slievrly opened a new pull request, #7704:
URL: https://github.com/apache/incubator-seata/pull/7704
## Overview
This PR addresses frontend security vulnerabilities reported by GitHub
Dependabot by upgrading webpack from version 4 to version 5 and updating
related dependencies to their latest secure versions.
## Security Impact
### console-fe
- **Before**: 23 vulnerabilities (7 high, 11 moderate, 5 low)
- **After**: 5 vulnerabilities (0 high, 0 moderate, 5 low)
- **Result**: ✅ 100% of high and moderate vulnerabilities resolved
### saga-designer
- **Before**: 1 vulnerability (1 moderate)
- **After**: 0 vulnerabilities
- **Result**: ✅ 100% of all vulnerabilities resolved
## Key Vulnerabilities Fixed
1. **webpack-dev-server** (Moderate - GHSA-9jgg-88mc-972h, GHSA-4v9v-hfq4-rm2v)
   - Source code theft vulnerability when accessing malicious websites
   - Fixed by upgrading from 4.15.1 to 5.2.2
2. **serialize-javascript** (High - GHSA-h9rv-jmmf-4pgx, GHSA-hxcc-f52p-wc94)
   - Cross-Site Scripting (XSS) vulnerability
   - Insecure serialization leading to RCE
   - Fixed by replacing uglifyjs-webpack-plugin with built-in TerserPlugin
3. **braces** (High - GHSA-grv7-fg5c-xmjg)
   - Uncontrolled resource consumption (ReDoS)
   - Fixed via package override to version 3.0.3
4. **micromatch** (Moderate - GHSA-952p-6rrq-rcjv)
   - Regular Expression Denial of Service (ReDoS)
   - Fixed via package override to version 4.0.8
5. **nanoid** (Moderate - GHSA-mwcw-c2x4-8c55)
   - Predictable results in generation
   - Fixed via package override to version 3.3.8
6. **svelte/swiper** (Moderate - GHSA-8266-84wp-wv5c)
   - Potential mXSS vulnerability
   - Fixed via package override to version 6.5.9
## Changes Made
### Major Upgrade
- **webpack**: 4.47.0 → 5.102.1 (required for webpack-dev-server security fix)
### Dependency Updates (console-fe)
- **webpack-dev-server**: 4.15.1 → 5.2.2
- **html-webpack-plugin**: 4.5.2 → 5.6.3
- **copy-webpack-plugin**: 6.4.1 → 11.0.0
- **mini-css-extract-plugin**: 1.6.2 → 2.9.2
- **css-loader**: 5.2.7 → 6.11.0
- **sass-loader**: 10.5.2 → 13.3.3
- Replaced **uglifyjs-webpack-plugin** with built-in **TerserPlugin**
- Replaced **optimize-css-assets-webpack-plugin** with **css-minimizer-webpack-plugin**
### Package Overrides (console-fe)
Updated package.json overrides to enforce secure versions:
- **nanoid**: 3.1.31 → 3.3.8
- **swiper**: 6.5.1 → 6.5.9
- **node-fetch**: 2.6.7 → 2.7.0
- **braces**: → 3.0.3 (new)
- **micromatch**: → 4.0.8 (new)
- **serialize-javascript**: → 6.0.2 (new)
### Configuration Updates (console-fe)
- Updated `webpack.prod.conf.js` to use TerserPlugin and CssMinimizerPlugin
- Updated `webpack.base.conf.js` to use webpack 5 syntax (`resolve.fallback` instead of deprecated `node.fs`)
### Dependency Updates (saga-designer)
- **webpack-dev-server**: 4.13.2 → 5.2.2
## Testing
✅ **npm install** successful on both projects
✅ **npm run build** successful on both projects
✅ **npm audit** confirms vulnerability reduction
✅ Build output sizes within expected range
✅ Webpack 5 configuration properly migrated
## Remaining Issues
5 low severity vulnerabilities remain in console-fe, all related to
`@alicloud/console-components-console-menu` dependency:
- min-document (prototype pollution)
- global, dva-core, dva (dependent on min-document)
These vulnerabilities have **no fix available** and require the vendor
(@alicloud) to update their dependencies. Risk assessment: **LOW**.
## Breaking Changes
This PR includes a major version upgrade from webpack 4 to webpack 5. While
the build process has been tested and verified, it's recommended to:
- Test the built applications in development and staging environments
- Monitor for any runtime issues with the upgraded webpack
- Verify dev server functionality with `npm run start`
## References
- [GHSA-9jgg-88mc-972h](https://github.com/advisories/GHSA-9jgg-88mc-972h): webpack-dev-server source code theft
- [GHSA-4v9v-hfq4-rm2v](https://github.com/advisories/GHSA-4v9v-hfq4-rm2v): webpack-dev-server source code theft
- [GHSA-h9rv-jmmf-4pgx](https://github.com/advisories/GHSA-h9rv-jmmf-4pgx): XSS in serialize-javascript
- [GHSA-hxcc-f52p-wc94](https://github.com/advisories/GHSA-hxcc-f52p-wc94): RCE in serialize-javascript
- [GHSA-grv7-fg5c-xmjg](https://github.com/advisories/GHSA-grv7-fg5c-xmjg): ReDoS in braces
- [GHSA-952p-6rrq-rcjv](https://github.com/advisories/GHSA-952p-6rrq-rcjv): ReDoS in micromatch
https://github.com/slievrly/fescar/pull/7
--
This is an automated message from the Apache Git Service.
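As an added check (example code, not part of the PR or the Seata project), a small Node script that verifies a `package.json` against the override floors, devDependency versions and removed plugins the PR description lists; the `SAMPLE_BEFORE` manifest is constructed, not the project's real file.

```javascript
// Added example, not code from the PR: check a console-fe package.json against the
// override floors and devDependency versions the PR description lists.
// Plain "x.y.z" specs only; a leading ^ or ~ is tolerated and ignored.
const REQUIRED_OVERRIDES = {
  nanoid: "3.3.8", swiper: "6.5.9", "node-fetch": "2.7.0",
  braces: "3.0.3", micromatch: "4.0.8", "serialize-javascript": "6.0.2",
};
const REQUIRED_DEV = { webpack: "5.102.1", "webpack-dev-server": "5.2.2" };
// Packages the PR dropped in favour of TerserPlugin and css-minimizer-webpack-plugin.
const REMOVED = ["uglifyjs-webpack-plugin", "optimize-css-assets-webpack-plugin"];

function parseVersion(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Comparator result (<0, 0, >0); null if either spec is not a plain x.y.z version.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) return null;
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Returns finding strings; an empty array means the manifest meets every floor.
function checkManifest(pkg) {
  const findings = [];
  const check = (section, required) => {
    const present = pkg[section] || {};
    for (const [name, min] of Object.entries(required)) {
      const spec = present[name];
      const cmp = spec === undefined ? null : compareVersions(spec, min);
      if (cmp === null) findings.push(`${section}.${name}: missing or unparsable, need >= ${min}`);
      else if (cmp < 0) findings.push(`${section}.${name}: ${spec} is below ${min}`);
    }
  };
  check("overrides", REQUIRED_OVERRIDES);
  check("devDependencies", REQUIRED_DEV);
  for (const name of REMOVED) {
    if (name in (pkg.devDependencies || {}) || name in (pkg.dependencies || {}))
      findings.push(`${name}: still declared, the PR replaced it`);
  }
  return findings;
}

// Constructed sample resembling a pre-PR manifest (not the project's real file).
const SAMPLE_BEFORE = {
  devDependencies: { webpack: "^4.47.0", "webpack-dev-server": "^4.15.1", "uglifyjs-webpack-plugin": "*" },
  overrides: { nanoid: "3.1.31", swiper: "6.5.1", "node-fetch": "2.6.7" },
};
```

Run `checkManifest(JSON.parse(fs.readFileSync("package.json", "utf8")))` against a checkout; an override spec that is a range rather than a plain version is reported as unparsable rather than silently accepted.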