chore(deps): upgrade various vulnerable packages (#5573)

* chore(deps): pin `@babel/traverse` to fix vulnerability

GHSA-67hx-6x53-jw92

* chore(deps): remove unused & vulnerable `yaml` dependency

GHSA-f9xv-q969-pqx4

* chore(deps): upgrade `http-proxy-middleware` for vulnerability

Fixes a vulnerability in `follow-redirects` by updating the package that depends on it, `http-proxy-middleware`.

GHSA-74fj-2j2h-c42q

* chore(deps): update `vite` to avoid a vulnerability

See GHSA-c24v-8rfc-w8vw

* chore(deps): update `react-pdf` to mitigate a vulnerability

Updates to `[email protected]` to mitigate GHSA-87hq-q4gp-9wr4.

```
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ react-pdf vulnerable to arbitrary JavaScript execution │
│                     │ upon opening a malicious PDF with PDF.js               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ react-pdf                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <7.7.3                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.7.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps/admin/frontend > [email protected]                  │
│                     │                                                        │
│                     │ apps/design/frontend > [email protected]                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ GHSA-87hq-q4gp-9wr4      │
└─────────────────────┴────────────────────────────────────────────────────────┘
```

* chore(deps): update `nodemon` for transitive vulnerability

* chore(deps): upgrade from vulnerable `rollup` version

Upgrades rollup to work around GHSA-gcx4-mw62-g8wm.

```
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ DOM Clobbering Gadget found in rollup bundled scripts  │
│                     │ that leads to XSS                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ rollup                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=3.0.0 <3.29.5                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=3.29.5                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > @storybook/[email protected] > [email protected]      │
│                     │                                                        │
│                     │ . > @storybook/[email protected] > [email protected] >       │
│                     │ [email protected]                                          │
│                     │                                                        │
│                     │ . > @storybook/[email protected] >                      │
│                     │ @joshwooding/[email protected] │
│                     │ > [email protected] > [email protected]                           │
│                     │                                                        │
│                     │ ... Found 17 paths, run `pnpm why rollup` for more     │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ GHSA-gcx4-mw62-g8wm      │
└─────────────────────┴────────────────────────────────────────────────────────┘
```

apps/admin/backend/package.json

@@ -106,7 +106,7 @@
     "jest-watch-typeahead": "^2.2.2",
     "lint-staged": "11.0.0",
     "lodash.set": "^4.3.2",
-    "nodemon": "^2.0.20",
+    "nodemon": "^3.1.7",
     "sort-package-json": "^1.50.0",
     "supertest": "^6.0.1",
     "ts-jest": "29.1.1"

apps/admin/frontend/package.json

@@ -77,7 +77,7 @@
     "fetch-mock": "9.11.0",
     "fs-extra": "11.1.1",
     "history": "4.10.1",
-    "http-proxy-middleware": "1.0.6",
+    "http-proxy-middleware": "3.0.3",
     "identity-obj-proxy": "3.0.0",
     "js-file-download": "0.4.12",
     "js-sha256": "^0.9.0",
@@ -92,7 +92,7 @@
     "react": "18.3.1",
     "react-app-polyfill": "3.0.0",
     "react-dom": "18.3.1",
-    "react-pdf": "7.7.0",
+    "react-pdf": "7.7.3",
     "react-router-dom": "^5.3.4",
     "resolve": "1.18.1",
     "semver": "7.3.2",
@@ -147,7 +147,7 @@
     "lint-staged": "11.0.0",
     "sort-package-json": "^1.50.0",
     "ts-jest": "29.1.1",
-    "vite": "4.5.0"
+    "vite": "4.5.2"
   },
   "packageManager": "[email protected]",
   "vx": {

apps/admin/frontend/prodserver/package.json

@@ -5,8 +5,8 @@
   "main": "index.js",
   "dependencies": {
     "express": "4.18.2",
-    "http-proxy-middleware": "1.0.6",
+    "http-proxy-middleware": "3.0.3",
     "resolve": "1.18.1"
   },
   "packageManager": "[email protected]"
-}
+}

apps/admin/frontend/prodserver/setupProxy.js

@@ -6,16 +6,18 @@
 /* eslint-disable */
 /* istanbul ignore file */
 
-const resolve = require('resolve');
-const express = require('express');
+// @ts-check
+
 const { createProxyMiddleware: proxy } = require('http-proxy-middleware');
-const { dirname, join } = require('path');
 
 /**
  * @param {import('connect').Server} app
  */
 module.exports = function (app) {
-  app.use(proxy('/admin', { target: 'http://localhost:3004/' }));
-  app.use(proxy('/api', { target: 'http://localhost:3004/' }));
-  app.use(proxy('/dock', { target: 'http://localhost:3004/' }));
+  app.use(
+    proxy({
+      pathFilter: ['/api', '/dock'],
+      target: 'http://localhost:3004/',
+    })
+  );
 };

apps/central-scan/backend/package.json

@@ -92,7 +92,7 @@
     "jest-junit": "^16.0.0",
     "jest-watch-typeahead": "^2.2.2",
     "lint-staged": "11.0.0",
-    "nodemon": "^2.0.20",
+    "nodemon": "^3.1.7",
     "sort-package-json": "^1.50.0",
     "supertest": "^6.0.1",
     "ts-jest": "29.1.1"

apps/central-scan/frontend/package.json

@@ -66,7 +66,7 @@
     "dotenv-expand": "9.0.0",
     "events": "3.3.0",
     "fast-text-encoding": "^1.0.2",
-    "http-proxy-middleware": "1.0.6",
+    "http-proxy-middleware": "3.0.3",
     "js-file-download": "0.4.12",
     "normalize.css": "^8.0.1",
     "path": "^0.12.7",
@@ -127,7 +127,7 @@
     "sort-package-json": "^1.50.0",
     "ts-jest": "29.1.1",
     "type-fest": "^0.18.0",
-    "vite": "4.5.0"
+    "vite": "4.5.2"
   },
   "packageManager": "[email protected]",
   "vx": {

apps/central-scan/frontend/prodserver/package.json

@@ -5,7 +5,7 @@
   "main": "index.js",
   "dependencies": {
     "express": "4.18.2",
-    "http-proxy-middleware": "1.0.6"
+    "http-proxy-middleware": "3.0.3"
   },
   "packageManager": "[email protected]"
-}
+}

apps/central-scan/frontend/prodserver/setupProxy.js

@@ -6,27 +6,30 @@
 /* eslint-disable */
 /* istanbul ignore file */
 
+// @ts-check
+
 const { createProxyMiddleware: proxy } = require('http-proxy-middleware');
 
 /**
  * @param {import('connect').Server} app
  */
 module.exports = function (app) {
-  app.use(proxy('/central-scanner', { target: 'http://localhost:3002/' }));
-  app.use(proxy('/api', { target: 'http://localhost:3002/' }));
-  app.use(proxy('/dock', { target: 'http://localhost:3002/' }));
-
   app.use('/machine-config', (req, res, next) => {
     if (req.method === 'GET') {
       res.setHeader('Content-Type', 'application/json');
       res.end(
         JSON.stringify({
-          machineId: process.env.VX_MACHINE_ID || '0000',
-          codeVersion: process.env.VX_CODE_VERSION || 'dev',
+          machineId: process.env['VX_MACHINE_ID'] || '0000',
+          codeVersion: process.env['VX_CODE_VERSION'] || 'dev',
         })
       );
     } else {
       next();
     }
   });
+
+  app.use(proxy({
+    target: 'http://localhost:3002/',
+    pathFilter: ['/api', '/dock', '/central-scanner'],
+  }))
 };

apps/design/backend/package.json

@@ -91,7 +91,7 @@
     "jest-watch-typeahead": "^2.2.2",
     "lint-staged": "11.0.0",
     "lodash.get": "^4.4.2",
-    "nodemon": "^2.0.20",
+    "nodemon": "^3.1.7",
     "sort-package-json": "^1.50.0",
     "tmp": "^0.2.1",
     "ts-jest": "29.1.1"

apps/design/frontend/package.json

@@ -92,7 +92,7 @@
     "react": "18.3.1",
     "react-dom": "18.3.1",
     "react-flip-toolkit": "^7.1.0",
-    "react-pdf": "7.7.0",
+    "react-pdf": "7.7.3",
     "react-router-dom": "^5.3.4",
     "sanitize-html": "^2.13.0",
     "styled-components": "^5.3.11",
@@ -131,7 +131,7 @@
     "sort-package-json": "^1.50.0",
     "tmp": "^0.2.1",
     "ts-jest": "29.1.1",
-    "vite": "4.5.0"
+    "vite": "4.5.2"
   },
   "packageManager": "[email protected]",
   "vx": {

apps/mark-scan/backend/package.json

@@ -94,7 +94,7 @@
     "jest-junit": "^16.0.0",
     "jest-watch-typeahead": "^2.2.2",
     "lint-staged": "11.0.0",
-    "nodemon": "^2.0.20",
+    "nodemon": "^3.1.7",
     "sort-package-json": "^1.50.0",
     "ts-jest": "29.1.1"
   },

apps/mark-scan/frontend/package.json

@@ -71,7 +71,7 @@
     "dotenv": "16.3.1",
     "dotenv-expand": "9.0.0",
     "history": "4.10.1",
-    "http-proxy-middleware": "1.0.6",
+    "http-proxy-middleware": "3.0.3",
     "luxon": "^3.0.0",
     "normalize.css": "^8.0.1",
     "path": "^0.12.7",
@@ -124,7 +124,7 @@
     "node-fetch": "^2.6.0",
     "sort-package-json": "^1.50.0",
     "ts-jest": "29.1.1",
-    "vite": "4.5.0"
+    "vite": "4.5.2"
   },
   "engines": {
     "node": ">= 16"

apps/mark-scan/frontend/prodserver/package.json

@@ -5,7 +5,7 @@
   "main": "index.js",
   "dependencies": {
     "express": "4.18.2",
-    "http-proxy-middleware": "1.0.6"
+    "http-proxy-middleware": "3.0.3"
   },
   "packageManager": "[email protected]"
-}
+}

apps/mark-scan/frontend/prodserver/setupProxy.js

@@ -6,13 +6,18 @@
 /* eslint-disable */
 /* istanbul ignore file */
 
+// @ts-check
+
 const { createProxyMiddleware: proxy } = require('http-proxy-middleware');
 
 /**
  * @param {import('connect').Server} app
  */
 module.exports = function (app) {
-  app.use(proxy('/api', { target: 'http://localhost:3002/' }));
-  app.use(proxy('/dock', { target: 'http://localhost:3002/' }));
-  app.use(proxy('/card', { target: 'http://localhost:3001/' }));
+  app.use(
+    proxy({
+      pathFilter: ['/api', '/dock'],
+      target: 'http://localhost:3002/',
+    })
+  );
 };

apps/mark/backend/package.json

@@ -81,7 +81,7 @@
     "jest-junit": "^16.0.0",
     "jest-watch-typeahead": "^2.2.2",
     "lint-staged": "11.0.0",
-    "nodemon": "^2.0.20",
+    "nodemon": "^3.1.7",
     "sort-package-json": "^1.50.0",
     "ts-jest": "29.1.1"
   },

apps/mark/frontend/package.json

@@ -71,7 +71,7 @@
     "dotenv": "16.3.1",
     "dotenv-expand": "9.0.0",
     "history": "4.10.1",
-    "http-proxy-middleware": "1.0.6",
+    "http-proxy-middleware": "3.0.3",
     "luxon": "^3.0.0",
     "normalize.css": "^8.0.1",
     "path": "^0.12.7",
@@ -126,7 +126,7 @@
     "node-fetch": "^2.6.0",
     "sort-package-json": "^1.50.0",
     "ts-jest": "29.1.1",
-    "vite": "4.5.0"
+    "vite": "4.5.2"
   },
   "engines": {
     "node": ">= 16"

apps/mark/frontend/prodserver/package.json

@@ -5,7 +5,7 @@
   "main": "index.js",
   "dependencies": {
     "express": "4.18.2",
-    "http-proxy-middleware": "1.0.6"
+    "http-proxy-middleware": "3.0.3"
   },
   "packageManager": "[email protected]"
-}
+}

apps/mark/frontend/prodserver/setupProxy.js

@@ -6,13 +6,18 @@
 /* eslint-disable */
 /* istanbul ignore file */
 
+// @ts-check
+
 const { createProxyMiddleware: proxy } = require('http-proxy-middleware');
 
 /**
  * @param {import('connect').Server} app
  */
 module.exports = function (app) {
-  app.use(proxy('/api', { target: 'http://localhost:3002/' }));
-  app.use(proxy('/dock', { target: 'http://localhost:3002/' }));
-  app.use(proxy('/card', { target: 'http://localhost:3001/' }));
+  app.use(
+    proxy({
+      pathFilter: ['/api', '/dock'],
+      target: 'http://localhost:3002/',
+    })
+  );
 };

apps/scan/backend/package.json

@@ -100,7 +100,7 @@
     "jest-watch-typeahead": "^2.2.2",
     "lint-staged": "11.0.0",
     "nock": "^13.1.0",
-    "nodemon": "^2.0.20",
+    "nodemon": "^3.1.7",
     "sort-package-json": "^1.50.0",
     "supertest": "^6.0.1",
     "ts-jest": "29.1.1",

apps/scan/frontend/package.json

@@ -67,7 +67,7 @@
     "debug": "4.3.4",
     "dotenv": "16.3.1",
     "dotenv-expand": "9.0.0",
-    "http-proxy-middleware": "1.0.6",
+    "http-proxy-middleware": "3.0.3",
     "normalize.css": "^8.0.1",
     "path": "^0.12.7",
     "pluralize": "8.0.0",
@@ -118,7 +118,7 @@
     "react-app-polyfill": "3.0.0",
     "sort-package-json": "^1.50.0",
     "ts-jest": "29.1.1",
-    "vite": "4.5.0"
+    "vite": "4.5.2"
   },
   "packageManager": "[email protected]",
   "vx": {

apps/scan/frontend/prodserver/package.json

@@ -5,7 +5,7 @@
   "main": "index.js",
   "dependencies": {
     "express": "4.18.2",
-    "http-proxy-middleware": "1.0.6"
+    "http-proxy-middleware": "3.0.3"
   },
   "packageManager": "[email protected]"
-}
+}

apps/scan/frontend/prodserver/setupProxy.js

@@ -6,13 +6,18 @@
 /* eslint-disable */
 /* istanbul ignore file */
 
+// @ts-check
+
 const { createProxyMiddleware: proxy } = require('http-proxy-middleware');
 
 /**
  * @param {import('connect').Server} app
  */
 module.exports = function (app) {
-  app.use(proxy('/api', { target: 'http://localhost:3002/' }));
-  app.use(proxy('/dock', { target: 'http://localhost:3002/' }));
-  app.use(proxy('/card', { target: 'http://localhost:3001/' }));
+  app.use(
+    proxy({
+      pathFilter: ['/api', '/dock'],
+      target: 'http://localhost:3002/',
+    })
+  );
 };

libs/custom-scanner/package.json

@@ -47,7 +47,7 @@
     "jest-mock-extended": "^3.0.4",
     "jest-watch-typeahead": "^2.2.2",
     "ts-jest": "29.1.1",
-    "vite": "4.5.0"
+    "vite": "4.5.2"
   },
   "packageManager": "[email protected]"
-}
+}

libs/hmpb/package.json

@@ -78,7 +78,7 @@
     "sort-package-json": "^1.50.0",
     "tmp": "^0.2.1",
     "ts-jest": "29.1.1",
-    "vite": "4.5.0"
+    "vite": "4.5.2"
   },
   "engines": {
     "node": ">= 12"

libs/mark-flow-ui/package.json

@@ -111,7 +111,7 @@
     "styled-components": "^5.3.11",
     "ts-jest": "29.1.1",
     "util": "^0.12.4",
-    "vite": "4.5.0"
+    "vite": "4.5.2"
   },
   "peerDependencies": {
     "react": "18.3.1",

libs/ui/package.json

@@ -140,7 +140,7 @@
     "tmp": "^0.2.1",
     "ts-jest": "29.1.1",
     "util": "^0.12.4",
-    "vite": "4.5.0"
+    "vite": "4.5.2"
   },
   "peerDependencies": {
     "@tanstack/react-query": "4.32.1",