Javascript-node & universal: Update 'minimatch' due to CVE-2022-3517 (#248)

samruddhikhandale · web-flow · commit 1c2435b43605 · 2022-12-14T14:26:47.000-08:00
* patch

* add check

* Patch for universal

* patch javascript-node

* update check-version-ge

* patch universal

* update manifest

* nit

* Patch

* update: javascript

* update universal

* update test

* check without --save

* debug

* remove debug

* add checks

* Remove unwanted check!

* Add comment

* remove unwanted checks

* update with wildcard

* update checks
diff --git a/src/javascript-node/.devcontainer/library-scripts/add-patch.sh b/src/javascript-node/.devcontainer/library-scripts/add-patch.sh
@@ -5,6 +5,7 @@ IMAGE_VARIANT=$1
 # Temporary: These packages are installed by the base image (node) for `node:14` which does not have the patch.
 # Upgrade 'decode-uri-component' due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38900
 # Upgrade 'ansi-regex ' due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3807
+# Upgrade 'minimatch' due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517
 if [[ "${IMAGE_VARIANT}" =~ "14" ]] ; then
     cd /usr/local/lib/node_modules/npm
     npm update --save
diff --git a/src/universal/.devcontainer/local-features/setup-user/install.sh b/src/universal/.devcontainer/local-features/setup-user/install.sh
@@ -23,8 +23,10 @@ export DEBIAN_FRONTEND=noninteractive
 # Temporary: Upgrade NPM packages due to mentioned CVEs.
 # decode-uri-component: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38900
 # ansi-regex: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3807
+# minimatch: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517
 NPM_PACKAGES_LIST="decode-uri-component
-    ansi-regex"
+    ansi-regex
+    minimatch"
 
 cd /usr/local/share/nvm/versions/node/v14*/lib/node_modules/npm
 npm install ${NPM_PACKAGES_LIST}
diff --git a/src/universal/test-project/test.sh b/src/universal/test-project/test.sh
@@ -170,13 +170,16 @@ check "oryx-install-java-12.0.2" oryx prep --skip-detection --platforms-and-vers
 check "java-12.0.2-installed-by-oryx" ls /opt/java/ | grep 12.0.2
 check "java-version-on-path-is-12.0.2" java --version | grep 12.0.2
 
-cd /usr/local/share/nvm/versions/node/v14.21.1/lib/node_modules/npm
+cd /usr/local/share/nvm/versions/node/v14*/lib/node_modules/npm
 decodeVersion=$(npm ls --depth 1 --json | jq -r '.dependencies."decode-uri-component".version')
 check-version-ge "decode-uri-component" "${decodeVersion}" "0.2.1"
 
 ansiVersion=$(npm ls --depth 1 --json | jq -r '.dependencies."ansi-regex".version')
 check-version-ge "ansi-regex" "${ansiVersion}" "6.0.0"
 
+minimatchVersion=$(npm ls --depth 1 --json | jq -r '.dependencies.minimatch.version')
+check-version-ge "minimatch" "${minimatchVersion}" "3.0.5"
+
 ls -la /home/codespace
 
 # Report result
