Update JS packages to latest versions (#9811)

[retornam]

Signed-off-by: Raymond Etornam retornam@users.noreply.github.com

---

^ Add meaningful description above

Read the Pull Request Guidelines for more information.
In case of fundamental code change, Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in UPDATING.md.

[potiuk]

You might want to add "Closes #9811 " in the commit message. Did you have a chance to test that the UI works after this upgrade @retornam ? Maybe some more people might test that one before we merge it (the UI is rather weakly tested) Summoning @apache/airflow-committers here.

[potiuk]

Also - even the limited tests here we have did not run because of "test-target" limitation. @retornam - can you please add "^airflow/www" to the patterns in script/ci/tools/ci_check_if_tests_should_be_run.sh to trigger them ?

Update: Ah no - no need to do that. It's another error I see.

[kaxil]

jquery 3.5.0 previously broke the pause/unpause functionality. Have you tested the webserver after the changes in the PR @retornam ?

[kaxil]

Details: dpgaspar/Flask-AppBuilder#1362 | #8613 | #8599

[retornam]

@kaxil I started the webserver, logged in but didn't test the example dags. I'll run more detailed testing and fix bugs I find.

[houqp]

@retornam while you are doing the tests, could you document and share with us on what UI functionalities you have tested? That way we can also double check on it with different data or see if any major feature is being missed.

[retornam]

Full details of what I did. I ended up upgrading each package separately. We cannot upgrade the following packages

• d3
• nvd3 (original package is no longer maintained and there are two active forks)
• jquery due to a bug with CSRF support in Flask App Builder 2.3.3 (jQuery upgrade) breaks CSRF on some Safari, Chrome dpgaspar/Flask-AppBuilder#1362
• moment ( upgrading to the new version broke moment support completely)

For UI testing, I checked the following pages

• /home
  • made sure there were no new JS errors / CSS errors in the console.
  • turned the example dags on and off
  • triggered dags button
  • clicked on tree view button
  • clicked on graph view button
  • clicked on task view button
  • clicked on task tries button
  • clicked on landing times button
  • clicked on the code button
  • clicked on the refresh button
  • clicked on the delete dag button
  • performed a search for a dag using the search button
  • filtered dags using the string example
  • reset the filtered dags
  • clicked on last run for the example_bash operator which I enabled
  • clicked on the successful, failed and running dag links
  • clicked on the recent tasks icon
  • switched tabs between all, active and paused
• /users/list/
  • added a new user
  • deleted a new user
    -/tree for a dag
  • verified it displays the tree
    -/graph for a dag
  • verified the graph renders
    -/duration for a dag
• verified the graph renders
  -/tries for a dag
• verified graph renders
  -/landing_times for a graph
• verified graph renders
  -/gant for a dag
• verified graph renders
  -/dag_details for a dag
• verified page logs
  -/code for a dag
• verified page loads
• verified the trigger dag, refresh dag and delete dag buttons work on all pages
• logged out
• logged in

I tried to cover as many pages that include the scripts moment.*.js, base.*.js and d3.min.js

[feluelle]

jquery due to a bug with CSRF support in Flask App Builder dpgaspar/Flask-AppBuilder#1362

@kaxil you answered that it was fixed in 2.3.4?! it isn't?

[feluelle]

I think d3 and nvd3 is not worth the time we need to spend to upgrade the UI.

If we build a new UI from scratch then we should keep that in mind or use a different library then d3.

[fengsi]

jquery due to a bug with CSRF support in Flask App Builder dpgaspar/Flask-AppBuilder#1362

@kaxil you answered that it was fixed in 2.3.4?! it isn't?

I believe "fixed" just means "FAB 2.3.4 reverted previous jQuery bump". It's not a fix but just a workaround.

[kaxil]

Yeah that is correct, jQuery 3.5 still causes issue

[feluelle]

Ah yeah I am remembering now.

[retornam]

@kaxil is anyone else looking at this? Its been a while now I dont want things to go too stale.

[kaxil]

I plan to include this in 1.10.12 (that would be released next week) so if no-one gets to it first, I will review it soon'ish

[potiuk]

I am also happy to do some testing during the weekend before we cut 1.10.12

[fengsi]

FYI: CSRF doesn't seem to work for Docker Desktop Kubernetes URL:
http://kubernetes.docker.internal/airflow/

It works on a "real" FQDN. One thing I noticed is the session cookie doesn't exist for kubernetes.docker.internal – could contribute to the CSRF issue. Not sure if it's a browser thing not issuing cookie or due to flask-wtf CSRF internals.

[kaxil]

@retornam I still see the following errors in Console on my deployment:

[kaxil]

Just want to thank you again @retornam for this PR as it eliminated some CVEs :)