mahoneycm
Contributor

@mahoneycm mahoneycm commented Aug 6, 2024

Summary

Removed the IE11 classlist-polyfill dependency that caused a DoS vulnerability

Breaking change

This is a potentially breaking change.

This polyfill added support for the classList property in IE11, which now has partial support.

Related issue

Closes #6008

Related pull requests

The remaining IE11 polyfills are removed in #4692

Preview link

Storybook preview →

Problem statement

The classlist-polyfill dependency was causing a DoS vulnerability affecting downstream projects.

Solution

Remove the polyfill now that IE11 is no longer officially supported.

Testing and review

  1. Run npm install and confirm there are no issues
  2. Run npm run start and confirm there are no build errors
  3. Use JS components and confirm there are no visual or functional regressions across browsers
  4. Confirm there are no additional references to the removed dependency that also need to be removed
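Step 4 of the checklist, scripted as an added example (not code from the USWDS project): it scans package.json, package-lock.json, and src/ for any leftover reference to the removed package. The function names and the sample project it checks are constructed for this demo.

```shell
# Added example, not part of the USWDS PR: step 4 of the testing checklist as a
# script. It reports any leftover reference to a removed npm dependency in the
# manifest, the lockfile, or source imports. The sample project is constructed.

# check_removed_dep DEP DIR: exit 0 when DEP is gone, 1 when references remain.
check_removed_dep() {
    dep="$1"; dir="$2"; found=0
    # package.json / package-lock.json: the name as a key or a node_modules/<name> entry
    for f in "$dir/package.json" "$dir/package-lock.json"; do
        if [ -f "$f" ] && grep -Eq "\"(node_modules/)?$dep\"" "$f"; then
            echo "manifest still references $dep: $f"; found=1
        fi
    done
    # src/: require(), ES import, or Sass @import of the package
    if [ -d "$dir/src" ]; then
        hits=$(grep -rnE "(require\(|import |from |@import )['\"]$dep" "$dir/src" || true)
        if [ -n "$hits" ]; then
            echo "source still imports $dep:"; echo "$hits"; found=1
        fi
    fi
    return $found
}

# make_fixture: constructed project that still carries the polyfill (the "before").
make_fixture() {
    d=$(mktemp -d); mkdir -p "$d/src/js"
    printf '{\n  "name": "demo",\n  "dependencies": {\n    "classlist-polyfill": "1.2.0",\n    "sass": "1.0.0"\n  }\n}\n' > "$d/package.json"
    printf '{\n  "name": "demo",\n  "packages": {\n    "node_modules/classlist-polyfill": { "version": "1.2.0" },\n    "node_modules/sass": { "version": "1.0.0" }\n  }\n}\n' > "$d/package-lock.json"
    printf 'require("classlist-polyfill");\nmodule.exports = {};\n' > "$d/src/js/polyfills.js"
    echo "$d"
}

# strip_dep DIR: the "after" state; each reference sits on its own line, so
# dropping those lines leaves valid JSON and JS behind.
strip_dep() {
    for f in "$1/package.json" "$1/package-lock.json" "$1/src/js/polyfills.js"; do
        grep -v 'classlist-polyfill' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Demo: the check must fail before the cleanup and pass after it.
demo() {
    d=$(make_fixture)
    check_removed_dep classlist-polyfill "$d" || echo "before cleanup: references remain"
    strip_dep "$d"
    check_removed_dep classlist-polyfill "$d" && echo "after cleanup: clean"
    rm -rf "$d"
}
demo
```

Point it at a real checkout with `check_removed_dep classlist-polyfill /path/to/repo`; a non-zero exit means the removal is incomplete.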

Dependency updates

| Dependency name    | Previous version | New version |
|--------------------|------------------|-------------|
| classlist-polyfill | 1.2.0            | -           |

@mahoneycm mahoneycm changed the title Remove classlist-polyfill and reference USWDS - Hotfix: Remove classlist-polyfill dependency Aug 6, 2024
@mahoneycm mahoneycm changed the base branch from develop to main August 6, 2024 19:37
@mahoneycm mahoneycm changed the base branch from main to release-3.8.2 August 6, 2024 21:37
@amyleadem amyleadem linked an issue Aug 6, 2024 that may be closed by this pull request
Contributor

@amyleadem amyleadem left a comment

Looks good to me. I was able to successfully complete the following:

  • Run npm install
  • Run npm start

Components work as expected in Chrome, Safari, and Firefox.

@amyleadem
Contributor

Oh, one small note: It might be good to add a note to the "Breaking change" section of the PR description that this will remove some IE11 support. Just think it would be good to be super clear in case there are projects that still support IE?

@thisisdano
Contributor

While this dependency has a potential DoS vulnerability via regex, we don't consider it exploitable from the front end of applications. Even so, it makes sense to remove this dependency.

@thisisdano thisisdano merged commit d7d222b into release-3.8.2 Aug 9, 2024
5 checks passed
@thisisdano thisisdano deleted the cm-remove-classlist-polyfill-main branch August 9, 2024 16:17
@thisisdano thisisdano mentioned this pull request Aug 9, 2024
claytonjbarnette added a commit to GSA/idmanagement.gov that referenced this pull request Aug 12, 2024
Updated USWDS to v3.8.2 
- [new release](https://github.com/uswds/uswds/releases/tag/v3.8.2)
- [Removed the `classlist-polyfill` dependency in issue 6012](uswds/uswds#6012)
Successfully merging this pull request may close these issues.

USWDS - Core: Remove classlist-polyfill dependency