Deal with security issues identified by npm audit #958
Merged
This was referenced Jan 21, 2019
wincent added a commit that referenced this pull request Jan 21, 2019
After rebasing #958 I did one final `npm install` to ensure the package-lock.json was definitively up to date, resulting in this commit.
Given that I was able to merge #962, my prime suspicion now is that karma-sauce-launcher is at fault. So I just repushed a version of this that excludes that commit. We'll see if Travis likes it.
wincent added a commit that referenced this pull request Jan 21, 2019
After rebasing #958 I did one final `npm install` to ensure the package-lock.json was definitively up to date, resulting in this commit.
478c263 to e59bd63
wincent added a commit that referenced this pull request Jan 22, 2019
After rebasing #958 I did one final `npm install` to ensure the package-lock.json was definitively up to date, resulting in this commit.
`npm run test` still clean after this change. Tested that coverage report is correctly generated by cleaning the output folder (`rm -r coverage/*`) and then inspecting afterwards:

```
$ tree coverage
coverage
└── Chrome\ 71.0.3578\ (Mac\ OS\ X\ 10.13.6)
    ├── base.css
    ├── index.html
    ├── prettify.css
    ├── prettify.js
    ├── sort-arrow-sprite.png
    └── sorter.js

1 directory, 6 files
```

The coverage report is empty, but that is a separate problem: it is empty on the current HEAD of the 2.x-develop branch as well (78486e1), and I suspect we're likely to move away from Karma before getting to fix that issue.
Tracing all the way back to 5ac872e (in 2014) when this package was added, I can't find any actual use of it at any time.
It passed, so merging it.
wincent added a commit that referenced this pull request Feb 11, 2019
In this commit we are effectively replacing the previous contents of the master branch with the current contents of the 2.x-develop branch (as of b4dd238). Done using:

```
git checkout master
git merge --ff-only develop
git merge 2.x-develop
git rm -rf '*'
git checkout 2.x-develop -- .
```

Confirmed that the result matches "2.x-develop" exactly with `git diff --cached 2.x-develop`.

As explained in the related issue: the intention here is to streamline development by working on "master" from now on. From here on we'll have:

* `master`: active, used to prepare next 2.x release
* `stable`: stable, updates after every 2.x release
* `1.x`: effectively becomes a legacy branch that we only touch for maintenance fixes
* `1.x-stable`: most likely untouched unless we have to make maintenance fixes

Before this commit, output of `git branch -v` shows:

```
  2.x-develop b4dd238 Merge pull request #1085 from wincent/unused-imports
  develop     78f39eb Merge pull request #959 from liferay/issue/issue_956
* master      9b98134 Updates CHANGELOG for v1.5.18
```

After, it shows (something like):

```
  1.x         94936d9 Merge pull request #1060 from fortunatomaldonado/Issue1057
  1.x-stable  9b98134 Updates CHANGELOG for v1.5.18
  2.x-develop b4dd238 Merge pull request #1085 from wincent/unused-imports
  develop     78f39eb Merge pull request #959 from liferay/issue/issue_956
* master      b6add93 Merge 2.x-develop into master
  stable      327ff97 Bump version to 2.0.0-alpha.5
```

Closes: #1074

* 2.x-develop: Eliminate unused imports Teach new buttons to forget about the editor prop Kill empty propTypes declarations Update to React v16.8.1 Fixes #1081 - Make dev environment hot-reloading work Fixes #1079 - Eliminate misleading imports Get rid of remaining IIFEs and "use strict" declarations Remove unnecessary IIFEs and "use strict" declarations Remove unused PropTypes imports Fix bad variable name in button-accessibility-image-alt.jsx Fix no-unused-vars lint in button-embed-edit.jsx Make sure "key" gets propagated by
EditorContext.toProps() Remove commented out code Fix copy-paste error found in JSDoc comment New translations language.json (Welsh) New translations language.json (Sinhala) New translations language.json (Gujarati) Remove unnecessary forwarding of editor prop Format changed files Fix issues with accessing context in constructors Use context to access editor in components/toolbars/* Use context in button-embed-edit.jsx as well Use context to get editor in all of src/components/buttons Don't pass editor prop to <ButtonIcon /> Get editor from React context in uibridge/* components Avoid anonymous classes to improve debugging experience Port remaining HOCs to use React.context Fix a couple of comments typos Show that context works with our HOCs too (<ToolbarButtons />) Prefer static class properties Use context to get editor instance in <ButtonIcon> Start using React context to share editor instance Test our debounce implementation instead of CKEDITOR's Remove unnecessary IIFE and 'use strict' from debounce module Add an extra assertion to the debounce tests Don't say "should" in tests Use fake timers in debounce tests Re-enable disabled debounce test Remove unnecessary intermediate functions in debounce tests Use arrow functions in debounce tests Use const instead of var in debounce tests Remove unnecessary IIFE and "use strict" from debounce tests Silence deprecation warnings during test runs Bump version to 2.0.0-alpha.5 Add the ae_dragresize_ie11 plugin for IE11 Remove straggling references to icon fonts Remove references to required imageTPL prop New translations language.json (Vietnamese) New translations language.json (Hindi) New translations language.json (Hebrew) New translations language.json (Greek) New translations language.json (German) New translations language.json (Georgian) New translations language.json (Galician) New translations language.json (French, Canada) New translations language.json (French) New translations language.json (Finnish) New 
translations language.json (Faroese) New translations language.json (Estonian) New translations language.json (Esperanto) New translations language.json (English, United Kingdom) New translations language.json (Hungarian) New translations language.json (English, Canada) New translations language.json (English) New translations language.json (Dutch) New translations language.json (Danish) New translations language.json (Czech) New translations language.json (Croatian) New translations language.json (Chinese Traditional) New translations language.json (Chinese Simplified) New translations language.json (Catalan) New translations language.json (Bulgarian) New translations language.json (Bosnian) New translations language.json (Bengali) New translations language.json (Basque) New translations language.json (Arabic) New translations language.json (English, Australia) New translations language.json (Albanian) New translations language.json (Icelandic) New translations language.json (Italian) New translations language.json (Uyghur) New translations language.json (Ukrainian) New translations language.json (Turkish) New translations language.json (Thai) New translations language.json (Tatar) New translations language.json (Swedish) New translations language.json (Spanish) New translations language.json (Slovenian) New translations language.json (Slovak) New translations language.json (Serbian (Latin)) New translations language.json (Serbian (Cyrillic)) New translations language.json (Russian) New translations language.json (Romanian) New translations language.json (Indonesian) New translations language.json (Portuguese, Brazilian) New translations language.json (Polish) New translations language.json (Persian) New translations language.json (Norwegian Bokmal) New translations language.json (Norwegian) New translations language.json (Mongolian) New translations language.json (Malay) New translations language.json (Macedonian) New translations language.json (Lithuanian) New 
translations language.json (Latvian) New translations language.json (Kurdish) New translations language.json (Korean) New translations language.json (Khmer) New translations language.json (Japanese) New translations language.json (Portuguese) New translations language.json (Afrikaans) Update Crowdin configuration file Modify github issue and pull request templates: Bump version to 2.0.0-alpha.4 Apply prettier Apply changes from #959 into 2.x-develop Apply changes from #1049 into 2.x-develop Apply changes from #1060 into 2.x-develop Bump version to 2.0.0-alpha.3 SF Bump version to 2.0.0-alpha.2 Fix reference error Add missing item selector buttons Fix button-link-edit-browse Rename "fix" to "lint:fix" to make it clear what is being fixed Update CONTRIBUTING.md based on 2.x.x-alpha.1 release Update .gitignore Add empty .npmignore Prepare for release 2.0.0-alpha.1 Temporarily disable randomly failing test Bump version Update globs in "lint:changed" script Add "npm run format:changed" Don't use process.env.PWD in build Fix last lint in dragresize_ie.js (no-unused-vars) Fix 6 lints in src/plugins/tableresize.js (no-var) Add support for running lints on changed files only Use 'modern' JS Implement callback in ButtonLinkEditBrowse Fix 11 lints in src/plugins/tabletools.js Fix last 4 lints in dragresize_ie11.js Fix last lint in src/plugins/dragresize.js (prefer-rest-params) Fix last lint in src/core/tools.js (prefer-rest-params) Apply Prettier's desired changes Eliminate React warnings when editing image alt attribute Fix 8 more lints, including last of the "no-unused-vars" Fix no-unused-vars lint in button-link-edit-browse.jsx Turn "babel/no-invalid-this" into a warning in plug-in files Fix no-undef lint in src/plugins/dragresize_ie11.js Deal with 12 remaining "no-used-vars" lints related to function arguments Fix bad variable name in button-link-browse.jsx (no-undef) Fix lint in core/selection-region.js (no-unused-vars) Disable failing test Fix bad identifier in 
button-embed-video-edit.jsx (no-undef) Fix lint in src/oop/oop.js (no-throw-literal) Fix lint in oop/attribute.js (prefer-spread) Fix 2 lints in core/debounce.js Fix 3 lints in src/core/uicore.js Fix spelling mistakes in code comments Fix 9 remaining "guard-for-in" lints Update CKEditor to v4.11.2 Fix lint error Fix lint in uibridge/menu.jsx (guard-for-in) Fix 1 lint in uibridge/uibridge.js (prefer-rest-params) Fix 3 lints by removing UNSUPPORTED_*_API variables Fix lint in button-separator.jsx (no-unused-vars) Fix 1 lint in button-paragraph-align.jsx (no-unused-vars) Fix 1 lint in button-link-autocomplete-list.jsx (no-unused-vars) Fix 6 no-useless-escape lints Fix lint in button-commands-list.jsx (react/no-find-dom-node) Remove stray ">" from button-embed-edit.jsx, fixing 1 lint Freshen formatting Reformat button-camera-image.jsx Fix 15 lints in src/components/buttons/button-camera-image.jsx Remove timeout in tests Fix lint in src/components/base/widget-exclusive.js Fix lints in src/plugins/embed.js Restore lint suppression in src/adapter/main.js Fix lints in plugins/Resizer.es.js Double build speed with parallel-webpack Switch from "exclude" blacklist to "include" whitelist Suppress expensive stats during webpack builds Updates lang files Removes unnecessary hashing so buildLanguages always runs and attempts to prettify the result a little bit Adds language.json as the default entry point for i18n for crowdin integration Fix bug in widget-dropdown.js identified by linter Add eslint-plugin-babel to resolve a bunch of errors Add explanation for why it is ok to suppress no-invalid-this lint Fix lints (and one bug) in src/adapter/main.js Reformat .eslintrc.js Specify React version in .eslintrc.js Add eslint-plugin-react to get rid of a bunch of errors Silence and fix lints about capital-case non-constructor functions Add "lint:quiet" to package.json scripts Silence new-cap lints about CKEDITOR constructors Apply lint autofixes to previously unparseable files Add 
babel-eslint to allow us to parse/lint JSX Fix for various buttons Also tone down valid-jsdoc rule from "error" to "warn" Turn require-jsdoc errors into warnings Teach ESLint about AlloyEditor global variable Teach ESLint about the CKEDITOR global variable Apply ESLint autofixes and Prettier updates to JSX files Run ESLint and Prettier against JSX files too Use SVG icon instead of missing font icon in toolbar-add.jsx Fix autofixable lint errors Add eslint-config-prettier Tweak ESLint settings to avoid a deprecation warning Add ESLint "lint" and "fix" tasks to package.json Add eslint-plugin-no-for-of-loops Synchronize .eslintrc.js with contents of .eslintrc from Clay Add eslint-config-liferay package Update "eslint" package to latest version Fixes #988 - Remove .editorconfig Add trailingComma to our Prettier config Fix broken package-lock.json Use a more recent Node in Travis Remove unused dir-compare dependency Remove unused gulp-consildate dependency Fixes #980 - Update to Gulp v4 Fixes #983 - Make sure code is correctly formatted before publishing Remove require-dir dependency Remove unused requires from scripts/build/gulp/tasks/css.js Remove unnecessary demo app templating Update mocha as recommended by `npm audit` Remove ununsed clean-fonts task Remove unused gulp-iconfont dependency Remove references to fonts in karma config Remove unused imports Remove unused font related resources and tasks Remove unused demo Update karma-sauce-launcher as recommended by `npm audit` Remove karma-safari-launcher Bump karma-coverage version as recommended by `npm audit` Turn on parallel minification Turn on Terser caching Speed up minification by massaging settings Switch from Uglify to Terser for minification Update webpack dependency Run webpack from inside gulp in parallel Remove an unused require Sort tasks.js requires Update browsers in saucelabs config Teach the `clean-dist` Gulp task to keep the .gitignore Switch package.json to whitelist included files Build so Travis 
has something to run Don't store dist/* contents in the repo Fix conflicts in package.json [gulp] Prefer promises over callbacks gulp: rename array of tasks: `task` -> `tasks` Remove never-used gulp-empty dependency [IFI-411] Add prettier support Remove create-react-class dependency Port uibridge/panel-menu-button.jsx from createReactClass Port uibridge/richcombo.jsx from createReactClass Port uibridge/button.jsx from createReactClass Port uibridge-menu-button.jsx from createReactClass Switch to karma-verbose-reporter Use ES6 features (let,const,arrow functions) Use object property shorthand Change forEach for some Fix wording in JSDoc comment Fix typo in JSDoc comment Fix indentation Replace var with let/const and instance properties Sort imports in default skin Sort imports Use constants and template strings for embed templates Add extra buttons from liferay-portal Update Karma dependency to resolve security issues Fixes #945 | Fix regexp for IE Regen package-lock Apply requested changes Update to React v16.6.3 Updates CHANGELOG for v1.5.17 Fix conflict for ffe6112 Fix conflict for 5aabd16 Fixes #906 | Reorder toolbar buttons for full mode Fix conflict for 1ab0230 Update ckeditor Fixes #853 | Updates toolbar position when changing image alignment Fixes #924 No longer need to add/remove CSS class based on image alignment Fixes #924 Add four drag handles to image resizer Fixes #924 Add styling for four drag handles of image resizer Fix conflict for 0139136 Fixes #931 | Fixes the saucelabs browser-matrix badge Fix conflict for abed0b1 Change dragresize implementation on IE to modify heigh and width inside the style attribute so as to be consistent with the standard AlloyEditor resizing behavior. 
Updates CHANGELOG for v1.5.16 Fix conflict for 7ea9e76 Fix conflict for 1d404b0 Fixes #908 Remove unwanted tags after paste Fixes #915 - Checks if selection data exists in linkSelectionTest Fix conflict for 192a163 Fixes #900 Add closing semi-colon in IE11 Fixes #911 Use correct CSS to place drag resize handle at the corner Try to fix autolink test Fix conflict for 0afdb5e Fix #898 | Added center align css interaction between IE11 and other browsers Updates CHANGELOG for v1.5.15 Fix conflicts for 885782f Fix conflicts for 6189e19 Fix #845 - Remove resizer everytime the cursor gets out of the pillar. Keeping the resizer there without any reason creates a black hole where the CKEditor's mousemove event is never triggered Updates CHANGELOG for v1.5.14 Fix conflicts for 43348fb Fix conflict for 1108584 Fix conflict for b61bd0b Fixes #885 | Fix editor.on paste function and enhance REGEX_URL Updates CHANGELOG for v1.15.13 Fix conflict for 0fa7e4c Fix conflict for 1fab086 Fix conflicts for 3f7a0da If we found < it means that most likely there's some tag and we don't want to touch it. 
Fix conflicts for 2c0a76e 1.5.12 Fix conflict for c7a5948 Runs only on paste actions Adjust toolbar placement on right side to prevent overflow Fix conflict for 031ae20 1.5.11 Controls the placement of the toolbar Fix conflicts for 6aa8bc0 1.5.10 Removes contenteditable attribute from image element when downcasting to html Fix conflict for b2e3a7e 1.5.9 #858 getChildren is not filtering 'a' Fix conflict for 4e8e54e 1.5.8 Prevents defaulting uiNode to body if unset Use uiNode in dragresize plugin Fix conflicts for f1d775e 1.5.7 Uses proper uiNode default Fix conflict for 40a797c Fix conflict for 02f0274 1.5.6 SF | Fixes #958 #858 getting right element for IE Fix conflict for c1d3663 1.5.5 Fixes image selection test refactor Fix conflict for c9ed24c Fix conflict for 77c835a 1.5.4 Adds support for URLs that are using ports Adds a way to correct paste behavior of an URL Enhance url regular expression check if selection is an image Resolve b400c59 Resolve conflict for cherry-pick 1658a12 1.5.3 Resolve conflict for cherry-pick cad4c7a 1.5.2 Resolve conflict for cherry-pick 126f2ec Regen package-lock.json Update gulp-iconfont Removes unnecessary exposure from OOP.extend, Attribute and Lang for the tests since we already have in the main Build files (auto-generated) Exports the bundle without React to UMD. 
Expose OOP.extend, Lang and Attribute to API Update webpack to v4.6.0 Remove unnecessary import in dragresize_ie.js Build files (auto-generated) Remove Core and SelectionSetPosition exposed for testing since they are already in the AlloyEditor API Expose SelectionSetPosition to API Expose SelectionGetArrowBoxClasses to API Expose Selections to API Expose Core to API Build files (auto-generated) Update demo template Fixes the build in mode dev Removes karma configs from plugins and core in favor of just global karma Build files (auto-generated) SF Fixes path of generate languages Minimize css when generating build for release Generate the dev build along with the build for the release Fix arguments to generate a release demo Add gulp tasks to generate icons, css and languages Remove support the IE 9 and IE 10 Build files (auto-generated) Remove the prepublish script from package.json Remove npm run dev script to run on travis SF Add targets to presets-env Show only webpack information when there is an error Build files (auto-generated) SF Skip some tests Fixes ButtonDropdown imports on uibridge components Fixes tests of WidgetInteractionPoint to use WidgetPosition mock Remove WidgetPositionComponent inside WidgetPosition to only improve readability and use static method Install transform-class-properties for static use in class Create a simple WidgetPosition mock for testing Fix the initial state implementation of the component in ButtonLinkEdit Fixes ButtonLinkTargetEdit tests Fixes ButtonTargetList tests Fixes ButtonStylesList tests Fixes ButtonTableHeading tests Fixes ButtonTableRow tests Change ButtonTableEdit that uses old refs API to new API from the latest version of React Fixes ButtonTableColumn tests Fixes ButtonTableCell tests Fix import the ButtonLinkTargetEdit in ButtonLinkEdit tests Change ButtonLinkEdit that uses old refs API to new API from the latest version of React Change ButtonEmbedEdit that uses old refs API to new API from the latest version of 
React Change ButtonImage that uses old refs API to new API from the latest version of React Replace React.addons with ReactTestUtils in assertDropdownCommandButtonResult Update React version to 16.3.1 Remove use of PropTypes Exposes SelectionSetPosition for the tests Exposes Lang for the tests Add scripts to travis.yml Fix ButtonImageAlignRight import Fix Selections import on the core Add ReactTestUtils and ReactDOM to dragresize_ie.js Fix import on the test button-target-list Update test configuration of core and plugins Set singleRun true in karma.common.js Remove use of the gulp and start tests with karma cli Export list with src files of the UI Use karma.common.js config Adds Karma common config Update Demo Build files (auto-generated) Install createReactClass and use in uibridge components Provides for extend, Attribute and Core tests in window.AlloyEditor Import your respective components and use ReactTestUtils in the UI tests Simplify gulp-file to run only the tests Create useful for loader of React, ReactDOM, ReactTestUtils and AlloyEditor for tests Move the test utils to the scripts/test path Build files (auto-generated) Fix builds and generate all builds with webpack SF Exposes SelectionTests to AlloyEditor Build files (auto-generated) Fixes state override using class in ButtonEmbedEdit Fixes ButtonCameraImage import Pass bind the handles clicks Replace AlloyEditor.ButtonTargetList to ButtonTargetList Converts calls to React.createElement into JSX elements Regen alloy-edit-all-min.js and alloy-edit-all-min.js.map Add webpack 4.0 compatibility and create .babelrc Update webpack to 4.0 Initial refactor for AlloyEditor 2.0 - Simplifies build step (webpack) - Removes UI layers and keeps only react - Updates to react 16 Update gulp-iconfont
No description provided.