Problem/Motivation
yarn audit currently gives:
17 vulnerabilities found - Packages audited: 1278
Severity: 12 High | 5 Critical
Proposed resolution
yarn upgrade on all the branches.
Remaining tasks
#3266912: Review version constraints for production yarn dependencies should probably be fixed prior to updating 9.3.x and 9.2.x, to avoid unnecessary minor version updates for the deps.
User interface changes
N/A
API changes
TBD
Data model changes
N/A
Release notes snippet
Drupal core’s JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address a few security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their node_modules directory and re-run yarn install from within the core/ directory.
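As an added example (not part of this issue and not Drupal core's own tooling), the audit-then-upgrade cycle described above as a shell script: a small CI gate that parses the human-readable yarn audit summary lines quoted in the issue summary and fails when any High or Critical findings remain, plus the maintainer sequence (upgrade, rebuild, re-audit). The High/Critical threshold, the audit.log file name, the function names and the two sample summaries are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not Drupal's tooling: gate CI on the `yarn audit` summary.

# Print the count for one severity label ("Critical", "High", "Moderate",
# "Low", "Info") found in captured `yarn audit` output; 0 if the label is absent.
# Matches e.g. "Severity: 12 High | 5 Critical" -> "12" for label High.
count_severity() {
  label=$1
  text=$2
  n=$(printf '%s\n' "$text" | sed -n "s/.*[^0-9]\([0-9][0-9]*\) $label.*/\1/p" | head -n 1)
  printf '%s\n' "${n:-0}"
}

# Return 0 when the summary has no High or Critical findings, 1 otherwise.
# Moderate and lower are not blocking here (assumed threshold for the example).
audit_gate() {
  text=$1
  high=$(count_severity High "$text")
  critical=$(count_severity Critical "$text")
  if [ "$high" -gt 0 ] || [ "$critical" -gt 0 ]; then
    echo "audit gate: $high High, $critical Critical -> blocking" >&2
    return 1
  fi
  echo "audit gate: clean" >&2
  return 0
}

# Maintainer sequence from the issue: pull in the upgrades, rebuild so the
# committed build files track the new tooling, then re-audit and gate.
# Run from core/. Hypothetical wrapper; not executed by the demo below.
upgrade_build_reaudit() {
  yarn upgrade
  yarn build
  yarn audit 2>&1 | tee audit.log
  audit_gate "$(cat audit.log)"
}

# Constructed samples mirroring the before/after figures in the issue summary.
SAMPLE_BEFORE='17 vulnerabilities found - Packages audited: 1278
Severity: 12 High | 5 Critical'
SAMPLE_AFTER='0 vulnerabilities found - Packages audited: 1040'

audit_gate "$SAMPLE_BEFORE" || echo "before: CI would block"
audit_gate "$SAMPLE_AFTER" && echo "after: CI would pass"
```

The parser keys on the label word rather than on position, so a summary that also lists Low or Moderate counts (yarn prints whichever severities are present) is handled the same way; an "after" summary with no Severity line yields 0 for every label.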
Comment | File | Size | Author |
---|---|---|---|
#18 | yarn-3278163-15-9.2.x.patch | 94.43 KB | xjm |
#18 | yarn-3278163-15-9.3.x.patch | 169.91 KB | xjm |
#18 | yarn-3278163-15-9.4.x.patch | 91.22 KB | xjm |
#18 | yarn-3278163-15-9.5.x.patch | 91.22 KB | xjm |
#16 | cke-build-diff.txt | 7.85 KB | lauriii |
Comments
Comment #2
xjm: Postponing for now.
Comment #3
lauriii: #3266912: Review version constraints for production yarn dependencies is in.
Comment #4
nod_: do we really need 9.2 as well?
Comment #5
nod_: All that's left in the 9.x branch is the nightwatch update which leaves the 11 high severity issues.
Comment #6
nod_
Comment #7
lauriii: I think we need 9.2.x too since it's supported until June.
Comment #8
nod_
Comment #9
xjm: Is there a reason we are not just doing yarn upgrade; yarn vendor-upgrade? The whole point of #3266912: Review version constraints for production yarn dependencies is to be able to use yarn upgrade safely when there is a security release. Doing a full yarn upgrade gets rid of all the vulnerabilities for me on most of the branches.
Comment #10
xjm: NW for #9; @lauriii also agreed we can do the full upgrade.
Comment #11
xjm: Steps for patches:
10.0.x
Before
After
0 vulnerabilities found - Packages audited: 1040
9.5.x
Before
After
9.4.x
Before
After
0 vulnerabilities found - Packages audited: 1139
9.3.x
Before
After
9.2.x
Before
After
Comment #12
lauriii: It looks like for 9.4.x we could still update shepherd.js, sortablejs, and tabbable which have new minor updates. Should we do this for beta or next alpha, or should we try to update these for the alpha1? This is unrelated to this issue but noticed as I was reviewing this.
Comment #13
xjm: @lauriii Good find. I would file separate issues for those. If they happen to land within the next 24h or so we can include them in alpha1; otherwise, we can update them between alpha1 and beta1.
Comment #14
lauriii: Filed a follow-up which we could work on after this has been committed: #3278786: Update production JavaScript dependencies to latest minors.
The steps in #11 are missing a step to run yarn build to ensure that any changes in the build tooling are reflected in the build files. At least some of the branches have changes as a result of these changes.
Comment #15
xjm: Not sure what happened to my comment... new steps:
Here's the 10.0.x patch; others forthcoming.
Comment #16
lauriii: Went through the changes to the build files and all looks fine. Didn't research what was triggering the changes. Posted diff in case someone else is curious and has time to do that.
Comment #18
xjm
Comment #19
xjm: Looks like we're going to have to do some more de-Britifying here.... will be a followup.
Comment #20
lauriii: I went through all of the patches and verified that patches were created correctly with the following steps:
Except for 9.2.x I didn't run yarn vendor-update since it's a new command in 9.3.x.
Comment #22
nod_: ah sorry didn't make the connection between the 2 issues, went in that issue with my brain off :)
Thanks for picking that up
Comment #23
alexpott: Committed da0e89b and pushed to 10.0.x. Thanks!
Committed c0bad15 and pushed to 9.5.x. Thanks!
Committed ccd1565 and pushed to 9.4.x. Thanks!
Re the 9.3.x and 9.2.x builds I'm confused as to why 9.2.x is changing CSS and removing -moz-appearance but 9.3.x is not? It feels right that we're not changing CSS in 9.3.x and wrong that we are in 9.2.x.
Comment #27
lauriii: That should have happened in #3262573: Update our yarn dev dependencies to the extent allowed by current constraints for 9.2.x too but I'm not sure why it didn't happen 🤔 Maybe the updates for different branches were made at different time or with different commands that led into small differences between the branches?
Comment #28
alexpott: Ah I see somehow 9.3.x got ahead of everyone else in #3262573: Update our yarn dev dependencies to the extent allowed by current constraints - funky.
Committed 46277de and pushed to 9.3.x. Thanks!
Committed 7f65d32 and pushed to 9.2.x. Thanks!
Comment #31
Wim Leers: Thanks for #16, I was very surprised that CKEditor 5 files had changed, but #16 put my mind at ease 👍🙏
Comment #32
lauriii: The file in #16 was generated with the tooling and instructions created in #3233491: Create process for reviewing changes in 3rd party JavaScript dependencies by @hooroomoo ☺️