From 9bef83b6fe2256a480dfdc76167b3e56d6b8c77b Mon Sep 17 00:00:00 2001 
From: Benjamin Franzke Date: Wed, 24 Aug 2022 08:35:20 +0200 Subject: [PATCH] [TASK] Update vulnerable build dependencies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update (most) vulnerable dependencies/packages found by `npm audit fix --force --dry-run`. Notes regarding package changes: * The outdated grunt-postcss plugin is replaced by a (maintained) fork for compatibility with newer grunt versions. * karma is updated to v6 and pulls in @types/node which conflicts with TypeScript type definitions by @types/requirejs. Therefore 3rd party type declarations from packages (@types/*) are now explicitly enabled in tsconfig.json – note that there is no other way to exclude from typeRoots: https://github.com/microsoft/TypeScript/issues/18588 * grunt-lintspaces and grunt-contrib-imagemin are replaced as these packages have not been updated to stop depending on vulnerable dependencies, while grunt-lintspaces and grunt-contrib-imagemin would cause downgrades to older versions when running `npm audit fix --force` (because only the older versions do not depend on vulnerable software). * (grunt-contrib-)imagemin is replaced by squoosh (by google) as a) imagemin dependencies ("bin-build" > "download") rely on vulnerable versions of "got". Neither of these packages is currently updated, see https://github.com/kevva/download/issues/224 b) imagemin is unmaintained: https://github.com/imagemin/imagemin/issues/385 and suggests squoosh as replacement * stylefmt is replaced by a maintained fork. There is one remaining package that pulls in vulnerability alerts: * jquery-ui is marked as vulnerable (severity: high), but worked on in a separate patch #96497. (We don't actually use the vulnerable library parts though). 
Vulnerability report before this patch: 74 vulnerabilities (1 low, 30 moderate, 38 high, 5 critical) Vulnerability report after this patch: 1 high severity vulnerability (this is jquery-ui) Commands executed: # Supposed to be non breaking, but broke grunt-css npm audit fix npm remove grunt-postcss npm install @lodder/grunt-postcss # Preparation for `npm audit fix --force` (breaking changes) npm install grunt@^1.5 npm install grunt-lintspaces@^0.10.0 npm remove grunt-lintspaces npm install --save-dev lintspaces-cli npm remove grunt-contrib-imagemin npm install --save-dev npm remove stylefmt npm install --save-dev @ronilaukkarinen/stylefmt npm audit fix --force Releases: main Resolves: #98198 Change-Id: I09df87fe131a499790e6c5f95f1c51e9216b71c2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75539 Tested-by: core-ci Tested-by: Georg Ringer Tested-by: Stefan Bürk Tested-by: Benjamin Franzke Reviewed-by: Georg Ringer Reviewed-by: Stefan Bürk Reviewed-by: Benjamin Franzke
---
 Resources/Public/JavaScript/toolbar/opendocs-menu.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Resources/Public/JavaScript/toolbar/opendocs-menu.js b/Resources/Public/JavaScript/toolbar/opendocs-menu.js
index 7b99b1d..06d112c 100644
--- a/Resources/Public/JavaScript/toolbar/opendocs-menu.js
+++ b/Resources/Public/JavaScript/toolbar/opendocs-menu.js
@@ -10,4 +10,4 @@ * * The TYPO3 project - inspiring people to share! */ -import $ from"jquery";import AjaxRequest from"@typo3/core/ajax/ajax-request.js";import Icons from"@typo3/backend/icons.js";import Viewport from"@typo3/backend/viewport.js";import{ModuleStateStorage}from"@typo3/backend/storage/module-state-storage.js";var Selectors;!function(e){e.containerSelector="#typo3-cms-opendocs-backend-toolbaritems-opendocstoolbaritem",e.closeSelector=".t3js-topbar-opendocs-close",e.menuContainerSelector=".dropdown-menu",e.toolbarIconSelector=".toolbar-item-icon .t3js-icon",e.openDocumentsItemsSelector=".t3js-topbar-opendocs-item",e.counterSelector="#tx-opendocs-counter",e.entrySelector=".t3js-open-doc"}(Selectors||(Selectors={}));class OpendocsMenu{constructor(){this.hashDataAttributeName="opendocsidentifier",this.toggleMenu=()=>{$(".scaffold").removeClass("scaffold-toolbar-expanded"),$(Selectors.containerSelector).toggleClass("open")},document.addEventListener("typo3:opendocs:updateRequested",e=>this.updateMenu()),Viewport.Topbar.Toolbar.registerEvent(()=>{this.initializeEvents(),this.updateMenu()})}static updateNumberOfDocs(){const e=$(Selectors.containerSelector).find(Selectors.openDocumentsItemsSelector).length;$(Selectors.counterSelector).text(e).toggle(e>0)}updateMenu(){let e=$(Selectors.toolbarIconSelector,Selectors.containerSelector),t=e.clone();Icons.getIcon("spinner-circle-light",Icons.sizes.small).then(t=>{e.replaceWith(t)}),new AjaxRequest(TYPO3.settings.ajaxUrls.opendocs_menu).get().then(async e=>{$(Selectors.containerSelector).find(Selectors.menuContainerSelector).html(await e.resolve()),OpendocsMenu.updateNumberOfDocs()}).finally(()=>{$(Selectors.toolbarIconSelector,Selectors.containerSelector).replaceWith(t)})}initializeEvents(){$(Selectors.containerSelector).on("click",Selectors.closeSelector,e=>{e.preventDefault();const 
t=$(e.currentTarget).data(this.hashDataAttributeName);this.closeDocument(t)}).on("click",Selectors.entrySelector,e=>{e.preventDefault();const t=$(e.currentTarget);this.toggleMenu(),ModuleStateStorage.updateWithCurrentMount("web",t.data("pid"),!0);document.querySelector("typo3-backend-module-router").setAttribute("endpoint",t.attr("href"))})}closeDocument(e){const t={};e&&(t.md5sum=e),new AjaxRequest(TYPO3.settings.ajaxUrls.opendocs_closedoc).post(t).then(async e=>{$(Selectors.menuContainerSelector,Selectors.containerSelector).html(await e.resolve()),OpendocsMenu.updateNumberOfDocs(),$(Selectors.containerSelector).toggleClass("open")})}}let opendocsMenuObject;opendocsMenuObject=new OpendocsMenu,"undefined"!=typeof TYPO3&&(TYPO3.OpendocsMenu=opendocsMenuObject);export default opendocsMenuObject; \ No newline at end of file +import $ from"jquery";import AjaxRequest from"@typo3/core/ajax/ajax-request.js";import Icons from"@typo3/backend/icons.js";import Viewport from"@typo3/backend/viewport.js";import{ModuleStateStorage}from"@typo3/backend/storage/module-state-storage.js";var Selectors;!function(e){e.containerSelector="#typo3-cms-opendocs-backend-toolbaritems-opendocstoolbaritem",e.closeSelector=".t3js-topbar-opendocs-close",e.menuContainerSelector=".dropdown-menu",e.toolbarIconSelector=".toolbar-item-icon .t3js-icon",e.openDocumentsItemsSelector=".t3js-topbar-opendocs-item",e.counterSelector="#tx-opendocs-counter",e.entrySelector=".t3js-open-doc"}(Selectors||(Selectors={}));class OpendocsMenu{constructor(){this.hashDataAttributeName="opendocsidentifier",this.toggleMenu=()=>{$(".scaffold").removeClass("scaffold-toolbar-expanded"),$(Selectors.containerSelector).toggleClass("open")},document.addEventListener("typo3:opendocs:updateRequested",(e=>this.updateMenu())),Viewport.Topbar.Toolbar.registerEvent((()=>{this.initializeEvents(),this.updateMenu()}))}static updateNumberOfDocs(){const 
e=$(Selectors.containerSelector).find(Selectors.openDocumentsItemsSelector).length;$(Selectors.counterSelector).text(e).toggle(e>0)}updateMenu(){let e=$(Selectors.toolbarIconSelector,Selectors.containerSelector),t=e.clone();Icons.getIcon("spinner-circle-light",Icons.sizes.small).then((t=>{e.replaceWith(t)})),new AjaxRequest(TYPO3.settings.ajaxUrls.opendocs_menu).get().then((async e=>{$(Selectors.containerSelector).find(Selectors.menuContainerSelector).html(await e.resolve()),OpendocsMenu.updateNumberOfDocs()})).finally((()=>{$(Selectors.toolbarIconSelector,Selectors.containerSelector).replaceWith(t)}))}initializeEvents(){$(Selectors.containerSelector).on("click",Selectors.closeSelector,(e=>{e.preventDefault();const t=$(e.currentTarget).data(this.hashDataAttributeName);this.closeDocument(t)})).on("click",Selectors.entrySelector,(e=>{e.preventDefault();const t=$(e.currentTarget);this.toggleMenu(),ModuleStateStorage.updateWithCurrentMount("web",t.data("pid"),!0);document.querySelector("typo3-backend-module-router").setAttribute("endpoint",t.attr("href"))}))}closeDocument(e){const t={};e&&(t.md5sum=e),new AjaxRequest(TYPO3.settings.ajaxUrls.opendocs_closedoc).post(t).then((async e=>{$(Selectors.menuContainerSelector,Selectors.containerSelector).html(await e.resolve()),OpendocsMenu.updateNumberOfDocs(),$(Selectors.containerSelector).toggleClass("open")}))}}let opendocsMenuObject;opendocsMenuObject=new OpendocsMenu,"undefined"!=typeof TYPO3&&(TYPO3.OpendocsMenu=opendocsMenuObject);export default opendocsMenuObject; \ No newline at end of file