backport of commit ab0a16c

.changelog/21715.txt

@@ -0,0 +1,3 @@
+```release-note:security
+ui: Pin a newer resolution of Codemirror
+```

.changelog/21726.txt

@@ -0,0 +1,3 @@
+```release-note:security
+UI: Remove codemirror linting due to package dependency
+```

.changelog/21735.txt

@@ -0,0 +1,3 @@
+```release-note:security
+ui: Pin a newer resolution of ansi-html
+```

.github/workflows/nightly-test-integrations-1.17.x.yml → .github/workflows/nightly-test-integrations-1.20.x.yml

@@ -1,7 +1,7 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
-name: Nightly test-integrations 1.17.x
+name: Nightly test-integrations 1.20.x
 
 on:
   schedule:
@@ -19,19 +19,12 @@ env:
   # strip the hashicorp/ off the front of github.repository for consul
   CONSUL_LATEST_IMAGE_NAME: ${{ endsWith(github.repository, '-enterprise') && github.repository || 'hashicorp/consul' }}
   GOPRIVATE: github.com/hashicorp # Required for enterprise deps
-  BRANCH: "release/1.17.x"
-  BRANCH_NAME: "release-1.17.x"   # Used for naming artifacts
+  BRANCH: "release/1.20.x"
+  BRANCH_NAME: "release-1.20.x"   # Used for naming artifacts
 
 jobs:
-  check-ent:
-    runs-on: ubuntu-latest
-    if: ${{ endsWith(github.repository, '-enterprise') }}
-    steps:
-      - run: echo "Building Enterprise"
-
   setup:
     runs-on: ubuntu-latest
-    needs: [check-ent]
     name: Setup
     outputs:
       compute-small: ${{ steps.runners.outputs.compute-small }}
@@ -48,16 +41,14 @@ jobs:
         run: .github/scripts/get_runner_classes.sh
 
   get-go-version:
-    needs: [check-ent]
     uses: ./.github/workflows/reusable-get-go-version.yml
     with:
-      ref: release/1.17.x
+      ref: release/1.20.x
 
   get-envoy-versions:
-    needs: [check-ent]
     uses: ./.github/workflows/reusable-get-envoy-versions.yml
     with:
-      ref: release/1.17.x
+      ref: release/1.20.x
 
   dev-build:
     needs:
@@ -68,7 +59,7 @@ jobs:
       runs-on: ${{ needs.setup.outputs.compute-large }}
       repository-name: ${{ github.repository }}
       uploaded-binary-name: 'consul-bin'
-      branch-name: "release/1.17.x"
+      branch-name: "release/1.20.x"
       go-version: ${{ needs.get-go-version.outputs.go-version }}
     secrets:
       elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
@@ -223,20 +214,21 @@ jobs:
           DATADOG_API_KEY: "${{ endsWith(github.repository, '-enterprise') && env.DATADOG_API_KEY || secrets.DATADOG_API_KEY }}"
           DD_ENV: ci
         run: datadog-ci junit upload --service "$GITHUB_REPOSITORY" $TEST_RESULTS_DIR/results.xml
-
+  
   upgrade-integration-test:
     runs-on: ${{ fromJSON(needs.setup.outputs.compute-large) }}
     needs:
       - setup
       - get-go-version
+      - get-envoy-versions
       - dev-build
     permissions:
       id-token: write # NOTE: this permission is explicitly required for Vault auth.
       contents: read
     strategy:
       fail-fast: false
       matrix:
-        consul-version: ["1.15", "1.16", "1.17"]
+        consul-version: ["1.15", "1.18", "1.19"]
     env:
       CONSUL_LATEST_VERSION: ${{ matrix.consul-version }}
       # ENVOY_VERSION should be the latest version supported by _all_ Consul versions in the
@@ -372,7 +364,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        consul-version: [ "1.15", "1.16", "1.17"]
+        consul-version: ["1.15", "1.18", "1.19"]
     env:
       CONSUL_LATEST_VERSION: ${{ matrix.consul-version }}
     steps:
@@ -460,7 +452,7 @@ jobs:
     - upgrade-integration-test
     - upgrade-integration-test-deployer
     runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
-    if: ${{ always() && endsWith(github.repository, '-enterprise') }}
+    if: ${{ always() }}
     steps:
       - name: evaluate upstream job results
         run: |

.github/workflows/security-scan.yml

@@ -9,38 +9,27 @@ on:
     branches:
       - main
       - release/**
+    paths-ignore:
+      - 'docs/**'
+      - 'grafana/**'
+      - '.changelog/**'
 
 # cancel existing runs of the same workflow on the same ref
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
 jobs:
-  conditional-skip:
-    runs-on: ubuntu-latest
-    name: Get files changed and conditionally skip CI
-    outputs:
-      skip-ci: ${{ steps.read-files.outputs.skip-ci }}
-    steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-        with:
-          fetch-depth: 0
-      - name: Get changed files
-        id: read-files
-        run: ./.github/scripts/check_skip_ci.sh
-
   setup:
-    needs: [conditional-skip]
     name: Setup
-    if: needs.conditional-skip.outputs.skip-ci != 'true'
     runs-on: ubuntu-latest
     outputs:
       compute-small: ${{ steps.setup-outputs.outputs.compute-small }}
       compute-medium: ${{ steps.setup-outputs.outputs.compute-medium }}
       compute-large: ${{ steps.setup-outputs.outputs.compute-large }}
       compute-xl: ${{ steps.setup-outputs.outputs.compute-xl }}
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - id: setup-outputs
         name: Setup outputs
         run: ./.github/scripts/get_runner_classes.sh
@@ -59,18 +48,18 @@ jobs:
       && (github.actor != 'dependabot[bot]') && (github.actor != 'hc-github-team-consul-core') }}
 
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ needs.get-go-version.outputs.go-version }}
 
       - name: Clone Security Scanner repo
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: hashicorp/security-scanner
-          token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }}
+          token: ${{ secrets.PRODSEC_SCANNER_READ_ONLY }}
           path: security-scanner
           ref: main
 
@@ -87,6 +76,6 @@ jobs:
           cat results.sarif | jq
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@c4fb451437765abf5018c6fbf22cce1a7da1e5cc # codeql-bundle-v2.17.1
+        uses: github/codeql-action/upload-sarif@8fd294e26a0e458834582b0fe4988d79966c7c0a # codeql-bundle-v2.18.4
         with:
-          sarif_file: results.sarif
+          sarif_file: results.sarif

.release/security-scan.hcl

@@ -38,11 +38,7 @@ container {
 		suppress {
 			# N.b. `vulnerabilites` is the correct spelling for this tool.
 			vulnerabilites = [
-				"CVE-2023-46218", # curl@8.4.0-r0
-				"CVE-2023-46219", # curl@8.4.0-r0
-				"CVE-2023-5678",  # openssl@3.1.4-r0
-				"CVE-2024-7264", # curl@8.9.0
-				"CVE-2024-8096", # curl@8.9.1-r0
+				"CVE-2024-8096", # curl@8.9.1-r2,
 			]
 			paths = [
 				"internal/tools/proto-gen-rpc-glue/e2e/consul/*",

.release/versions.hcl

@@ -6,6 +6,9 @@
 
 schema = 1
 active_versions {
+  version "1.20" {
+    ce_active = true
+  },
   version "1.19" {
     ce_active = true
   }

ui/package.json

@@ -24,7 +24,9 @@
     "ember-basic-dropdown": "3.0.21",
     "glob": "7.2.3",
     "braces": "^3.0.0",
-    "markdown-it": "^12.3.2"
+    "markdown-it": "^12.3.2",
+    "codemirror": "5.58.2",
+    "ansi-html": "0.0.8"
   },
   "engines": {
     "node": "18"

ui/packages/consul-ui/app/components/code-editor/index.js

@@ -11,8 +11,6 @@ const DEFAULTS = {
   lineNumbers: true,
   theme: 'hashi',
   showCursorWhenSelecting: true,
-  gutters: ['CodeMirror-lint-markers'],
-  lint: true,
 };
 export default Component.extend({
   settings: service('settings'),
@@ -51,7 +49,6 @@ export default Component.extend({
 
       const editor = this.editor;
       editor.setOption('mode', mode.mime);
-      this.helper.lint(editor, mode.mode);
       set(this, 'mode', mode);
     }
   },

ui/packages/consul-ui/app/services/code-mirror/linter.js

@@ -4,7 +4,6 @@
  */
 
 import Service, { inject as service } from '@ember/service';
-import lint from 'consul-ui/utils/editor/lint';
 const MODES = [
   {
     name: 'JSON',
@@ -41,10 +40,6 @@ export default class LinterService extends Service {
     return MODES;
   }
 
-  lint() {
-    return lint(...arguments);
-  }
-
   getEditor(element) {
     return this.dom.element('textarea + div', element).CodeMirror;
   }

ui/packages/consul-ui/ember-cli-build.js

@@ -206,13 +206,7 @@ module.exports = function (defaults, $ = process.env) {
       },
       codemirror: {
         keyMaps: ['sublime'],
-        addonFiles: [
-          'lint/lint.css',
-          'lint/lint.js',
-          'lint/json-lint.js',
-          'lint/yaml-lint.js',
-          'mode/loadmode.js',
-        ],
+        addonFiles: ['lint/lint.css', 'lint/yaml-lint.js', 'mode/loadmode.js'],
       },
       sassOptions: {
         implementation: require('sass'),
@@ -270,10 +264,7 @@ module.exports = function (defaults, $ = process.env) {
   // CSS.escape polyfill
   app.import('node_modules/css.escape/css.escape.js', { outputFile: 'assets/css.escape.js' });
 
-  // JSON linting support. Possibly dynamically loaded via CodeMirror linting. See components/code-editor.js
-  app.import('node_modules/jsonlint/lib/jsonlint.js', {
-    outputFile: 'assets/codemirror/mode/javascript/javascript.js',
-  });
+  // Possibly dynamically loaded via CodeMirror linting. See components/code-editor.js
   app.import('node_modules/codemirror/mode/javascript/javascript.js', {
     outputFile: 'assets/codemirror/mode/javascript/javascript.js',
   });

ui/packages/consul-ui/package.json

@@ -170,7 +170,6 @@
     "husky": "^4.2.5",
     "ivy-codemirror": "^2.1.0",
     "js-yaml": "^4.0.0",
-    "jsonlint": "^1.6.3",
     "lint-staged": "^10.2.11",
     "loader.js": "^4.7.0",
     "mnemonist": "^0.38.0",