Dependabot (critical/High) - forms-flow-web

[antsand]

Dependabot link - https://github.com/bcgov/foi-flow/security/dependabot?q=is%3Aopen+manifest%3Aforms-flow-web%2Fpackage-lock.json

Upgrade to latest version of Nodejs before addressing these

• [x] - crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
• [x] - Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
• [x] - Cross-realm object access in Webpack 5
• [x] - Insufficient validation when decoding a Socket.IO packet
• [x] - ReDoS Vulnerability in ua-parser-js version
• [x] - minimatch ReDoS vulnerability
• [x] - Prototype Pollution in JSON5 via Parse Method
• [x] - decode-uri-component vulnerable to Denial of Service (DoS)
• [x] - Terser insecure use of regular expressions leads to ReDoS
• [x] - Moment.js vulnerable to Inefficient Regular Expression Complexity

[antsand]

After upgrading to Node 20, clearing a few unused packages and upgrading some critical packages all the high and critical dependabots are fixed.

[antsand]

Though there is no vulnerability related to React, it will be good to upgrade React to v18 after this dependabot fix