
[alias-server] Run npm audit fix to update dependencies
ClosedPublic

Authored by bytesofman on Jun 12 2023, 16:49.

Details

Reviewers
Fabien
Group Reviewers
Restricted Project
Commits
rABC198545d6cddb: [alias-server] Run npm audit fix to update dependencies
Summary

T3060

Run npm audit fix to update dependencies

Test Plan

npm test

Diff Detail

Repository
rABC Bitcoin ABC
Branch
master
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 24003
Build 47616: Build Diff (alias-server-tests)
Build 47615: arc lint + arc unit

Event Timeline

Fabien added a subscriber: Fabien.
Fabien added inline comments.
apps/alias-server/package-lock.json (line 64)

Are you able to tell me why these dependencies are needed ?

This revision is now accepted and ready to land. Jun 13 2023, 06:28
apps/alias-server/package-lock.json (line 64)

Summary

mongodb requires
  credential-providers, which requires
    client-cognito-identity, which requires
      middleware-signing, which requires
        signature-v4 (upgraded), which requires
          eventstream-codec, which requires
            crc32

  • tslib is a dependency of crc32

...took some digging

Root cause is that a well-nested dependency of mongodb, which isn't even used directly in this app, threw a vuln.

From running npm audit:

# npm audit report

fast-xml-parser  <4.2.4
Severity: high
fast-xml-parser vulnerable to Regex Injection via Doctype Entities - https://github.com/advisories/GHSA-6w63-h3fj-q4vw
fix available via `npm audit fix`
node_modules/fast-xml-parser
  @aws-sdk/client-sts  <=3.54.1 || 3.55.0 - 3.186.1 || 3.188.0 - 3.335.0 || 3.337.0 - 3.347.0
  Depends on vulnerable versions of fast-xml-parser
  node_modules/@aws-sdk/client-sts
    @aws-sdk/client-cognito-identity  3.12.0 - 3.54.1 || 3.55.0 - 3.347.0
    Depends on vulnerable versions of @aws-sdk/client-sts
    node_modules/@aws-sdk/client-cognito-identity
      @aws-sdk/credential-provider-cognito-identity  3.12.0 - 3.347.0
      Depends on vulnerable versions of @aws-sdk/client-cognito-identity
      node_modules/@aws-sdk/credential-provider-cognito-identity
    @aws-sdk/credential-providers  <=3.347.0
    Depends on vulnerable versions of @aws-sdk/client-sts
    node_modules/@aws-sdk/credential-providers
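The digging described in the reply above can be automated. The following is an added example, not code from this revision or from the Bitcoin ABC repository: it takes the JSON form of the same report (`npm audit --json`, auditReportVersion 2), walks from each advisory up through the `effects` field to the packages that pull the vulnerable version in, and reports what `npm audit fix` can do about each chain. The sample report is constructed by hand from the text report quoted above; the JSON field layout is npm's, but every value beyond the package names, version ranges, severity and advisory URL shown on this page is an assumption about what npm would have printed for this tree.

```javascript
// Added example, not part of the Bitcoin ABC repository.
// SAMPLE_AUDIT is hand-constructed from the text report quoted above; field
// values beyond names, ranges, severity and the advisory URL are assumed.

// Helper for entries that are only "depends on a vulnerable version of ...".
const dependent = (name, via, effects, range) =>
  ({ name, severity: 'high', isDirect: false, via: [via], effects, range, fixAvailable: true });

const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'fast-xml-parser': {
      name: 'fast-xml-parser',
      severity: 'high',
      isDirect: false,
      // An advisory object in `via` marks the package that carries the bug.
      via: [{
        name: 'fast-xml-parser',
        dependency: 'fast-xml-parser',
        title: 'fast-xml-parser vulnerable to Regex Injection via Doctype Entities',
        url: 'https://github.com/advisories/GHSA-6w63-h3fj-q4vw',
        severity: 'high',
        range: '<4.2.4',
      }],
      effects: ['@aws-sdk/client-sts'],
      range: '<4.2.4',
      nodes: ['node_modules/fast-xml-parser'],
      fixAvailable: true,
    },
    '@aws-sdk/client-sts': dependent('@aws-sdk/client-sts', 'fast-xml-parser',
      ['@aws-sdk/client-cognito-identity', '@aws-sdk/credential-providers'],
      '<=3.54.1 || 3.55.0 - 3.186.1 || 3.188.0 - 3.335.0 || 3.337.0 - 3.347.0'),
    '@aws-sdk/client-cognito-identity': dependent('@aws-sdk/client-cognito-identity',
      '@aws-sdk/client-sts', ['@aws-sdk/credential-provider-cognito-identity'],
      '3.12.0 - 3.54.1 || 3.55.0 - 3.347.0'),
    '@aws-sdk/credential-provider-cognito-identity': dependent(
      '@aws-sdk/credential-provider-cognito-identity',
      '@aws-sdk/client-cognito-identity', [], '3.12.0 - 3.347.0'),
    '@aws-sdk/credential-providers': dependent('@aws-sdk/credential-providers',
      '@aws-sdk/client-sts', [], '<=3.347.0'),
  },
};

// Packages that actually contain the vulnerable code: their `via` holds an
// advisory object rather than only the names of other flagged packages.
function advisoryRoots(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === 'object'));
}

// Follow `effects` upward from a root until a package that nothing else in
// the report depends on. Each path is one route by which the advisory reaches
// the app. (The report stops at @aws-sdk/credential-providers; mongodb, which
// the reply above identifies as the reason it is installed, is not flagged.)
function dependencyChains(report, rootName) {
  const vulns = report.vulnerabilities;
  const chains = [];
  const walk = (name, path) => {
    if (path.includes(name)) return;            // tolerate cycles in odd trees
    const here = [...path, name];
    const next = (vulns[name] && vulns[name].effects) || [];
    if (next.length === 0) chains.push(here);
    for (const dep of next) walk(dep, here);
  };
  walk(rootName, []);
  return chains;
}

// What `npm audit fix` will do. `fixAvailable` is true, false, or an object
// naming the top-level package to bump; isSemVerMajor there means the fix
// only lands with `npm audit fix --force`, which deserves a manual review.
function fixKind(entry) {
  const f = entry.fixAvailable;
  if (f === true) return 'fix';
  if (f === false) return 'none';
  if (f && typeof f === 'object') return f.isSemVerMajor ? 'force' : 'fix';
  return 'unknown';
}

// One row per (advisory, chain). `chain` runs from the vulnerable package
// upward: "A <- B" means B depends on the flagged range of A.
function summarize(report) {
  const rows = [];
  for (const root of advisoryRoots(report)) {
    const adv = root.via.find((x) => typeof x === 'object');
    for (const chain of dependencyChains(report, root.name)) {
      rows.push({ advisory: adv.url, severity: root.severity,
                  vulnerableRange: root.range, chain, fix: fixKind(root) });
    }
  }
  return rows;
}

for (const row of summarize(SAMPLE_AUDIT)) {
  console.log(`${row.severity} ${row.advisory} (${row.vulnerableRange})`);
  console.log(`  ${row.chain.join(' <- ')}   fix: ${row.fix}`);
}
```

On a real checkout, replace SAMPLE_AUDIT with `JSON.parse` of the output of `npm audit --json`. The `fix` column is the part worth reading before running `npm audit fix`: a `force` result means the only available fix is a semver-major bump of a top-level package, which is a code change to review, not a lockfile refresh.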
This revision was landed with ongoing or failed builds. Jun 13 2023, 16:49
This revision was automatically updated to reflect the committed changes.