Fix security issues. Change to using less instead of sass (as it has … (microsoft#5566)

* Fix security issues. Change to using less instead of sass (as it has a tar dependency) * Fix functional tests

Author: rchiodo

news/3 Code Health/5538.md

@@ -0,0 +1 @@
+Fix security issues.

package-lock.json

@@ -24,6 +24,7 @@
  "base16",
  "bintrees",
  "bootstrap",
+ "bootstrap-less",
  "character-entities-legacy",
  "character-reference-invalid",
  "classnames",

package.datascience-ui.dependencies.json

@@ -2186,11 +2186,11 @@
  "@babel/core": "^7.1.0",
  "@babel/preset-env": "^7.1.0",
  "@babel/preset-react": "^7.0.0",
+ "@nteract/plotly": "^1.47.1",
  "@nteract/transform-dataresource": "^4.3.5",
  "@nteract/transform-geojson": "^3.2.3",
  "@nteract/transform-model-debug": "^3.2.3",
  "@nteract/transform-plotly": "^5.0.0",
- "@nteract/plotly": "^1.47.1",
  "@nteract/transforms": "^4.4.4",
  "@types/chai": "^4.1.2",
  "@types/chai-arrays": "^1.0.2",
@@ -2240,6 +2240,7 @@
  "babel-plugin-transform-runtime": "^6.23.0",
  "babel-polyfill": "^6.26.0",
  "bootstrap": "^4.3.1",
+ "bootstrap-less": "^3.3.8",
  "chai": "^4.1.2",
  "chai-arrays": "^2.0.0",
  "chai-as-promised": "^7.1.1",
@@ -2259,7 +2260,7 @@
  "gulp": "^4.0.0",
  "gulp-azure-storage": "^0.9.0",
  "gulp-filter": "^5.1.0",
- "gulp-inline-source": "^3.2.0",
+ "gulp-inline-source": "^4.0.0",
  "gulp-json-editor": "^2.2.2",
  "gulp-rename": "^1.4.0",
  "gulp-sourcemaps": "^2.6.4",
@@ -2271,14 +2272,15 @@
  "istanbul": "^0.4.5",
  "jsdom": "^12.2.0",
  "json-loader": "^0.5.7",
+ "less": "^3.9.0",
+ "less-loader": "^5.0.0",
  "loader-utils": "^1.1.0",
- "mocha": "^6.0.2",
+ "mocha": "^6.1.4",
  "mocha-junit-reporter": "^1.17.0",
  "mocha-multi-reporters": "^1.1.7",
  "node-has-native-dependencies": "^1.0.2",
  "node-html-parser": "^1.1.13",
- "node-sass": "^4.11.0",
- "nyc": "^13.3.0",
+ "nyc": "^14.1.0",
  "raw-loader": "^0.5.1",
  "react": "^16.5.2",
  "react-codemirror": "^1.0.0",
@@ -2309,10 +2311,10 @@
  "url-loader": "^1.1.1",
  "uuid": "^3.3.2",
  "vsce": "^1.59.0",
- "vscode": "^1.1.30",
+ "vscode": "^1.1.33",
  "vscode-debugadapter-testsupport": "^1.27.0",
  "webpack": "^4.20.2",
- "webpack-bundle-analyzer": "^3.0.3",
+ "webpack-bundle-analyzer": "^3.3.2",
  "webpack-cli": "^3.1.2",
  "webpack-fix-default-import-plugin": "^1.0.3",
  "webpack-merge": "^4.1.4",

package.json

@@ -16,7 +16,7 @@ import { VariableExplorerEmptyRowsView } from './variableExplorerEmptyRows';
 
 import * as AdazzleReactDataGrid from 'react-data-grid';
 
-import './variableExplorerGrid.scss';
+import './variableExplorerGrid.less';
 
 interface IVariableExplorerProps {
  baseTheme: string;

src/datascience-ui/history-react/variableExplorer.tsx

@@ -1,14 +1,14 @@
 /* Import bootstrap, but prefix it all with our grid div so we don't clobber our history windows styles */
-#variable-explorer-data-grid {
- @import "~bootstrap/dist/css/bootstrap";
+#variable-explorer-data-grid { 
+ @import "~bootstrap-less/bootstrap/bootstrap.less"; 
 }
 
 #variable-explorer-data-grid .form-control {
- height: auto;
+ height: auto; 
  padding: 0px;
  font-size: inherit;
  font-weight: inherit;
- line-height: inherit;
+ line-height: inherit; 
  border-radius: 0px;
 }
 

src/datascience-ui/history-react/variableExplorerGrid.scss renamed to src/datascience-ui/history-react/variableExplorerGrid.less

@@ -40,9 +40,9 @@ export function initialize() {
  if (request === 'vscode-extension-telemetry') {
  return { default: vscMockTelemetryReporter };
  }
- // scss files need to be in import statements to be converted to css
+ // less files need to be in import statements to be converted to css
  // But we don't want to try to load them in the mock vscode
- if (/\.scss$/.test(request)) {
+ if (/\.less$/.test(request)) {
  return;
  }
  return originalLoad.apply(this, arguments);

src/test/vscode-mock.ts

@@ -88,12 +88,13 @@ module.exports = [
  }
  ]
  },
+ { test: /\.(png|woff|woff2|eot|ttf)$/, loader: 'url-loader?limit=100000' },
  {
- test: /\.scss$/,
+ test: /\.less$/,
  use: [
  'style-loader',
  'css-loader',
- 'sass-loader'
+ 'less-loader'
  ]
  }
  ]