Resolve Vulnerabilities (#1855)

This PR resolves the following vulnerabilities:

bump search-core's version to 2.5.1 to include the latest vulnerabilities fix
remove usages of insecure document method
bump the version of http-cache-semantics (to 4.1.1), get-func-name (to 2.0.2) and terser (to 5.14.2) to resolve vulnerabilities to uncontrolled resource consumption and inefficient regular expression complexity
J=VULN-37771, VULN-37772, VULN-37773, VULN-38373, VULN-38391, VULN-38401
TEST=auto

Added new tests for the chang. Ran npm run test and npm run acceptance.

THIRD-PARTY-NOTICES

@@ -487,7 +487,7 @@ CDN
 
 The following NPM package may be included in this product:
 
- - @yext/search-core@2.4.0
+ - @yext/search-core@2.5.1
 
 This package contains the following license and notice below:
 

package.json

@@ -30,7 +30,7 @@
     "@mapbox/mapbox-gl-language": "^0.10.1",
     "@yext/answers-storage": "^1.1.0",
     "@yext/rtf-converter": "^1.7.1",
-    "@yext/search-core": "^2.4.0",
+    "@yext/search-core": "^2.5.1",
     "bowser": "^2.11.0",
     "cross-fetch": "^3.1.5",
     "css-vars-ponyfill": "^2.4.3",

src/ui/components/filters/filteroptionscomponent.js

@@ -448,21 +448,21 @@ export default class FilterOptionsComponent extends Component {
             if (!filter) {
               filterOption.classList.remove('hiddenSearch');
               filterOption.classList.remove('displaySearch');
-              labelEl.innerHTML = labelText;
+              labelEl.textContent = labelText;
             } else {
               const matchedSubstring = this._getMatchedSubstring(
                 labelText.toLowerCase(), filter.toLowerCase());
               if (matchedSubstring) {
                 filterOption.classList.add('displaySearch');
                 filterOption.classList.remove('hiddenSearch');
-                labelEl.innerHTML = new HighlightedValue({
+                labelEl.textContent = new HighlightedValue({
                   value: labelText,
                   matchedSubstrings: [matchedSubstring]
                 }).get();
               } else {
                 filterOption.classList.add('hiddenSearch');
                 filterOption.classList.remove('displaySearch');
-                labelEl.innerHTML = labelText;
+                labelEl.textContent = labelText;
               }
             }
           }

tests/setup/enzymeadapter.js

@@ -110,7 +110,16 @@ export default class AnswersAdapter extends EnzymeAdapter {
           composed: args.composed,
           cancelable: args.cancelable
         });
-        Object.assign(event, args);
+
+        if (Array.isArray(...args)) {
+          for (const arg in args) {
+            if (arg && arg.target) {
+              Object.defineProperty(event, 'target', { value: arg.target });
+            }
+          }
+        } else {
+          Object.defineProperty(event, 'target', { value: args[0].target });
+        }
 
         node.instance.dispatchEvent(event);
       }

tests/ui/components/filters/filteroptionscomponent.js

@@ -116,6 +116,48 @@ describe('filter options component', () => {
     expect(wrapper.find('.js-yxt-FilterOptions-showMore')).toHaveLength(1);
   });
 
+  it('renders correct options based on the searchable input', () => {
+    const config = {
+      ...defaultConfig,
+      control: 'multioption',
+      searchable: true
+    };
+    const component = COMPONENT_MANAGER.create('FilterOptions', config);
+    const wrapper = mount(component);
+    expect(options).toHaveLength(6);
+    const searchInputEl = wrapper.find('.js-yxt-FilterOptions-filter');
+    expect(searchInputEl).toHaveLength(1);
+
+    // empty input
+    searchInputEl.at(0).simulate('input', { target: { value: '' } });
+    expect(wrapper.find('.js-yxt-FilterOptions-clearSearch').hasClass('js-hidden')).toBeTruthy();
+    expect(wrapper.find('.js-yxt-FilterOptions-container')
+      .hasClass('yxt-FilterOptions-container--searching')).toBeFalsy();
+    let filterOptionEls = wrapper.find('.js-yxt-FilterOptions-option');
+    for (let index = 0; index < filterOptionEls.length; index++) {
+      const filterOptionEl = filterOptionEls.at(index);
+
+      expect(filterOptionEl.hasClass('hiddenSearch')).toBeFalsy();
+      expect(filterOptionEl.hasClass('displaySearch')).toBeFalsy();
+      expect(filterOptionEl.find('.js-yxt-FilterOptions-optionLabel--name').text().trim())
+        .toEqual(options[index].label);
+    }
+
+    // non-empty input
+    searchInputEl.at(0).simulate('input', { target: { value: 'cir' } });
+    expect(wrapper.find('.js-yxt-FilterOptions-clearSearch').hasClass('js-hidden')).toBeFalsy();
+    expect(wrapper.find('.js-yxt-FilterOptions-container')
+      .hasClass('yxt-FilterOptions-container--searching')).toBeTruthy();
+    filterOptionEls = wrapper.find('.js-yxt-FilterOptions-option');
+    for (let index = 0; index < filterOptionEls.length; index++) {
+      const filterOptionEl = filterOptionEls.at(index);
+      expect(filterOptionEl.hasClass(index === 0 ? 'displaySearch' : 'hiddenSearch')).toBeTruthy();
+      expect(filterOptionEl.hasClass(index === 0 ? 'hiddenSearch' : 'displaySearch')).toBeFalsy();
+      expect(filterOptionEl.find('.js-yxt-FilterOptions-optionLabel--name').text().trim())
+        .toEqual(index === 0 ? '<strong>cir</strong>i' : options[index].label);
+    }
+  });
+
   it('renders correct number of multi options', () => {
     const config = {
       ...defaultConfig,