
Update ua-parser-js and chart-js - critical CVEs #5275

Closed
jammsen opened this issue Aug 8, 2023 · 24 comments · Fixed by #5293

Comments

jammsen commented Aug 8, 2023

Describe the bug
Hello @Ylianst the dependencies or cross-deps have major CVE reports, please update the deps and release a "clean" version. Current Version is 1.1.8.

To Reproduce
Steps to reproduce the behavior:
Do a SBOM scan on this package via Sonatype Nexus

Expected behavior
Removal of CVEs through updating assets

Screenshots
[screenshot: SBOM scan results]

jammsen added the bug label Aug 8, 2023

jammsen (Author) commented Aug 8, 2023

Here is another screenshot for this.
[screenshot: SBOM scan results]

jammsen (Author) commented Aug 8, 2023

#5106 has had the same problem for months

si458 (Collaborator) commented Aug 8, 2023

Development is on hold! If you can upgrade the assets yourself manually and confirm all is good, I'm sure @Ylianst will accept a PR.

Last time I looked at the post, upgrading the graphs by increasing the number didn't work, so it wasn't straightforward.

jammsen (Author) commented Aug 8, 2023

What does "Development is on hold!" mean in reality?

si458 (Collaborator) commented Aug 8, 2023

#4795
#5257

jammsen (Author) commented Aug 8, 2023

I would just copy-paste the newest version of ua-parser.js and chart.js??? into the directory. But I have no means to test this, or can't really understand what is working and what's not. I never once used this software. I'm asking for our IT department, which has no developers. @si458

Is it as easy as replace the files?

si458 (Collaborator) commented Aug 8, 2023

Sadly, as I commented on ur other post from the other month:
When I tried copying and pasting the latest chart-js, everything fell flat on its face.
So there must be stuff that is different or changed in new releases, so I'll have to look when I get a chance.
I'm only a community member and look after meshcentral as I use it every day for myself.

si458 (Collaborator) commented Aug 8, 2023

@jammsen does ur test show which version of ua-parser-js is needed to PASS the test?
As there is a latest ua-parser-js 0.7.35 from April 2023?
So in theory the ua-parser.js file in the root of meshcentral in node_modules could be replaced with a built version in their repo?
https://github.com/faisalman/ua-parser-js/blob/0.7.x/dist/ua-parser.min.js

si458 (Collaborator) commented Aug 8, 2023

@jammsen #5276 should fix ua-parser-js for you.
I'll look into chart-js another time 👍

jammsen (Author) commented Aug 8, 2023

@si458 thanks
ua-parser-js was sadly the lower CVE one 😃
charts.js is in public/scripts/charts.js from what I can see, and from v2.7.2 to v4.3.3 ( https://github.com/chartjs/Chart.js/releases ) is a major jump. There will surely be some breaking changes. BUT maybe you can try this version: there was in the 2.X line one release with no critical CVE in it, maybe that doesn't break all of the stuff?

[screenshot: Chart.js release list]
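The two copies discussed in this thread (the vendored public/scripts/charts.js and the ua-parser.js under node_modules) are exactly what an SBOM scanner matches on, and the first question a maintainer has to answer is "which version is actually on disk?". The script below is an added example, not MeshCentral code and not the scanner's logic: it reads the version banner of each bundled file and compares it with a minimum version. The MIN_VERSIONS floors are assumptions taken from the versions named in this thread (0.7.35 for ua-parser-js, 4.3.3 for chart.js), not from an advisory database, and the file contents are constructed stand-ins.

```javascript
// Added example (not MeshCentral's own code): inventory bundled JavaScript
// libraries that an SBOM scanner would flag and compare each detected version
// against a minimum acceptable version. File contents below are CONSTRUCTED
// stand-ins for the real files; the thresholds are assumptions taken from the
// versions named in the thread, not from a CVE database.

const MIN_VERSIONS = {
  'ua-parser-js': '0.7.35', // assumed floor: the 0.7.x release mentioned in the thread
  'chart.js': '4.3.3',      // assumed floor: the release the thread says #5293 moves to
};

// Parse a "MAJOR.MINOR.PATCH" string (optional leading "v"; any suffix ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1 if a < b, 0 if equal, 1 if a > b (numeric per component, so 0.7.35 > 0.7.9).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Pull the version out of a bundled file's banner comment. Two common banner
// shapes are recognised: "Name vX.Y.Z" and "Version: X.Y.Z". Returns null when
// neither is present; that is itself a finding, because a file with no version
// marker can only be identified by hashing it against upstream release files.
function bannerVersion(text) {
  const head = text.slice(0, 2000); // banners live at the top of the file
  const m = /\bv(\d+\.\d+\.\d+)\b/.exec(head) || /Version:\s*(\d+\.\d+\.\d+)/.exec(head);
  return m ? m[1] : null;
}

// files: [{ path, name, text }] where name is the npm package name.
// Returns one finding per file; outdated is true, false, or null (unknown).
function auditBundled(files, minimums = MIN_VERSIONS) {
  return files.map(({ path, name, text }) => {
    const minimum = minimums[name] || null;
    const found = bannerVersion(text);
    let outdated = null;
    if (found && minimum) outdated = compareSemver(found, minimum) < 0;
    return { path, name, found, minimum, outdated };
  });
}

// Constructed sample inputs: the paths mirror the ones discussed in the thread,
// the banner text is invented for this example.
const SAMPLE_FILES = [
  { path: 'public/scripts/charts.js', name: 'chart.js',
    text: '/*!\n * Chart.js\n * http://chartjs.org/\n * Version: 2.7.2\n */\n(function(){})();' },
  { path: 'node_modules/ua-parser-js/dist/ua-parser.min.js', name: 'ua-parser-js',
    text: '/* UAParser.js v0.7.35\n   (constructed banner) */\n(function(){})();' },
  { path: 'public/scripts/ua-parser.js', name: 'ua-parser-js',
    text: '(function(){ /* minified copy with the banner stripped */ })();' },
];

console.table(auditBundled(SAMPLE_FILES));
```

The `null` row is the one to act on: a copy whose banner has been stripped still carries the old code, and a scanner that fingerprints by file hash will keep reporting it until the file itself is replaced, so "outdated: null" means "identify by hash, then replace", not "clean".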

jammsen (Author) commented Aug 8, 2023

Really hope that helps fingers crossed

si458 (Collaborator) commented Aug 8, 2023

I'll look into it again tomorrow when I'm stationary at my desk.
I tried upgrading to 2.9.4, if I remember, last time, but stuff stopped working.
And BTW love the 'activate windows' watermark 😆

jammsen (Author) commented Aug 8, 2023

"BTW love the 'activate windows' watermark 😆"
Yeah .... well ..... what can I say, Windows is weird with virtual machines where the motherboard id is sometimes changed; I have almost given up on always changing it 😎

jammsen (Author) commented Aug 8, 2023

Looking forward to hearing from you tomorrow if you find the time.

jammsen (Author) commented Aug 8, 2023

"@jammsen does ur test show which version of ua-parser-js is needed to PASS the test? As there is a latest ua-parser-js 0.7.35 from April 2023? So in theory the ua-parser.js file in the root of meshcentral in node_modules could be replaced with a built version in their repo? https://github.com/faisalman/ua-parser-js/blob/0.7.x/dist/ua-parser.min.js"

I did not see your question here, do you still need input on that?

si458 (Collaborator) commented Aug 13, 2023

@jammsen plz can u verify the latest release is ok with ua-parser-js now?
I'm still looking into chart-js for you 👍

jammsen (Author) commented Aug 13, 2023

@si458
[screenshot: ua-parser-js scan result, before and after]
Came down, better than before

si458 (Collaborator) commented Aug 13, 2023

That screenshot shows version 1.0.35?
The latest is 1.1.9?

jammsen (Author) commented Aug 13, 2023

"plz can u verify the latest release is ok with ua-parser-js now?"
That screenshot is for ua-parser.js, before to after; I thought that's what you wanted to know, sorry.

Do you have Discord by any chance to make communication easier?

si458 (Collaborator) commented Aug 13, 2023

same as github/email or unofficial meshcentral discord server - https://discord.gg/8wHC6ASWAc

Ylianst (Owner) commented Aug 16, 2023

#5276 was released with the latest MeshCentral. Let me know if this fixes it or more is needed.

jammsen (Author) commented Aug 16, 2023

@Ylianst ua-parser-js was fixed; the above CVEs 5 and 7 were fixed. Now it's only chart.js left, the CVE 9, the big one.

si458 (Collaborator) commented Aug 18, 2023

#5293 should update chart.js to 4.33 for you!
We lost the pretty shadows around the doughnuts, but I'll look at fixing them in the future if people want them back.

jammsen (Author) commented Aug 21, 2023

@Ylianst Do you have an ETA for when you'll have time to review this?
I would like to security scan the next release.
