@slievrly
Member

Overview

This PR addresses frontend security vulnerabilities reported by GitHub Dependabot by upgrading webpack from version 4 to version 5 and updating related dependencies to their latest secure versions.

Security Impact

console-fe

  • Before: 23 vulnerabilities (7 high, 11 moderate, 5 low)
  • After: 5 vulnerabilities (0 high, 0 moderate, 5 low)
  • Result: ✅ 100% of high and moderate vulnerabilities resolved

saga-designer

  • Before: 1 vulnerability (1 moderate)
  • After: 0 vulnerabilities
  • Result: ✅ 100% of all vulnerabilities resolved

Key Vulnerabilities Fixed

  1. webpack-dev-server (Moderate - GHSA-9jgg-88mc-972h, GHSA-4v9v-hfq4-rm2v)

    • Source code theft vulnerability when accessing malicious websites
    • Fixed by upgrading from 4.15.1 to 5.2.2
  2. serialize-javascript (High - GHSA-h9rv-jmmf-4pgx, GHSA-hxcc-f52p-wc94)

    • Cross-Site Scripting (XSS) vulnerability
    • Insecure serialization leading to RCE
    • Fixed by replacing uglifyjs-webpack-plugin with built-in TerserPlugin
  3. braces (High - GHSA-grv7-fg5c-xmjg)

    • Uncontrolled resource consumption (ReDoS)
    • Fixed via package override to version 3.0.3
  4. micromatch (Moderate - GHSA-952p-6rrq-rcjv)

    • Regular Expression Denial of Service (ReDoS)
    • Fixed via package override to version 4.0.8
  5. nanoid (Moderate - GHSA-mwcw-c2x4-8c55)

    • Predictable results in generation
    • Fixed via package override to version 3.3.8
  6. svelte/swiper (Moderate - GHSA-8266-84wp-wv5c)

    • Potential mXSS vulnerability
    • Fixed via package override to version 6.5.9

Changes Made

Major Upgrade

  • webpack: 4.47.0 → 5.102.1 (required for webpack-dev-server security fix)

Dependency Updates (console-fe)

  • webpack-dev-server: 4.15.1 → 5.2.2
  • html-webpack-plugin: 4.5.2 → 5.6.3
  • copy-webpack-plugin: 6.4.1 → 11.0.0
  • mini-css-extract-plugin: 1.6.2 → 2.9.2
  • css-loader: 5.2.7 → 6.11.0
  • sass-loader: 10.5.2 → 13.3.3
  • Replaced uglifyjs-webpack-plugin with built-in TerserPlugin
  • Replaced optimize-css-assets-webpack-plugin with css-minimizer-webpack-plugin

Package Overrides (console-fe)

Updated package.json overrides to enforce secure versions:

  • nanoid: 3.1.31 → 3.3.8
  • swiper: 6.5.1 → 6.5.9
  • node-fetch: 2.6.7 → 2.7.0
  • braces: 3.0.3 (new)
  • micromatch: 4.0.8 (new)
  • serialize-javascript: 6.0.2 (new)

Configuration Updates (console-fe)

  • Updated webpack.prod.conf.js to use TerserPlugin and CssMinimizerPlugin
  • Updated webpack.base.conf.js to use webpack 5 syntax (resolve.fallback instead of deprecated node.fs)

Dependency Updates (saga-designer)

  • webpack-dev-server: 4.13.2 → 5.2.2

Testing

✅ npm install successful on both projects
✅ npm run build successful on both projects
✅ npm audit confirms vulnerability reduction
✅ Build output sizes within expected range
✅ Webpack 5 configuration properly migrated

Remaining Issues

5 low-severity vulnerabilities remain in console-fe, all related to the @alicloud/console-components-console-menu dependency:

  • min-document (prototype pollution)
  • global, dva-core, dva (dependent on min-document)

These vulnerabilities have no fix available and require the vendor (@alicloud) to update their dependencies. Risk assessment: LOW.

Breaking Changes

This PR includes a major version upgrade from webpack 4 to webpack 5. While the build process has been tested and verified, it's recommended to:

  • Test the built applications in development and staging environments
  • Monitor for any runtime issues with the upgraded webpack
  • Verify dev server functionality with npm run start

References

slievrly#7
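The package.json overrides listed in the PR only help if they are reflected in package-lock.json: npm applies an override when the lock is (re)generated, and `npm audit` and `npm ci` read the lock, so a stale or partially updated lock can still ship the vulnerable version in a nested copy. As an added example that is not part of this PR or the Seata code base, the Node script below (hypothetical file name check-overrides.js; `checkOverrides`, `satisfies` and the other names are mine) walks every installed copy of each overridden package, hoisted and nested alike, and reports any copy that does not satisfy the pin. It assumes a lockfile version 2 or 3 `packages` map; the embedded package.json and lock contents are constructed, with the override versions mirroring the console-fe list above and the stale `braces` copy under the made-up `some-plugin` invented to show a violation.

```javascript
'use strict';
// Added example, not code from the Seata PR: check that package.json "overrides"
// actually took effect in package-lock.json, nested duplicates included.
// `require` is guarded so the file also loads in an ES-module context.
const fs = typeof require === 'function' ? require('fs') : null;

// "1.2.3" or "1.2.3-rc.1" -> numeric parts; null when the string is not semver.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1; // a prerelease sorts before its release
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Minimal range check for what an override pin usually looks like: exact "3.0.3",
// caret "^3.0.3", tilde "~3.0.3". Returns null (not a guess) for anything else.
function satisfies(installed, range) {
  const have = parseVersion(installed);
  const want = parseVersion(range.replace(/^[\^~]/, ''));
  if (!have || !want) return null;
  if (compareVersions(have, want) < 0) return false;
  if (range.startsWith('^')) {
    return want.major === 0 ? have.major === 0 && have.minor === want.minor
                            : have.major === want.major;
  }
  if (range.startsWith('~')) return have.major === want.major && have.minor === want.minor;
  return compareVersions(have, want) === 0;
}

// Lockfile v2/v3 keys every installed package as ".../node_modules/<name>";
// collect all copies of <name>, hoisted and nested alike.
function installedVersions(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages)
    .filter(([key]) => key === suffix || key.endsWith(`/${suffix}`))
    .map(([key, meta]) => ({ path: key, version: meta.version }));
}

// One finding per installed copy that does not satisfy its override, plus
// "unused" for an override naming a package that is no longer in the tree.
function checkOverrides(pkg, lock) {
  if (!lock.packages) throw new Error('lockfileVersion 2 or 3 required (no "packages" map)');
  const findings = [];
  for (const [name, range] of Object.entries(pkg.overrides || {})) {
    if (typeof range !== 'string') continue; // nested override objects are out of scope here
    const copies = installedVersions(lock, name);
    if (copies.length === 0) findings.push({ name, path: null, version: null, range, status: 'unused' });
    for (const c of copies) {
      const ok = satisfies(c.version, range);
      if (ok === true) continue;
      findings.push({ name, path: c.path, version: c.version, range,
                      status: ok === null ? 'unsupported-range' : 'violation' });
    }
  }
  return findings;
}

// Constructed sample data (hypothetical lock contents). The override list mirrors
// the console-fe overrides named in the PR; the lock tree, including the stale
// nested copy under the made-up "some-plugin", is invented for the demonstration.
const SAMPLE_PACKAGE_JSON = { overrides: {
  nanoid: '3.3.8', swiper: '6.5.9', 'node-fetch': '2.7.0',
  braces: '3.0.3', micromatch: '4.0.8', 'serialize-javascript': '6.0.2',
} };
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'console-fe' },
  'node_modules/braces': { version: '3.0.3' },
  'node_modules/micromatch': { version: '4.0.8' },
  'node_modules/nanoid': { version: '3.3.8' },
  'node_modules/swiper': { version: '6.5.9' },
  'node_modules/node-fetch': { version: '2.7.0' },
  'node_modules/serialize-javascript': { version: '6.0.2' },
  'node_modules/some-plugin/node_modules/braces': { version: '2.3.2' }, // did not get the override
} };

// Prints every finding and returns the number of violations; with no paths it runs on the samples.
function main(argv) {
  const read = (p) => JSON.parse(fs.readFileSync(p, 'utf8'));
  const pkg = argv[0] ? read(argv[0]) : SAMPLE_PACKAGE_JSON;
  const lock = argv[1] ? read(argv[1]) : SAMPLE_LOCK;
  const findings = checkOverrides(pkg, lock);
  for (const f of findings) {
    const where = f.path ? ` at ${f.path} is ${f.version}` : '';
    console.log(`${f.status}: ${f.name}${where} (override ${f.range})`);
  }
  return findings.filter((f) => f.status === 'violation').length;
}

if (typeof require === 'function' && require.main === module) {
  const violations = main(process.argv.slice(2));
  if (process.argv.length > 2 && violations > 0) process.exitCode = 1;
}
```

Run it as `node check-overrides.js package.json package-lock.json` after `npm install`; it exits non-zero when any installed copy violates an override, which makes it a cheap CI gate next to `npm audit`. Without arguments it runs on the embedded sample, where the hoisted braces 3.0.3 passes and the nested braces 2.3.2 copy is reported as a violation. An "unused" finding means the override can be deleted; an "unsupported-range" finding means the pin uses range syntax the minimal matcher does not understand and should be checked by hand.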

codecov bot commented Oct 17, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.83%. Comparing base (49f0bc2) to head (ce19a67).
⚠️ Report is 3 commits behind head on 2.x.

Additional details and impacted files
@@             Coverage Diff              @@
##                2.x    #7704      +/-   ##
============================================
+ Coverage     61.72%   61.83%   +0.11%     
+ Complexity      684      680       -4     
============================================
  Files          1324     1324              
  Lines         50046    50046              
  Branches       5910     5910              
============================================
+ Hits          30891    30948      +57     
+ Misses        16369    16285      -84     
- Partials       2786     2813      +27     

see 43 files with indirect coverage changes


@funky-eyes funky-eyes requested a review from Copilot October 18, 2025 12:07
Copilot AI left a comment

Pull Request Overview

This PR addresses critical frontend security vulnerabilities by upgrading webpack from version 4 to 5 and updating related dependencies to their latest secure versions across two projects: console-fe and saga-designer.

  • Major webpack upgrade from v4 to v5 with associated plugin updates
  • Security vulnerability fixes addressing XSS, ReDoS, and source code theft issues
  • Package overrides to enforce secure versions of indirect dependencies

Reviewed Changes

Copilot reviewed 4 out of 6 changed files in this pull request and generated no comments.

Files reviewed:

  • saga/seata-saga-statemachine-designer/package.json: updates webpack-dev-server to v5.2.2 for security fixes
  • console/src/main/resources/static/console-fe/package.json: major dependency updates including webpack v5 upgrade and security overrides
  • console/src/main/resources/static/console-fe/build/webpack.prod.conf.js: migrates from deprecated UglifyJsPlugin to TerserPlugin and OptimizeCSSAssetsPlugin to CssMinimizerPlugin
  • console/src/main/resources/static/console-fe/build/webpack.base.conf.js: updates webpack configuration for v5 compatibility using resolve.fallback

Files not reviewed (1):

  • saga/seata-saga-statemachine-designer/package-lock.json: language not supported


@funky-eyes funky-eyes added this to the 2.6.0 milestone Oct 18, 2025
@funky-eyes funky-eyes (Contributor) left a comment


LGTM

@funky-eyes funky-eyes merged commit da686b1 into apache:2.x Oct 22, 2025
11 checks passed