This repository was archived by the owner on Jul 9, 2025. It is now read-only.

fix: Update dependencies to address pipeline failures #9486

Merged
tracyboehrer merged 18 commits into main from southworks/fix/alerts
Jan 19, 2023

@sw-joelmut
Collaborator

Fixes #9484
Fixes #9483
Fixes #9482
Fixes #9481
Fixes #9480
Fixes #9479
Fixes #9478
Fixes #9477
Fixes #9476
Fixes #9475
Fixes #9474
Fixes #9473
Fixes #9472
Fixes #9471
Fixes #9470
Fixes #9469

Description

This PR updates multiple dependencies from an old version to a new one that has the vulnerability fixes.

Specific Changes

Dependencies:

[critical]

  • loader-utils 0.2.17: CVE-2022-37601
    • Updated loader-utils from >= 1.0.0 < 2.0.0 to 1.4.2
  • @xmldom/xmldom: CVE-2022-39353
    • Updated botbuilder-lg from 4.14.0 to 4.18.0
    • Updated adaptive-expressions from 4.12.0 to 4.18.0
    • Updated adal-node from 0.2.3 to 0.2.4
  • ejs: CVE-2022-29078
    • Updated ejs from 3.1.6 to 3.1.8
  • plist: CVE-2022-22912
    • Updated plist from 3.0.4 to 3.0.6
  • jszip: WS-2023-0004
    • Updated jszip from 3.6.0 to 3.8.0
  • uglify-js: CVE-2022-37598
    • Updated uglify-js from 3.4.x to 3.17.4
  • minimist: CVE-2021-44906
    • Already updated to 1.2.6

[high]

  • terser: CVE-2022-25858
    • Updated terser from 5.x to 5.14.2
    • Updated terser from 4.x to 4.8.1
    • Updated botframework-webchat from 4.15.3 to 4.15.6
  • express: CVE-2022-24999
    • Updated express from 4.17.1 to 4.17.3
  • d3-color: GHSA-36jr-mh4h-2g58
    • Updated d3-color from 1.4.1 to 3.1.0
  • jsonwebtoken: CVE-2022-23529
    • Updated jsonwebtoken from 8.5.1 to 9.0.0
  • loader-utils 1.2.3: CVE-2022-37599
    • Updated loader-utils from >= 1.0.0 < 2.0.0 to 1.4.2
    • Updated loader-utils from >= 2.0.0 to 2.0.4
  • qs: CVE-2022-24999
    • Updated qs from 6.9.6 to 6.11.0
    • Updated body-parser from 1.18.3 (has qs 6.9.6) to 1.19.2 (has qs 6.11.0)
  • json5: CVE-2022-46175
    • Updated json5 from 1.0.1 to 1.0.2
    • Updated json5 from >= 2.1.0 to 2.2.2
  • minimatch: CVE-2022-3517
    • Updated minimatch from 3.0.4 to 3.1.2
  • mongoose: CVE-2022-2564
    • Updated mongoose from 6.4.3 to 4.8.3
  • node-fetch: CVE-2022-0235
    • Updated node-fetch from 2.6.1 to 2.6.7

@sw-joelmut sw-joelmut marked this pull request as ready for review January 17, 2023 13:06
@coveralls

coveralls commented Jan 17, 2023

Coverage Status

Coverage: 54.638%. Remained the same when pulling c5d7fe0 on southworks/fix/alerts into cdc83c9 on main.

@tracyboehrer tracyboehrer merged commit b65a8c3 into main Jan 19, 2023

Development

Successfully merging this pull request may close these issues.

CVE-2022-37601 CVE-2022-37601 CVE-2022-37601 CVE-2022-29078 CVE-2022-37616
