iTwin / itwinjs-core

Monorepo for iTwin.js Library
https://www.itwinjs.org
MIT License

mitigate GHSA-qwcr-r2fm-qrc7 (backport #7146) [release/4.8.x] #7155

Closed mergify[bot] closed 2 months ago

mergify[bot] commented 2 months ago

Handle audit failures:
- body-parser: https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
- ~path-to-regexp: https://github.com/advisories/GHSA-9wv6-86v2-598j~

Packages updated:
- ~sinon -> ^18.0.1~
- body-parser -> ^1.20.3
- express -> ^4.20.0
- fetch-mock -> ~11.1.3

Working with @tcobbs-bentley to resolve the failing iOS tests after upgrade. Seems to be a Unicode issue related to this change in path-to-regexp. Working theory (from Travis):

it looks like both ID_Start and ID_Continue are special regex tokens. I found the following, and I'm not sure if it's related or not: https://stackoverflow.com/questions/71155109/invalid-regular-expression-invalid-property-name-in-character-class. Digging further, it looks like this regex will only work with full ICU (International Components for Unicode). The mobile build of Node does not have this (and probably cannot have it any time soon).

Also upgrade actions/upload-artifact@v2 -> actions/upload-artifact@v4 since v2 is no longer supported. This task is used in our extract-api action.

We'll get this through to unblock builds and take another look tomorrow.


This is an automatic backport of pull request #7146 done by Mergify.
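The theory above is that `\p{ID_Start}` / `\p{ID_Continue}` only compile on a V8 build with ICU, which the mobile Node build lacks. The following is an added example, not code from this PR or from path-to-regexp: it probes that capability at runtime by compiling a property-escape regex inside a try/catch, selects an ASCII identifier class when the probe fails, and shows how route-parameter parsing of the kind path-to-regexp does diverges between the two modes. The identifier classes, the `mode` field and the sample routes are constructed for the example.

```javascript
// Added example, not code from the itwinjs-core PR or from path-to-regexp:
// detect at runtime whether the engine supports Unicode property escapes
// (\p{ID_Start}, \p{ID_Continue}), which V8 only provides when Node is built
// with ICU, and fall back to an ASCII identifier class when it does not.

// Identifier character classes, kept as strings so the Unicode variant is only
// compiled when the runtime can handle it. A /\p{...}/u literal would make the
// whole module fail to parse on an engine without ICU.
const UNICODE_IDENT = "[$_\\p{ID_Start}][$\\u200c\\u200d\\p{ID_Continue}]*";
const ASCII_IDENT = "[$_A-Za-z][$_A-Za-z0-9]*";

function supportsUnicodePropertyEscapes() {
  try {
    // Compiling is enough: without ICU, V8 rejects the property name with
    // "Invalid property name" at RegExp construction time.
    new RegExp("\\p{ID_Start}", "u");
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err; // anything else is a real bug, not a missing feature
  }
}

// Choose the matcher for this runtime. `mode` is reported so callers can tell
// which behaviour they are getting (useful in test logs on constrained builds).
function buildIdentifierMatcher() {
  if (supportsUnicodePropertyEscapes()) {
    return {
      mode: "unicode",
      anchored: new RegExp("^" + UNICODE_IDENT + "$", "u"),
      param: new RegExp(":(" + UNICODE_IDENT + ")", "gu"),
    };
  }
  return {
    mode: "ascii",
    anchored: new RegExp("^" + ASCII_IDENT + "$"),
    param: new RegExp(":(" + ASCII_IDENT + ")", "g"),
  };
}

// True when `name` is a complete identifier under the selected class.
function isIdentifier(name, matcher = buildIdentifierMatcher()) {
  return matcher.anchored.test(name);
}

// Extract ":name" parameters from a route template, the kind of parsing
// path-to-regexp performs. In ASCII mode a non-ASCII name is cut short, which
// is exactly the sort of divergence a full-ICU vs. no-ICU runtime produces.
function extractParamNames(route, matcher = buildIdentifierMatcher()) {
  return Array.from(route.matchAll(matcher.param), (m) => m[1]);
}

// Constructed sample routes: one ASCII-only, one with a non-ASCII parameter.
const SAMPLE_ROUTES = ["/users/:id/posts/:postId", "/files/:größe"];

function demo() {
  const matcher = buildIdentifierMatcher();
  const results = {};
  for (const route of SAMPLE_ROUTES) {
    results[route] = extractParamNames(route, matcher);
  }
  return { mode: matcher.mode, results };
}

console.log(JSON.stringify(demo(), null, 2));
```

On a Node build with full ICU the second route yields `["größe"]`; on a build without it the probe returns false and the same route yields `["gr"]`, so a test that pins the Unicode result will fail there. Running the probe once at startup and logging `mode` makes that platform difference visible in CI output instead of surfacing as an unexplained regex SyntaxError.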

mergify[bot] commented 2 months ago

Cherry-pick of 9f4c8a4babd31819fbaa99c3dd3b5f7434db448e has failed:

On branch mergify/bp/release/4.8.x/pr-7146
Your branch is up to date with 'origin/release/4.8.x'.

You are currently cherry-picking commit 9f4c8a4bab.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
    modified:   .github/workflows/extract-api.yaml
    new file:   common/changes/@itwin/appui-abstract/mitigate-various-audit-failures_2024-09-11-17-04.json
    new file:   common/changes/@itwin/certa/mitigate-various-audit-failures_2024-09-11-17-04.json
    new file:   common/changes/@itwin/core-backend/mitigate-various-audit-failures_2024-09-11-17-04.json
    new file:   common/changes/@itwin/core-frontend/mitigate-various-audit-failures_2024-09-11-17-04.json
    new file:   common/changes/@itwin/core-quantity/mitigate-various-audit-failures_2024-09-11-17-04.json
    new file:   common/changes/@itwin/ecschema-editing/mitigate-various-audit-failures_2024-09-11-17-04.json
    new file:   common/changes/@itwin/ecschema-locaters/mitigate-various-audit-failures_2024-09-11-17-04.json
    new file:   common/changes/@itwin/ecschema-metadata/mitigate-various-audit-failures_2024-09-11-17-04.json
    new file:   common/changes/@itwin/express-server/mitigate-various-audit-failures_2024-09-11-17-04.json
    new file:   common/changes/@itwin/frontend-tiles/mitigate-various-audit-failures_2024-09-11-17-04.json
    new file:   common/changes/@itwin/map-layers-auth/mitigate-various-audit-failures_2024-09-11-17-04.json
    new file:   common/changes/@itwin/map-layers-formats/mitigate-various-audit-failures_2024-09-11-17-04.json
    new file:   common/changes/@itwin/presentation-backend/mitigate-various-audit-failures_2024-09-11-17-04.json
    new file:   common/changes/@itwin/presentation-common/mitigate-various-audit-failures_2024-09-11-17-04.json
    new file:   common/changes/@itwin/presentation-frontend/mitigate-various-audit-failures_2024-09-11-17-04.json
    modified:   core/backend/package.json
    modified:   core/ecschema-editing/package.json
    modified:   core/ecschema-locaters/package.json
    modified:   core/ecschema-metadata/package.json
    modified:   core/express-server/package.json
    modified:   core/frontend/package.json
    modified:   core/quantity/package.json
    modified:   extensions/frontend-tiles/package.json
    modified:   extensions/map-layers-auth/package.json
    modified:   extensions/map-layers-auth/src/test/ArcGisAccessClient.test.ts
    modified:   extensions/map-layers-formats/package.json
    modified:   extensions/map-layers-formats/src/test/ArcGisFeature/ArcGisFeatureProvider.test.ts
    modified:   full-stack-tests/backend/package.json
    modified:   full-stack-tests/core/package.json
    modified:   full-stack-tests/presentation/package.json
    modified:   presentation/backend/package.json
    modified:   presentation/common/package.json
    modified:   presentation/frontend/package.json
    modified:   test-apps/display-performance-test-app/package.json
    modified:   test-apps/display-test-app/package.json
    modified:   tools/certa/package.json
    modified:   ui/appui-abstract/package.json

Unmerged paths:
  (use "git add <file>..." to mark resolution)
    both modified:   common/config/rush/pnpm-config.json
    both modified:   common/config/rush/pnpm-lock.yaml
    both modified:   full-stack-tests/rpc/package.json

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally