sardell opened a new pull request #1500: METRON-2243: [UI] Update npm dependencies to resolve audit warnings URL: https://github.com/apache/metron/pull/1500 ## Contributor Comments Link to ASF Jira ticket: https://issues.apache.org/jira/browse/METRON-2243 This PR updates a few direct dependencies and multiple nested dependencies in the Alerts and Management UIs due to vulnerabilities listed when running an `npm audit` report. I updated the dependencies using `npm audit fix`, which only updates to patch or minor versions of packages. In theory, this ensures we do not introduce breaking changes into the project. After using the command mentioned above, there is a single low severity vulnerability in a nested dependency for our unit test runner, Karma. You can read more about the vulnerability here: https://www.npmjs.com/advisories/786. Because of the low-risk nature of the issue, I chose not to bump this dependency to its next major version and risk the chance of introducing a breaking change. Whenever we update to Angular 8, this issue will be resolved (that version of Angular uses the next major version release of Karma). ## Testing Clone this branch and run `npm audit` in either of the UI application directories. The audit report should only show the low-level vulnerability mentioned above. Since this PR doesn't update anything but minor and patch releases of dependencies, there should be no changes in the appearance or behavior of either the Alerts or Management UI. Unit and e2e tests pass as expect, and a manual visual regression test will show no changes have been introduced into either UIs. ## Pull Request Checklist Thank you for submitting a contribution to Apache Metron. Please refer to our [Development Guidelines](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61332235) for the complete guide to follow for contributions. Please refer also to our [Build Verification Guidelines](https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds?show-miniview) for complete smoke testing guides. In order to streamline the review of the contribution we ask you follow these guidelines and ask you to double check the following: ### For all changes: - [ ] Is there a JIRA ticket associated with this PR? If not one needs to be created at [Metron Jira](https://issues.apache.org/jira/browse/METRON/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel). - [ ] Does your PR title start with METRON-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character. - [ ] Has your PR been rebased against the latest commit within the target branch (typically master)? ### For code changes: - [ ] Have you included steps to reproduce the behavior or problem that is being changed or addressed? - [ ] Have you included steps or a guide to how the change may be verified and tested manually? - [ ] Have you ensured that the full suite of tests and checks have been executed in the root metron folder via: ``` mvn -q clean integration-test install && dev-utilities/build-utils/verify_licenses.sh ``` - [ ] Have you written or updated unit tests and or integration tests to verify your changes? - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? - [ ] Have you verified the basic functionality of the build by building and running locally with Vagrant full-dev environment or the equivalent? ### For documentation related changes: - [ ] Have you ensured that format looks appropriate for the output in which it is rendered by building and verifying the site-book? If not then run the following commands and the verify changes via `site-book/target/site/index.html`: ``` cd site-book mvn site ``` - [ ] Have you ensured that any documentation diagrams have been updated, along with their source files, using [draw.io](https://www.draw.io/)? See [Metron Development Guidelines](https://cwiki.apache.org/confluence/display/METRON/Development+Guidelines) for instructions. #### Note: Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible. It is also recommended that [travis-ci](https://travis-ci.org) is set up for your personal repository such that your branches are built there before submitting a pull request.
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services