
[Security] update outdated dependencies #347

Merged
merged 25 commits into from
Oct 17, 2024

Conversation

eatyourgreens
Contributor

@eatyourgreens eatyourgreens commented Sep 27, 2024

Updates for outdated dependencies, including 12 security patches. See individual Dependabot commits for details.

Convert the tests to ESM, as Chai no longer supports CJS, and remove a couple of Chai plugins that weren't being used.

Fix the CI tests workflow so that it runs again.

Fix some outdated syntax in the Dockerfile.

With the changes here, npm outdated should only report @sentry/node as outdated. Upgrading Sentry from v7 to v8 breaks the tests, because Sugar is using some deprecated APIs.

npm audit should report 0 vulnerabilities on this branch (12 on the current production release.)

(base) jimodonnell@Jims-MBP sugar % git checkout production-release 
HEAD is now at 081aa63 Merge pull request #315 from zooniverse/dependabot/npm_and_yarn/sentry/node-7.108.0
(base) jimodonnell@Jims-MBP sugar % npm ci                         

added 395 packages, and audited 396 packages in 5s

36 packages are looking for funding
  run `npm fund` for details

12 vulnerabilities (1 low, 3 moderate, 8 high)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
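
The description above relies on `npm audit` reporting zero findings on the branch against 12 on the production release. As an added example (not code from this PR or the Sugar project), here is a small CI gate that consumes the report `npm audit --json` prints (report format version 2, npm 7 and later), fails when anything at or above a chosen severity is present, and lists the affected packages together with whether `npm audit fix` can resolve them. The field names (`auditReportVersion`, `vulnerabilities[name].severity`, `isDirect`, `fixAvailable`, `metadata.vulnerabilities`) follow npm's report format; the sample report embedded below is constructed with placeholder package names, not findings from any real project.

```javascript
// Added example (not code from the PR or the Sugar project): a CI gate over the
// report that `npm audit --json` prints (auditReportVersion 2, npm 7 and later).
// It fails the build when any advisory at or above the chosen level is present and
// lists the affected packages with whether `npm audit fix` can resolve them.
// Field names follow the npm report format; the sample report below is constructed.

const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

function severityRank(severity) {
  const rank = SEVERITY_ORDER.indexOf(severity);
  if (rank < 0) throw new Error(`unknown severity: ${severity}`);
  return rank;
}

// Classify npm's `fixAvailable` field: `true` means `npm audit fix` resolves it
// within the declared ranges, an object names the top-level upgrade needed (and
// whether that upgrade is semver-major, i.e. needs `--force`), `false` means no fix.
function fixKind(fixAvailable) {
  if (fixAvailable === true) return 'auto';
  if (fixAvailable && typeof fixAvailable === 'object') {
    return fixAvailable.isSemVerMajor ? 'major-upgrade' : 'upgrade';
  }
  return 'none';
}

// Returns { pass, counts, blocking } for a parsed report and a policy level.
function evaluateAudit(report, auditLevel = 'high') {
  if (report.auditReportVersion !== 2) {
    throw new Error(`unsupported audit report version: ${report.auditReportVersion}`);
  }
  const threshold = severityRank(auditLevel);
  const blocking = Object.values(report.vulnerabilities || {})
    .filter((v) => severityRank(v.severity) >= threshold)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      fix: fixKind(v.fixAvailable),
    }))
    .sort((a, b) => severityRank(b.severity) - severityRank(a.severity));
  return {
    pass: blocking.length === 0,
    counts: report.metadata.vulnerabilities,
    blocking,
  };
}

// Constructed sample in the shape of `npm audit --json` output; package names
// and advisories are placeholders, not findings from any real project.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-transitive': {
      name: 'example-transitive', severity: 'high', isDirect: false,
      via: [{ title: 'placeholder advisory', severity: 'high', url: 'https://example.invalid/advisory/1' }],
      range: '<1.2.3', fixAvailable: true,
    },
    'example-direct': {
      name: 'example-direct', severity: 'moderate', isDirect: true,
      via: ['example-transitive'], range: '<=2.0.0',
      fixAvailable: { name: 'example-direct', version: '3.0.0', isSemVerMajor: true },
    },
    'example-unfixed': {
      name: 'example-unfixed', severity: 'low', isDirect: true,
      via: [{ title: 'placeholder advisory', severity: 'low', url: 'https://example.invalid/advisory/2' }],
      range: '*', fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 1, critical: 0, total: 3 } },
};

const sampleResult = evaluateAudit(SAMPLE_REPORT, 'high');
console.log(`gate (high): ${sampleResult.pass ? 'PASS' : 'FAIL'}`, sampleResult.counts);
for (const v of sampleResult.blocking) {
  console.log(`  ${v.severity.padEnd(8)} ${v.name} direct=${v.direct} fix=${v.fix}`);
}
```

In a workflow step the report would be produced with `npm ci && npm audit --json > audit.json` and the parsed JSON passed to `evaluateAudit`; the pass/fail part alone is what `npm audit --audit-level=high` already gives through its exit code, and the gain here is the listing of which findings are in direct dependencies and which need a semver-major upgrade rather than `npm audit fix`.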

dependabot bot and others added 15 commits September 27, 2024 06:59
Bumps the npm_and_yarn group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [express](https://github.com/expressjs/express) | `4.18.3` | `4.19.2` |
| [@grpc/grpc-js](https://github.com/grpc/grpc-node) | `1.9.8` | `1.10.9` |
| [ws](https://github.com/websockets/ws) | `8.16.0` | `8.17.1` |
| [engine.io](https://github.com/socketio/engine.io) | `6.5.4` | `6.5.5` |
| [engine.io-client](https://github.com/socketio/engine.io-client) | `6.5.3` | `6.5.4` |
| [braces](https://github.com/micromatch/braces) | `3.0.2` | `3.0.3` |


Updates `express` from 4.18.3 to 4.19.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.18.3...4.19.2)

Updates `@grpc/grpc-js` from 1.9.8 to 1.10.9
- [Release notes](https://github.com/grpc/grpc-node/releases)
- [Commits](https://github.com/grpc/grpc-node/compare/@grpc/[email protected]...@grpc/[email protected])

Updates `ws` from 8.16.0 to 8.17.1
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.16.0...8.17.1)

Updates `engine.io` from 6.5.4 to 6.5.5
- [Release notes](https://github.com/socketio/engine.io/releases)
- [Changelog](https://github.com/socketio/engine.io/blob/main/CHANGELOG.md)
- [Commits](socketio/engine.io@6.5.4...6.5.5)

Updates `engine.io-client` from 6.5.3 to 6.5.4
- [Release notes](https://github.com/socketio/engine.io-client/releases)
- [Changelog](https://github.com/socketio/engine.io-client/blob/main/CHANGELOG.md)
- [Commits](socketio/engine.io-client@6.5.3...6.5.4)

Updates `braces` from 3.0.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: express
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@grpc/grpc-js"
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: engine.io
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: engine.io-client
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm_and_yarn group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [body-parser](https://github.com/expressjs/body-parser) | `1.20.2` | `1.20.3` |
| [express](https://github.com/expressjs/express) | `4.19.2` | `4.21.0` |
| [axios](https://github.com/axios/axios) | `1.6.8` | `1.7.7` |
| [path-to-regexp](https://github.com/pillarjs/path-to-regexp) | `0.1.7` | `0.1.10` |
| [send](https://github.com/pillarjs/send) | `0.18.0` | `0.19.0` |
| [serve-static](https://github.com/expressjs/serve-static) | `1.15.0` | `1.16.2` |


Updates `body-parser` from 1.20.2 to 1.20.3
- [Release notes](https://github.com/expressjs/body-parser/releases)
- [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md)
- [Commits](expressjs/body-parser@1.20.2...1.20.3)

Updates `express` from 4.19.2 to 4.21.0
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.21.0/History.md)
- [Commits](expressjs/express@4.19.2...4.21.0)

Updates `express` from 4.19.2 to 4.21.0
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.21.0/History.md)
- [Commits](expressjs/express@4.19.2...4.21.0)

Updates `axios` from 1.6.8 to 1.7.7
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.6.8...v1.7.7)

Updates `path-to-regexp` from 0.1.7 to 0.1.10
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](pillarjs/path-to-regexp@v0.1.7...v0.1.10)

Updates `send` from 0.18.0 to 0.19.0
- [Release notes](https://github.com/pillarjs/send/releases)
- [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md)
- [Commits](pillarjs/send@0.18.0...0.19.0)

Updates `serve-static` from 1.15.0 to 1.16.2
- [Release notes](https://github.com/expressjs/serve-static/releases)
- [Changelog](https://github.com/expressjs/serve-static/blob/v1.16.2/HISTORY.md)
- [Commits](expressjs/serve-static@v1.15.0...v1.16.2)

---
updated-dependencies:
- dependency-name: body-parser
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: path-to-regexp
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: send
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: serve-static
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) from 7.2.0 to 7.3.1.
- [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases)
- [Commits](express-rate-limit/express-rate-limit@v7.2.0...v7.3.1)

---
updated-dependencies:
- dependency-name: express-rate-limit
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [uglify-js](https://github.com/mishoo/UglifyJS) from 3.17.4 to 3.18.0.
- [Release notes](https://github.com/mishoo/UglifyJS/releases)
- [Commits](mishoo/UglifyJS@v3.17.4...v3.18.0)

---
updated-dependencies:
- dependency-name: uglify-js
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [redis](https://github.com/redis/node-redis) from 4.6.13 to 4.6.14.
- [Release notes](https://github.com/redis/node-redis/releases)
- [Changelog](https://github.com/redis/node-redis/blob/master/CHANGELOG.md)
- [Commits](https://github.com/redis/node-redis/compare/[email protected]@4.6.14)

---
updated-dependencies:
- dependency-name: redis
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [mocha](https://github.com/mochajs/mocha) from 10.3.0 to 10.4.0.
- [Release notes](https://github.com/mochajs/mocha/releases)
- [Changelog](https://github.com/mochajs/mocha/blob/master/CHANGELOG.md)
- [Commits](mochajs/mocha@v10.3.0...v10.4.0)

---
updated-dependencies:
- dependency-name: mocha
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 5 to 6.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@v5...v6)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [newrelic](https://github.com/newrelic/node-newrelic) from 11.14.0 to 12.5.1.
- [Release notes](https://github.com/newrelic/node-newrelic/releases)
- [Changelog](https://github.com/newrelic/node-newrelic/blob/main/changelog.json)
- [Commits](newrelic/node-newrelic@v11.14.0...v12.5.1)

---
updated-dependencies:
- dependency-name: newrelic
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [engine.io-client](https://github.com/socketio/socket.io) from 6.5.4 to 6.6.1.
- [Release notes](https://github.com/socketio/socket.io/releases)
- [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md)
- [Commits](https://github.com/socketio/socket.io/commits/[email protected])

---
updated-dependencies:
- dependency-name: engine.io-client
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) from 7.3.1 to 7.4.0.
- [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases)
- [Commits](express-rate-limit/express-rate-limit@v7.3.1...v7.4.0)

---
updated-dependencies:
- dependency-name: express-rate-limit
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [mocha](https://github.com/mochajs/mocha) from 10.4.0 to 10.7.3.
- [Release notes](https://github.com/mochajs/mocha/releases)
- [Changelog](https://github.com/mochajs/mocha/blob/main/CHANGELOG.md)
- [Commits](mochajs/mocha@v10.4.0...v10.7.3)

---
updated-dependencies:
- dependency-name: mocha
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [engine.io](https://github.com/socketio/socket.io) from 6.5.5 to 6.6.1.
- [Release notes](https://github.com/socketio/socket.io/releases)
- [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md)
- [Commits](https://github.com/socketio/socket.io/commits/[email protected])

---
updated-dependencies:
- dependency-name: engine.io
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [uglify-js](https://github.com/mishoo/UglifyJS) from 3.18.0 to 3.19.3.
- [Release notes](https://github.com/mishoo/UglifyJS/releases)
- [Commits](mishoo/UglifyJS@v3.18.0...v3.19.3)

---
updated-dependencies:
- dependency-name: uglify-js
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [redis](https://github.com/redis/node-redis) from 4.6.14 to 4.7.0.
- [Release notes](https://github.com/redis/node-redis/releases)
- [Changelog](https://github.com/redis/node-redis/blob/master/CHANGELOG.md)
- [Commits](https://github.com/redis/node-redis/compare/[email protected]@4.7.0)

---
updated-dependencies:
- dependency-name: redis
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Update the `docker compose` command.
eatyourgreens and others added 5 commits September 27, 2024 09:27
Convert all the tests to ESM (`.mjs`) in preparation for Chai 5, which drops support for CommonJS.
- replace `require` with `import` throughout.
- create a global `chai` object to replace the old `chai = require('chai')`.
- rename tests from '.js' to '.mjs'.
eatyourgreens and others added 3 commits September 27, 2024 10:26
Bumps [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) from 7.4.0 to 7.4.1.
- [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases)
- [Commits](express-rate-limit/express-rate-limit@v7.4.0...v7.4.1)

---
updated-dependencies:
- dependency-name: express-rate-limit
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm_and_yarn group with 2 updates in the / directory: [engine.io](https://github.com/socketio/socket.io) and [express](https://github.com/expressjs/express).


Updates `engine.io` from 6.6.1 to 6.6.2
- [Release notes](https://github.com/socketio/socket.io/releases)
- [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md)
- [Commits](https://github.com/socketio/socket.io/compare/[email protected]@6.6.2)

Updates `express` from 4.21.0 to 4.21.1
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.21.1/History.md)
- [Commits](expressjs/express@4.21.0...4.21.1)

Updates `cookie` from 0.4.2 to 0.7.1
- [Release notes](https://github.com/jshttp/cookie/releases)
- [Commits](jshttp/cookie@v0.4.2...v0.7.1)

---
updated-dependencies:
- dependency-name: engine.io
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: cookie
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@eatyourgreens
Contributor Author

Updated to include a couple more security patches that were released this week.

@kieftrav
Contributor

@eatyourgreens - I bumped the version of engine.io to match both PFE and FEM before merging this PR. Thanks!

@kieftrav kieftrav merged commit 9f23369 into zooniverse:master Oct 17, 2024
2 checks passed
@eatyourgreens
Contributor Author

eatyourgreens commented Oct 17, 2024

👍 dependabot had already bumped it to 6.6.2 in the lock file, but it didn't update package.json. Weird bit of semver trivia: the minor version isn't pinned for ^ if the patch version is 0, so ^6.3.0 will match 6.6.2, despite being a completely different minor version. Your change should pin the minor version down.
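
The situation in the comment above (lock file at 6.6.2, package.json still declaring ^6.3.0) is a manifest-versus-lockfile drift that a quick check can surface. Under npm's caret rule a range on a 1.0.0-or-later version admits every later minor below the next major, so ^6.3.0 matches 6.6.2 exactly as observed; tilde and bare versions do not float across minors. The following is an added example, not code from this PR or the Sugar project: it reads a package.json and a lockfile v2/v3 `packages` map, verifies that each locked version satisfies its declared range, and flags ranges that would let a fresh `npm install` resolve to a different minor. The range logic is a simplified reimplementation covering exact, `~` and `^` specs on plain X.Y.Z versions (prerelease tags, `||`, `>=` and `x` ranges are not handled); it is a stand-in for the `semver` package, not that package. The manifest and lockfile fragments embedded below are constructed samples.

```javascript
// Added example (not code from the PR or the Sugar project): manifest-vs-lockfile
// drift check. For each dependency declared in package.json it finds the version
// recorded in package-lock.json (lockfile v2/v3 `packages` layout), checks that the
// locked version satisfies the declared range, and reports whether the range would
// let a fresh `npm install` float to a different minor. Range handling is a
// simplified reimplementation (exact, `~`, `^` on plain X.Y.Z), not the `semver` package.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Half-open interval [lower, upper) that a range spec admits.
function rangeBounds(spec) {
  const s = String(spec).trim();
  const op = s[0] === '^' || s[0] === '~' ? s[0] : '';
  const lower = parseVersion(s.slice(op.length));
  const [maj, min, pat] = lower;
  let upper;
  if (op === '^') {
    // Caret: anything that keeps the left-most non-zero component unchanged,
    // so ^6.3.0 admits every 6.x.y >= 6.3.0, including 6.6.2.
    if (maj > 0) upper = [maj + 1, 0, 0];
    else if (min > 0) upper = [0, min + 1, 0];
    else upper = [0, 0, pat + 1];
  } else if (op === '~') {
    // Tilde: patch-level changes only.
    upper = [maj, min + 1, 0];
  } else {
    // Bare version: exact pin.
    upper = [maj, min, pat + 1];
  }
  return { lower, upper };
}

function satisfies(version, spec) {
  const v = parseVersion(version);
  const { lower, upper } = rangeBounds(spec);
  return compareVersions(v, lower) >= 0 && compareVersions(v, upper) < 0;
}

// True when the spec admits a version whose minor differs from the spec's own.
function allowsMinorDrift(spec) {
  const { lower, upper } = rangeBounds(spec);
  return compareVersions(upper, [lower[0], lower[1] + 1, 0]) > 0;
}

// One finding per declared dependency: pinned, floating-minor,
// lock-outside-range (manifest edited without updating the lock) or missing-from-lock.
function auditLock(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const packages = lock.packages || {};
  return Object.entries(declared).map(([name, spec]) => {
    const entry = packages[`node_modules/${name}`];
    if (!entry) return { name, spec, locked: null, status: 'missing-from-lock' };
    const locked = entry.version;
    let status = 'pinned';
    if (!satisfies(locked, spec)) status = 'lock-outside-range';
    else if (allowsMinorDrift(spec)) status = 'floating-minor';
    return { name, spec, locked, status };
  });
}

// Constructed sample manifest and lockfile fragment (not the project's real files).
const SAMPLE_PKG = {
  dependencies: { 'engine.io': '^6.3.0', express: '4.21.1', cookie: '^0.4.2' },
  devDependencies: { mocha: '~10.7.3', 'example-dev-tool': '^1.2.3' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/engine.io': { version: '6.6.2' },
    'node_modules/express': { version: '4.21.1' },
    'node_modules/cookie': { version: '0.7.1' },
    'node_modules/mocha': { version: '10.7.3' },
  },
};

for (const f of auditLock(SAMPLE_PKG, SAMPLE_LOCK)) {
  console.log(`${f.name.padEnd(18)} ${f.spec.padEnd(10)} locked=${f.locked ?? '-'}  ${f.status}`);
}
```

Run against real files with `JSON.parse(fs.readFileSync('package.json'))` and the same for `package-lock.json`. A `floating-minor` result is the case from the comment: `npm ci` installs what the lock says, but anyone running `npm install` after a manual edit, or any tool resolving from the manifest alone, may get a different minor, so tightening the spec to `~6.6.2` or `6.6.2` makes the manifest agree with the lock. A `lock-outside-range` result means the lock no longer reflects the manifest and should be regenerated.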
