
Update the react-router-dom library to remove the polyfill.io term in the warning message (ECMPS 2.0) #6331

Status: Open
maheese opened this issue Jul 22, 2024 · 3 comments · Fixed by US-EPA-CAMD/easey-ecmps-ui#1473
Labels: ECMPS, Phase 1 CAMPD & ECMPS 2.0 tickets, Vulnerability

Comments

@maheese commented Jul 22, 2024

Recently, the Cloud.gov platform engineers scanned Cloud.gov to determine if any applications hosted in Cloud.gov were vulnerable to the polyfill.io attack (see https://fossa.com/blog/polyfill-supply-chain-attack-details-fixes/). The scan was performed by searching for the term "polyfill.io" in the application code deployed to the platform. The ecmps-ui in the perf environment was flagged as having the vulnerability. After reviewing the finding and the code, it appears that this term is used in a warning message produced by the react-router-dom library (see remix-run/react-router#11733). Although the code is not vulnerable to this attack, we should update the library to remove the reference to the polyfill.io website.

Need to update to at least version 6.24.1.
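The finding above is a string match, not a resource load: the scanner grepped deployed code for "polyfill.io" and hit a library's warning text. The following is an added example, not code from the ECMPS repositories or from the Cloud.gov scanner, showing how a scan can tell a URL that a page would actually fetch or execute (a script `src`, a dynamically inserted script, `fetch`/`import`) from a plain mention of the host in a string, and how to check a resolved react-router-dom version against the 6.24.1 floor stated in the issue. Every sample input is constructed; the function names, regexes and the shape of the `installed` map are this example's own assumptions.

```javascript
// Added example, not code from the ECMPS repositories or the Cloud.gov scan.
// A plain grep for "polyfill.io" flags any string that mentions the host,
// including a library's warning text. This script separates references that
// would actually load a resource from polyfill.io (script src, dynamic script
// insertion, fetch/import) from string mentions, and checks an installed
// react-router-dom version against the 6.24.1 floor named in this issue.
// Node.js, no dependencies. All sample inputs below are constructed.

// A URL whose hostname is polyfill.io or a subdomain of it. The negative
// lookahead rejects look-alike hosts such as polyfill.io.example.net.
const URL_RE =
  /https?:\/\/(?:[a-z0-9-]+\.)*polyfill\.io(?![a-z0-9-]|\.[a-z0-9])(?:[\/?#][^\s"'`<>)]*)?/gi;

// The host appearing outside any URL (e.g. a bare "polyfill.io" literal), same boundary rules.
const HOST_RE = /(?<![a-z0-9-])(?:[a-z0-9-]+\.)*polyfill\.io(?![a-z0-9-]|\.[a-z0-9])/gi;

// Text immediately before a URL that means the browser would fetch or execute it.
const LOAD_CONTEXT_RE =
  /(?:\bsrc\s*=\s*|\bhref\s*=\s*|\bimport\s*\(\s*|\bimportScripts\s*\(\s*|\bfetch\s*\(\s*|\burl\(\s*)["'`]?$/i;

function classifyPolyfillReferences(text) {
  const loads = [];
  const mentions = [];
  let m;
  while ((m = URL_RE.exec(text)) !== null) {
    // Inspect the 40 characters preceding the URL for a loading construct.
    const before = text.slice(Math.max(0, m.index - 40), m.index);
    (LOAD_CONTEXT_RE.test(before) ? loads : mentions).push(m[0]);
  }
  // Host names that are not part of any URL at all.
  const bareMentions = (text.replace(URL_RE, " ").match(HOST_RE) || []).length;

  let verdict = "clean";
  if (loads.length > 0) verdict = "loads-from-polyfill.io";
  else if (mentions.length + bareMentions > 0) verdict = "string-mention-only";
  return { loads, mentions, bareMentions, verdict };
}

const MIN_REACT_ROUTER_DOM = "6.24.1"; // floor stated in the issue

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error("not a release version: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1 as a is below, equal to or above b (major.minor.patch only).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// `installed` maps package name to its resolved version, as read from a
// lockfile or node_modules/<pkg>/package.json (a resolved version, not a ^/~ range).
function reactRouterDomNeedsUpdate(installed, floor = MIN_REACT_ROUTER_DOM) {
  const v = installed["react-router-dom"];
  if (v === undefined) return false; // not installed, nothing to bump
  return compareSemver(v, floor) < 0;
}

// Constructed sample inputs, not real bundle contents or real library text.
const SAMPLES = {
  // A warning message that names the host but loads nothing from it.
  warningOnly:
    'function warnOnce() { console.warn("Feature X is unsupported; see https://polyfill.io for a polyfill"); }',
  // Markup that fetches and executes a script from the host.
  scriptTag:
    '<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6" crossorigin="anonymous"></script>',
  // Dynamic insertion of the same script.
  dynamicLoad:
    'var s = document.createElement("script"); s.src = "https://polyfill.io/v3/polyfill.min.js"; document.head.appendChild(s);',
  // Look-alike host that must not be counted.
  lookalike: '<script src="https://polyfill.io.example.net/x.js"></script>',
  clean: 'console.log("nothing to see here");',
};

// Constructed lockfile-style maps (hypothetical versions).
const INSTALLED_OLD = { "react-router-dom": "6.22.3", "react-router": "6.22.3" };
const INSTALLED_FIXED = { "react-router-dom": "6.24.1", "react-router": "6.24.1" };

function report() {
  const out = {};
  for (const name of Object.keys(SAMPLES)) out[name] = classifyPolyfillReferences(SAMPLES[name]).verdict;
  out.needsUpdateOld = reactRouterDomNeedsUpdate(INSTALLED_OLD);
  out.needsUpdateFixed = reactRouterDomNeedsUpdate(INSTALLED_FIXED);
  return out;
}

console.log(report());
```

Run the classifier over the built bundle that is actually deployed, not over the repository tree: a lockfile lists dev-only dependencies too, so a hit there does not mean the code ships, and a "string-mention-only" verdict on the bundle is the outcome this issue describes.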

@maheese maheese added the Phase 1 CAMPD & ECMPS 2.0 tickets label Jul 22, 2024
@mark-hayward-erg mark-hayward-erg changed the title Update the react-router-dom library to remove the polyfill.io term in the warning message Update the react-router-dom library to remove the polyfill.io term in the warning message (ECMPS/CAMPD 2.0) Aug 5, 2024
@maxdiebold-erg commented

The easey-design-system has @storybook/router as a Dev dependency, which has react-router and react-router-dom as dependencies. As a dev dependency, however, it will not be bundled into easey-design-system builds, and so it will not be in easey-ecmps-ui or easey-campd-ui application code.

We may still want to update storybook in easey-design-system at a later time, but this involves two major versions so it will require more effort.

@maxdiebold-erg maxdiebold-erg removed their assignment Aug 21, 2024
@mark-hayward-erg mark-hayward-erg changed the title Update the react-router-dom library to remove the polyfill.io term in the warning message (ECMPS/CAMPD 2.0) Update the react-router-dom library to remove the polyfill.io term in the warning message (ECMPS 2.0) Aug 22, 2024
@mark-hayward-erg commented
Testing will be covered by other ECMPS functionality testing (nothing specific to test, just regression testing).

@ibarra-michelle (Contributor) commented
UAT - refer to Mark's 09/06/2024 comment.

6 participants