From 324de238ad9279e3d9f1d7d5006825bec60257d9 Mon Sep 17 00:00:00 2001 From: andrewmcmahon Date: Mon, 5 Feb 2024 10:32:28 +0000 Subject: [PATCH 01/13] Update preview chart secrets & alias' to reflect latest in claim-store --- .../values.preview.template.yaml | 74 +++++++++++++------ yarn.lock | 33 +++------ 2 files changed, 64 insertions(+), 43 deletions(-) diff --git a/charts/cmc-citizen-frontend/values.preview.template.yaml b/charts/cmc-citizen-frontend/values.preview.template.yaml index 767efaf3cc..6b64b71021 100644 --- a/charts/cmc-citizen-frontend/values.preview.template.yaml +++ b/charts/cmc-citizen-frontend/values.preview.template.yaml 
@@ -83,26 +83,58 @@ cmc-claim-store: cmc: resourceGroup: cmc secrets: - - AppInsightsInstrumentationKey - - citizen-oauth-client-secret - - claim-store-s2s-secret - - anonymous-caseworker-username - - anonymous-caseworker-password - - system-update-username - - system-update-password - - notify-api-key - - milo-recipient - - staff-email - - live-support-email - - rpa-email-sealed-claim - - rpa-email-more-time-requested - - rpa-email-response - - rpa-email-ccj - - rpa-email-paid-in-full - - launchDarkly-sdk-key - - sendgrid-api-key - - staff-email-legal-rep - - rpa-email-breathing-space + - name: claim-store-db-password + alias: CLAIM_STORE_DB_PASSWORD + - name: AppInsightsInstrumentationKey + alias: azure.application-insights.instrumentation-key + - name: cmc-db-password-v15 + alias: CMC_DB_PASSWORD + - name: cmc-db-username-v15 + alias: CMC_DB_USERNAME + - name: cmc-db-host-v15 + alias: CMC_DB_HOST + - name: citizen-oauth-client-secret + alias: oauth2.client.secret + - name: claim-store-s2s-secret + alias: idam.s2s-auth.totp_secret + - name: anonymous-caseworker-username + alias: idam.caseworker.anonymous.username + - name: anonymous-caseworker-password + alias: idam.caseworker.anonymous.password + - name: system-update-username + alias: idam.caseworker.system.username + - name: system-update-password + alias: idam.caseworker.system.password + - name: notify-api-key + alias: GOV_NOTIFY_API_KEY + - name: milo-recipient + alias: MILO_CSV_RECIPIENT + - name: staff-email + alias: staff-notifications.recipient + - name: live-support-email + alias: live-support.recipient + - name: rpa-email-sealed-claim + alias: rpa.notifications.sealedClaimRecipient + - name: rpa-email-breathing-space + alias: rpa.notifications.breathingSpaceRecipient + - name: rpa-email-legal-sealed-claim + alias: rpa.notifications.legalSealedClaimRecipient + - name: rpa-email-more-time-requested + alias: rpa.notifications.moreTimeRequestedRecipient + - name: rpa-email-response + alias: 
rpa.notifications.responseRecipient + - name: rpa-email-ccj + alias: rpa.notifications.countyCourtJudgementRecipient + - name: rpa-email-paid-in-full + alias: rpa.notifications.paidInFullRecipient + - name: launchDarkly-sdk-key + alias: LAUNCH_DARKLY_SDK_KEY + - name: sendgrid-api-key + alias: SENDGRID_API_KEY + - name: staff-email-legal-rep + alias: staff-notifications.legalRecipient + - name: appinsights-connection-string + alias: appinsights-connection-string environment: LOG_LEVEL: DEBUG DOC_ASSEMBLY_URL: http://dg-docassembly-aat.service.core-compute-aat.internal @@ -270,4 +302,4 @@ ccd: logstash: image: tag: ccd-cmc-logstash-latest - + diff --git a/yarn.lock b/yarn.lock index a2c56be16e..c0a0be0300 100644 --- a/yarn.lock +++ b/yarn.lock @@ -11940,11 +11940,11 @@ __metadata: linkType: hard "semver@npm:2 || 3 || 4 || 5, semver@npm:^5.3.0, semver@npm:^5.4.1, semver@npm:^5.5.0, semver@npm:^5.5.1, semver@npm:^5.6.0, semver@npm:^5.7.0, semver@npm:^5.7.1": - version: 5.7.1 - resolution: "semver@npm:5.7.1" + version: 5.7.2 + resolution: "semver@npm:5.7.2" bin: - semver: ./bin/semver - checksum: 57fd0acfd0bac382ee87cd52cd0aaa5af086a7dc8d60379dfe65fea491fb2489b6016400813930ecd61fd0952dae75c115287a1b16c234b1550887117744dfaf + semver: bin/semver + checksum: fb4ab5e0dd1c22ce0c937ea390b4a822147a9c53dbd2a9a0132f12fe382902beef4fbf12cf51bb955248d8d15874ce8cd89532569756384f994309825f10b686 languageName: node linkType: hard 
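Review bot: The last new entry maps `appinsights-connection-string` to an alias identical to its own name, whereas every other entry in the rewritten list maps a vault secret name to the property or environment-variable key the consumer presumably reads (`azure.application-insights.instrumentation-key`, `CLAIM_STORE_DB_PASSWORD`); that reads as a placeholder that was never filled in rather than a deliberate choice. If claim-store reads the connection string under a property key, the entry should become `alias: <claim-store connection-string property key>`; if the vault name really is the consumed key, a one-line comment above the entry saying so would stop the next reader treating it as a bug. The `-v15` suffixes on `cmc-db-password-v15`, `cmc-db-username-v15` and `cmc-db-host-v15` also bake a rotation generation into the chart, so rotating those secrets will require a chart change here; worth a comment if that coupling is intended.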
@@ -11958,33 +11958,22 @@ __metadata: linkType: hard "semver@npm:^6.0.0, semver@npm:^6.2.0, semver@npm:^6.3.0": - version: 6.3.0 - resolution: "semver@npm:6.3.0" - bin: - semver: ./bin/semver.js - checksum: 1b26ecf6db9e8292dd90df4e781d91875c0dcc1b1909e70f5d12959a23c7eebb8f01ea581c00783bbee72ceeaad9505797c381756326073850dc36ed284b21b9 - languageName: node - linkType: hard - -"semver@npm:^7.3.0, semver@npm:^7.3.4": - version: 7.3.5 - resolution: "semver@npm:7.3.5" - dependencies: - lru-cache: ^6.0.0 + version: 6.3.1 + resolution: "semver@npm:6.3.1" bin: semver: bin/semver.js - checksum: 5eafe6102bea2a7439897c1856362e31cc348ccf96efd455c8b5bc2c61e6f7e7b8250dc26b8828c1d76a56f818a7ee907a36ae9fb37a599d3d24609207001d60 + checksum: ae47d06de28836adb9d3e25f22a92943477371292d9b665fb023fae278d345d508ca1958232af086d85e0155aee22e313e100971898bbb8d5d89b8b1d4054ca2 languageName: node linkType: hard -"semver@npm:^7.3.5, semver@npm:^7.3.7": - version: 7.5.1 - resolution: "semver@npm:7.5.1" +"semver@npm:^7.3.0, semver@npm:^7.3.4, semver@npm:^7.3.5, semver@npm:^7.3.7": + version: 7.5.4 + resolution: "semver@npm:7.5.4" dependencies: lru-cache: ^6.0.0 bin: semver: bin/semver.js - checksum: d16dbedad53c65b086f79524b9ef766bf38670b2395bdad5c957f824dcc566b624988013564f4812bcace3f9d405355c3635e2007396a39d1bffc71cfec4a2fc + checksum: 12d8ad952fa353b0995bf180cdac205a4068b759a140e5d3c608317098b3575ac2f1e09182206bf2eb26120e1c0ed8fb92c48c592f6099680de56bb071423ca3 languageName: node linkType: hard From 6cd089fc90df5d4cbfc4a81974efacd1141adbf6 Mon Sep 17 00:00:00 2001 From: andrewmcmahon Date: Tue, 6 Feb 2024 14:08:51 +0000 Subject: [PATCH 02/13] Attempt docker uninstall --- bin/run-smoke-tests.sh | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/bin/run-smoke-tests.sh b/bin/run-smoke-tests.sh index 0c274e9a1f..ef94e76f01 100755 --- a/bin/run-smoke-tests.sh +++ b/bin/run-smoke-tests.sh 
@@ -1,6 +1,25 @@ #!/bin/bash set -ex +pip uninstall docker-compose + +sudo apt-get update +sudo apt-get install ca-certificates curl +sudo install -m 0755 -d /etc/apt/keyrings +sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc +sudo chmod a+r /etc/apt/keyrings/docker.asc + +# Add the repository to Apt sources: +echo \ + "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ + $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \ + sudo tee /etc/apt/sources.list.d/docker.list > /dev/null +sudo apt-get update + +sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin + +sudo docker run hello-world + ADDITIONAL_COMPOSE_FILE="docker-compose.smoke-tests.yml -f docker-compose.yml" function shutdownDocker() { From f7a499944693b03dfe573023d19998946550e7d8 Mon Sep 17 00:00:00 2001 From: andrewmcmahon Date: Tue, 6 Feb 2024 15:23:09 +0000 Subject: [PATCH 03/13] Attempt docker uninstall --- bin/run-smoke-tests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/run-smoke-tests.sh b/bin/run-smoke-tests.sh index ef94e76f01..65bbaf18c9 100755 --- a/bin/run-smoke-tests.sh +++ b/bin/run-smoke-tests.sh @@ -1,7 +1,7 @@ #!/bin/bash set -ex -pip uninstall docker-compose +pip uninstall -y docker-compose sudo apt-get update sudo apt-get install ca-certificates curl From 705275745be941fe05c6bc11213e5d9307dbb733 Mon Sep 17 00:00:00 2001 From: andrewmcmahon Date: Tue, 6 Feb 2024 16:27:23 +0000 Subject: [PATCH 04/13] Remove sudo --- bin/run-smoke-tests.sh | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/bin/run-smoke-tests.sh b/bin/run-smoke-tests.sh index 65bbaf18c9..5bc80a5618 100755 --- a/bin/run-smoke-tests.sh +++ b/bin/run-smoke-tests.sh 
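Review bot: Every `apt-get install` in the added block runs without `-y`, so in a non-interactive CI shell the confirmation prompt either fails the script under `set -e` or hangs waiting for input; `pip uninstall docker-compose` has the same problem (the following commit adds `-y` for pip, but the apt calls are never fixed before the block is reverted in PATCH 05). The conventional form is `apt-get install -y ca-certificates curl` and `DEBIAN_FRONTEND=noninteractive apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin`. `docker run hello-world` makes every smoke-test run depend on pulling an unpinned image from Docker Hub and proves nothing the subsequent compose start-up does not; I would drop it. Installing the engine inside the test runner on each run also belongs in the CI image or a dedicated setup step rather than in bin/run-smoke-tests.sh.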
@@ -3,22 +3,21 @@ set -ex pip uninstall -y docker-compose -sudo apt-get update -sudo apt-get install ca-certificates curl -sudo install -m 0755 -d /etc/apt/keyrings -sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc -sudo chmod a+r /etc/apt/keyrings/docker.asc +apt-get update +apt-get install ca-certificates curl +install -m 0755 -d /etc/apt/keyrings +curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc +chmod a+r /etc/apt/keyrings/docker.asc # Add the repository to Apt sources: echo \ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \ - sudo tee /etc/apt/sources.list.d/docker.list > /dev/null -sudo apt-get update + tee /etc/apt/sources.list.d/docker.list > /dev/null -sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin +apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -sudo docker run hello-world +docker run hello-world ADDITIONAL_COMPOSE_FILE="docker-compose.smoke-tests.yml -f docker-compose.yml" From 0adec7a0d92593d83fa534dd0deded96c0634e7d Mon Sep 17 00:00:00 2001 From: andrewmcmahon Date: Wed, 7 Feb 2024 14:59:53 +0000 Subject: [PATCH 05/13] Revert to old and test changing docker-compose version --- bin/run-smoke-tests.sh | 18 ------------------ docker-compose.smoke-tests.yml | 2 +- docker-compose.yml | 2 +- 3 files changed, 2 insertions(+), 20 deletions(-) diff --git a/bin/run-smoke-tests.sh b/bin/run-smoke-tests.sh index 5bc80a5618..0c274e9a1f 100755 --- a/bin/run-smoke-tests.sh +++ b/bin/run-smoke-tests.sh 
@@ -1,24 +1,6 @@ #!/bin/bash set -ex -pip uninstall -y docker-compose - -apt-get update -apt-get install ca-certificates curl -install -m 0755 -d /etc/apt/keyrings -curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc -chmod a+r /etc/apt/keyrings/docker.asc - -# Add the repository to Apt sources: -echo \ - "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ - $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \ - tee /etc/apt/sources.list.d/docker.list > /dev/null - -apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin - -docker run hello-world - ADDITIONAL_COMPOSE_FILE="docker-compose.smoke-tests.yml -f docker-compose.yml" function shutdownDocker() { diff --git a/docker-compose.smoke-tests.yml b/docker-compose.smoke-tests.yml index f38288297b..30d2e6ff73 100644 --- a/docker-compose.smoke-tests.yml +++ b/docker-compose.smoke-tests.yml @@ -1,4 +1,4 @@ -version: '2.1' +version: '1.29' services: citizen-integration-tests: diff --git a/docker-compose.yml b/docker-compose.yml index b928609129..2ca2427fec 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,4 +1,4 @@ -version: '2.1' +version: '1.29' services: citizen-frontend: From ee543ad73cafa9d8df2a739422ef28a53d548cd3 Mon Sep 17 00:00:00 2001 From: andrewmcmahon Date: Wed, 7 Feb 2024 15:30:28 +0000 Subject: [PATCH 06/13] Revert to original docker-compose and upgrade python library --- bin/run-smoke-tests.sh | 2 ++ docker-compose.smoke-tests.yml | 2 +- docker-compose.yml | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/bin/run-smoke-tests.sh b/bin/run-smoke-tests.sh index 0c274e9a1f..a39a92bc9d 100755 --- a/bin/run-smoke-tests.sh +++ b/bin/run-smoke-tests.sh @@ -1,6 +1,8 @@ #!/bin/bash set -ex +pip3 install --upgrade requests + ADDITIONAL_COMPOSE_FILE="docker-compose.smoke-tests.yml -f docker-compose.yml" function shutdownDocker() { 
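Review bot: `version: '1.29'` in docker-compose.smoke-tests.yml (and the identical change to docker-compose.yml in this commit) is not a Compose file-format version; the file-format versions are the 2.x/3.x series the file previously used (`'2.1'`), while 1.29 is the release number of the docker-compose v1 CLI. I would expect Compose to reject an unknown format version rather than select a tool release, so this cannot address the tooling problem the series is chasing; PATCH 06 restores `version: '2.1'`. If the intent is to choose which compose binary runs, that is a CI-image concern or a pinned `pip3 install docker-compose==<version>`, not a field in the compose file.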
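Review bot: `pip3 install --upgrade requests` carries no version pin, so every smoke-test run installs whatever `requests` release is current on PyPI at that moment; the test environment is therefore not reproducible, and a new upstream release (or a compromised one) lands in the runner with no review. Pin it the way the next commit pins the docker SDK, e.g. `pip3 install 'requests==<pinned version>'`, or better move both into a requirements file installed with `--require-hashes`. If the upgrade exists because the CI image ships an old `requests`, a comment saying so would help whoever later tries to remove the line.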
diff --git a/docker-compose.smoke-tests.yml b/docker-compose.smoke-tests.yml index 30d2e6ff73..f38288297b 100644 --- a/docker-compose.smoke-tests.yml +++ b/docker-compose.smoke-tests.yml @@ -1,4 +1,4 @@ -version: '1.29' +version: '2.1' services: citizen-integration-tests: diff --git a/docker-compose.yml b/docker-compose.yml index 2ca2427fec..b928609129 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,4 +1,4 @@ -version: '1.29' +version: '2.1' services: citizen-frontend: From b68d79496f8f752382108872a18db337ca758f45 Mon Sep 17 00:00:00 2001 From: andrewmcmahon Date: Wed, 7 Feb 2024 15:54:33 +0000 Subject: [PATCH 07/13] pin docker version --- bin/run-smoke-tests.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/bin/run-smoke-tests.sh b/bin/run-smoke-tests.sh index a39a92bc9d..e00b2e043f 100755 --- a/bin/run-smoke-tests.sh +++ b/bin/run-smoke-tests.sh @@ -2,6 +2,7 @@ set -ex pip3 install --upgrade requests +pip3 install docker==6.1.3 ADDITIONAL_COMPOSE_FILE="docker-compose.smoke-tests.yml -f docker-compose.yml" From d248c4ee118d1d3f2b2d86a6e072d0a9ddf2b140 Mon Sep 17 00:00:00 2001 From: andrewmcmahon Date: Wed, 7 Feb 2024 16:45:27 +0000 Subject: [PATCH 08/13] Update yarn lock file --- yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yarn.lock b/yarn.lock index c0a0be0300..60a9516ca9 100644 --- a/yarn.lock +++ b/yarn.lock @@ -11967,13 +11967,13 @@ __metadata: linkType: hard "semver@npm:^7.3.0, semver@npm:^7.3.4, semver@npm:^7.3.5, semver@npm:^7.3.7": - version: 7.5.4 - resolution: "semver@npm:7.5.4" + version: 7.6.0 + resolution: "semver@npm:7.6.0" dependencies: lru-cache: ^6.0.0 bin: semver: bin/semver.js - checksum: 12d8ad952fa353b0995bf180cdac205a4068b759a140e5d3c608317098b3575ac2f1e09182206bf2eb26120e1c0ed8fb92c48c592f6099680de56bb071423ca3 + checksum: 7427f05b70786c696640edc29fdd4bc33b2acf3bbe1740b955029044f80575fc664e1a512e4113c3af21e767154a94b4aa214bf6cd6e42a1f6dba5914e0b208c languageName: node linkType: hard 
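Review bot: The new `pip3 install docker==6.1.3` line records a pin without the reason for it, which is exactly what the next person needs when deciding whether it can be lifted; presumably it holds the docker SDK below a release that broke the docker-compose v1 CLI this script drives, but that is an inference and should be confirmed against the failure that prompted it. I would add `# pinned: docker-compose v1 breaks on newer docker SDK releases - revisit when compose v2 is adopted` above it, with the reason adjusted to what actually failed. The preceding `pip3 install --upgrade requests` remains unpinned, so only half of the Python environment is reproducible.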
From b54d8ced99c044ee4678ed4d1b841e40d471f2b5 Mon Sep 17 00:00:00 2001 From: andrewmcmahon Date: Thu, 8 Feb 2024 09:48:07 +0000 Subject: [PATCH 09/13] trigger rebuild --- bin/run-smoke-tests.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bin/run-smoke-tests.sh b/bin/run-smoke-tests.sh index e00b2e043f..45890214c9 100755 --- a/bin/run-smoke-tests.sh +++ b/bin/run-smoke-tests.sh @@ -4,6 +4,8 @@ set -ex pip3 install --upgrade requests pip3 install docker==6.1.3 +# trigger a rebuild including static checks + ADDITIONAL_COMPOSE_FILE="docker-compose.smoke-tests.yml -f docker-compose.yml" function shutdownDocker() { From b234a4aee921aee8555bd690dd064afefcd3bf5e Mon Sep 17 00:00:00 2001 From: andrewmcmahon Date: Thu, 8 Feb 2024 11:04:11 +0000 Subject: [PATCH 10/13] Remove ldclient-node to fix security issue as launchdarkly-node-server-sdk is already installed and new version --- package.json | 1 - yarn.lock | 269 +++------------------------------------------------ 2 files changed, 11 insertions(+), 259 deletions(-) diff --git a/package.json b/package.json index bcab11311d..62ab6debe7 100644 --- a/package.json +++ b/package.json @@ -86,7 +86,6 @@ "jquery": "3.6.0", "js-base64": "^2.5.1", "launchdarkly-node-server-sdk": "^7.0.0", - "ldclient-node": "^5.8.0", "lodash": "^4.17.21", "mime": "^2.4.6", "moment": "^2.29.4", diff --git a/yarn.lock b/yarn.lock index 60a9516ca9..5dfbb8c3d7 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1157,13 +1157,6 @@ __metadata: languageName: node linkType: hard -"@types/events@npm:*": - version: 3.0.0 - resolution: "@types/events@npm:3.0.0" - checksum: 9a424c2da210957d5636e0763e8c9fc3aaeee35bf411284ddec62a56a6abe31de9c7c2e713dabdd8a76ff98b47db2bd52f61310be6609641d6234cc842ecbbe3 - languageName: node - linkType: hard - "@types/expect@npm:^1.20.4": version: 1.20.4 resolution: "@types/expect@npm:1.20.4" 
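Review bot: The added `# trigger a rebuild including static checks` comment is a CI nudge committed into bin/run-smoke-tests.sh; it will outlive its purpose and puzzle later readers of the script. Re-running the pipeline is better done with an empty commit (`git commit --allow-empty`) or the CI's rerun control, and I would drop the two added lines before merge.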
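Review bot: Dropping `ldclient-node` from dependencies while src/main/common/clients/launchDarklyClient.ts still has `import * as ld from 'ldclient-node'` leaves this commit unbuildable on its own; the import is only switched in PATCH 11, so the two belong in one commit (or this one ordered after it) to keep the history bisectable. The yarn.lock hunks that follow show the transitive subtree (`request@npm:2.87.0`, `redis`, `winston@npm:2.4.1`, `yaml@npm:1.0.1`) leaving with it, which is the real security win here and deserves a mention in the commit message. It is also worth confirming that `launchdarkly-node-server-sdk` is still the package LaunchDarkly supports; I believe it has since been superseded by the scoped `@launchdarkly/node-server-sdk`, in which case this migration would need repeating.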
@@ -1331,16 +1324,6 @@ __metadata: languageName: node linkType: hard -"@types/redis@npm:2.8.6": - version: 2.8.6 - resolution: "@types/redis@npm:2.8.6" - dependencies: - "@types/events": "*" - "@types/node": "*" - checksum: 5a466d7fb502f579226473c2ebba97e033ed188abf319da41685bafc74e9ca064e19db26c9e622b8222232c5c8f7a93067cf007feb33c3599fa952c9b1262172 - languageName: node - linkType: hard - "@types/request-promise-native@npm:^1.0.16": version: 1.0.18 resolution: "@types/request-promise-native@npm:1.0.18" @@ -2418,15 +2401,6 @@ __metadata: languageName: node linkType: hard -"async@npm:2.6.0": - version: 2.6.0 - resolution: "async@npm:2.6.0" - dependencies: - lodash: ^4.14.0 - checksum: 1cb5dddf9a50e1e6f73a7f52753894a9f42dcc249b5b9b24a04e25f4f1b50fbd3d3cd9792b02ca280611ed5c489c07913c55bcdca186827c5909b01eb6d6813e - languageName: node - linkType: hard - "async@npm:^2.6.3, async@npm:^2.6.4, async@npm:^3.2.0": version: 2.6.4 resolution: "async@npm:2.6.4" @@ -2443,13 +2417,6 @@ __metadata: languageName: node linkType: hard -"async@npm:~1.0.0": - version: 1.0.0 - resolution: "async@npm:1.0.0" - checksum: 04d4e57806b1a46b1635a3d821a9bcc06f893d6828a0468ceb494d1857b565754cbbaed22529aef79749dbbe7cf5080bfdb346b54be0e9cd35c41d7ef8d7911f - languageName: node - linkType: hard - "asynckit@npm:^0.4.0": version: 0.4.0 resolution: "asynckit@npm:0.4.0" @@ -2480,13 +2447,6 @@ __metadata: languageName: node linkType: hard -"aws4@npm:^1.6.0": - version: 1.12.0 - resolution: "aws4@npm:1.12.0" - checksum: 68f79708ac7c335992730bf638286a3ee0a645cf12575d557860100767c500c08b30e24726b9f03265d74116417f628af78509e1333575e9f8d52a80edfe8cbc - languageName: node - linkType: hard - "aws4@npm:^1.8.0": version: 1.11.0 resolution: "aws4@npm:1.11.0" 
@@ -3339,13 +3299,6 @@ __metadata: languageName: node linkType: hard -"clone@npm:1.0.x": - version: 1.0.4 - resolution: "clone@npm:1.0.4" - checksum: d06418b7335897209e77bdd430d04f882189582e67bd1f75a04565f3f07f5b3f119a9d670c943b6697d0afb100f03b866b3b8a1f91d4d02d72c4ecf2bb64b5dd - languageName: node - linkType: hard - "clone@npm:2.x, clone@npm:^2.1.1": version: 2.1.2 resolution: "clone@npm:2.1.2" @@ -3461,7 +3414,6 @@ __metadata: jsdom: ^16.6.0 jsonwebtoken: ^8.5.1 launchdarkly-node-server-sdk: ^7.0.0 - ldclient-node: ^5.8.0 lodash: ^4.17.21 mime: ^2.4.6 mocha: ^10.2.0 @@ -3674,7 +3626,7 @@ __metadata: languageName: node linkType: hard -"combined-stream@npm:^1.0.6, combined-stream@npm:^1.0.8, combined-stream@npm:~1.0.5, combined-stream@npm:~1.0.6": +"combined-stream@npm:^1.0.6, combined-stream@npm:^1.0.8, combined-stream@npm:~1.0.6": version: 1.0.8 resolution: "combined-stream@npm:1.0.8" dependencies: @@ -4453,13 +4405,6 @@ __metadata: languageName: node linkType: hard -"denque@npm:^1.5.0": - version: 1.5.1 - resolution: "denque@npm:1.5.1" - checksum: 4375ad19d5cea99f90effa82a8cecdaa10f4eb261fbcd7e47cd753ff2737f037aac8f7f4e031cc77f3966314c491c86a0d3b20c128aeee57f791b4662c45108e - languageName: node - linkType: hard - "depd@npm:2.0.0, depd@npm:^2.0.0, depd@npm:~2.0.0": version: 2.0.0 resolution: "depd@npm:2.0.0" @@ -5352,7 +5297,7 @@ __metadata: languageName: node linkType: hard -"extend@npm:3.0.2, extend@npm:^3.0.0, extend@npm:~3.0.1, extend@npm:~3.0.2": +"extend@npm:3.0.2, extend@npm:^3.0.0, extend@npm:~3.0.2": version: 3.0.2 resolution: "extend@npm:3.0.2" checksum: a50a8309ca65ea5d426382ff09f33586527882cf532931cb08ca786ea3146c0553310bda688710ff61d7668eba9f96b923fe1420cdf56a2c3eaf30fcab87b515 @@ -5885,7 +5830,7 @@ __metadata: languageName: node linkType: hard -"form-data@npm:~2.3.1, form-data@npm:~2.3.2": +"form-data@npm:~2.3.2": version: 2.3.3 resolution: "form-data@npm:2.3.3" dependencies: 
@@ -6762,16 +6707,6 @@ __metadata: languageName: node linkType: hard -"har-validator@npm:~5.0.3": - version: 5.0.3 - resolution: "har-validator@npm:5.0.3" - dependencies: - ajv: ^5.1.0 - har-schema: ^2.0.0 - checksum: 48109cd27cfb6eb54ba013e2b1c3a6e53087b41c54e08c96ad2f3d40e93e04d2459d5c2a095fc58d06622149a633017e21c27a5c785e09b80a8d723bebcef75f - languageName: node - linkType: hard - "har-validator@npm:~5.1.3": version: 5.1.5 resolution: "har-validator@npm:5.1.5" @@ -6948,13 +6883,6 @@ __metadata: languageName: node linkType: hard -"hoek@npm:4.2.1": - version: 4.2.1 - resolution: "hoek@npm:4.2.1" - checksum: 3f28857c9d4c29e0d4c0bfb0d73973529fdd700266e963f9964c59ad92a4bc08943b94c4ada97c105a20c78d4dec98e4fc2c08025660743722558e6da793fd0f - languageName: node - linkType: hard - "hoek@npm:5.x.x": version: 5.0.4 resolution: "hoek@npm:5.0.4" @@ -8508,27 +8436,6 @@ __metadata: languageName: node linkType: hard -"ldclient-node@npm:^5.8.0": - version: 5.8.0 - resolution: "ldclient-node@npm:5.8.0" - dependencies: - "@types/redis": 2.8.6 - async: 2.6.0 - hoek: 4.2.1 - lrucache: ^1.0.3 - node-cache: ^3.2.1 - node-sha1: 0.0.1 - redis: ^2.6.0-2 - request: 2.87.0 - request-etag: ^2.0.3 - semver: 5.5.0 - tunnel: 0.0.6 - winston: 2.4.1 - yaml: 1.0.1 - checksum: abf907a8323072c6e8e0dcc1d0770873faa10f8003411229fb73ef76b2e8648721982d48406a6f0959d868769a07cd4958ba97c7aaa4ef1af0d6015b41d15c30 - languageName: node - linkType: hard - "lead@npm:^1.0.0": version: 1.0.0 resolution: "lead@npm:1.0.0" @@ -8644,7 +8551,7 @@ __metadata: languageName: node linkType: hard -"lodash.assign@npm:^4.0.0, lodash.assign@npm:^4.2.0": +"lodash.assign@npm:^4.2.0": version: 4.2.0 resolution: "lodash.assign@npm:4.2.0" checksum: 75bbc6733c9f577c448031b4051f990f068802708891f94be9d4c2faffd6a9ec67a2c49671dafc908a068d35687765464853282842b4560b662e6c903d11cc90 
@@ -8658,7 +8565,7 @@ __metadata: languageName: node linkType: hard -"lodash.clonedeep@npm:^4.0.1, lodash.clonedeep@npm:^4.5.0": +"lodash.clonedeep@npm:^4.5.0": version: 4.5.0 resolution: "lodash.clonedeep@npm:4.5.0" checksum: 92c46f094b064e876a23c97f57f81fbffd5d760bf2d8a1c61d85db6d1e488c66b0384c943abee4f6af7debf5ad4e4282e74ff83177c9e63d8ff081a4837c3489 @@ -8900,7 +8807,7 @@ __metadata: languageName: node linkType: hard -"lru-cache@npm:^4.0.0, lru-cache@npm:^4.1.5": +"lru-cache@npm:^4.1.5": version: 4.1.5 resolution: "lru-cache@npm:4.1.5" dependencies: @@ -8926,13 +8833,6 @@ __metadata: languageName: node linkType: hard -"lrucache@npm:^1.0.3": - version: 1.0.3 - resolution: "lrucache@npm:1.0.3" - checksum: beb7821b61d45d4e6b89adc07c5fef36aff32ab48ea2fe3f9bb8ec1a82852a0ca6a1a7d68f5d723b6a4e890d11146afb255f9fd7879c80467983531cd47f97a9 - languageName: node - linkType: hard - "make-dir@npm:^1.0.0": version: 1.3.0 resolution: "make-dir@npm:1.3.0" @@ -9110,7 +9010,7 @@ __metadata: languageName: node linkType: hard -"mime-db@npm:1.52.0, mime-db@npm:^1.28.0": +"mime-db@npm:^1.28.0": version: 1.52.0 resolution: "mime-db@npm:1.52.0" checksum: 0d99a03585f8b39d68182803b12ac601d9c01abfa28ec56204fa330bc9f3d1c5e14beb049bafadb3dbdf646dfb94b87e24d4ec7b31b7279ef906a8ea9b6a513f @@ -9126,15 +9026,6 @@ __metadata: languageName: node linkType: hard -"mime-types@npm:~2.1.17": - version: 2.1.35 - resolution: "mime-types@npm:2.1.35" - dependencies: - mime-db: 1.52.0 - checksum: 89a5b7f1def9f3af5dad6496c5ed50191ae4331cc5389d7c521c8ad28d5fdad2d06fd81baf38fed813dc4e46bb55c8145bb0ff406330818c9cf712fb2e9b3836 - languageName: node - linkType: hard - "mime@npm:1.6.0, mime@npm:^1.4.1": version: 1.6.0 resolution: "mime@npm:1.6.0" 
@@ -9741,16 +9632,6 @@ __metadata: languageName: node linkType: hard -"node-cache@npm:^3.2.1": - version: 3.2.1 - resolution: "node-cache@npm:3.2.1" - dependencies: - clone: 1.0.x - lodash: 4.x - checksum: 416d5ba99da4d3080375550aeddba1719270f2a2841328076bc4088c181433f9f396dc41e44516f6e6520329d1be203b0c0eeef34384022697d8b81de93495fa - languageName: node - linkType: hard - "node-cache@npm:^5.1.0, node-cache@npm:^5.1.2": version: 5.1.2 resolution: "node-cache@npm:5.1.2" @@ -9829,13 +9710,6 @@ __metadata: languageName: node linkType: hard -"node-sha1@npm:0.0.1": - version: 0.0.1 - resolution: "node-sha1@npm:0.0.1" - checksum: 9a96ea197bf0ab3b460f86eb5ac7f5df9a890530d959dbad21a6d3025caf883d90e3b959a7f9c208b5bdd3a34f08532c6f5e062ec8de23e5e8e7298cb3b4ac39 - languageName: node - linkType: hard - "node.extend@npm:~2.0.2": version: 2.0.2 resolution: "node.extend@npm:2.0.2" @@ -10057,13 +9931,6 @@ __metadata: languageName: node linkType: hard -"oauth-sign@npm:~0.8.2": - version: 0.8.2 - resolution: "oauth-sign@npm:0.8.2" - checksum: dcf2a5d810c1e75e2a4bcd5be6f809444ddc3b7076e9bfc9d489094f708d45b544308ef0c37c8e8479ad51d2e2e2052fc5fc6b6ebf95570468d0046e08d53599 - languageName: node - linkType: hard - "oauth-sign@npm:~0.9.0": version: 0.9.0 resolution: "oauth-sign@npm:0.9.0" @@ -10970,7 +10837,7 @@ __metadata: languageName: node linkType: hard -"punycode@npm:^1.3.2, punycode@npm:^1.4.1": +"punycode@npm:^1.3.2": version: 1.4.1 resolution: "punycode@npm:1.4.1" checksum: fa6e698cb53db45e4628559e557ddaf554103d2a96a1d62892c8f4032cd3bc8871796cae9eabc1bc700e2b6677611521ce5bb1d9a27700086039965d0cf34518 @@ -11044,7 +10911,7 @@ __metadata: languageName: node linkType: hard -"qs@npm:~6.5.1, qs@npm:~6.5.2": +"qs@npm:~6.5.2": version: 6.5.3 resolution: "qs@npm:6.5.3" checksum: 6f20bf08cabd90c458e50855559539a28d00b2f2e7dddcb66082b16a43188418cb3cb77cbd09268bcef6022935650f0534357b8af9eeb29bf0f27ccb17655692 
@@ -11253,41 +11120,6 @@ __metadata: languageName: node linkType: hard -"redis-commands@npm:^1.7.0": - version: 1.7.0 - resolution: "redis-commands@npm:1.7.0" - checksum: d1ff7fbcb5e54768c77f731f1d49679d2a62c3899522c28addb4e2e5813aea8bcac3f22519d71d330224c3f2937f935dfc3d8dc65e90db0f5fe22dc2c1515aa7 - languageName: node - linkType: hard - -"redis-errors@npm:^1.0.0, redis-errors@npm:^1.2.0": - version: 1.2.0 - resolution: "redis-errors@npm:1.2.0" - checksum: f28ac2692113f6f9c222670735aa58aeae413464fd58ccf3fce3f700cae7262606300840c802c64f2b53f19f65993da24dc918afc277e9e33ac1ff09edb394f4 - languageName: node - linkType: hard - -"redis-parser@npm:^3.0.0": - version: 3.0.0 - resolution: "redis-parser@npm:3.0.0" - dependencies: - redis-errors: ^1.0.0 - checksum: 89290ae530332f2ae37577647fa18208d10308a1a6ba750b9d9a093e7398f5e5253f19855b64c98757f7129cccce958e4af2573fdc33bad41405f87f1943459a - languageName: node - linkType: hard - -"redis@npm:^3.1.1": - version: 3.1.2 - resolution: "redis@npm:3.1.2" - dependencies: - denque: ^1.5.0 - redis-commands: ^1.7.0 - redis-errors: ^1.2.0 - redis-parser: ^3.0.0 - checksum: baec42198626b22d2dfc063b6a6f30394daee994c21f380e58ecf91c3edee333c4e32907c30f082fe66d2177695f7b2567902eef399ecb22da3e199ea6363a30 - languageName: node - linkType: hard - "reflect-metadata@npm:^0.1.13": version: 0.1.13 resolution: "reflect-metadata@npm:0.1.13" @@ -11424,18 +11256,6 @@ __metadata: languageName: node linkType: hard -"request-etag@npm:^2.0.3": - version: 2.0.3 - resolution: "request-etag@npm:2.0.3" - dependencies: - lodash.assign: ^4.0.0 - lodash.clonedeep: ^4.0.1 - lru-cache: ^4.0.0 - request: ^2.67.0 - checksum: 96a1dda8de607ea5b6f760b4db41b2463f6aef4bf3b4970e5798e5d62580009514ff6f372f2fe8861104dbb56a82497cb91448c675fc06c76e3db0fa7eea1e55 - languageName: node - linkType: hard - "request-promise-core@npm:1.1.4, request-promise-core@npm:^1.1.1": version: 1.1.4 resolution: "request-promise-core@npm:1.1.4" 
@@ -11474,35 +11294,7 @@ __metadata: languageName: node linkType: hard -"request@npm:2.87.0": - version: 2.87.0 - resolution: "request@npm:2.87.0" - dependencies: - aws-sign2: ~0.7.0 - aws4: ^1.6.0 - caseless: ~0.12.0 - combined-stream: ~1.0.5 - extend: ~3.0.1 - forever-agent: ~0.6.1 - form-data: ~2.3.1 - har-validator: ~5.0.3 - http-signature: ~1.2.0 - is-typedarray: ~1.0.0 - isstream: ~0.1.2 - json-stringify-safe: ~5.0.1 - mime-types: ~2.1.17 - oauth-sign: ~0.8.2 - performance-now: ^2.1.0 - qs: ~6.5.1 - safe-buffer: ^5.1.1 - tough-cookie: ~2.3.3 - tunnel-agent: ^0.6.0 - uuid: ^3.1.0 - checksum: 914ed39e51bfa0348d2293b974336dce11e3def7c17dc9719d8b983f2cde50019570144dfaeaf47479cc87d260b3dee258fb21a1df21d36e39ee6ffc37588c8c - languageName: node - linkType: hard - -"request@npm:^2.67.0, request@npm:^2.74.0, request@npm:^2.81.0, request@npm:^2.83.0, request@npm:^2.88.0, request@npm:^2.88.2": +"request@npm:^2.74.0, request@npm:^2.81.0, request@npm:^2.83.0, request@npm:^2.88.0, request@npm:^2.88.2": version: 2.88.2 resolution: "request@npm:2.88.2" dependencies: @@ -11948,15 +11740,6 @@ __metadata: languageName: node linkType: hard -"semver@npm:5.5.0": - version: 5.5.0 - resolution: "semver@npm:5.5.0" - bin: - semver: ./bin/semver - checksum: f7ae12b9d2f88ea58754512f7d9c19544a370de15ae4f323d9ce2a1158329e33d8644414c685ba20d123653745a2cbe00619fcb7e89d1eff4bef61b070e32b01 - languageName: node - linkType: hard - "semver@npm:^6.0.0, semver@npm:^6.2.0, semver@npm:^6.3.0": version: 6.3.1 resolution: "semver@npm:6.3.1" @@ -13191,15 +12974,6 @@ __metadata: languageName: node linkType: hard -"tough-cookie@npm:~2.3.3": - version: 2.3.4 - resolution: "tough-cookie@npm:2.3.4" - dependencies: - punycode: ^1.4.1 - checksum: cbdf41cba6799c0e58c1832247045669ea82157786b22536f59216d06a7f342fab7f17aea65662729afb32cd5f10a843246bd87a0efb30594bbd85a9d9fd9687 - languageName: node - linkType: hard - "tr46@npm:^2.1.0": version: 2.1.0 resolution: "tr46@npm:2.1.0" 
@@ -13792,7 +13566,7 @@ __metadata: languageName: node linkType: hard -"uuid@npm:^3.0.0, uuid@npm:^3.1.0, uuid@npm:^3.3.2, uuid@npm:^3.3.3, uuid@npm:^3.4.0": +"uuid@npm:^3.0.0, uuid@npm:^3.3.2, uuid@npm:^3.3.3, uuid@npm:^3.4.0": version: 3.4.0 resolution: "uuid@npm:3.4.0" bin: @@ -14192,20 +13966,6 @@ __metadata: languageName: node linkType: hard -"winston@npm:2.4.1": - version: 2.4.1 - resolution: "winston@npm:2.4.1" - dependencies: - async: ~1.0.0 - colors: 1.0.x - cycle: 1.0.x - eyes: 0.1.x - isstream: 0.1.x - stack-trace: 0.0.x - checksum: 4ae2d3a4e216e74b01ac64438934fa54858b2e82e9d614bcee9f19479afafe2f6ee47e9e8e2252ab1e08e47571e1668577b3264e6c2096c48b59749d3198221c - languageName: node - linkType: hard - "winston@npm:^2.4.5": version: 2.4.7 resolution: "winston@npm:2.4.7" @@ -14407,13 +14167,6 @@ __metadata: languageName: node linkType: hard -"yaml@npm:1.0.1": - version: 1.0.1 - resolution: "yaml@npm:1.0.1" - checksum: 7b6192c824ea3b79dd72b67f50a56ef2eae12062c8f7772d962621dc433570123d5e1aad9d621c31c94c4f1b3ab85f5b9c473ec11f1ecfc8a716352fff0980c6 - languageName: node - linkType: hard - "yargs-parser@npm:^20.2.7": version: 20.2.9 resolution: "yargs-parser@npm:20.2.9" From 03fa37f0b1fa7e74fd37a251dd535c4e1e49c4a8 Mon Sep 17 00:00:00 2001 From: andrewmcmahon Date: Thu, 8 Feb 2024 11:06:37 +0000 Subject: [PATCH 11/13] Swap to new launchdarkly-node-server-sdk package --- src/main/common/clients/launchDarklyClient.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/common/clients/launchDarklyClient.ts b/src/main/common/clients/launchDarklyClient.ts index 284bec9ba3..f758a83bb0 100644 --- a/src/main/common/clients/launchDarklyClient.ts +++ b/src/main/common/clients/launchDarklyClient.ts @@ -1,6 +1,6 @@ import * as config from 'config' import { User } from 'idam/user' -import * as ld from 'ldclient-node' +import * as ld from 'launchdarkly-node-server-sdk' const sdkKey: string = config.get('secrets.cmc.launchDarkly-sdk-key') const ldConfig = { 
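Review bot: Changing the module specifier from `ldclient-node` to `launchdarkly-node-server-sdk` crosses two major versions (^5.8.0 to ^7.0.0) and is unlikely to be a drop-in swap; the `ldConfig` object and the client calls that follow it are outside this hunk and need checking against the v7 API (initialisation, variation calls, user/context types), since I believe the releases between 5 and 7 removed deprecated call forms. The namespace import `ld` only compiles if the v7 typings export the same names the rest of the file uses, so a `tsc` run over this file should be part of the check. A short comment above the import recording the previous package and why it was replaced would help anyone reading this diff later.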
From 694cee5505c89d769bdbe07e057801afa61cca2d Mon Sep 17 00:00:00 2001 From: andrewmcmahon Date: Thu, 8 Feb 2024 11:13:51 +0000 Subject: [PATCH 12/13] Upgrade version of tough-cookie --- yarn.lock | 42 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 37 insertions(+), 5 deletions(-) diff --git a/yarn.lock b/yarn.lock index 5dfbb8c3d7..94dee6ac93 100644 --- a/yarn.lock +++ b/yarn.lock @@ -10925,6 +10925,13 @@ __metadata: languageName: node linkType: hard +"querystringify@npm:^2.1.1": + version: 2.2.0 + resolution: "querystringify@npm:2.2.0" + checksum: 5641ea231bad7ef6d64d9998faca95611ed4b11c2591a8cae741e178a974f6a8e0ebde008475259abe1621cb15e692404e6b6626e927f7b849d5c09392604b15 + languageName: node + linkType: hard + "queue-microtask@npm:^1.2.2": version: 1.2.3 resolution: "queue-microtask@npm:1.2.3" @@ -11354,6 +11361,13 @@ __metadata: languageName: node linkType: hard +"requires-port@npm:^1.0.0": + version: 1.0.0 + resolution: "requires-port@npm:1.0.0" + checksum: eee0e303adffb69be55d1a214e415cf42b7441ae858c76dfc5353148644f6fd6e698926fc4643f510d5c126d12a705e7c8ed7e38061113bdf37547ab356797ff + languageName: node + linkType: hard + "resolve-alpn@npm:^1.0.0": version: 1.2.1 resolution: "resolve-alpn@npm:1.2.1" @@ -12964,13 +12978,14 @@ __metadata: linkType: hard "tough-cookie@npm:^4.0.0": - version: 4.0.0 - resolution: "tough-cookie@npm:4.0.0" + version: 4.1.3 + resolution: "tough-cookie@npm:4.1.3" dependencies: psl: ^1.1.33 punycode: ^2.1.1 - universalify: ^0.1.2 - checksum: 0891b37eb7d17faa3479d47f0dce2e3007f2583094ad272f2670d120fbcc3df3b0b0a631ba96ecad49f9e2297d93ff8995ce0d3292d08dd7eabe162f5b224d69 + universalify: ^0.2.0 + url-parse: ^1.5.3 + checksum: c9226afff36492a52118432611af083d1d8493a53ff41ec4ea48e5b583aec744b989e4280bcf476c910ec1525a89a4a0f1cae81c08b18fb2ec3a9b3a72b91dcc languageName: node linkType: hard 
@@ -13417,13 +13432,20 @@ __metadata: languageName: node linkType: hard -"universalify@npm:^0.1.0, universalify@npm:^0.1.2": +"universalify@npm:^0.1.0": version: 0.1.2 resolution: "universalify@npm:0.1.2" checksum: 40cdc60f6e61070fe658ca36016a8f4ec216b29bf04a55dce14e3710cc84c7448538ef4dad3728d0bfe29975ccd7bfb5f414c45e7b78883567fb31b246f02dff languageName: node linkType: hard +"universalify@npm:^0.2.0": + version: 0.2.0 + resolution: "universalify@npm:0.2.0" + checksum: e86134cb12919d177c2353196a4cc09981524ee87abf621f7bc8d249dbbbebaec5e7d1314b96061497981350df786e4c5128dbf442eba104d6e765bc260678b5 + languageName: node + linkType: hard + "universalify@npm:^2.0.0": version: 2.0.0 resolution: "universalify@npm:2.0.0" @@ -13511,6 +13533,16 @@ __metadata: languageName: node linkType: hard +"url-parse@npm:^1.5.3": + version: 1.5.10 + resolution: "url-parse@npm:1.5.10" + dependencies: + querystringify: ^2.1.1 + requires-port: ^1.0.0 + checksum: fbdba6b1d83336aca2216bbdc38ba658d9cfb8fc7f665eb8b17852de638ff7d1a162c198a8e4ed66001ddbf6c9888d41e4798912c62b4fd777a31657989f7bdf + languageName: node + linkType: hard + "url-to-options@npm:^1.0.1": version: 1.0.1 resolution: "url-to-options@npm:1.0.1" From 3d46ec2b154fe4ee2c98df4a76ba78aba936a9c3 Mon Sep 17 00:00:00 2001 From: andrewmcmahon Date: Thu, 8 Feb 2024 11:22:47 +0000 Subject: [PATCH 13/13] Suppress request vulnerability as no new versions or packages for this --- yarn-audit-known-issues | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues index 528a0337aa..92ea005985 100644 --- a/yarn-audit-known-issues +++ b/yarn-audit-known-issues 
@@ -1 +1 @@ -{"actions":[],"advisories":{"1092972":{"findings":[{"version":"2.87.0","paths":["request","@hmcts/draft-store-client>request","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the 
maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1094555":{"findings":[{"version":"6.3.0","paths":["launchdarkly-node-server-sdk>semver","@hmcts/nodejs-healthcheck>superagent>semver","applicationinsights>continuation-local-storage>async-listener>semver","gulp>glob-watcher>chokidar>fsevents>nan>node-gyp>semver","gulp>glob-watcher>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <6.3.1","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=6.3.1","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-11-05T05:04:46.000Z","recommendation":"Upgrade to version 6.3.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1094555,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression 
Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1095102":{"findings":[{"version":"2.3.4","paths":["request>tough-cookie","@hmcts/draft-store-client>request>tough-cookie","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-11-29T22:32:01.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1095102,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":11,"high":0,"critical":0},"dependencies":667,"devDependencies":0,"optionalDependencies":0,"totalDependencies":667}} +{"actions":[],"advisories":{"1092972":{"findings":[{"version":"2.88.2","paths":["request","@hmcts/draft-store-client>request","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that 
does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":3,"high":0,"critical":0},"dependencies":657,"devDependencies":0,"optionalDependencies":0,"totalDependencies":657}}
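Review bot: The new baseline on the `+` line keeps advisory 1092972 (CVE-2023-28155, CWE-918, SSRF via cross-protocol redirect in `request` 2.88.2) as an accepted finding, but its `patched_versions` is `<0.0.0` and the overview says the package is unmaintained, so this suppression never expires on its own and nothing on the page records who owns it or when it is revisited. Since the file is strict JSON there is nowhere in it for that rationale; the commit message should name the tracking ticket, and the three reported paths (the direct `request` dependency and the two via `@hmcts/draft-store-client`) need a plan to move off `request`, either directly or by taking an upstream `@hmcts/draft-store-client` release that has. Until then the exposure is limited to code paths where `request` follows redirects to URLs a user can influence; if any exist in this codebase, disabling redirect following there (`followRedirect: false`) is the mitigation the advisory text implies. The vulnerability count on the new side drops from 11 to 3 moderate, which is consistent with the tough-cookie and semver advisories no longer appearing.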