- Removed `crypto-browserify` from package.json and quasar.config.js
(unused webpack polyfill that was bundling vulnerable bn.js and
elliptic into the production build)
Bumped up packages:
* glob
* globals
* jest
* @quasar/app-webpack
Yarn resolutions added
- `serialize-javascript: ^7.0.3` — fixes high-severity RCE vulnerability
via RegExp.flags/Date.toISOString() (CVE in terser-webpack-plugin and
@quasar/ssr-helpers paths)
- `**/postcss-svgo/svgo: ^4.0.1` — fixes high-severity Billion Laughs
DoS (XML entity expansion) in cssnano's SVG optimization pipeline
- `dot-object/minimatch: ^3.1.2` — fixes high-severity ReDoS in
dot-object's glob dependency
- `**/flatted: 3.4.0` — fixes high-severity unbounded recursion DoS
in eslint and eslint-webpack-plugin's caching layer
What remains (30 vulnerabilities — all upstream-blocked)
The remaining vulnerabilities are entirely confined to dev-only
tooling and cannot be fixed without upstream releases:
- minimatch ReDoS across jest, @vue/test-utils, jest-serializer-vue,
@quasar/app-webpack, @quasar/quasar-app-extension-testing-unit-jest
- ajv ReDoS across eslint, eslint-webpack-plugin, @quasar/app-webpack
- webpack SSRF (buildHttp feature, not used in this project)
- qs DoS in webpack-dev-server's express (local dev only)
- esbuild dev server CORS issue (local dev only)
- vue-template-compiler XSS (no patch available upstream)
- tmp symlink issue, @tootallnate/once control flow (test tooling only)
Change-Id: I72f34757538f97bb3495a57d7f0263df58102f1e
(cherry picked from commit 1ebe3c0683)
(cherry picked from commit 0cb639dc46)
Update axios to version 1.13.5 to fix a
denial‑of‑service issue in mergeConfig when
using malicious config object.
Change-Id: I4c1d2b3de42d7ab854ffaaee07e30fcb98d4cadc
(cherry picked from commit d62d29bfc1)
(cherry picked from commit 5221556390)
- force @isaacs/brace-expansion 5.0.1 (patches minimatch/glob issue)
- force qs 6.14.1 (patches express/body-parser issue from quasar tooling)
- force tar 7.5.7 (patches node-gyp/tar issue pulled via npm)
- note: npm itself has no patch plus the dep was not used so we
removed it.
Change-Id: Ic145cbc509d80cf9d96b9a053de1ce0a7d8dc5a8
(cherry picked from commit cecc11ab30)
(cherry picked from commit d53bfaed5e)
Bump axios from previous version to 1.13.1 for security and stability improvements
Change-Id: I3855f02d71837f0b6c7e86590f6b8e5ab16d2cb4
(cherry picked from commit 3a6f992f4a)
(cherry picked from commit e74180db53)
This update introduced many breaking changes.
Listed here the most important ones:
* quasar.conf.js file has been renamed
quasar.config.js.
* Quasar v4 replaced the old /src/index.template.html
with a new /index.html at the root of the project.
The special comment <!-- quasar:entry-point -->
is used to inject scripts/styles automatically.
* Use setupMiddlewares instead of onBeforeSetupMiddleware.
* proxy is now an array of proxy config objects.
* Dropped support for Vuex. We can still use Vuex as any
Vue plugin, but we have to manage everything (installing the
store, no store parameter in boot files, etc.).
We'll migrate to Pinia asap.
* Updated postcssrc according to docs
Change-Id: I585a3e2d17f666d9ca2773fa446d644f0fc201a2
* Run yarn outdated and run through the list
to upgrade all libs but @quasar/app-webpack
and related libs. this will be done in a
separate commit.
* Remove parseuri because it is not used anywhere
in fact the project has a custom SIP URI parsing
implementation in sip-uri-parse.js.
* Remove jwt-decode because it is not used in fact
JWT decoding is manually implemented using native
browser functions.
* Updating to glob@11 where the glob.sync() method
is no longer accessible, but requires to be
imported directly from globModule.
* Remove eventsource:
- No Direct Usage: I could not find any direct imports,
requires, or uses of the eventsource package or
EventSource APIs in the codebase.
- Security Updates: The package was updated on
January 11, 2023, from version 1.1.1 to 2.0.2 as
part of a security updates (MT#56339).
- No Indirect Dependencies: The yarn why eventsource
command confirmed that no other packages depend on
eventsource.
- No Build Process Integration: I didn't find any
references to eventsource in the build config files
or webpack configurations.
- No SSE Implementation: While we handle media streams
for calls, in my understanding they use WebRTC or
similar technologies, not Server-Sent Events which,
in my understanding, is what eventsource is designed
for.
* Remove eslint-plugin-standard as it's not longer needed
by standard and eslint-config-standard.
* Upgrading eslint-plugin-vue required adding
vue-eslint-parser as a peer dependency and
required some changes to since new warnings.
Change-Id: I8f582275ae344f0ede7520136deba30c4d94ffd7
Resolved 21 out of 22 vulnerabilities (1 Low, 6 Moderate, 15 High).
Only vulnerability left is a moderate one from "vue-template-compiler",
a dependency of @quasar/quasar-app-extension-testing-unit-jest.
Tried the yarn resolution method too, however the version
needed to resolve the vulnerability is not compatible
with our current setup.
Change-Id: I5477c791542196d14dcb6b809c76c4981c8a0973
Migrating from ^8.10.0 to 9.14.0 had breaking changes.
* We moved to a flat configuration and changed the amended the script to run lint.
* We upgraded all eslint relevant libraries/plugins.
* We opened another ticket to review all the console.log/debug/info present in the repo.
Change-Id: Ie1e2c1ef49fc09cddbd9cc639505a1a65917bd35
To clean up a bit the situation we upgrade all possible
dependencies to resolve vulnerabilities alerts and
adapt the code where necessary.
* Started with 89 vulnerabilities.
Severity: 13 Low, 44 Moderate,32 High
* Result: 1 vulnerability.
Severity: 1 Moderate
Change-Id: Ic0d9f1aa7c05ea5cb01980e8e110260b4f5dc534
- remove some spaces and some code in comment
- change icon for upload
- adding an error for the number when it is duplicated in add/edit pages
Change-Id: I3f1ca01e70a1b3bcf068bdea3c5cc98668f74c9f
The jest module cannot be found after the update due
to a wrong transformation:
07:46:39 yarn run v1.22.19
07:46:39 $ jest --updateSnapshot
07:46:39 ● Validation Error:
07:46:39
07:46:39 Module vue-jest in the transform option was not found.
07:46:39 <rootDir> is: /tmp/code
07:46:39
07:46:39 Configuration Documentation:
07:46:39 https://jestjs.io/docs/configuration
This commit fixes the transformation and points to the new
'@vue/vue3-jest'
Change-Id: If781a23155352d0e3275c064bbca92d17076dbad
- Enable and disable camera during the call
- Enable and disable screen during the call
- Switch from camera to screen and back
- Send in-band DTMF
- Send "603 Decline" on termination
Change-Id: Ife56ca49cadade44ee9b70b77b3f345b262be9d9
Note: to test it you can add some JS code with translations in commented block. That translation should not apper in en.json file if you execute "yarn run i18n:extract" command
Change-Id: I79f6a8358f3a52578b58044eb02169aaccf62123
- TT#128156 Add QR-Code button to the header
- TT#128157 Add QR-Code render library
- TT#128158 Implement QR-Code generation
- TT#129205 Render QR-Code in the popup
- TT#129224 Create store test and api test (including endpoint mockup)
NOTE
You need to enable sip_phone.show_qr_csc in /etc/ngcp-config/config.yml of your environment to be able to see the QR code icon
Change-Id: Ifa065ef057549696387026c5a62cf0f5297ffb05
AC:
Can run a script from package.json "i18n:extract" to add new translation keys found in source files
Can see the new translation in all language files
Can see an empty string but the key for untranslated phrases
Can see all language files synchronised based on the english translation
Change-Id: I7181a5224836f5e8f275cee4c975cb6d5199d8c0
AC:
Can add forwarding
Can alter forwarding
Can remove forwarding
Can enable forwarding
Can disable forwarding
Can enable that primary number rings
Can disable that primary number rings
Can forward to Number
Can forward to Voicebox
Can forward to Fax2Mail
Can forward to ManagerSecretary
Can forward to Conference
Can create SourceSet
Can assign number to SourceSet
Can remove number from SourceSet
Can change name of the SourceSet
Can search for existing SourceSets
Can assign an existing SourceSet
Can assign TimeSet (Date)
Can delete TimeSet (Date)
Can assign TimeSet (Date range)
Can delete TimeSet (Date range)
Can assign TimeSet (Weekdays)
Can delete TimeSet (Weekdays)
Can assign TimeSet (Office Hours)
Can delete TimeSet (Office Hours)
Change-Id: If5e5267e229a20947e0278212f59349d9e2eb7be
AC:
Can manage loading states without implementing boilerplate store code
Can use the Vue.$wait plugin in the context of a vue component
Can start a loading context with $wait.start('loading-context')
Can check the loading state of a context with $wait.is('loading-context')
Can end a loading context with $wait.end('loading-context')
Sources:
https://github.com/f/vue-wait
Change-Id: I4318729e5193bc362b4f13186d3f2f16dac90e8b
The Quasar Framework has released a new PATCH Version 1.14.3 and we intend to upgrade it by using "quasar upgrade" and "quasar upgrade -i".
Not only the quasar package, but also the Extras and the QuasarApp package are going to be upgraded.
Change-Id: I668209bdc09586b60cf5a78451b51b0f1045a449
Debora Crescenzo
nidrissi-zouggari
Hugo Zigha
Carlo Venusino
Hans-Peter Herzog
Sergii Leonenko