acatchpole commented 4 months ago

Pull Request Standards

[x] The title of the PR is accurate
[x] The title includes the type of change [HOTFIX, FEATURE, etc]
[x] The PR title includes the ticket number in format of [NRPTI-###]
[x] Documentation is updated to reflect change

Description

This PR includes the following proposed change(s): There were 17 critical vulnerabilities identified by npm audit. 14 of those have been addressed by the changes listed below.

Updated babel translator packages (dependency of jest)
Updated express version
Running npm audit fix applied non-breaking updates to several other packages

Not Done:

Update mongoose to >=5.13.20

Despite showing no breaking changes, updating to >=5.13.4 causes 2 test suites (nris datasource tests) to not run. They fail with the error require-at: not a directory: <my-project-dir>/api. The actual functionality that these tests describe appear to all work as intended on this version, but I was unable to diagnose what was causing the tests to fail.
This thread shows testers of the reported vulnerability unable to reproduce its affects. Given the time already invested in trying to resolve, and the evidence that the reported vulnerability is not actually 'critical', I am leaving this update undone.
Details of reported vulnerability -> https://github.com/advisories/GHSA-9m93-w8w6-76hh

Update BSON to >=1.1.4

BSON is a sub-dependancy of db-migrate-mongodb :| : │ db-migrate-mongodb > mongodb > mongodb-core > bson
That package has not been updated in 6 years
Details of reported vulnerability -> https://github.com/advisories/GHSA-v8w9-2789-6hhr