Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resolve Frontend node_modules vulnerabilities (CRASM-1076) #763

Merged
merged 17 commits into from
Jan 17, 2025
Merged

Resolve Frontend node_modules vulnerabilities (CRASM-1076) #763

merged 17 commits into from
Jan 17, 2025
+1,790 βˆ’3,157

Conversation

hawkishpolicy
Copy link
Collaborator

Updating node packages to remove vulnerabilities.

πŸ—£ Description

πŸ’­ Motivation and context

πŸ§ͺ Testing

  • Tested locally.

βœ… Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All new and existing tests pass.

βœ… Pre-merge checklist

  • Revert dependencies to default branches.
  • Finalize version.

βœ… Post-merge checklist

  • Create a release.

@hawkishpolicy
Updated axios to 1.7.9
4ba44c0 
- addresses Server-Side Request Forgery
@hawkishpolicy
Updated express to 4.21.2
28aad6a 
- Affects vulnerable versions of body-parser, cookie, path-to-regexp, send, and serve-static.
@hawkishpolicy hawkishpolicy added the dependencies Pull requests that update a dependency file label Jan 16, 2025
@hawkishpolicy hawkishpolicy self-assigned this Jan 16, 2025
@hawkishpolicy
Updated cross-spawn to 7.0.6
644c13f 
- Addresses Regex Denial of Service (ReDoS) in cross-spawn.
@hawkishpolicy
Updated dompurify to 3.2.3
aed962c 
- Resolves case of malicious HTML using special nesting techniques to bypass depth checking.
- Resolves use of Prototype Pollution to weaken depth checking.
- Resolves vulnerability to nesting based mXSS.
@hawkishpolicy
Updated browser list
1346f2e 
- Installed caniuse 1.0.30001692
@hawkishpolicy
Updated import/usage of DOMPurify in ResultCard
456e47a
@hawkishpolicy
Installed version 2.5.8 of DOMPurify
7a524f9 
- the latest version contains the aforementioned vulnerabilities.
@hawkishpolicy
Updated fast-xml-parser to 4.5.1
259a132 
- Resolves ReDOS vulnerability at currency parsing.
@hawkishpolicy
Updated http-proxy-middleware to 3.0.3
9d2e8ba 
- Addresses DoS in hhtp-proxy-middleware.
@hawkishpolicy
Updated nanoid to 5.0.9
a2ec471 
- Addresses predictable results in nanoid generation when given non-integer values.
@hawkishpolicy
Merge remote-tracking branch 'origin/develop' into Frontend-Node-Modu…
5cbbdbd 
…les-CRASM-1076
@hawkishpolicy
Updated path-to-regexp to 8.2.0
7384ce6 
- Addresses the output of backtracking regular expressions.
@hawkishpolicy
Updated rollup to 2.79.2
21225cf 
- DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS.
@hawkishpolicy
Updated webpack to 5.97.1
4338d4f 
- Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS.
@hawkishpolicy
Ran npm audit fix
5316154 
- Addresses low level vulnerabilities relating to the following dependencies:
  - @aws-amplify/analytics
  - @aws-amplify/api
  - @aws-amplify/auth
  - @aws-amplify/cache
  - @aws-amplify/core
  - @aws-amplify/datastore
  - @aws-amplify/geo
  - @aws-amplify/interactions
  - @aws-amplify/notifications
  - @aws-amplify/predictions
  - @aws-amplify/pubsub
  - @aws-amplify/storage
@hawkishpolicy
Updated cookie to 1.0.2
1a42a4c
@hawkishpolicy
Updated universal-cookie to 7.2.2
341834c 
- Addresses instances where cookie accepts name, path, and domain with out of bounds characters.
- This could be a breaking change.
@hawkishpolicy hawkishpolicy marked this pull request as ready for review January 17, 2025 17:27
nickviola
nickviola approved these changes Jan 17, 2025
View reviewed changes
Copy link
Collaborator

@nickviola nickviola left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@schmelz21 schmelz21 merged commit 2c136b2 into develop Jan 17, 2025
13 of 14 checks passed
@schmelz21 schmelz21 deleted the Frontend-Node-Modules-CRASM-1076 branch January 17, 2025 20:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@schmelz21 schmelz21 schmelz21 approved these changes

@nickviola nickviola nickviola approved these changes

@aloftus23 aloftus23 Awaiting requested review from aloftus23 aloftus23 is a code owner

@cduhn17 cduhn17 Awaiting requested review from cduhn17 cduhn17 is a code owner

@Matthew-Grayson Matthew-Grayson Awaiting requested review from Matthew-Grayson Matthew-Grayson is a code owner

@rapidray12 rapidray12 Awaiting requested review from rapidray12 rapidray12 is a code owner

Assignees

@hawkishpolicy hawkishpolicy

Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@hawkishpolicy @nickviola @schmelz21