Bumped up packages:
* glob
* globals
* jest
* @quasar/app-webpack
Yarn resolutions added
- `serialize-javascript: ^7.0.3` — fixes high-severity RCE vulnerability
via RegExp.flags/Date.toISOString() (CVE in terser-webpack-plugin and
@quasar/ssr-helpers paths)
- `**/postcss-svgo/svgo: ^4.0.1` — fixes high-severity Billion Laughs
DoS (XML entity expansion) in cssnano's SVG optimization pipeline
- `dot-object/minimatch: ^3.1.2` — fixes high-severity ReDoS in
dot-object's glob dependency
- `**/flatted: 3.4.0` — fixes high-severity unbounded recursion DoS
in eslint and eslint-webpack-plugin's caching layer
What remains (30 vulnerabilities — all upstream-blocked)
The remaining vulnerabilities are entirely confined to dev-only
tooling and cannot be fixed without upstream releases:
- minimatch ReDoS across jest, @vue/test-utils, jest-serializer-vue,
@quasar/app-webpack, @quasar/quasar-app-extension-testing-unit-jest
- ajv ReDoS across eslint, eslint-webpack-plugin, @quasar/app-webpack
- webpack SSRF (buildHttp feature, not used in this project)
- qs DoS in webpack-dev-server's express (local dev only)
- esbuild dev server CORS issue (local dev only)
- vue-template-compiler XSS (no patch available upstream)
- tmp symlink issue, @tootallnate/once control flow (test tooling only)
Change-Id: I72f34757538f97bb3495a57d7f0263df58102f1e
(cherry picked from commit 1ebe3c0683)
Update axios to version 1.13.5 to fix a
denial-of-service issue in mergeConfig when
using a malicious config object.
Change-Id: I4c1d2b3de42d7ab854ffaaee07e30fcb98d4cadc
(cherry picked from commit d62d29bfc1)
- force @isaacs/brace-expansion 5.0.1 (patches minimatch/glob issue)
- force qs 6.14.1 (patches express/body-parser issue from quasar tooling)
- force tar 7.5.7 (patches node-gyp/tar issue pulled via npm)
- note: npm itself has no patch plus the dep was not used so we
removed it.
NGCP-Flow: mr11.5
Change-Id: I9acd8e3c992d0678b39ca4f1722df5a2ce8f225c
Bump axios from previous version to 1.13.1 for security and stability improvements
Change-Id: I3855f02d71837f0b6c7e86590f6b8e5ab16d2cb4
(cherry picked from commit 3a6f992f4a)
Remove stylus library as it has malware
and it is not used in the repo.
We are not backporting the trunk commit
as currently the two branches have huge
differences with regard to lib versions.
NGCP-Flow: mr11.5
Change-Id: Iad196ce9d02e80a5775a1e4f3138e554b1a36d37
After backporting dependencies
upgrade with commits:
- d2ff287a63
- c189b98ad2
we were left with two high
vulnerabilities. We are
resolving those with this commit
NGCP-Flow: mr11.5
Change-Id: I15cc6c23643e289fbab0d18c6d426fe5b6ad112a
Resolved 21 out of 22 vulnerabilities (1 Low, 6 Moderate, 15 High).
Only vulnerability left is a moderate one from "vue-template-compiler",
a dependency of @quasar/quasar-app-extension-testing-unit-jest.
Tried the yarn resolution method too, however the version
needed to resolve the vulnerability is not compatible
with our current setup.
Change-Id: I5477c791542196d14dcb6b809c76c4981c8a0973
(cherry picked from commit 09f639c935)
To clean up the situation a bit, we upgrade all possible
dependencies to resolve vulnerability alerts and
adapt the code where necessary.
* Started with 89 vulnerabilities.
Severity: 13 Low, 44 Moderate, 32 High
* Result: 1 vulnerability.
Severity: 1 Moderate
Change-Id: Ic0d9f1aa7c05ea5cb01980e8e110260b4f5dc534
(cherry picked from commit 3d0180e9e6)
- Enable and disable camera during the call
- Enable and disable screen during the call
- Switch from camera to screen and back
- Send in-band DTMF
- Send "603 Decline" on termination
Change-Id: Ife56ca49cadade44ee9b70b77b3f345b262be9d9
Note: to test it you can add some JS code with translations in a commented block. That translation should not appear in the en.json file if you execute the "yarn run i18n:extract" command.
Change-Id: I79f6a8358f3a52578b58044eb02169aaccf62123
- TT#128156 Add QR-Code button to the header
- TT#128157 Add QR-Code render library
- TT#128158 Implement QR-Code generation
- TT#129205 Render QR-Code in the popup
- TT#129224 Create store test and api test (including endpoint mockup)
NOTE
You need to enable sip_phone.show_qr_csc in /etc/ngcp-config/config.yml of your environment to be able to see the QR code icon
Change-Id: Ifa065ef057549696387026c5a62cf0f5297ffb05
AC:
Can run a script from package.json "i18n:extract" to add new translation keys found in source files
Can see the new translation in all language files
Can see an empty string but the key for untranslated phrases
Can see all language files synchronised based on the english translation
Change-Id: I7181a5224836f5e8f275cee4c975cb6d5199d8c0
AC:
Can add forwarding
Can alter forwarding
Can remove forwarding
Can enable forwarding
Can disable forwarding
Can enable that primary number rings
Can disable that primary number rings
Can forward to Number
Can forward to Voicebox
Can forward to Fax2Mail
Can forward to ManagerSecretary
Can forward to Conference
Can create SourceSet
Can assign number to SourceSet
Can remove number from SourceSet
Can change name of the SourceSet
Can search for existing SourceSets
Can assign an existing SourceSet
Can assign TimeSet (Date)
Can delete TimeSet (Date)
Can assign TimeSet (Date range)
Can delete TimeSet (Date range)
Can assign TimeSet (Weekdays)
Can delete TimeSet (Weekdays)
Can assign TimeSet (Office Hours)
Can delete TimeSet (Office Hours)
Change-Id: If5e5267e229a20947e0278212f59349d9e2eb7be
AC:
Can manage loading states without implementing boilerplate store code
Can use the Vue.$wait plugin in the context of a vue component
Can start a loading context with $wait.start('loading-context')
Can check the loading state of a context with $wait.is('loading-context')
Can end a loading context with $wait.end('loading-context')
Sources:
https://github.com/f/vue-wait
Change-Id: I4318729e5193bc362b4f13186d3f2f16dac90e8b
The Quasar Framework has released a new PATCH Version 1.14.3 and we intend to upgrade it by using "quasar upgrade" and "quasar upgrade -i".
Not only the quasar package, but also the Extras and the QuasarApp package are going to be upgraded.
Change-Id: I668209bdc09586b60cf5a78451b51b0f1045a449
This change fixes dependencies according to the audit report that was created by "yarn audit".
The issues were fixed by using "yarn-audit-fix --package-lock-only".
Change-Id: I460637353254b0186e6348b4407d2dcdeb6982b0