
[Snyk] Upgrade: , , , , , , , axios, moment, oauth4webapi, react-hook-form, react-monaco-editor, react-redux, yaml #334

Open
wants to merge 1 commit into main
Conversation

psturc (Member) commented Sep 8, 2024


Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name | Versions | Released on
@badgateway/oauth2-client | from 2.3.0 to 2.4.0 (1 version ahead of your current version) | 2024-07-27 (a month ago)
@openid/appauth | from 1.3.1 to 1.3.2 (1 version ahead of your current version) | 2024-04-15 (5 months ago)
@patternfly/react-icons | from 4.93.6 to 4.93.7 (1 version ahead of your current version) | 2023-06-05 (a year ago)
@patternfly/react-catalog-view-extension | from 4.96.0 to 4.96.1 (1 version ahead of your current version) | 2023-08-31 (a year ago)
@patternfly/react-charts | from 6.94.19 to 6.94.21 (2 versions ahead of your current version) | 2023-06-05 (a year ago)
@reduxjs/toolkit | from 1.9.5 to 1.9.7 (2 versions ahead of your current version) | 2023-10-04 (a year ago)
@storybook/builder-webpack5 | from 7.6.17 to 7.6.20 (3 versions ahead of your current version) | 2024-06-24 (2 months ago)
axios | from 1.6.7 to 1.7.4 (9 versions ahead of your current version) | 2024-08-13 (25 days ago)
moment | from 2.29.4 to 2.30.1 (2 versions ahead of your current version) | 2023-12-27 (8 months ago)
oauth4webapi | from 2.10.3 to 2.11.1 (3 versions ahead of your current version) | 2024-06-20 (3 months ago)
react-hook-form | from 7.51.1 to 7.52.2 (7 versions ahead of your current version) | 2024-08-03 (a month ago)
react-monaco-editor | from 0.55.0 to 0.56.1 (2 versions ahead of your current version) | 2024-08-13 (25 days ago)
react-redux | from 8.1.1 to 8.1.3 (2 versions ahead of your current version) | 2023-10-01 (a year ago)
yaml | from 2.4.2 to 2.5.0 (4 versions ahead of your current version) | 2024-07-24 (a month ago)

Issues fixed by the recommended upgrade:

Issue | Score | Exploit Maturity
high severity Server-side Request Forgery (SSRF), SNYK-JS-AXIOS-7361793 | 761 | Proof of Concept
high severity Uncontrolled resource consumption, SNYK-JS-BRACES-6838727 | 761 | Proof of Concept
high severity Improper Input Validation, SNYK-JS-FOLLOWREDIRECTS-6141137 | 761 | Proof of Concept
high severity Regular Expression Denial of Service (ReDoS), SNYK-JS-SEMVER-3247795 | 761 | Proof of Concept
high severity Path Traversal, SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555 | 761 | Proof of Concept
medium severity Open Redirect, SNYK-JS-EXPRESS-6474509 | 761 | No Known Exploit
medium severity Information Exposure, SNYK-JS-FOLLOWREDIRECTS-6444610 | 761 | Proof of Concept
medium severity Cross-site Scripting (XSS), SNYK-JS-SERIALIZEJAVASCRIPT-6147607 | 761 | Proof of Concept
medium severity Cross-site Scripting (XSS), SNYK-JS-WEBPACK-7840298 | 761 | Proof of Concept
Release notes
Package name: @badgateway/oauth2-client
  • 2.4.0 - 2024-07-27
    • More robust error handling. When an error is emitted, you now get access to the emitted HTTP Response and response body.
    • Support for response_mode=fragment in the authorization_code flow.
  • 2.3.0 - 2024-02-03
    • Fix for #128: If there's no secret, we should never use Basic auth to encode the client_id.
    • Support for the resource parameter from RFC 8707.
    • Add support for scope parameter to refresh().
    • Support for RFC 7009, Token Revocation. (@adambom)
from @badgateway/oauth2-client GitHub release notes
Package name: @openid/appauth
  • 1.3.2 - 2024-04-15
  • 1.3.1 - 2021-04-18
from @openid/appauth GitHub release notes
Package name: @patternfly/react-icons
  • 4.93.7 - 2023-06-05
  • 4.93.6 - 2023-01-23
from @patternfly/react-icons GitHub release notes
Package name: @patternfly/react-catalog-view-extension from @patternfly/react-catalog-view-extension GitHub release notes
Package name: @patternfly/react-charts
  • 6.94.21 - 2023-06-05
  • 6.94.20 - 2023-04-06
  • 6.94.19 - 2023-02-27
from @patternfly/react-charts GitHub release notes
Package name: @reduxjs/toolkit
  • 1.9.7 - 2023-10-04

    This bugfix release rewrites the RTKQ hook TS types to significantly improve TS perf.

    Changelog

    RTKQ TS Perf

    A number of users had reported that Intellisense for RTKQ API objects was extremely slow (multiple seconds) - see discussion in #3214 . We did some perf investigation on user-provided examples, and concluded that the biggest factor to slow RTKQ TS perf was the calculation of hook names like useGetPokemonQuery, which was generating a large TS union of types.

    We've rewritten that hook names type calculation to use mapped types and a couple of intersections. In a specific user-provided stress test repo, it dropped TS calculation time by 60% (2600ms to 1000ms).

    There's more potential work we can do to improve things, but this seems like a major perf improvement worth shipping now.

    What's Changed

    Full Changelog: v1.9.6...v1.9.7

  • 1.9.6 - 2023-09-24

    This bugfix release adds a new dev-mode middleware to catch accidentally dispatching an action creator, adds a new listener middleware option around waiting for forks, adds a new option to update provided tags when updateQueryData is used, reworks internal types to better handle uses with TS declaration output, and fixes a variety of small issues.

    Changelog

    Action Creator Dev Check Middleware

    RTK already includes dev-mode middleware that check for the common mistakes of accidentally mutating state and putting non-serializable values into state or actions.

    Over the years we've also seen a semi-frequent error where users accidentally pass an action creator reference to dispatch, instead of calling it and dispatching the action it returns.

    We've added another dev-mode middleware that specifically catches this error and warns about it.

    Additional Options

    The listener middleware's listenerApi.fork() method now has an optional autoJoin flag that can be used to keep the effect from finishing until all active forked tasks have completed.

    updateQueryData now has an updateProvidedTags option that will force a recalculation of that endpoint's provided tags. It currently defaults to false, and we'll likely turn that to true in the next major.

    Other Fixes

    The builder.addCase method now throws an error if a type string is empty.

    fetchBaseQuery now uses an alternate method to clone the original Request in order to work around an obscure Chrome bug.

    The immutability middleware logic was tweaked to avoid a potential stack overflow.

    Types Changes

    The internal type imports have been reworked to try to fix "type portability" issues when used in combination with TS declaration outputs.

    A couple additional types were exported to help with wrapping createAsyncThunk.

    What's Changed

    Full Changelog: v1.9.5...v1.9.6

  • 1.9.5 - 2023-04-18

    This bugfix release includes notable improvements to TS type inference when using the enhancers option in configureStore, and updates the listener middleware to only check predicates if the dispatched value is truly an action object.

    What's Changed

    • update to latest remark-typescript-tools by @EskiMojo14 in #3311
    • add isAction helper function, and ensure listener middleware only runs for actions by @EskiMojo14 in #3372
    • Allow inference of enhancer state extensions, and fix inference when using callback form by @EskiMojo14 in #3207

    Full Changelog: v1.9.4...v1.9.5

from @reduxjs/toolkit GitHub release notes
Package name: @storybook/builder-webpack5
  • 7.6.20 - 2024-06-24
  • 7.6.19 - 2024-05-01
  • 7.6.18 - 2024-04-23
  • 7.6.17 - 2024-02-20
from @storybook/builder-webpack5 GitHub release notes
Package name: axios from axios GitHub release notes
Package name: moment from moment GitHub release notes
Package name: oauth4webapi
  • 2.11.1 - 2024-06-20

    Fixes

    • allow ID Token auth_time to be present even if client.require_auth_time is false (caa9ab3)
  • 2.11.0 - 2024-06-19

    Features

    • add experimental support for edge compute runtimes JWKS caching (15b7aff)

    Refactor

    • update maxAge option type check error message (7fe3454)

    Documentation

    • clarify documentation is more an API Reference (c96c8e0)
    • update example import (651e8ea)
    • updates for readability and consistency (b1b8b7d)
  • 2.10.4 - 2024-03-29

    Refactor

    • types: add explicit type to all exported functions (76e8d19)
    • types: add explicit type to all exported symbols (c66c595)
    • types: protectedResourceRequest method argument is just a string (a15d76c)

    Documentation

    • mention RFC 6750 in validateJwtAccessToken (f61b68e), closes #115
  • 2.10.3 - 2024-02-07

    Refactor

    • make protectedResourceRequest headers argument optional (bcbc872)

    Documentation

from oauth4webapi GitHub release notes
Package name: react-hook-form

Snyk has created this PR to upgrade:
  - @badgateway/oauth2-client from 2.3.0 to 2.4.0.
    See this package in npm: https://www.npmjs.com/package/@badgateway/oauth2-client
  - @openid/appauth from 1.3.1 to 1.3.2.
    See this package in npm: https://www.npmjs.com/package/@openid/appauth
  - @patternfly/react-icons from 4.93.6 to 4.93.7.
    See this package in npm: https://www.npmjs.com/package/@patternfly/react-icons
  - @patternfly/react-catalog-view-extension from 4.96.0 to 4.96.1.
    See this package in npm: https://www.npmjs.com/package/@patternfly/react-catalog-view-extension
  - @patternfly/react-charts from 6.94.19 to 6.94.21.
    See this package in npm: https://www.npmjs.com/package/@patternfly/react-charts
  - @reduxjs/toolkit from 1.9.5 to 1.9.7.
    See this package in npm: https://www.npmjs.com/package/@reduxjs/toolkit
  - @storybook/builder-webpack5 from 7.6.17 to 7.6.20.
    See this package in npm: https://www.npmjs.com/package/@storybook/builder-webpack5
  - axios from 1.6.7 to 1.7.4.
    See this package in npm: https://www.npmjs.com/package/axios
  - moment from 2.29.4 to 2.30.1.
    See this package in npm: https://www.npmjs.com/package/moment
  - oauth4webapi from 2.10.3 to 2.11.1.
    See this package in npm: https://www.npmjs.com/package/oauth4webapi
  - react-hook-form from 7.51.1 to 7.52.2.
    See this package in npm: https://www.npmjs.com/package/react-hook-form
  - react-monaco-editor from 0.55.0 to 0.56.1.
    See this package in npm: https://www.npmjs.com/package/react-monaco-editor
  - react-redux from 8.1.1 to 8.1.3.
    See this package in npm: https://www.npmjs.com/package/react-redux
  - yaml from 2.4.2 to 2.5.0.
    See this package in npm: https://www.npmjs.com/package/yaml

See this project in Snyk:
https://app.snyk.io/org/developer-red-hat-trusted-application-pipeline/project/62358635-6218-4506-9c5b-1ad33a8f5b3b?utm_source=github&utm_medium=referral&page=upgrade-pr
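Most of the advisories listed above (follow-redirects, braces, semver, webpack-dev-middleware, express, serialize-javascript, webpack) are against transitive packages that this PR does not bump directly; they are expected to move only because the regenerated lockfile re-resolves them. A reviewer of such a PR wants to confirm that every resolved copy of those packages, including nested ones under `node_modules/<dep>/node_modules/…`, is at or above the fixed version. The script below is an added example, not code from the Snyk PR or from the project: it walks the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3) with a dependency-free semver comparison and reports copies below a required minimum. The lockfile content and the minimum versions are constructed placeholders for illustration; the real minimums must be taken from each Snyk advisory linked in the PR.

```javascript
// Added example (not part of the PR or the project): audit a package-lock.json for
// every resolved copy of a package that is still below a required minimum version.
// Transitive packages can be installed several times at different versions, so
// checking the top-level copy alone is not enough.

// Parse "1.7.4" / "1.7.4-beta.1" into comparable parts. Build metadata (+...) is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

// Comparator returning <0, 0, >0. A prerelease sorts below its release, and
// numeric prerelease identifiers sort before alphanumeric ones (semver spec, item 11).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1; // shorter prerelease list sorts lower
    if (y === undefined) return 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (Number(x) !== Number(y)) return Number(x) - Number(y); }
    else if (nx) return -1;
    else if (ny) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile path such as "node_modules/axios/node_modules/follow-redirects".
function packageNameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? null : p.slice(idx + "node_modules/".length);
}

// Walk lock.packages and return every copy of a package in `minimums` whose version
// is below the required one: [{ name, path, version, minimum }].
function auditLockfile(lock, minimums) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !(name in minimums) || !entry.version) continue;
    if (compareVersions(entry.version, minimums[name]) < 0) {
      findings.push({ name, path, version: entry.version, minimum: minimums[name] });
    }
  }
  return findings;
}

// Constructed sample lockfile: the top-level follow-redirects is fine, but a second
// copy nested under axios is still old; braces is at its minimum.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "0.0.0" },
    "node_modules/axios": { version: "1.7.4" },
    "node_modules/axios/node_modules/follow-redirects": { version: "1.15.4" },
    "node_modules/follow-redirects": { version: "1.15.6" },
    "node_modules/braces": { version: "3.0.3" },
  },
};

// Placeholder minimums for illustration only; substitute the fixed versions from
// the Snyk advisories referenced in the PR.
const SAMPLE_MINIMUMS = { "follow-redirects": "1.15.6", "braces": "3.0.3", "semver": "7.5.2" };

function sampleFindings() {
  return auditLockfile(SAMPLE_LOCK, SAMPLE_MINIMUMS);
}

for (const f of sampleFindings()) {
  console.log(`${f.path}: ${f.name}@${f.version} is below required ${f.minimum}`);
}
```

To run it against a real checkout, `JSON.parse` the PR branch's `package-lock.json` and pass it to `auditLockfile` together with the minimums from the advisories; an empty result means no copy of the affected packages survives below the fixed version, which is the property the "Issues fixed" table asserts.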