Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade: , , , , , , , axios, moment, oauth4webapi, react-hook-form, react-monaco-editor, react-redux, yaml #339

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

psturc
Copy link
Member

@psturc psturc commented Sep 22, 2024

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name Versions Released on

@badgateway/oauth2-client
from 2.3.0 to 2.4.1 | 2 versions ahead of your current version | a month ago
on 2024-08-22
@openid/appauth
from 1.3.1 to 1.3.2 | 1 version ahead of your current version | 5 months ago
on 2024-04-15
@patternfly/react-icons
from 4.93.6 to 4.93.7 | 1 version ahead of your current version | a year ago
on 2023-06-05
@patternfly/react-catalog-view-extension
from 4.96.0 to 4.96.1 | 1 version ahead of your current version | a year ago
on 2023-08-31
@patternfly/react-charts
from 6.94.19 to 6.94.21 | 2 versions ahead of your current version | a year ago
on 2023-06-05
@reduxjs/toolkit
from 1.9.5 to 1.9.7 | 2 versions ahead of your current version | a year ago
on 2023-10-04
@storybook/builder-webpack5
from 7.6.17 to 7.6.20 | 3 versions ahead of your current version | 3 months ago
on 2024-06-24
axios
from 1.6.7 to 1.7.7 | 12 versions ahead of your current version | 21 days ago
on 2024-08-31
moment
from 2.29.4 to 2.30.1 | 2 versions ahead of your current version | 9 months ago
on 2023-12-27
oauth4webapi
from 2.10.3 to 2.12.0 | 4 versions ahead of your current version | a month ago
on 2024-08-19
react-hook-form
from 7.51.1 to 7.53.0 | 8 versions ahead of your current version | a month ago
on 2024-08-24
react-monaco-editor
from 0.55.0 to 0.56.1 | 2 versions ahead of your current version | a month ago
on 2024-08-13
react-redux
from 8.1.1 to 8.1.3 | 2 versions ahead of your current version | a year ago
on 2023-10-01
yaml
from 2.4.2 to 2.5.0 | 4 versions ahead of your current version | 2 months ago
on 2024-07-24

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Server-side Request Forgery (SSRF)
SNYK-JS-AXIOS-7361793
761 Proof of Concept
high severity Asymmetric Resource Consumption (Amplification)
SNYK-JS-BODYPARSER-7926860
761 No Known Exploit
high severity Uncontrolled resource consumption
SNYK-JS-BRACES-6838727
761 Proof of Concept
high severity Improper Input Validation
SNYK-JS-FOLLOWREDIRECTS-6141137
761 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795
761 Proof of Concept
high severity Path Traversal
SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555
761 Proof of Concept
medium severity Open Redirect
SNYK-JS-EXPRESS-6474509
761 No Known Exploit
medium severity Cross-site Scripting
SNYK-JS-EXPRESS-7926867
761 No Known Exploit
medium severity Information Exposure
SNYK-JS-FOLLOWREDIRECTS-6444610
761 Proof of Concept
medium severity Information Exposure
SNYK-JS-FOLLOWREDIRECTS-6444610
761 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-PATHTOREGEXP-7925106
761 Proof of Concept
medium severity Cross-site Scripting (XSS)
SNYK-JS-SERIALIZEJAVASCRIPT-6147607
761 Proof of Concept
medium severity Cross-site Scripting (XSS)
SNYK-JS-WEBPACK-7840298
761 Proof of Concept
low severity Cross-site Scripting
SNYK-JS-SEND-7926862
761 No Known Exploit
low severity Cross-site Scripting
SNYK-JS-SERVESTATIC-7926865
761 No Known Exploit
Release notes
Package name: @badgateway/oauth2-client
  • 2.4.1 - 2024-08-22
    • #151: Add 'Accept' header on token requests to fix a Github compatibility issue.
    • #151: Throw error when we get an invalid reply from a token endpoint.
  • 2.4.0 - 2024-07-27
    • More robust error handling. When an error is emitted, you now give you access to the emitted HTTP Response and response body.
    • Support for response_mode=fragment in the authorization_code flow.
  • 2.3.0 - 2024-02-03
    • Fix for #128: If there's no secret, we should never use Basic auth to encode the client_id.
    • Support for the resource parameter from RFC 8707.
    • Add support for scope parameter to refresh().
    • Support for RFC 7009, Token Revocation. (@ adambom)
from @badgateway/oauth2-client GitHub release notes
Package name: @openid/appauth
  • 1.3.2 - 2024-04-15
  • 1.3.1 - 2021-04-18
from @openid/appauth GitHub release notes
Package name: @patternfly/react-icons
  • 4.93.7 - 2023-06-05
  • 4.93.6 - 2023-01-23
from @patternfly/react-icons GitHub release notes
Package name: @patternfly/react-catalog-view-extension from @patternfly/react-catalog-view-extension GitHub release notes
Package name: @patternfly/react-charts
  • 6.94.21 - 2023-06-05
  • 6.94.20 - 2023-04-06
  • 6.94.19 - 2023-02-27
from @patternfly/react-charts GitHub release notes
Package name: @reduxjs/toolkit
  • 1.9.7 - 2023-10-04

    This bugfix release rewrites the RTKQ hook TS types to significantly improve TS perf.

    Changelog

    RTKQ TS Perf

    A number of users had reported that Intellisense for RTKQ API objects was extremely slow (multiple seconds) - see discussion in #3214 . We did some perf investigation on user-provided examples, and concluded that the biggest factor to slow RTKQ TS perf was the calculation of hook names like useGetPokemonQuery, which was generating a large TS union of types.

    We've rewritten that hook names type calculation to use mapped types and a couple of intersections. In a specific user-provided stress test repo, it dropped TS calculation time by 60% (2600ms to 1000ms).

    There's more potential work we can do to improve things, but this seems like a major perf improvement worth shipping now.

    What's Changed

    Full Changelog: v1.9.6...v1.9.7

  • 1.9.6 - 2023-09-24

    This bugfix release adds a new dev-mode middleware to catch accidentally dispatching an action creator, adds a new listener middleware option around waiting for forks, adds a new option to update provided tags when updateQueryData is used, reworks internal types to better handle uses with TS declaration output, and fixes a variety of small issues.

    Changelog

    Action Creator Dev Check Middleware

    RTK already includes dev-mode middleware that check for the common mistakes of accidentally mutating state and putting non-serializable values into state or actions.

    Over the years we've also seen a semi-frequent error where users accidentally pass an action creator reference to dispatch, instead of calling it and dispatching the action it returns.

    We've added another dev-mode middleware that specifically catches this error and warns about it.

    Additional Options

    The listener middleware's listenerApi.fork() method now has an optional autoJoin flag that can be used to keep the effect from finishing until all active forked tasks have completed.

    updateQueryData now has an updateProvidedTags option that will force a recalculation of that endpoint's provided tags. It currently defaults to false, and we'll likely turn that to true in the next major.

    Other Fixes

    The builder.addCase method now throws an error if a type string is empty.

    fetchBaseQuery now uses an alternate method to clone the original Request in order to work around an obscure Chrome bug.

    The immutability middleware logic was tweaked to avoid a potential stack overflow.

    Types Changes

    The internal type imports have been reworked to try to fix "type portability" issues when used in combination with TS declaration outputs.

    A couple additional types were exported to help with wrapping createAsyncThunk.

    What's Changed

    Full Changelog: v1.9.5...v1.9.6

  • 1.9.5 - 2023-04-18

    This bugfix release includes notable improvements to TS type inference when using the enhancers option in configureStore, and updates the listener middleware to only check predicates if the dispatched value is truly an action object.

    What's Changed

    • update to latest remark-typescript-tools by @ EskiMojo14 in #3311
    • add isAction helper function, and ensure listener middleware only runs for actions by @ EskiMojo14 in #3372
    • Allow inference of enhancer state extensions, and fix inference when using callback form by @ EskiMojo14 in #3207

    Full Changelog: v1.9.4...v1.9.5

from @reduxjs/toolkit GitHub release notes
Package name: @storybook/builder-webpack5
  • 7.6.20 - 2024-06-24
  • 7.6.19 - 2024-05-01
  • 7.6.18 - 2024-04-23
  • 7.6.17 - 2024-02-20
from @storybook/builder-webpack5 GitHub release notes
Package name: axios from axios GitHub release notes
Package name: moment from moment GitHub release notes
Package name: oauth4webapi
  • 2.12.0 - 2024-08-19

    Features

    • graduate jwksCache to stable API (0e0e1d2)

    Documentation

    • move clockSkew and clockTolerance docs to the symbol (3b5d2ea)
    • update clockSkew and clockTolerance docs (c97313a)
  • 2.11.1 - 2024-06-20

    Fixes

    • allow ID Token auth_time to be present even if client.require_auth_time is false (caa9ab3)
  • 2.11.0 - 2024-06-19

    Features

    • add experimental support for edge compute runtimes JWKS caching (15b7aff)

    Refactor

    • update maxAge option type check error message (7fe3454)

    Documentation

    • clarify documentation is more an API Reference (c96c8e0)
    • update example import (651e8ea)
    • updates for readability and consistency (b1b8b7d)
  • 2.10.4 - 2024-03-29

    Refactor

    • types: add explicit type to all exported functions (76e8d19)
    • types: add explicit type to all exported symbols (c66c595)
    • types: protectedResourceRequest method argument is just a string (a15d76c)

    Documentation

    • mention RFC 6750 in validateJwtAccessToken (f61b68e), closes #115
  • 2.10.3 - 2024-02-07

    Refactor

    • make protectedResourceRequest headers argument optional (bcbc872)

    Documentation

from oauth4webapi GitHub release notes
Package name: react-hook-form
  • 7.53.0 - 2024-08-24

    🌫️ feat: #12148 support isValid when mode is set to onBlur (#12194)

    // update formstate isValid with onBlur event
    const { formState: { isValid } } = useForm({
      mode: 'onBlur'
    })

    🐞 fix #12021 issue with disable prop not reflecting on re-render without trigger by useEffect (#12193)
    👩‍🌾 close #12168 optimise re-render with validating fields subscription (#12192)
    🐞 fix #12127 issue with compare object value changed with object input (#12185)
    🎲 improve : break out of recursive loops on first focus (#11827)
    📖 fix example of ObjectKeys type (#11965)

    thanks to @ suke & @ DPflasterer

  • 7.52.2 - 2024-08-03

    👍 close #12108 useController should subscribe to exact field name of form's state (#12109)
    👍 chore: upgrade app deps
    🩻 fix: add useCallback for ref callback (#12078)
    🚀 fix: skip call executeBuiltInValidation if no sub-fields left (#12054)

    thanks to @ newsiberian, @ Wendystraite and @ abnud11

  • 7.52.1 - 2024-07-02

    🐞 fix #12024 dirty not update issue with values prop (#12041)
    🐞 fix: field array validate rules shift errors (#12033)

    thanks to @ JardelCheung

  • 7.52.0 - 2024-06-15

    ⚛️ close #11932 enable react 19 peer dependency (#11935)
    👮‍♀️ close #11954 getFieldState remove unnessaried inValidating and touched subscription (#11995)
    🐞 fix #11985 logic createFormControl check field before usage (#11986)
    ⌨️ fix: enforce type safety for deps property in RegisterOptions (#11969)
    🐞 fix #11922 keep dirty on reset with dirty fields (#11958)
    🚔 close #11937 add validation in the cleanup process in useController (

Snyk has created this PR to upgrade:
  - @badgateway/oauth2-client from 2.3.0 to 2.4.1.
    See this package in npm: https://www.npmjs.com/package/@badgateway/oauth2-client
  - @openid/appauth from 1.3.1 to 1.3.2.
    See this package in npm: https://www.npmjs.com/package/@openid/appauth
  - @patternfly/react-icons from 4.93.6 to 4.93.7.
    See this package in npm: https://www.npmjs.com/package/@patternfly/react-icons
  - @patternfly/react-catalog-view-extension from 4.96.0 to 4.96.1.
    See this package in npm: https://www.npmjs.com/package/@patternfly/react-catalog-view-extension
  - @patternfly/react-charts from 6.94.19 to 6.94.21.
    See this package in npm: https://www.npmjs.com/package/@patternfly/react-charts
  - @reduxjs/toolkit from 1.9.5 to 1.9.7.
    See this package in npm: https://www.npmjs.com/package/@reduxjs/toolkit
  - @storybook/builder-webpack5 from 7.6.17 to 7.6.20.
    See this package in npm: https://www.npmjs.com/package/@storybook/builder-webpack5
  - axios from 1.6.7 to 1.7.7.
    See this package in npm: https://www.npmjs.com/package/axios
  - moment from 2.29.4 to 2.30.1.
    See this package in npm: https://www.npmjs.com/package/moment
  - oauth4webapi from 2.10.3 to 2.12.0.
    See this package in npm: https://www.npmjs.com/package/oauth4webapi
  - react-hook-form from 7.51.1 to 7.53.0.
    See this package in npm: https://www.npmjs.com/package/react-hook-form
  - react-monaco-editor from 0.55.0 to 0.56.1.
    See this package in npm: https://www.npmjs.com/package/react-monaco-editor
  - react-redux from 8.1.1 to 8.1.3.
    See this package in npm: https://www.npmjs.com/package/react-redux
  - yaml from 2.4.2 to 2.5.0.
    See this package in npm: https://www.npmjs.com/package/yaml

See this project in Snyk:
https://app.snyk.io/org/developer-red-hat-trusted-application-pipeline/project/62358635-6218-4506-9c5b-1ad33a8f5b3b?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment