search

pantheon-systems / drops-8

Pantheon Upstream for Drupal 8 Sites. Deprecated; please see https://github.com/pantheon-upstreams/drupal-composer-managed
GNU General Public License v2.0
80 stars 117 forks source link

Update to Drupal 9.5.6. For more information, see https://www.drupal.org/project/drupal/releases/9.5.6 #427

Closed pantheon-upstream closed 1 year ago

pantheon-upstream commented 1 year ago

Update from Drupal 9.1.0 to Drupal 9.5.6.

This is experimental. Do not merge.

guardrails[bot] commented 1 year ago

:warning: We detected 21 security issues in this pull request:

Hard-Coded Secrets (1)
Docs | Details ----- | -------- [:bulb:](https://docs.guardrails.io/docs/en/vulnerabilities/general/hard-coded_secrets.html?utm_source=ghpr#SecretKeyword) | Title: **Secret Keyword**, Severity: Medium
https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/modules/user/config/install/user.mail.yml#L34 More info on how to fix Hard-Coded Secrets in [General](https://docs.guardrails.io/docs/en/vulnerabilities/general/hard-coded_secrets.html?utm_source=ghpr). ---
Insecure Use of Regular Expressions (4)
Docs | Details ----- | -------- [:bulb:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_regular_expressions.html?utm_source=ghpr#security/detect-unsafe-regex) | Title: **Regex DOS (ReDOS)**, Severity: Medium
https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/misc/position.es6.js#L30 [:bulb:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_regular_expressions.html?utm_source=ghpr#security/detect-unsafe-regex) | Title: **Regex DOS (ReDOS)**, Severity: Medium
https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/misc/position.js#L13 [:bulb:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_regular_expressions.html?utm_source=ghpr#security/detect-unsafe-regex) | Title: **Regex DOS (ReDOS)**, Severity: Medium
https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/scripts/js/ckeditor5-types-documentation.js#L30 [:bulb:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_regular_expressions.html?utm_source=ghpr#security/detect-unsafe-regex) | Title: **Regex DOS (ReDOS)**, Severity: Medium
https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/scripts/js/vendor-update.js#L34 More info on how to fix Insecure Use of Regular Expressions in [JavaScript](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_regular_expressions.html?utm_source=ghpr). ---
Information Disclosure (1)
Docs | Details ----- | -------- [:bulb:](https://docs.guardrails.io/docs/en/vulnerabilities/php/information-disclosure.html?utm_source=ghpr#phpinfo-use) | Title: **Use of phpinfo()**, Severity: Medium
https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/modules/system/src/Controller/SystemInfoController.php#L62 More info on how to fix Information Disclosure in [PHP](https://docs.guardrails.io/docs/en/vulnerabilities/php/information-disclosure.html?utm_source=ghpr). ---
Insecure Processing of Data (3)
Docs | Details ----- | -------- [:bulb:](https://docs.guardrails.io/docs/en/vulnerabilities/php/insecure_processing_of_data.html?utm_source=ghpr#http-redirect-gr) | Title: **Insecure HTTP redirect**, Severity: Low
https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/.ht.router.php#L29 [:bulb:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_processing_of_data.html?utm_source=ghpr#javascript.lang.taint-frontend-html-injection) | Title: **Unescaped user input in HTML**, Severity: Medium
https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/modules/ckeditor5/js/ckeditor5.es6.js#L652 [:bulb:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_processing_of_data.html?utm_source=ghpr#javascript.lang.taint-frontend-html-injection) | Title: **Unescaped user input in HTML**, Severity: Medium
https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/modules/ckeditor5/js/ckeditor5.js#L291 More info on how to fix Insecure Processing of Data in [PHP](https://docs.guardrails.io/docs/en/vulnerabilities/php/insecure_processing_of_data.html?utm_source=ghpr) and [JavaScript](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_processing_of_data.html?utm_source=ghpr). ---
Insecure Use of Dangerous Function (6)
Docs | Details ----- | -------- [:bulb:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_dangerous_function.html?utm_source=ghpr#javascript.lang.eval-dom-frontend) | Title: **Dynamic evaluation of untrusted input (Frontend)**, Severity: Medium
https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/modules/ckeditor5/js/ckeditor5.admin.es6.js#L328 [:bulb:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_dangerous_function.html?utm_source=ghpr#javascript.lang.eval-dom-frontend) | Title: **Dynamic evaluation of untrusted input (Frontend)**, Severity: Medium
https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/modules/ckeditor5/js/ckeditor5.admin.es6.js#L737 [:bulb:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_dangerous_function.html?utm_source=ghpr#javascript.lang.eval-dom-frontend) | Title: **Dynamic evaluation of untrusted input (Frontend)**, Severity: Medium
https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/modules/ckeditor5/js/ckeditor5.admin.js#L184 [:bulb:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_dangerous_function.html?utm_source=ghpr#javascript.lang.eval-dom-frontend) | Title: **Dynamic evaluation of untrusted input (Frontend)**, Severity: Medium
https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/modules/ckeditor5/js/ckeditor5.admin.js#L386 [:bulb:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_dangerous_function.html?utm_source=ghpr#javascript.lang.eval-dom-frontend) | Title: **Dynamic evaluation of untrusted input (Frontend)**, Severity: Medium
https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/themes/olivero/js/second-level-navigation.es6.js#L81 [:bulb:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_dangerous_function.html?utm_source=ghpr#javascript.lang.eval-dom-frontend) | Title: **Dynamic evaluation of untrusted input (Frontend)**, Severity: Medium
https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/themes/olivero/js/second-level-navigation.js#L38 More info on how to fix Insecure Use of Dangerous Function in [JavaScript](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_dangerous_function.html?utm_source=ghpr). ---
Vulnerable Libraries (6)
Severity | Details ----- | -------- N/A | [pkg:npm/jake@10.8.5@10.8.5](https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/yarn.lock#L4144) (t) - **no patch available** Low | [pkg:npm/node-fetch@2.6.7@2.6.7](https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/yarn.lock#L4821) (t) - **no patch available** High | [pkg:npm/webpack@5.75.0@5.75.0](https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/yarn.lock#L6677) (t) upgrade to: *5.76.0* Medium | [pkg:npm/jquery-form@4.3.0@4.3.0](https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/yarn.lock#L4167) (t) - **no patch available** N/A | [pkg:npm/debug@2.6.9@2.6.9](https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/yarn.lock#L2791) (t) upgrade to: *3.1.0* High | [pkg:npm/minimatch@3.0.4@3.0.4](https://github.com/pantheon-systems/drops-8/blob/9d0eb2cc2bb0a5c4982ca5c31008b539740a8ff8/core/yarn.lock#L4648) (t) upgrade to: *3.0.5* More info on how to fix Vulnerable Libraries in [JavaScript](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/using_vulnerable_libraries.html?utm_source=ghpr).

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

pantheon-upstream commented 1 year ago

Superseeded by #428.