Update dependency moment to v2.29.4 [SECURITY] #443
Merged
Conversation
renovate bot added the "Type: Dependencies" label (Pull requests that update a dependency file) on Jul 8, 2022
Codecov Report
@@ Coverage Diff @@
##           v1.0.7     #443   +/-   ##
=========================================
  Coverage   100.00%   100.00%
=========================================
  Files           62        62
  Lines         1688      1688
  Branches       320       320
=========================================
  Hits          1688      1688
renovate bot force-pushed the renovate/npm-moment-vulnerability branch from 8b2fa0e to 980a613 on July 14, 2022 21:00
Merged
downiec added a commit that referenced this pull request on Sep 2, 2022:
* Bumped version number.
* Changes to fix wget download issues. (#452)
  * changes to fix wget download issues: multiple download, direct link handed to browser
  * Removed unnecessary import
  Co-authored-by: Sasha Ames <amysash2006@gmail.com>
* Update dependency @types/jest to v28.1.6 (#444)
  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* Update typescript-eslint monorepo to v5.30.7 (#445)
  * hotfix to get wget script download to work (#449) (#450)
  * hotfix to get wget script download to work (#449)
  * hotfix to get wget script download to work
  * fix removed return
  * Updating file to fix minor blank line issue.
  Co-authored-by: Sasha Ames <sashakames@users.noreply.github.com>
  * Update typescript-eslint monorepo to v5.30.7
  Co-authored-by: Carlos Downie <42552189+downiec@users.noreply.github.com>
  Co-authored-by: Sasha Ames <sashakames@users.noreply.github.com>
  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* Update dependency moment to v2.29.4 [SECURITY] (#443)
  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* Bump terser from 5.12.1 to 5.14.2 in /frontend (#451)
  Bumps [terser](https://github.com/terser/terser) from 5.12.1 to 5.14.2.
  - [Release notes](https://github.com/terser/terser/releases)
  - [Changelog](https://github.com/terser/terser/blob/master/CHANGELOG.md)
  - [Commits](https://github.com/terser/terser/commits)
  ---
  updated-dependencies:
  - dependency-name: terser
    dependency-type: indirect
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Bump moment from 2.29.2 to 2.29.4 in /frontend (#442)
  Bumps [moment](https://github.com/moment/moment) from 2.29.2 to 2.29.4.
  - [Release notes](https://github.com/moment/moment/releases)
  - [Changelog](https://github.com/moment/moment/blob/develop/CHANGELOG.md)
  - [Commits](moment/moment@2.29.2...2.29.4)
  ---
  updated-dependencies:
  - dependency-name: moment
    dependency-type: direct:production
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: Carlos Downie <42552189+downiec@users.noreply.github.com>
* Feature/453 update deployment configs (#458)
  * Testing the use of a central config file and a manager script. Created a metagrid_configs folder where different configs can be stored and used.
  * updates to scripts and dockerfile for traefik to handle empty prefix variables.
  * More fixes and updates.
  * Refactoring to fix issues with the variables used in the master config file, so that they don't repeat in the config. Removed unnecessary folders and updated the manage_metagrid script to allow saving and restoring of config files in an automated way. Every time changes are made to the config, a backup will be created which will have date and time associated to it. Users can then restore that backup with a simple command in the script (which will also save the current config that is replaced). Note that if lots of changes are made, config backups should probably be deleted now and then.
  * Updated script to include sudo that was missing and also copy to traefik when a backup is restored.
  * updates to the script for local testing. Fixed a docker-compose minor issue in the backend production so it points to the correct config file.
  * Updated the scripts to save environment file in each docker directory. It seems that the frontend uses the package.json build call rather than the one in docker compose, so the environment file was not found when building react. Modifications should help fix that issue.
  * Added cors proxy variable because it still seems necessary for the backend communication with frontend...
  * Updates to the metagrid documentation. A restructuring update needs to be done for getting_started_production.md in order to reflect the new way in which configuration is set up and updated in production.
  * Updated manage script to include the option for starting/stopping the docs local containers. Updated django version to 3.2.15.
  * Updated the documentation to specify the manage_metagrid.sh scripts and how to update the projects. Also updated the configuration steps and how to get production started.
* Feature/447 generalize redirects (#465)
  * redirect test.
  * Change the order in the server location directive and update the entrypoint to use the new PREVIOUS_URL variable.
  * Connected environment variables in config to the front-end redirect logic to allow frontend to redirect if a previous url is specified in the config.
  * Updated the manage_metagrid script to not use sudo. Updated the previous url env variable name so that it is usable in the front end. All variables used in the frontend need to be prefixed with REACT_APP_, otherwise they aren't visible and are undefined. Removed the console log statements.
  * Updated the git ignore files. Attempted to create mock imports for testing the generateRedirects function; however, after various attempts and research, found out it would have required a significant rewrite and the test itself is not going to be worth it, so I cleaned up my changes and resorted to using the istanbul ignore.
* Feature/459 expand all button facets (#467)
  * redirect test.
  * Change the order in the server location directive and update the entrypoint to use the new PREVIOUS_URL variable.
  * Added expand and collapse functionality to the facet forms. Opened the additional properties panel by default.
  * Updated tests for full coverage. Updated the joyride tour to include the new expand/collapse button functionality.

Co-authored-by: Sasha Ames <amysash2006@gmail.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Sasha Ames <sashakames@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This PR contains the following updates:
moment: 2.29.2 -> 2.29.4
GitHub Vulnerability Alerts
CVE-2022-31129
Impact
Patches
The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking.
Workarounds
In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who pass a user-originating string to the constructor are encouraged to apply such a rudimentary filter, which would help with this and also with most future ReDoS vulnerabilities.
References
There is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=
Details
The issue is rooted in the code that removes legacy comments (text inside parentheses) from strings during RFC 2822 parsing.

```javascript
const moment = require("moment"); // an affected version (before 2.29.4)
moment("(".repeat(500000)); // 500,000 unmatched opening parentheses
```
will take a few minutes to process, which is unacceptable.
Release Notes
moment/moment: v2.29.4, v2.29.3
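The following is an added example, not code from moment or from this repository. It reconstructs the shape of the problem the Details section describes (a comment-stripping regex that, on every unmatched parenthesis, scans to the end of the string before giving up) and shows the two mitigations the advisory points at: a pattern whose scan stops at the next parenthesis, and the 200-character input guard from the Workarounds section. The two regexes, the `scanCost` model and the sample RFC 2822 string are assumptions made for the demonstration, not moment's source.

```javascript
"use strict";
// Added example, not moment's source. COMMENT_GREEDY is an assumed shape of a
// vulnerable "strip RFC 2822 comments" step; COMMENT_FLAT is a hardened form.

// Greedy: `[^)]*` swallows any '(' it meets, so on "(((((..." every start
// position scans to the end of the string and then backtracks character by
// character before the match fails. Work grows with the square of the length.
const COMMENT_GREEDY = /\([^)]*\)|[\n\t]/g;

// Flat: a comment body may not contain '(' either, so each scan stops at the
// next parenthesis and total work stays linear in the input length.
const COMMENT_FLAT = /\([^()]*\)|[\n\t]/g;

// Strip comments, collapse folding whitespace, trim the ends.
function stripComments(s, re) {
  return s.replace(re, " ").replace(/\s\s+/g, " ").trim();
}

// Advisory workaround: refuse over-long user input before any parser sees it.
// 200 characters is the bound the advisory suggests for date-time strings.
const MAX_DATE_INPUT = 200;

// Even with the greedy pattern in place, the bound caps the work an attacker
// can trigger; returning null lets the caller treat the input as an invalid date.
function guardedPreprocess(input, re = COMMENT_GREEDY) {
  if (typeof input !== "string" || input.length > MAX_DATE_INPUT) {
    return null;
  }
  return stripComments(input, re);
}

// Deterministic model of the matcher's effort: for every '(' count the
// characters the character class examines until a stop character appears.
// It mirrors how a backtracking matcher behaves, not V8's exact step count.
function scanCost(s, stops) {
  let cost = 0;
  for (let i = 0; i < s.length; i++) {
    if (s[i] !== "(") continue;
    for (let j = i + 1; j < s.length; j++) {
      cost++;
      if (stops.has(s[j])) break;
    }
  }
  return cost;
}
const GREEDY_STOPS = new Set([")"]); // `[^)]*` only stops at ')'
const FLAT_STOPS = new Set(["(", ")"]); // `[^()]*` stops at either parenthesis

// Wall-clock check on the real regexes, in milliseconds.
function timeStrip(n, re) {
  const s = "(".repeat(n); // constructed attacker input, as in the advisory
  const t0 = process.hrtime.bigint();
  stripComments(s, re);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// A constructed, legitimate RFC 2822 date with a trailing comment.
const SAMPLE = "Mon, 06 Mar 2017 21:22:23 +0000 (UTC)";

for (const n of [2000, 4000, 8000]) {
  const attack = "(".repeat(n);
  console.log(
    `n=${n}: greedy ${timeStrip(n, COMMENT_GREEDY).toFixed(2)} ms,` +
      ` flat ${timeStrip(n, COMMENT_FLAT).toFixed(2)} ms,` +
      ` model cost ${scanCost(attack, GREEDY_STOPS)} vs ${scanCost(attack, FLAT_STOPS)}`
  );
}
console.log("guarded legitimate input:", guardedPreprocess(SAMPLE));
console.log("guarded attack input:", guardedPreprocess("(".repeat(500)));
```

Doubling n roughly quadruples the greedy time and the greedy model cost, while the flat figures grow in step with n; the guard rejects the 500-character attack string outright without touching either regex.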
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.