
Fix Moderate Backend Vulnerabilities Flagged by GitHub Actions #146

Conversation

Matthew-Grayson
Contributor

@Matthew-Grayson Matthew-Grayson commented Apr 2, 2024

Fix three moderate vulnerabilities related to express, follow-redirects, and jose.

🗣 Description

Bump express from 4.18.2 to 4.19.2
Bump follow-redirects from 1.15.4 to 1.15.6
Bump jose from 4.14.4 to 4.14.5
Bump es5-ext from 0.10.62 to 0.10.64
Add esniff 2.0.1 as es5-ext dependency
Bump body-parser from 1.20.1 to 1.20.2
Bump cookie from 0.5.0 to 0.6.0

💭 Motivation and context

Related to PR #143

🧪 Testing

GitHub Actions only flags 1 backend node vulnerability related to TypeORM. (This is being addressed in issue #147)
All unit tests pass and site functions as expected.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All future TODOs are captured in issues, which are referenced
    in code comments.
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All relevant repo and/or project documentation has been updated
    to reflect the changes in this PR.
  • Tests have been added and/or modified to cover the changes in this PR.
  • All new and existing tests pass.

✅ Pre-merge checklist

  • Revert dependencies to default branches.
  • Finalize version.

✅ Post-merge checklist

  • Create a release.

@Matthew-Grayson Matthew-Grayson self-assigned this Apr 2, 2024
@Matthew-Grayson Matthew-Grayson marked this pull request as ready for review April 8, 2024 14:05
@Matthew-Grayson Matthew-Grayson changed the title from "Fix Moderate Vulnerabilities Flagged by GitHub Actions" to "Fix Moderate Backend Vulnerabilities Flagged by GitHub Actions" Apr 8, 2024
Collaborator

@cduhn17 cduhn17 left a comment


LGTM

Collaborator

@nickviola nickviola left a comment


LGTM

@nickviola nickviola merged commit 2e95b52 into develop Apr 8, 2024
18 of 24 checks passed
@nickviola nickviola deleted the 143-address-failing-github-action-check-for-vulnerabilities-backend branch April 8, 2024 14:27
Successfully merging this pull request may close these issues.

Address Failing GitHub Action: Check for Vulnerabilities / backend
3 participants