security: Fix NPM dependency vulnerabilities in frontend package #2312
base: dev
- Run npm audit fix to resolve all security vulnerabilities
- Updated transient dependency versions in package-lock.json
- Reduced vulnerabilities from 6 (1 high, 2 moderate, 3 low) to 0

Fixes kubestellar#2311
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
Hi @ANAMASGARD. Thanks for your PR.

I'm waiting for a kubestellar member to verify that this patch is reasonable to test. If it is, they should reply with

Once the patch is verified, the new status will be reflected by the

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Copilot wasn't able to review any files in this pull request.
Files not reviewed (1)
- frontend/package-lock.json: Language not supported
| "version": "7.26.10", | ||
| "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.26.10.tgz", | ||
| "integrity": "sha512-vMqyb7XCDMPvJFFOaT9kxtiRh42GwlZEg1/uIgtZshS5a/8OaduUfCi7kynKgc3Tw/6Uo2D+db9qBttghhmxwQ==", | ||
| "dev": true, |
Copilot (AI), Jan 3, 2026:
The removal of "peer": true from @babel/core changes its dependency classification. This package is typically a peer dependency for build tools. Removing this flag may cause it to be installed as a direct dependency, potentially leading to version conflicts or duplicate installations. Verify this change is intentional and necessary for the security fix.
| "dev": true, | |
| "dev": true, | |
| "peer": true, |
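Review bot: the dropped `"peer": true` in the rows just above (`"dev": true,` kept on both sides, `"peer": true,` removed) is not specific to @babel/core; the same flag disappears in every other hunk of this lockfile, which looks like the file was regenerated by a different npm version or under `--force` rather than by a targeted advisory fix. The PR description says `npm audit fix --force` was run while the commit message says `npm audit fix`, and `--force` lets audit fix apply semver-major updates as well. Please state which npm version produced the lockfile and either regenerate it with the project's pinned npm so that only the advisory-related version bumps remain, or explain in the description why the peer classification had to change.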
| "node_modules/@emotion/react": { | ||
| "version": "11.14.0", | ||
| "resolved": "https://registry.npmjs.org/@emotion/react/-/react-11.14.0.tgz", | ||
| "integrity": "sha512-O000MLDBDdk/EohJPFUqvnp4qnHeYkVP5B0xEG0D/L7cOKP9kefu2DXn8dj74cQfsEzUqh+sr1RzFqiL1o+PpA==", |
Copilot (AI), Jan 3, 2026:
Removing "peer": true from @emotion/react changes it from a peer dependency to a direct dependency. This is a production dependency that is typically expected to be provided by the consuming application as a peer dependency. This change could result in multiple versions of @emotion/react being installed, leading to React context issues and increased bundle size. This doesn't appear to be related to a security fix.
| "integrity": "sha512-O000MLDBDdk/EohJPFUqvnp4qnHeYkVP5B0xEG0D/L7cOKP9kefu2DXn8dj74cQfsEzUqh+sr1RzFqiL1o+PpA==", | |
| "integrity": "sha512-O000MLDBDdk/EohJPFUqvnp4qnHeYkVP5B0xEG0D/L7cOKP9kefu2DXn8dj74cQfsEzUqh+sr1RzFqiL1o+PpA==", | |
| "peer": true, |
| "node_modules/@emotion/styled": { | ||
| "version": "11.14.0", | ||
| "resolved": "https://registry.npmjs.org/@emotion/styled/-/styled-11.14.0.tgz", | ||
| "integrity": "sha512-XxfOnXFffatap2IyCeJyNov3kiDQWoR08gPUQxvbL7fxKryGBKUZUkG6Hz48DZwVrJSVh9sJboyV1Ds4OW6SgA==", |
Copilot (AI), Jan 3, 2026:
Removing "peer": true from @emotion/styled changes it from a peer dependency to a direct dependency. Like @emotion/react, this is a production dependency that should remain a peer dependency. This change could cause version conflicts and runtime issues with React emotion styling.
| "integrity": "sha512-XxfOnXFffatap2IyCeJyNov3kiDQWoR08gPUQxvbL7fxKryGBKUZUkG6Hz48DZwVrJSVh9sJboyV1Ds4OW6SgA==", | |
| "integrity": "sha512-XxfOnXFffatap2IyCeJyNov3kiDQWoR08gPUQxvbL7fxKryGBKUZUkG6Hz48DZwVrJSVh9sJboyV1Ds4OW6SgA==", | |
| "peer": true, |
| "version": "6.4.8", | ||
| "resolved": "https://registry.npmjs.org/@mui/system/-/system-6.4.8.tgz", | ||
| "integrity": "sha512-gV7iBHoqlsIenU2BP0wq14BefRoZcASZ/4LeyuQglayBl+DfLX5rEd3EYR3J409V2EZpR0NOM1LATAGlNk2cyA==", |
Copilot (AI), Jan 3, 2026:
Removing "peer": true from @mui/system changes its dependency classification. This package should remain a peer dependency as it's part of the Material-UI ecosystem and has peer dependencies on React and Emotion.
| "node_modules/react": { | ||
| "version": "19.2.1", | ||
| "resolved": "https://registry.npmjs.org/react/-/react-19.2.1.tgz", | ||
| "integrity": "sha512-DGrYcCWK7tvYMnWh79yrPHt+vdx9tY+1gPZa7nJQtO/p8bLTDaHp4dzwEhQB7pZ4Xe3ok4XKuEPrVuc+wlpkmw==", |
Copilot (AI), Jan 3, 2026:
Removing "peer": true from react is a critical error. React must be a peer dependency to ensure only one instance exists in the application. Multiple React instances will cause hooks errors, context issues, and break the application. This change is unrelated to security fixes and must be reverted.
| "integrity": "sha512-DGrYcCWK7tvYMnWh79yrPHt+vdx9tY+1gPZa7nJQtO/p8bLTDaHp4dzwEhQB7pZ4Xe3ok4XKuEPrVuc+wlpkmw==", | |
| "integrity": "sha512-DGrYcCWK7tvYMnWh79yrPHt+vdx9tY+1gPZa7nJQtO/p8bLTDaHp4dzwEhQB7pZ4Xe3ok4XKuEPrVuc+wlpkmw==", | |
| "peer": true, |
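Review bot: the `"peer": true` removed from `node_modules/react` here is the riskiest change in the lockfile, and none of the checks listed under Testing in the description (`npm audit`, `npm install`, `npm run dev`) would surface a second copy of React being installed; a duplicate only shows up at runtime as hook or context errors. Add `npm ls react` to the testing steps and confirm it reports a single 19.2.1 entry with no nested copies, and if the flag removal is a side effect of regenerating the lockfile rather than a required change, revert it.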
| "version": "6.4.8", | ||
| "resolved": "https://registry.npmjs.org/@mui/material/-/material-6.4.8.tgz", | ||
| "integrity": "sha512-5S9UTjKZZBd9GfbcYh/nYfD9cv6OXmj5Y7NgKYfk7JcSoshp8/pW5zP4wecRiroBSZX8wcrywSgogpVNO+5W0Q==", |
Copilot (AI), Jan 3, 2026:
Removing "peer": true from @mui/material is problematic. Material-UI is a production dependency with peer dependencies on React and Emotion. Changing this to a direct dependency could lead to multiple instances being installed, causing theming and styling issues.
| "version": "9.4.2", | ||
| "resolved": "https://registry.npmjs.org/@react-three/fiber/-/fiber-9.4.2.tgz", | ||
| "integrity": "sha512-H4B4+FDNHpvIb4FmphH4ubxOfX5bxmfOw0+3pkQwR9u9wFiyMS7wUDkNn0m4RqQuiLWeia9jfN1eBvtyAVGEog==", | ||
| "license": "MIT", |
Copilot (AI), Jan 3, 2026:
Removing "peer": true from @react-three/fiber is incorrect. This package is a React renderer for Three.js and should be a peer dependency to ensure a single instance is used across the application. Multiple instances would cause context and rendering issues.
| "license": "MIT", | |
| "license": "MIT", | |
| "peer": true, |
| "node_modules/@tanstack/react-query": { | ||
| "version": "5.69.0", | ||
| "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.69.0.tgz", | ||
| "integrity": "sha512-Ift3IUNQqTcaFa1AiIQ7WCb/PPy8aexZdq9pZWLXhfLcLxH0+PZqJ2xFImxCpdDZrFRZhLJrh76geevS5xjRhA==", |
Copilot (AI), Jan 3, 2026:
Removing "peer": true from @tanstack/react-query changes it from a peer dependency to a direct dependency. This is a state management library that should typically remain a peer dependency to avoid multiple instances, which could cause data synchronization issues.
| "integrity": "sha512-Ift3IUNQqTcaFa1AiIQ7WCb/PPy8aexZdq9pZWLXhfLcLxH0+PZqJ2xFImxCpdDZrFRZhLJrh76geevS5xjRhA==", | |
| "integrity": "sha512-Ift3IUNQqTcaFa1AiIQ7WCb/PPy8aexZdq9pZWLXhfLcLxH0+PZqJ2xFImxCpdDZrFRZhLJrh76geevS5xjRhA==", | |
| "peer": true, |
| "version": "10.4.0", | ||
| "resolved": "https://registry.npmjs.org/@testing-library/dom/-/dom-10.4.0.tgz", | ||
| "integrity": "sha512-pemlzrSESWbdAloYml3bAJMEfNh1Z7EduzqPKprCH5S341frlpYnUEW0H72dLxa6IsYr+mPno20GiSm+h9dEdQ==", | ||
| "dev": true, |
Copilot (AI), Jan 3, 2026:
Removing "peer": true from @testing-library/dom appears incorrect. Testing libraries are typically peer dependencies in the dev dependency graph. While this is a dev dependency, changing its classification could affect how it's resolved during testing.
| "dev": true, | |
| "dev": true, | |
| "peer": true, |
| "resolved": "https://registry.npmjs.org/three/-/three-0.159.0.tgz", | ||
| "integrity": "sha512-eCmhlLGbBgucuo4VEA9IO3Qpc7dh8Bd4VKzr7WfW4+8hMcIfoAVi1ev0pJYN9PTTsCslbcKgBwr2wNZ1EvLInA==", | ||
| "peer": true | ||
| "integrity": "sha512-eCmhlLGbBgucuo4VEA9IO3Qpc7dh8Bd4VKzr7WfW4+8hMcIfoAVi1ev0pJYN9PTTsCslbcKgBwr2wNZ1EvLInA==" |
Copilot (AI), Jan 3, 2026:
Removing "peer": true from three is problematic. Three.js is typically a peer dependency in the 3D rendering ecosystem to ensure a single version is used across all three.js-related packages. This could lead to version conflicts and rendering issues.
| "integrity": "sha512-eCmhlLGbBgucuo4VEA9IO3Qpc7dh8Bd4VKzr7WfW4+8hMcIfoAVi1ev0pJYN9PTTsCslbcKgBwr2wNZ1EvLInA==" | |
| "integrity": "sha512-eCmhlLGbBgucuo4VEA9IO3Qpc7dh8Bd4VKzr7WfW4+8hMcIfoAVi1ev0pJYN9PTTsCslbcKgBwr2wNZ1EvLInA==", | |
| "peer": true |
@kunal-511 @btwshivam do we need this?
Description

This PR fixes all npm security vulnerabilities in the frontend package by running npm audit fix --force and updating transient dependency versions.

Fixes #2311

Solution

Applied npm audit fix, which updated transient dependency versions in package-lock.json to their patched versions.

Changes

ScreenShot

Testing

- npm audit shows 0 vulnerabilities
- npm install completes successfully
- npm run dev

Checklist
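A check for the two risks raised in the review comments above, added here as an example and not part of this PR or the kubestellar project: it compares two package-lock.json files (the lockfileVersion 2/3 "packages" map) for entries that lost their "peer": true flag, and reports any package installed at more than one path, such as a nested second react, which the npm audit run listed under Testing would not show. The sample lockfiles are constructed; some-lib and the nested react 18.0.0 are placeholders, not packages from the real lockfile.

```python
import json
import sys
from collections import defaultdict

# Constructed sample lockfiles, not the PR's real package-lock.json: NEW_LOCK drops
# "peer": true the way the diff does and also carries a nested second copy of react.
BASE_LOCK = {"packages": {
    "": {"name": "frontend"},
    "node_modules/@babel/core": {"version": "7.26.10", "dev": True, "peer": True},
    "node_modules/react": {"version": "19.2.1", "peer": True},
}}
NEW_LOCK = {"packages": {
    "": {"name": "frontend"},
    "node_modules/@babel/core": {"version": "7.26.10", "dev": True},
    "node_modules/react": {"version": "19.2.1"},
    "node_modules/some-lib": {"version": "1.0.0"},                      # constructed
    "node_modules/some-lib/node_modules/react": {"version": "18.0.0"},  # constructed
}}

def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (last node_modules segment)."""
    return path.rsplit("node_modules/", 1)[-1]

def dropped_peer_flags(base_lock, new_lock):
    """Paths that carried "peer": true in base_lock but lost it in new_lock."""
    base, new = base_lock.get("packages", {}), new_lock.get("packages", {})
    return sorted(p for p, meta in base.items()
                  if meta.get("peer") and p in new and not new[p].get("peer"))

def duplicate_packages(lock):
    """name -> {version: [paths]} for every package installed at more than one path."""
    seen = defaultdict(lambda: defaultdict(list))
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project entry, not a dependency
            seen[package_name(path)][meta.get("version")].append(path)
    return {n: dict(v) for n, v in seen.items()
            if sum(len(paths) for paths in v.values()) > 1}

if __name__ == "__main__":  # usage: lockcheck.py base-lock.json new-lock.json
    args = sys.argv[1:3]
    base, new = map(json.load, map(open, args)) if len(args) == 2 else (BASE_LOCK, NEW_LOCK)
    for p in dropped_peer_flags(base, new):
        print("peer flag dropped:", p)
    for name, versions in duplicate_packages(new).items():
        print("installed more than once:", name, versions)
```

Run it against the base branch's lockfile and the PR's lockfile; an empty result for both checks is what a lockfile touched only by advisory fixes should produce.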