4043 Snyk Med, node-fetch

[rfultz]

Questions

• Do we still want/need to do this upgrade if it doesn't address the vulnerability?
• Should we change [Snyk: Medium] package.json - Denial of Service (due 11/16/20) #4043 to can't fix?

Summary

• Doesn't really resolve # 4043 so I'm not linking it. Yet.

This ticket upgrades draftail to the most recent version, but even it requires the draft-js version in this vulnerability.

Draftail powers our page admin interface so is inside the locked admin area.

Complications:

• This ticket is about node-fetch
• node-fetch is being used by a dependency of a dependency of draft-js, which is only being used by Draftail.
• Draftail requires draft-js 0.10.5 and gives me a warning when I use a newer version (.5 is the last of 0.10 and 0.11.0 errs)
• For us, this ticket requires an upgrade of Draftail, which doesn't exist

More complications:
We may need to look into a new editor as there hasn't been a Draftail update since August 2019. There's an issue from August 2020 asking whether the Draftail project is dead with no replies

dependency tree: [email protected] › [email protected] › [email protected] › [email protected]

Impacted areas of the application

Our site admin editor

Screenshots

Should be no visible changes

Related PRs

None

How to test

• Pull the branch
• npm i
• npm run build-production
• ./manage.py runserver
• Go into the admin area of localhost:8000 or http://127.0.0.1:8000 and edit a couple pages
• Should be no difference from current functionality
• Unfortunately, snyk test still lists the vulnerability is [Snyk: Medium] package.json - Denial of Service (due 11/16/20) #4043

---

[rfultz]

Closing this because it doesn't really solve 4043. About to move #4043 to Blocked, too