GSA-TTS / tts.gsa.gov

Making the website work for people who make websites work
https://federalist-a2423046-fe43-4e75-a2ef-2651e5e123ca.sites.pages.cloud.gov/preview/gsa-tts/tts.gsa.gov/staging/

Update Node dependencies #95

Closed wesley-dean-gsa closed 1 month ago

wesley-dean-gsa commented 2 months ago
Results of grype linter (version 0.79.2)
See documentation on https://megalinter.io/7.13.0/descriptors/repository_grype/
-----------------------------------------------

❌ [ERROR] for workspace /tmp/lint
Linter raw log:
NAME              INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY 
braces            3.0.2      3.0.3     npm   GHSA-grv7-fg5c-xmjg  High      
ejs               3.1.9      3.1.10    npm   GHSA-ghr5-ch3p-vcr6  Medium    
express           4.17.3     4.19.2    npm   GHSA-rv95-896h-c2vc  Medium    
follow-redirects  1.15.4     1.15.6    npm   GHSA-cxjh-pqwp-8mfp  Medium    
luxon             2.3.1      2.5.2     npm   GHSA-3xq5-wjfh-ppjc  High      
nth-check         1.0.2      2.0.1     npm   GHSA-rp65-9cf3-cjxr  High      
pug               3.0.2      3.0.3     npm   GHSA-3965-hpx2-q597  Medium    
request           2.88.2               npm   GHSA-p8p7-x288-28g6  Medium    
semver            7.3.8      7.5.2     npm   GHSA-c2qf-rxjj-qqgw  Medium    
tough-cookie      2.5.0      4.1.3     npm   GHSA-72xf-g2v4-qvf3  Medium    
trim              0.0.1      0.0.3     npm   GHSA-w5p7-h5w8-2hfq  High      
ws                7.5.9      7.5.10    npm   GHSA-3h5v-q93c-6h6q  High      
ws                8.13.0     8.17.1    npm   GHSA-3h5v-q93c-6h6q  High
discovered vulnerabilities at or above the severity threshold
wesley-dean-gsa commented 2 months ago
Results of trivy linter (version 0.53.0)
See documentation on https://megalinter.io/7.13.0/descriptors/repository_trivy/
-----------------------------------------------

❌ [ERROR] for workspace /tmp/lint
Linter raw log:
2024-07-10T15:57:45Z    INFO    Need to update DB
2024-07-10T15:57:45Z    INFO    Downloading DB...       repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-10T15:57:52Z    INFO    Vulnerability scanning is enabled
2024-07-10T15:57:52Z    INFO    Misconfiguration scanning is enabled
2024-07-10T15:57:52Z    INFO    Need to update the built-in policies
2024-07-10T15:57:52Z    INFO    Downloading the built-in policies...
2024-07-10T15:57:55Z    INFO    [npm] To collect the license information of packages, "npm install" needs to be performed beforehand    dir="node_modules"
2024-07-10T15:57:56Z    INFO    Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2024-07-10T15:57:56Z    INFO    Number of language-specific files       num=1
2024-07-10T15:57:56Z    INFO    [npm] Detecting vulnerabilities...
2024-07-10T15:57:56Z    INFO    Detected config files   num=0

package-lock.json (npm)
=======================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ trim    │ CVE-2020-7753 │ HIGH     │ fixed  │ 0.0.1             │ 0.0.3         │ nodejs-trim: Regular Expression Denial of Service (ReDoS) in │
│         │               │          │        │                   │               │ trim function                                                │
│         │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2020-7753                    │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
wesley-dean-gsa commented 2 months ago

Needs #100 (PR #102) first so we can verify builds still work after updating the dependencies.

wesley-dean-gsa commented 2 months ago

A bunch of these are likely to be updated by Dependabot when #96 (PR #97) is done.

wesley-dean-gsa commented 1 month ago

An incorrect comment was added to this ticket saying that it could be closed out as all of the GHA dependencies were hash-pinned. That statement was meant for #94, not this issue.

wesley-dean-gsa commented 1 month ago

When #140 is merged, we can run npm audit fix to bring the Node dependencies up to date.