logview_new: updated the react router to 7.12.0 or above (#2628)#3345
Open
gurasinghMS wants to merge 2 commits into microsoft:release/1.7.2511 from
Conversation
There is a vulnerability found in router version < 7.12.0 which allows XSS when using SSR (Server Side Rendering) with the react router. Notably this does not impact apps using declarative mode for the router (i.e. `<BrowserRouter>`). Our app doesn't use SSR and only uses declarative mode for the router, hence should not be vulnerable. However, still updating router version to the patched version of 7.12.0 or above for cleanliness and to appease dependabot.

Dependabot vulnerabilities that will be addressed with this PR:

- https://github.com/microsoft/openvmm/security/dependabot/8
- https://github.com/microsoft/openvmm/security/dependabot/9
- https://github.com/microsoft/openvmm/security/dependabot/10

(cherry picked from commit de4be3b)
Contributor
Pull request overview
This PR updates the (currently unused) petri/logview_new front-end dependencies to address Dependabot-reported React Router vulnerabilities by moving to react-router-dom >= 7.12.0.
Changes:
- Bump `react-router-dom` from `^7.9.3` to `^7.12.0` (and corresponding lockfile entries).
- Bump `react`/`react-dom` dependency ranges from `^19.1.1` to `^19.2.1`.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| petri/logview_new/package.json | Updates React + React Router dependency ranges. |
| petri/logview_new/package-lock.json | Updates resolved react-router / react-router-dom packages and the top-level dependency ranges. |
Files not reviewed (1)
- petri/logview_new/package-lock.json: Language not supported
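The review above notes that only the `package.json` ranges were inspected while the lockfile was skipped. For a version-bump fix like this one, the lockfile is what actually decides which `react-router` build ships: a range such as `^7.9.3` permits 7.12.0 but does not require it, and the resolved `version` fields in `package-lock.json` are what `npm ci` installs. The script below is an added example, not code from this PR or from the openvmm repository; it walks the `packages` map of a lockfileVersion 2/3 file (including nested `node_modules/*/node_modules/react-router` installs, which top-level range checks miss) and flags any `react-router` or `react-router-dom` entry resolved below 7.12.0. The two lockfile objects are constructed for the example and only mirror the before/after ranges named in this PR.

```javascript
// Added example: verify that a package-lock.json resolves react-router /
// react-router-dom to the patched 7.12.0 line. Not part of the PR or repo.

const PATCHED_ROUTER_VERSION = "7.12.0"; // first patched release named in the PR
const ROUTER_PACKAGES = ["react-router", "react-router-dom"];

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored) into numbers.
// Comparing as numbers matters: as strings, "7.12.0" < "7.9.3".
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A caret/tilde range's floor is the version it names, so "^7.9.3" still
// admits vulnerable 7.9.x installs; only the lockfile pins the real version.
function rangeFloorIsPatched(range, minVersion = PATCHED_ROUTER_VERSION) {
  const floor = range.replace(/^[\^~=v]+/, "");
  return compareSemver(floor, minVersion) >= 0;
}

// Walk the lockfile "packages" map. Keys look like "node_modules/react-router"
// or "node_modules/plugin/node_modules/react-router" for nested installs, so the
// package name is the segment after the last "node_modules/".
function findUnpatchedRouterPackages(lockfile, minVersion = PATCHED_ROUTER_VERSION) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages ?? {})) {
    if (path === "") continue; // "" is the root project itself
    const name = path.split("node_modules/").pop();
    if (!ROUTER_PACKAGES.includes(name)) continue;
    if (compareSemver(entry.version, minVersion) < 0) {
      findings.push({ path, name, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfiles (not the repo's real package-lock.json).
const LOCKFILE_BEFORE = {
  name: "logview_new",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "react-router-dom": "^7.9.3", react: "^19.1.1" } },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-router": { version: "7.9.3" },
    "node_modules/react-router-dom": { version: "7.9.3" },
    // hypothetical nested copy pulled in by some other dependency
    "node_modules/some-plugin/node_modules/react-router": { version: "7.9.3" },
  },
};

const LOCKFILE_AFTER = {
  name: "logview_new",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "react-router-dom": "^7.12.0", react: "^19.2.1" } },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-router": { version: "7.12.0" },
    "node_modules/react-router-dom": { version: "7.12.0" },
  },
};

for (const [label, lock] of [["before", LOCKFILE_BEFORE], ["after", LOCKFILE_AFTER]]) {
  const range = lock.packages[""].dependencies["react-router-dom"];
  console.log(`${label}: package.json range ${range} floor patched:`,
    rangeFloorIsPatched(range));
  console.log(`${label}: unpatched lockfile entries:`, findUnpatchedRouterPackages(lock));
}
```

To run it against a real repository, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty findings list is the condition a CI gate should require before the Dependabot alerts are closed.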
Cherry Picking changes from #2628 and ran `npm audit fix`. THIS IS NOT A CLEAN CHERRY PICK. However, this code is completely unused / dead in the target branch. These changes are being made to appease Component Governance.

There is a vulnerability found in router version < 7.12.0 which allows XSS when using SSR (Server Side Rendering) with the react router. Notably this does not impact apps using declarative mode for the router (i.e. `<BrowserRouter>`). Our app doesn't use SSR and only uses declarative mode for the router, hence should not be vulnerable. However, still updating router version to the patched version of 7.12.0 or above for cleanliness and to appease dependabot.

Dependabot vulnerabilities that will be addressed with this PR:

(cherry picked from commit de4be3b)