
outdated embedded copies of JavaScript/CSS dependencies

Open pabs3 opened this issue 5 years ago • 11 comments

The files in the flower/static/js/ and flower/static/css/ directories contain outdated embedded copies of JavaScript/CSS dependencies.

Some of these have had a number of security issues in the past and some of those apply to the embedded copies. For example the jQuery security issues:

https://github.com/jquery/jquery/security/advisories
https://security-tracker.debian.org/tracker/source-package/jquery

It would be good if the embedded copies of dependencies could be removed from the repository and then they could be installed using npm/yarn/bower/etc in a similar way to how pip is used to install the Python dependencies of flower. This would ensure everyone gets the latest versions of these dependencies with all the relevant security/etc bug fixes when they set up flower.

pabs3 avatar Mar 11 '21 09:03 pabs3
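One way to make the drift described in the post above measurable, as an added example that is not Flower's own code: walk a vendored static directory, read the library name and version out of each file's banner comment, and flag copies below a floor you pin. The banner regex, the file contents in `SAMPLE_FILES` and the versions in `MINIMUMS` are constructed for this example and are not taken from the Flower repository; set the floors from the advisories you actually track.

```python
"""Audit vendored JavaScript/CSS copies for version drift (added example)."""
import re
from pathlib import Path

# Library banners usually open a file with something like
#   /*! jQuery v3.6.0 | (c) OpenJS Foundation ... */
#   /*! Bootstrap v5.0.2 (https://getbootstrap.com/) ... */
# The pattern below is an assumption about that banner format; a library
# that ships without a banner is simply not detected and should be listed
# by hand.
BANNER_RE = re.compile(
    r"\b(jquery|bootstrap|dayjs)\s+v?(\d+(?:\.\d+)+)", re.IGNORECASE
)

# Minimum versions your policy accepts. These numbers are placeholders for
# the example, not a statement about which versions are vulnerable.
MINIMUMS = {"jquery": "3.5.0", "bootstrap": "4.0.0"}

# Constructed sample of what a vendored static/ tree might contain.
SAMPLE_FILES = {
    "static/js/jquery.min.js": "/*! jQuery v1.8.2 jquery.com | jquery.org/license */ ...",
    "static/js/bootstrap.min.js": "/*!\n * Bootstrap v2.1.1\n * Copyright ...\n */",
    "static/js/dayjs.min.js": "/*! dayjs v1.11.7 | MIT */",
    "static/js/app.js": "// project code, no banner",
}


def parse_version(text):
    """'3.10.2' -> (3, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def detect_library(content):
    """Return (name, version) from the banner comment, or None if there is no banner."""
    match = BANNER_RE.search(content[:4096])  # banners sit at the top; skip the bulk
    if match is None:
        return None
    return match.group(1).lower(), match.group(2)


def audit_files(files, minimums):
    """files maps path -> content. Returns (path, name, version, floor, outdated) per hit."""
    findings = []
    for path, content in sorted(files.items()):
        hit = detect_library(content)
        if hit is None:
            continue
        name, version = hit
        floor = minimums.get(name)
        outdated = floor is not None and parse_version(version) < parse_version(floor)
        findings.append((path, name, version, floor, outdated))
    return findings


def audit_dir(root, minimums=MINIMUMS):
    """Run the same audit over real files under root (e.g. a project's static/ dir)."""
    root = Path(root)
    files = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in {".js", ".css"}:
            files[str(path.relative_to(root))] = path.read_text(
                encoding="utf-8", errors="replace"
            )
    return audit_files(files, minimums)


def outdated_paths(findings):
    """Paths whose vendored copy is below the pinned floor."""
    return [f[0] for f in findings if f[4]]


if __name__ == "__main__":
    for path, name, version, floor, outdated in audit_files(SAMPLE_FILES, MINIMUMS):
        status = "OUTDATED" if outdated else "ok"
        print(f"{status:8} {path}: {name} {version} (minimum {floor})")
```

Running `audit_dir("flower/static")` against a checkout would give the same kind of report for the real tree; a non-empty `outdated_paths()` result is the condition a CI job would fail on, which is the part that goes away once the copies are installed from a package manager instead of being embedded.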

Related reports are #196 and #199.

pabs3 avatar Mar 17 '21 07:03 pabs3

Feel free to open a pull request to update the dependencies

mher avatar Mar 18 '21 00:03 mher

What about the idea to install them using npm/yarn/bower etc?

-- bye, pabs

https://bonedaddy.net/pabs3/

pabs3 avatar Mar 18 '21 01:03 pabs3

Sounds good but it may require updating bootstrap version

mher avatar Mar 18 '21 01:03 mher

Hi @mher , is there any plan / timeline to update the dependencies?

cuyu avatar Jul 07 '21 04:07 cuyu

I'm new to the Flower project, but our team uses it extensively. We also have issues with the old versions in Nexus IQ, which causes our build pipeline to fail.

Therefore I will create a PR where the js dependencies are installed with npm and upgrade all packages where possible.

johanvergeer avatar Nov 11 '21 15:11 johanvergeer

I'm working on it, but it is more work than I expected to update the packages.

Some of them are really ancient and can't even be pulled in through npm.

So what I've done so far:

  • Use npm as a package manager
  • Use Parcel.js as a bundler
  • Upgrade Bootstrap to v5.0 (This will also remove a lot of separate Bootstrap packages)
  • Replaced moment.js (which is no longer maintained) with dayjs.
  • Use es6 syntax instead of jQuery where changes are needed.

It does look like the upgrade from Bootstrap 2 to Bootstrap 5 will make some changes to the UI, but for now I would like to focus on making it work.

@mher It would be nice when we could have a look at this, because I don't want to do anything that is not in line with your plans. Could we have a call to talk about this?

johanvergeer avatar Nov 16 '21 09:11 johanvergeer

Status update:

Still working on it. I'm currently working on the "Broker" page and it's starting to come together nicely.

The "Dashboard" page is ready (if you guys agree with the styling)

[screenshot]

For the "Broker" page I have finished these tabs:

[screenshots]

All the rest is not too hard, so I should be able to finish all of it somewhere next week. 😄

@mher could you let me know what you think of the (Bootstrap 5) styling?

johanvergeer avatar Nov 21 '21 20:11 johanvergeer

@johanvergeer thanks for your work on this. It would be great if you could publish your fork of flower and link to the draft branch that holds the work you have completed, so that @mher and other interested folks can look at the code changes that you have made.

-- bye, pabs

https://bonedaddy.net/pabs3/

pabs3 avatar Nov 21 '21 23:11 pabs3

Here is the branch with my work so far. I'll keep pushing until it is ready enough to create a PR. https://github.com/johanvergeer/flower/tree/frontend-upgrade

I have also created a draft pull request #1165, so please let me know if you already have some comments.

johanvergeer avatar Nov 22 '21 17:11 johanvergeer

@pabs3 @mher (and others) The PR #1165 is finally ready for review 😄 I'm looking forward to your comments.

johanvergeer avatar Nov 28 '21 17:11 johanvergeer

It's been a year and this security issue is still present. I'm being told I'll have to disable this service until it is resolved, as other posters have. This JS stuff is not my wheelhouse, otherwise I'd offer to assist, but @johanvergeer seems to have done a ton of work already. Any update on merging his PR?

rredburn avatar Nov 21 '22 14:11 rredburn

To be honest, I have given up on this issue since there is almost no response or feedback.

johanvergeer avatar Nov 21 '22 17:11 johanvergeer

Fixed by https://github.com/mher/flower/pull/1280

mher avatar May 12 '23 17:05 mher

@mher Please reopen this issue, #1280 updated the embedded code copies but did not remove them, which means they will get outdated again.

The right way to deal with this would be something more like #1165, which made flower depend on its dependencies, instead of embedding them.

pabs3 avatar May 12 '23 23:05 pabs3