
fix(deps): upgrade swagger-ui-react to latest 4.x.x #12058

Merged

Conversation

agilgur5

@agilgur5 agilgur5 commented Oct 21, 2023

Follow-up to #12036, where the last vulnerable UI dep was unable to be auto-fixed due to being pinned by swagger-ui-react

Motivation

  • there are still some build issues to resolve in order to move to 5.x.x, but in the interim, can move to latest 4.x.x
  • in particular, this upgrade fixes an XSS CVE in a pinned dep of swagger-ui-react, @braintree/sanitize-url: https://security.snyk.io/vuln/SNYK-JS-BRAINTREESANITIZEURL-3330766
    • see that it is pinned here (https://github.com/argoproj/argo-workflows/blob/5c264c094104645a4c917a9a23615424d564d1e4/ui/yarn.lock#L7702), so we could not independently upgrade it without upgrading swagger-ui-react itself:
      "@braintree/sanitize-url" "=6.0.0"
    • note that it is still pinned in latest 4.x.x of swagger-ui-react, but it is at least a newer patch version not susceptible to the CVE

Modifications

upgrade swagger-ui-react from 4.12.0 -> 4.19.1, latest of 4.x.x

  • this adds a lot of new deps, which I am not a fan of, seemingly because it moves to @swagger libraries for some behaviors
  • but on the bright side, the actual Swagger UI seems to lag / freeze less and work a little bit better now!

Verification

Tested the /apidocs route myself locally, see below screenshot:
[screenshot: the /apidocs route rendered locally, 2023-10-21]

Future Work

I would still like to code-split out the /apidocs page as a separate bundle, since it is rarely used yet has a lot of deps, and I believe includes the full Swagger file as well. That should help with issues like #11970
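The pinning problem described above (a transitive dependency held at an exact version by its parent, so it cannot be bumped on its own) is easy to spot mechanically. The following is an added example, not code from the argo-workflows project or from this PR: a minimal parser for yarn v1 lockfiles plus an audit that reports which resolved versions of a package are present, which of them fall below a version you consider safe, and which packages pin that dependency with an exact range. The lockfile text, registry URLs and integrity values are constructed placeholders, and the `6.0.1` threshold passed at the bottom is an assumed value, not the advisory's fix version.

```javascript
// Added example, not part of the argo-workflows project: yarn v1 lockfile
// parser and a pinned-dependency audit. SAMPLE_LOCK is constructed for this
// example; URLs and integrity hashes are placeholders.

const SAMPLE_LOCK = `# yarn lockfile v1

"@braintree/sanitize-url@=6.0.0":
  version "6.0.0"
  resolved "https://registry.example.invalid/sanitize-url-6.0.0.tgz#placeholder"
  integrity sha512-PLACEHOLDER

react@^18.2.0:
  version "18.2.0"
  resolved "https://registry.example.invalid/react-18.2.0.tgz#placeholder"
  integrity sha512-PLACEHOLDER

swagger-ui-react@^4.12.0:
  version "4.12.0"
  resolved "https://registry.example.invalid/swagger-ui-react-4.12.0.tgz#placeholder"
  integrity sha512-PLACEHOLDER
  dependencies:
    "@braintree/sanitize-url" "=6.0.0"
    react-immutable-proptypes "2.2.0"
`;

// Split "name@range" at the last "@" so scoped names (@scope/pkg) survive intact.
function splitSpec(spec) {
  const at = spec.lastIndexOf("@");
  return { name: spec.slice(0, at), range: spec.slice(at + 1) };
}

function unquote(s) {
  return s.replace(/^"(.*)"$/, "$1");
}

// Parse a yarn v1 lockfile into entries of { specs, version, dependencies }.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      // Header line: one or more "name@range" specs, comma separated, ending in ":".
      const specs = line.replace(/:$/, "").split(", ").map((s) => splitSpec(unquote(s)));
      current = { specs, version: null, dependencies: {} };
      entries.push(current);
      continue;
    }
    if (!current) continue;
    if (line.startsWith("    ")) {
      // Four-space indent: a dependency line of the form  name "range".
      const m = line.trim().match(/^("[^"]+"|\S+)\s+"([^"]*)"$/);
      if (m) current.dependencies[unquote(m[1])] = m[2];
      continue;
    }
    // Two-space indent: only the resolved version is needed for this audit.
    const m = line.trim().match(/^version\s+"([^"]*)"$/);
    if (m) current.version = m[1];
  }
  return entries;
}

// Numeric major.minor.patch comparison; prerelease tags are not handled.
function versionLess(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// An exact pin is a bare version, optionally prefixed with "=" (yarn writes "=6.0.0").
function isExactPin(range) {
  return /^=?\d+\.\d+\.\d+$/.test(range);
}

// Report resolved versions of `pkg`, those below `minSafe`, and who pins it exactly.
function auditPin(lockText, pkg, minSafe) {
  const entries = parseYarnLock(lockText);
  const resolved = [...new Set(
    entries.filter((e) => e.specs.some((s) => s.name === pkg)).map((e) => e.version)
  )];
  const vulnerable = resolved.filter((v) => versionLess(v, minSafe));
  const pinnedBy = [];
  for (const e of entries) {
    const range = e.dependencies[pkg];
    if (range !== undefined && isExactPin(range)) {
      for (const s of e.specs) pinnedBy.push(`${s.name}@${e.version} (wants ${range})`);
    }
  }
  return { resolved, vulnerable, pinnedBy };
}

// "6.0.1" is an assumed threshold for the example; use the advisory's fixed version.
console.log(JSON.stringify(auditPin(SAMPLE_LOCK, "@braintree/sanitize-url", "6.0.1"), null, 2));
```

Run against a real `ui/yarn.lock` by reading the file instead of `SAMPLE_LOCK`; a non-empty `pinnedBy` list is the signal that the only way forward is to upgrade the parent package (here `swagger-ui-react`), exactly as this PR does.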

Signed-off-by: Anton Gilgur <agilgur5@gmail.com>
@agilgur5 agilgur5 added labels type/dependencies, area/ui, javascript, type/security on Oct 21, 2023
@terrytangyuan terrytangyuan merged commit 8f09108 into argoproj:master Oct 21, 2023
15 checks passed
@agilgur5 agilgur5 deleted the deps-upgrade-swagger-ui-minor branch October 22, 2023 00:16
sarabala1979 pushed a commit that referenced this pull request Jan 10, 2024
@agilgur5 agilgur5 changed the title chore(deps): upgrade swagger-ui-react to latest 4.x.x fix(deps): upgrade swagger-ui-react to latest 4.x.x Apr 10, 2024