department-of-veterans-affairs / va.gov-cms

Editor-centered management for Veteran-centered content.
https://prod.cms.va.gov
GNU General Public License v2.0

Dependabot Critical Issue 1 of 3: Upgrade Babel #17100

Open maortiz-27-80 opened 8 months ago

maortiz-27-80 commented 8 months ago

User Story or Problem Statement

As of 01/30/24 as part of compliance with https://github.com/orgs/department-of-veterans-affairs/discussions/5, the CMS team has identified three (3) critical issues that need to be remediated. Details on this issue:

Impact

Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods.

Known affected plugins are:

- [ ] @babel/plugin-transform-runtime
- [ ] @babel/preset-env when using its useBuiltIns option
- [ ] Any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator

No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/traverse@7.23.2.

Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.

Workarounds

- [ ] Upgrade @babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version.
- [ ] If you cannot upgrade @babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions:

Acceptance Criteria

Team

Please check the team(s) that will do this work.

cc: @ndouglas @EWashb @BerniXiongA6 @michelle-dooley @gracekretschmer-metrostar
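As an added verification step for the workaround described in the issue (example code, not from the issue or the va.gov-cms project): a script that scans a parsed package-lock.json for every installed copy of @babel/traverse below the fixed 7.23.2, including nested copies under other packages that a single top-level upgrade may not replace. The lockfile object at the bottom is constructed for the demo; for a real check, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findVulnerableTraverse`.

```javascript
// Added example (not from the issue or the va.gov-cms repo): scan a parsed
// package-lock.json for copies of @babel/traverse older than the fixed 7.23.2.
// Handles lockfileVersion 2/3 ("packages" map) and 1 ("dependencies" tree).
const FIXED_TRAVERSE = [7, 23, 2]; // first patched @babel/traverse release

// "7.23.2" or "7.23.2-beta.1" -> [7, 23, 2]; null if not a plain semver core.
function parseVersion(v) {
  const parts = String(v).split(/[-+]/)[0].split(".").map(Number);
  return parts.length === 3 && parts.every(Number.isInteger) ? parts : null;
}

// True when version a is strictly older than version b (major, minor, patch).
function isOlder(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Return every @babel/traverse install path below the fix; unparseable
// versions are reported too, since they cannot be proven safe.
function findVulnerableTraverse(lock) {
  const hits = [];
  const check = (path, version) => {
    const parsed = parseVersion(version);
    if (!parsed || isOlder(parsed, FIXED_TRAVERSE)) hits.push({ path, version });
  };
  // v2/v3: keys are install paths such as "node_modules/@babel/traverse"
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key.endsWith("node_modules/@babel/traverse")) check(key, meta.version);
  }
  // v1: nested "dependencies" objects, one level per node_modules directory
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "@babel/traverse") check(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (lock.lockfileVersion === 1) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not the repo's): the top-level copy is fixed,
// but a nested copy under babel-loader is still on a vulnerable version.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@babel/traverse": { version: "7.23.2" },
    "node_modules/babel-loader/node_modules/@babel/traverse": { version: "7.22.8" },
  },
};
console.log(findVulnerableTraverse(sampleLock));
```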

gracekretschmer-metrostar commented 7 months ago

Email from @ndouglas on 2/5/2024 when asked about this task:

_They're security issues, but should be addressed by or at least include a frontend engineer who is familiar with the appearance and behavior of all of the components. This might cascade into other updates, touch many different parts of the frontend system, and become a substantial amount of work.

The outgoing CMS Team currently doesn't have any frontend engineers, and IIRC the incoming team doesn't either. Accelerated Publishing and Public Websites teams do; it's possible that this ticket should be reassigned or that a discussion should be held about who should be responsible for this.

I also don't know if perhaps the responsibilities of the CMS Team have changed.

Nate._

gracekretschmer-metrostar commented 7 months ago

@edmund-dunn

Hassantariq-MetroStar commented 7 months ago

@gracekretschmer-metrostar Needs someone from the accelerated publishing team or a Front-end developer intervention on this to complete. cc @edmund-dunn

gracekretschmer-metrostar commented 6 months ago

@Hassantariq-MetroStar I spoke to Edmund and we are still responsible for this ticket, but he said that we will need to ask either Accelerated Publishing or the Public Websites team to review and verify the update. When Amanda is back in the office, I will circle back with her to see if this is a task that she could do.

EWashb commented 6 months ago

@gracekretschmer-metrostar this issue will need coordination between either PW or AP. Let me know if you need my help routing. Any support we ask of them will need to be communicated ahead of time so that they may determine the lift and work it into an upcoming sprint dependent on capacity.

gracekretschmer-metrostar commented 6 months ago

Thanks, @EWashb. I will get with @timcosgrove today to discuss a plan of action for their support in reviewing.

gracekretschmer-metrostar commented 5 months ago

Per @timcosgrove: this issue cannot be resolved due to node version constraints. The platform team is working on the update that will allow moving node versions, but they have not gotten there yet.