Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Solve critical vulnerability of Presto UI from @babel/traverse npm package #21322

Merged
merged 1 commit into from
Nov 13, 2023
Merged

Solve critical vulnerability of Presto UI from @babel/traverse npm package #21322

merged 1 commit into from
Nov 13, 2023

Conversation

yhwang
Copy link
Member

@yhwang yhwang commented Nov 6, 2023
edited
Loading

Ref: #21319

Description

Update @babel and related packages to newer versions to solve the critical vulnerability issue reported by yarn audit: GHSA-67hx-6x53-jw92

Motivation and Context

The critical vulnerability issue reported by yarn audit may impact servers that run the babel to compile the Presto UI code or developers' machines. Although there is no path.evaluate() or path.evaluateTruthy() in the current code base, it's good to fix it.

Impact

Most of the JS files are not changed, except query.js.

Test Plan

Manually run the Presto UI and verify the query page.

Contributor checklist

  • Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

General Changes
* Update Babel and related npm packages to solve critical vulnerability: https://github.com/advisories/GHSA-67hx-6x53-jw92
  The Babel packages are used to generate the JavaScript files for Presto UI. The update prevents the build servers
  or developers' machines from running arbitrary code while building the JavaScript files.

@yhwang
Solve critical vulnerability of Presto UI
0bb82f5 
Update @babel and related packages to newer versions to
solve the critical vulnerability issue reported by
`yarn audit`: https://www.npmjs.com/advisories/1094446

Signed-off-by: Yihong Wang <[email protected]>
@yhwang yhwang requested a review from a team as a code owner November 6, 2023 19:08
@yhwang yhwang requested a review from presto-oss November 6, 2023 19:08
@yhwang
Copy link
Member Author

yhwang commented Nov 6, 2023

Below, it's a screenshot of the query page, I don't see any issue of this page.
query-1

@yhwang
Copy link
Member Author

yhwang commented Nov 6, 2023

Here is another screenshot which has a successful query:
query-2

@skairali skairali self-requested a review November 9, 2023 15:05
skairali
skairali approved these changes Nov 9, 2023
View reviewed changes
Copy link
Member

@skairali skairali left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a good change and required one from security perspective.

@steveburnett
Copy link
Contributor

If this is a "critical vulnerability" as described in the title, consider adding a release note to this PR for the Security section of the next release notes.

@yhwang
Copy link
Member Author

yhwang commented Nov 13, 2023

@steveburnett thanks for the feedback. update the description of this PR to include the release node.

@tdcmeehan tdcmeehan merged commit 6c48ec5 into prestodb:master Nov 13, 2023
@yhwang yhwang deleted the update-babel-version branch November 13, 2023 19:55
@wanglinsong wanglinsong mentioned this pull request Dec 8, 2023
Closed
26 tasks
@tdcmeehan tdcmeehan mentioned this pull request Dec 20, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tdcmeehan tdcmeehan tdcmeehan approved these changes

@skairali skairali skairali approved these changes

@presto-oss presto-oss Awaiting requested review from presto-oss presto-oss is a code owner automatically assigned from prestodb/committers

Assignees
No one assigned
Labels
Security
Projects
Security
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@yhwang @steveburnett @tdcmeehan @skairali