chore(deps): upgrade various vulnerable packages #5573
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixes a vulnerability in `follow-redirects` by updating the package that depends on it, `http-proxy-middleware`. GHSA-74fj-2j2h-c42q
Updates to `[email protected]` to mitigate GHSA-87hq-q4gp-9wr4. ``` ┌─────────────────────┬────────────────────────────────────────────────────────┐ │ high │ react-pdf vulnerable to arbitrary JavaScript execution │ │ │ upon opening a malicious PDF with PDF.js │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Package │ react-pdf │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Vulnerable versions │ <7.7.3 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Patched versions │ >=7.7.3 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Paths │ apps/admin/frontend > [email protected] │ │ │ │ │ │ apps/design/frontend > [email protected] │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ More info │ GHSA-87hq-q4gp-9wr4 │ └─────────────────────┴────────────────────────────────────────────────────────┘ ```
Upgrades rollup to work around GHSA-gcx4-mw62-g8wm. ``` ┌─────────────────────┬────────────────────────────────────────────────────────┐ │ high │ DOM Clobbering Gadget found in rollup bundled scripts │ │ │ that leads to XSS │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Package │ rollup │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Vulnerable versions │ >=3.0.0 <3.29.5 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Patched versions │ >=3.29.5 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Paths │ . > @storybook/[email protected] > [email protected] │ │ │ │ │ │ . > @storybook/[email protected] > [email protected] > │ │ │ [email protected] │ │ │ │ │ │ . > @storybook/[email protected] > │ │ │ @joshwooding/[email protected] │ │ │ > [email protected] > [email protected] │ │ │ │ │ │ ... Found 17 paths, run `pnpm why rollup` for more │ │ │ information │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ More info │ GHSA-gcx4-mw62-g8wm │ └─────────────────────┴────────────────────────────────────────────────────────┘ ```
jonahkagan
approved these changes
Oct 31, 2024
|
Thank you for the detailed consideration here Brian! I agree with your assessments and think that these changes are sufficient for v4 I may end up merging this on your behalf before I make images today, FYI |
arsalansufi
deleted the
3826-audit-vxsuite--kiosk-browser-dependecies-and-upgradeprune-where-possible
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Upgrades various packages past known vulnerable versions:
None of these were clearly exploitable, but the risk of the upgrades should be low as they're mostly development dependencies. The one that we do use in the application is
react-pdf, but I kept the upgrade as minimal as possible (7.7.0 → 7.7.3, current is 9.1.1).We still have a number of known vulnerable dependencies with
high,moderate, andlowseverity. None of the remaininghighones are clearly exploitable:lodash.setandlodash.setWith: used in tests and with no user-generated property pathspdfjs-distfor malicious PDFs: we only show PDFs we generatebraces: this is a transitive dependency oflint-stagedandstylelint, which take our code and paths as inputwsgiven too many headers: we don't use websockets, and we don't accept requests outsidelocalhostsemverDoS, but not in the way it is transitively used in our codebaseipvulnerability, used via development-only@storybook/*packagesbody-parservulnerability, used via development-only@storybook/*packagespath-to-regexpvulnerability, used byfetch-mockin tests,react-routerwith fixed vendor-provided strings, and@storybook/cliin development