outdated embedded copies of JavaScript/CSS dependencies
The files in the flower/static/js/ and flower/static/css/ directories contain outdated embedded copies of JavaScript/CSS dependencies.
Some of these have had a number of security issues in the past and some of those apply to the embedded copies. For example, the jQuery security issues:
https://github.com/jquery/jquery/security/advisories
https://security-tracker.debian.org/tracker/source-package/jquery
It would be good if the embedded copies of dependencies could be removed from the repository and then they could be installed using npm/yarn/bower/etc in a similar way to how pip is used to install the Python dependencies of flower. This would ensure everyone gets the latest versions of these dependencies with all the relevant security/etc bug fixes when they set up flower.
Related reports are #196 and #199.
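As an added example (not code from the flower project or from anyone in this thread), here is a small Python check a maintainer could run in CI to catch the situation the issue describes: it walks a static-assets directory, recognises vendored library builds by the banner comment at the top of the file, and flags copies that are below a chosen minimum version or that come from a library the project has decided not to ship at all. The banner regexes, the directory layout, and the minimum versions are assumptions made for this example; the sample files it scans are constructed in a temporary directory.

```python
"""Flag outdated or unmaintained vendored JS/CSS copies under a static dir.

Added example; not part of flower.  Banner patterns and the version policy
are assumptions for illustration, and the sample files are constructed.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Header comments that common distributed builds place at the top of the
# file (assumed; adjust if a library changes its banner format).
BANNER_PATTERNS = [
    ("jquery", re.compile(r"jQuery(?: JavaScript Library)? v(\d+(?:\.\d+)+)")),
    ("bootstrap", re.compile(r"Bootstrap v(\d+(?:\.\d+)+)")),
    ("moment", re.compile(r"moment\.js[\s\S]{0,80}?version\s*:\s*(\d+(?:\.\d+)+)")),
]

# Example policy: the oldest version of each library the project is willing
# to ship.  None means "do not embed this library at all".  The numbers are
# constructed placeholders, not values taken from any advisory.
MIN_VERSIONS: Dict[str, Optional[Version]] = {
    "jquery": (3, 5, 0),
    "bootstrap": (5, 0, 0),
    "moment": None,
}


def parse_version(text: str) -> Version:
    """'1.7.2' -> (1, 7, 2).  Tuple comparison orders plain numeric
    releases correctly; pre-release tags are deliberately not handled."""
    return tuple(int(part) for part in text.split("."))


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def detect_library(source: str) -> Optional[Tuple[str, Version]]:
    """Return (library, version) if the head of the file carries a known
    banner, else None.  Only the first 2 KiB is inspected: minified builds
    keep their banner but are otherwise one very long line."""
    head = source[:2048]
    for name, pattern in BANNER_PATTERNS:
        match = pattern.search(head)
        if match:
            return name, parse_version(match.group(1))
    return None


def scan_static_dir(root: Path, policy: Dict[str, Optional[Version]]) -> List[Dict[str, str]]:
    """Walk root for .js/.css files and report embedded libraries that the
    policy forbids or that fall below the policy minimum."""
    findings: List[Dict[str, str]] = []
    for path in sorted(root.rglob("*")):
        if path.suffix not in {".js", ".css"} or not path.is_file():
            continue
        detected = detect_library(path.read_text(encoding="utf-8", errors="replace"))
        if detected is None or detected[0] not in policy:
            continue  # project code, or a library the policy does not cover
        name, version = detected
        minimum = policy[name]
        if minimum is None:
            reason = "library is not allowed to be embedded; remove the copy"
        elif version < minimum:
            reason = f"version {fmt(version)} is below minimum {fmt(minimum)}"
        else:
            continue
        findings.append({"file": path.relative_to(root).as_posix(),
                         "library": name, "reason": reason})
    return findings


def build_sample_tree(root: Path) -> None:
    """Write constructed files that imitate vendored builds (sample data)."""
    (root / "js").mkdir(parents=True)
    (root / "css").mkdir()
    (root / "js" / "jquery.min.js").write_text(
        "/*! jQuery v1.7.2 jquery.com | jquery.org/license */\n!function(a,b){}(window);\n")
    (root / "js" / "bootstrap.min.js").write_text(
        "/*!\n * Bootstrap v5.3.0 (https://getbootstrap.com/)\n */\n")
    (root / "js" / "moment.min.js").write_text(
        "//! moment.js\n//! version : 2.29.1\n//! license : MIT\n")
    (root / "js" / "app.js").write_text(
        "// the project's own code (constructed): nothing to flag\nconsole.log('ok');\n")
    (root / "css" / "bootstrap.min.css").write_text("/*!\n * Bootstrap v2.0.4\n */\n")


def run_demo() -> List[Dict[str, str]]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "static"
        build_sample_tree(root)
        return scan_static_dir(root, MIN_VERSIONS)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['file']}: {finding['library']}: {finding['reason']}")
```

Run against a real checkout, `scan_static_dir(Path("flower/static"), MIN_VERSIONS)` would be the CI step, with a non-empty result failing the build; the point is that once the copies are installed through a package manager instead of being committed, this check has nothing left to find.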
Feel free to open a pull request to update the dependencies
What about the idea to install them using npm/yarn/bower etc?
-- bye, pabs
https://bonedaddy.net/pabs3/
Sounds good but it may require updating bootstrap version
Hi @mher , is there any plan / timeline to update the dependencies?
I'm new to the Flower project, but our team uses it extensively. We also have issues with the old versions in Nexus IQ, which causes our build pipeline to fail.
Therefore I will create a PR where the js dependencies are installed with npm and upgrade all packages where possible.
I'm working on it, but it is more work than I expected to update the packages.
Some of them are really ancient and can't even be pulled in through npm.
So what I've done so far:
- Use npm as a package manager
- Use Parcel.js as a bundler
- Upgrade Bootstrap to v5.0 (This will also remove a lot of separate Bootstrap packages)
- Replaced moment.js (which is no longer maintained) with dayjs.
- Use es6 syntax instead of jQuery where changes are needed.
It does look like the upgrade from Bootstrap 2 to Bootstrap 5 will make some changes to the UI, but for now I would like to focus on making it work.
@mher It would be nice when we could have a look at this, because I don't want to do anything that is not in line with your plans. Could we have a call to talk about this?
Status update:
Still working on it. I'm currently working on the "Broker" page and it's starting to come together nicely.
The "Dashboard" page is ready (if you guys agree with the styling)
For the "Broker" page I have finished these tabs:
All the rest is not too hard, so I should be able to finish all of it somewhere next week. 😄
@mher could you let me know what you think of the (Bootstrap 5) styling?
@johanvergeer thanks for your work on this. It would be great if you could publish your fork of flower and link to the draft branch containing the work you have completed, so that @mher and other interested folks can look at the code changes that you have made.
-- bye, pabs
https://bonedaddy.net/pabs3/
Here is the branch with my work so far. I'll keep pushing until it is ready enough to create a PR. https://github.com/johanvergeer/flower/tree/frontend-upgrade
I have also created a draft pull request #1165, so please let me know if you already have some comments.
@pabs3 @mher (and others) The PR #1165 is finally ready for review 😄 I'm looking forward to your comments.
It's been a year and this security issue is still present. I'm being told I'll have to disable this service until resolved as other posters have. This JS stuff is not my wheelhouse, otherwise I'd offer to assist, but @johanvergeer seems to have done a ton of work already. Any update on merging his PR?
To be honest, I have given up on this issue since there is almost no response or feedback.
Fixed by https://github.com/mher/flower/pull/1280
@mher Please reopen this issue, #1280 updated the embedded code copies but did not remove them, which means they will get outdated again.
The right way to deal with this would be something more like #1165, which made flower depend on its dependencies, instead of embedding them.