
Address high vulnerabilities #712

Merged

Conversation

Assem-Hafez
Contributor

@Assem-Hafez Assem-Hafez commented Nov 5, 2024

Summary

Audit report before the fix: 9 vulnerabilities (3 low, 2 moderate, 4 high)
Audit report after the fix: 0 vulnerabilities

Changes

  • update Next.js (minor update)
  • update compile command to work with the new Next.js version
  • update msw (minor update)
  • remove jest polyfill and use the new recommendation for msw node environment mocks
  • update grpc (minor update)
  • update browserslist db

Detailed audit report before the fix

@grpc/grpc-js 1.10.0 - 1.10.8
Severity: moderate
@grpc/grpc-js can allocate memory for incoming messages well above configured limits - GHSA-7v5v-9h63-cj86
fix available via npm audit fix
node_modules/@grpc/grpc-js

braces <3.0.3
Severity: high
Uncontrolled resource consumption in braces - GHSA-grv7-fg5c-xmjg
fix available via npm audit fix
node_modules/braces

cookie <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - GHSA-pxg6-pf52-xh8x
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/cookie
@bundled-es-modules/cookie >=2.0.0
Depends on vulnerable versions of cookie
node_modules/@bundled-es-modules/cookie
msw >=2.0.0
Depends on vulnerable versions of @bundled-es-modules/cookie
node_modules/msw

micromatch <4.0.8
Severity: moderate
Regular Expression Denial of Service (ReDoS) in micromatch - GHSA-952p-6rrq-rcjv
fix available via npm audit fix
node_modules/micromatch

next 10.0.0 - 14.2.9
Severity: high
Next.js Server-Side Request Forgery in Server Actions - GHSA-fr5h-rqp8-mj6g
Next.js Cache Poisoning - GHSA-gp8f-8m3g-qvj9
Denial of Service condition in Next.js image optimization - GHSA-g77x-44xx-532m
fix available via npm audit fix --force
Will install [email protected], which is outside the stated dependency range
node_modules/next

path-to-regexp 4.0.0 - 6.2.2
Severity: high
path-to-regexp outputs backtracking regular expressions - GHSA-9wv6-86v2-598j
fix available via npm audit fix
node_modules/path-to-regexp

ws 8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - GHSA-3h5v-q93c-6h6q
fix available via npm audit fix
node_modules/ws

@Assem-Uber Assem-Uber merged commit bcd9576 into uber:release/4.0.0 Nov 6, 2024
4 checks passed