apache
chore(hail mary): Update package-lock.json via npm-audit-fix
SUMMARY
Just thought this was worth a shot to see if it can pass CI. This removes our dependency warnings from: (37 moderate, 33 high, 14 critical) to (31 moderate, 28 high, 1 critical)
BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
TESTING INSTRUCTIONS
Good luck, CI.
ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in SIP-59)
- [ ] Migration is atomic, supports rollback & is backwards-compatible
- [ ] Confirm DB migration upgrade and downgrade tested
- [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
Codecov Report
Attention: 4 lines in your changes are missing coverage. Please review.
Comparison is base (
753ef69) 67.16% compared to head (2e681c8) 67.18%. Report is 5 commits behind head on master.
| Files | Patch % | Lines |
|---|---|---|
| ...ns/plugin-chart-word-cloud/src/chart/WordCloud.tsx | 0.00% | 4 Missing :warning: |
Additional details and impacted files
@@ Coverage Diff @@
## master #26693 +/- ##
==========================================
+ Coverage 67.16% 67.18% +0.01%
==========================================
Files 1902 1902
Lines 74454 74528 +74
Branches 8304 8327 +23
==========================================
+ Hits 50009 50070 +61
- Misses 22391 22397 +6
- Partials 2054 2061 +7
| Flag | Coverage Δ | |
|---|---|---|
| javascript | 56.90% <55.55%> (+0.04%) |
:arrow_up: |
Flags with carried forward coverage won't be shown. Click here to find out more.
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}
It seems this is mostly blocked by typescript problems... this might be fixable, which would be fantastic from a security perspective.
Rekindling this effort, now that storybook is in. This will probably break a whole slew of things, but I'll try to patch what I spot...
Here's the good news, if we can pull this off:
@mistercrunch @michael-s-molina this finally passed CI! With this, vm2 is the only critical dependency, but removing it is a breaking change (killing JS tooltips) so we'll have to punt that to 5.0.
This will need testing, so I'm spinning up a test environment. I'm most worried about things that use Airbnb dependencies (data-ui, visx, vx) since those are not well maintained, and their use is not well tested. Legacy charts that use them may be quietly broken by this PR. Let me know if you want to join in on the testing effort, and we can coordinate a bit.
Now I'm curious to pull this branch and run npm audit, this is great progress! Now if we can fix https://github.com/apache/superset/pull/26944 on the Python side we'll be golden
Tempting as it is, I won't click merge yet... I strongly suspect this PR breaks some charts, and they won't be easily fixable without some pretty deep rewrites... particularly the histogram.
If we're willing to kill off some charts that have no replacement due to package vulnerabilities, we can take that route, but it sure seems like it'd need official consensus, and that ship has sailed for 4.0.
If we're willing to kill off some charts that have no replacement due to package vulnerabilities, we can take that route, but it sure seems like it'd need official consensus, and that ship has sailed for 4.0.
Yep, that would have been a great 4.0 proposal 😢 I do think we should do that in 5.0 though given the security implications.
Impacted things to test:
- Sparkline cell (Timeseries Table)
- Histogram
- ...and more?
Results:
Histogram seems to work (even if it is giving me the finger)
Sparkline seems to work, too!
I think the data-ui problem I was thinking of was part of the React 17 upgrade effort, and this PR doesn't break it. I'll merge this if/when CI passes.