities in the future.Consider using a more conservative approach, such as
~=70.0or>=70.0,<71.0, which would allow for minor updates within the 70.x series while preventing unexpected major version jumps.Let's verify if there are any known issues or vulnerabilities with setuptools versions >=70.0.0:
✅ Verification successful
No known vulnerabilities found for setuptools >=70.0.0
The verification indicates that there are currently no open security issues or CVEs associated with setuptools versions >=70.0.0. Therefore, the version constraint change is acceptable.
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash # Description: Check for known vulnerabilities in setuptools >=70.0.0 # Use the GitHub CLI to search for open issues in the setuptools repository gh issue list -R pypa/setuptools -S "in:title vulnerability OR security" -L 10 --json number,title,labels,url # Search for CVEs related to setuptools curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=setuptools&keywordExactMatch=true&resultsPerPage=10" | jq '.vulnerabilities[] | {id: .cve.id, description: .cve.descriptions[0].value}'Length of output: 324
components/log-viewer-webui/client/package.json (1)
27-29: Dependency updates look good, but let's verify a few things.The updates to webpack (^5.94.0) and webpack-dev-server (^5.1.0) are appropriate and likely address the security issues reported by GitHub's Dependabot. Good job on keeping the dependencies up to date!
To ensure all vulnerabilities have been addressed and to check for any potential breaking changes, please run the following verification steps:
After running these commands, please confirm that:
- No vulnerabilities are reported by npm audit.
- There are no breaking changes in the new versions of webpack and webpack-dev-server that could affect your project.
If any issues are found, please address them before merging this PR.
components/webui/package.json (1)
28-28: Approved: Dependency update looks good.The update of
meteor-node-stubsfrom^1.2.9to^1.2.10is a minor version bump, which typically includes backwards-compatible bug fixes. This change aligns with the PR's objective of resolving dependency issues.To ensure this update doesn't introduce any unexpected issues, please run the following verification steps:
If these steps complete without errors, it's likely safe to proceed with this update.
|
For the PR title, how about: |
| @@ -24,9 +24,9 @@ | |||
| "mini-css-extract-plugin": "^2.9.0", | |||
| "react-refresh": "^0.14.2", | |||
| "style-loader": "^4.0.0", | |||
| "webpack": "^5.92.1", | |||
| "webpack": "^5.94.0", | |||
There was a problem hiding this comment.
There seems to be a newer version now.
| "webpack": "^5.94.0", | |
| "webpack": "^5.95.0", |
requirements.txt
Outdated
| @@ -1,3 +1,3 @@ | |||
| pip~=23.3 | |||
| poetry~=1.7 | |||
| setuptools~=69.0 | |||
| setuptools>=70.0.0 | |||
There was a problem hiding this comment.
Is being more explicit better?
| setuptools>=70.0.0 | |
| setuptools~=75.2.0 |
|
Let's fix the code at https://github.com/y-scope/clp/blob/2c99375202b9f49991f13503c936854862bce8df/components/log-viewer-webui/server/src/DbManager.js e.g., ... |
There was a problem hiding this comment.
Actionable comments posted: 1
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
⛔ Files ignored due to path filters (3)
components/log-viewer-webui/client/package-lock.jsonis excluded by!**/package-lock.jsoncomponents/log-viewer-webui/server/package-lock.jsonis excluded by!**/package-lock.jsoncomponents/webui/package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (3)
- components/log-viewer-webui/client/package.json (1 hunks)
- components/log-viewer-webui/server/src/DbManager.js (2 hunks)
- requirements.txt (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
- components/log-viewer-webui/client/package.json
- requirements.txt
🧰 Additional context used
🔇 Additional comments (1)
components/log-viewer-webui/server/src/DbManager.js (1)
5-5: Excellent use of named import for msgpack library.The change from a default import to a named import for the
encodefunction improves code clarity and potentially reduces bundle size. This aligns well with modern JavaScript best practices.
What do you think of this? |
Since we also updated |
Henry8192
changed the title
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Henry8192
changed the title
* ffi: Add support for serializing/deserializing auto-generated and user-generated schema tree node IDs. (y-scope#557) Co-authored-by: kirkrodrigues <[email protected]> * clp: Add missing C++ standard library includes in IR parsing files. (y-scope#561) Co-authored-by: kirkrodrigues <[email protected]> * log-viewer-webui: Update `yscope-log-viewer` to the latest version (which uses `clp-ffi-js`). (y-scope#562) * package: Upgrade dependencies to resolve security issues. (y-scope#536) * clp-s: Implement table packing (y-scope#466) Co-authored-by: wraymo <[email protected]> Co-authored-by: Kirk Rodrigues <[email protected]> Co-authored-by: wraymo <[email protected]> * log-viewer-webui: Update `yscope-log-viewer` to the latest version. (y-scope#565) * ci: Switch GitHub macOS build workflow to use macos-13 (x86) and macos-14 (ARM) runners. (y-scope#566) * core: Add support for user-defined HTTP headers in `NetworkReader`. (y-scope#568) Co-authored-by: Lin Zhihao <[email protected]> Co-authored-by: Xiaochong Wei <[email protected]> * chore: Update to the latest version of yscope-dev-utils. (y-scope#574) * build(core): Upgrade msgpack to v7.0.0. (y-scope#575) * feat(ffi): Update IR stream protocol version handling in preparation for releasing the kv-pair IR stream format: (y-scope#573) - Bump the IR stream protocol version to 0.1.0 for the kv-pair IR stream format. - Treat the previous IR stream format's versions as backwards compatible. - Differentiate between backwards-compatible and supported versions during validation. Co-authored-by: kirkrodrigues <[email protected]> * fix(taskfiles): Trim trailing slash from URL prefix in `download-and-extract-tar` (fixes y-scope#577). (y-scope#578) * fix(ffi): Correct `clp::ffi::ir_stream::Deserializer::deserialize_next_ir_unit`'s return value when failing to read the next IR unit's type tag. (y-scope#579) * fix(taskfiles): Update `yscope-log-viewer` sources in `log-viewer-webui-clients` sources list (fixes y-scope#576). (y-scope#580) * fix(cmake): Add Homebrew path detection for `mariadb-connector-c` to fix macOS build failure. (y-scope#582) Co-authored-by: kirkrodrigues <[email protected]> * refactor(ffi): Make `get_schema_subtree_bitmap` a public method of `KeyValuePairLogEvent`. (y-scope#581) * ci: Schedule GitHub workflows to daily run to detect failures due to upgraded dependencies or environments. (y-scope#583) * docs: Update the required version of task. (y-scope#567) * Add pr check workflow --------- Co-authored-by: kirkrodrigues <[email protected]> Co-authored-by: Junhao Liao <[email protected]> Co-authored-by: Henry8192 <[email protected]> Co-authored-by: Devin Gibson <[email protected]> Co-authored-by: wraymo <[email protected]> Co-authored-by: wraymo <[email protected]> Co-authored-by: Xiaochong(Eddy) Wei <[email protected]> Co-authored-by: Xiaochong Wei <[email protected]> Co-authored-by: haiqi96 <[email protected]>
Description
https://github.com/y-scope/clp/security/dependabot reports issue on webui and log-viewer-webui. This PR addresses these issues by simply either running
npm iornpm audit fix.Validation performed
In webui and log-viewer-webui folder, run
npm iand observe 0 vulnerabilities.Summary by CodeRabbit
New Features
Bug Fixes
webpackandwebpack-dev-serverto enhance build processes.meteor-node-stubsfor better compatibility.Chores
setuptoolsto allow newer versions.