
chore(bit): update deps that have vulnerabilities #8804

Draft
wants to merge 45 commits into
base: master

Conversation

luvkapur
Member

@luvkapur luvkapur commented Apr 19, 2024

Vulnerability Report

Summary

Total vulnerabilities: 72

  • CRITICAL: 13
  • HIGH: 21
  • MEDIUM: 35
  • LOW: 3

Detailed Report

CRITICAL Severity Vulnerabilities

| Library | Vulnerability ID | Installed Version | Fixed Version | Title | Status | Progress |
|---|---|---|---|---|---|---|
| ejs | CVE-2022-29078 | 2.7.4 | 3.1.7 | Server-side template injection in outputFunctionName | Fixed | |
| hermes-engine | CVE-2021-24037 | 0.7.2 | 0.8.0 | Use After Free in Hermes | No | |
| hermes-engine | CVE-2021-24044 | | 0.10.0 | Access of Resource Using Incompatible Type in Hermes | No | [ ] |
| json-schema | CVE-2021-3918 | 0.3.0 | 0.4.0 | Prototype pollution vulnerability | No | [ ] |
| minimist | CVE-2021-44906 | 0.0.10 | 1.2.6, 0.2.4 | Prototype pollution | No | [ ] |
| shell-quote | CVE-2021-42740 | 1.6.1 | 1.7.3 | Command injection vulnerability | No | [ ] |
| url-parse | CVE-2022-0686 | 1.4.7 | 1.5.8 | Authorization bypass through user-controlled key | No | ✅ fixed as part of https://bit.cloud/teambit/ui-foundation/~change-requests/bump-url-parse-dependents |
| url-parse | CVE-2022-0691 | | | Authorization bypass through user-controlled key | No | ✅ fixed as part of https://bit.cloud/teambit/ui-foundation/~change-requests/bump-url-parse-dependents |

HIGH Severity Vulnerabilities

| Library | Vulnerability ID | Installed Version | Fixed Version | Title | Status | Progress |
|---|---|---|---|---|---|---|
| apollo-server | GHSA-qm7x-rc44-rrqw | 2.19.2 | 2.25.3, 3.4.1 | Cross-site Scripting Vulnerability in GraphQL Playground | Fixed | ✅ fixed as part of #8753 |
| aws-sdk | CVE-2020-28472 | 2.756.0 | 2.814.0 | Prototype Pollution via file load | No | |
| d3-color | GHSA-36jr-mh4h-2g58 | 2.0.0 | 3.1.0 | Vulnerable to ReDoS | No | [ ] |
| dicer | CVE-2022-24434 | 0.3.0 | None | Nodejs service crash by sending a crafted payload | No | [ ] |
| immer | CVE-2021-3757 | 8.0.1 | None | Prototype pollution may lead to DoS or remote code execution | No | [ ] |
| loader-utils | CVE-2022-37599 | 2.0.0 | 1.4.2, 2.0.4, 3.2.1 | Regular expression denial of service in interpolateName.js | No | [ ] |
| lodash | CVE-2021-23337 | 4.17.20 | None | Command injection via template | No | [ ] |
| qs | CVE-2022-24999 | 6.7.0 | 6.10.3, 6.9.7, etc. | "qs" prototype poisoning causes the hang of the node process | No | [ ] |
| shelljs | CVE-2022-0144 | 0.3.0 | 0.8.5 | Improper privilege management | No | [ ] |
| trim | CVE-2020-7753 | 0.0.1 | 0.0.3 | Regular Expression Denial of Service (ReDoS) in trim function | Fixed | [ ] |
| webpack-dev-middleware | CVE-2024-29180 | 5.3.3 | 7.1.0, 6.1.2, 5.3.4 | Lack of URL validation may lead to file leak | Fixed | [ ] |
| ws | CVE-2021-32640 | 7.4.2 | 7.4.6, 6.2.2, 5.2.3 | Specially crafted value of Sec-Websocket-Protocol header used | No | ✅ fixed as part of #8753 |

MEDIUM Severity Vulnerabilities

| Library | Vulnerability ID | Installed Version | Fixed Version | Title | Status | Progress |
|---|---|---|---|---|---|---|
| apollo-server | GHSA-2p3c-p3qw-69r4 | | 2.25.4 | CSRF vulnerability in graphql-upload library | No | ✅ fixed as part of #8753 |
| bl | CVE-2020-8244 | 1.1.2 | 1.2.3, 2.2.1, 3.0.1, 4.0.3 | Buffer over-read leads to corrupted BufferList | No | [ ] |
| browserslist | CVE-2021-23364 | 4.14.2 | 4.16.5 | Parsing of invalid queries could lead to RegEx Denial of Service | No | [ ] |
| express | CVE-2024-29041 | 4.17.1 | 4.19.2, 5.0.0-beta.3 | Express.js versions are vulnerable to unknown issue | No | |
| got | CVE-2022-33987 | 6.7.1 | 12.1.0, 11.8.5 | Missing verification of requested URLs allows redirects to UNIX sockets | No | [ ] |
| lodash | CVE-2020-28500 | | 4.17.21 | ReDoS via the toNumber, trim and trimEnd functions | No | [ ] |
| postcss | CVE-2023-44270 | 8.4.18 | 8.4.31 | An issue discovered in PostCSS before 8.4.31 | No | [ ] |
| request | CVE-2023-28155 | 2.88.2 | None | Allows a bypass of SSRF protection | No | [ ] |
| ws | GHSA-64g7-mvw6-v9qj | | | Improper Privilege Management in shelljs | No | [ ] |

LOW Severity Vulnerabilities

| Library | Vulnerability ID | Installed Version | Fixed Version | Title | Status | Progress |
|---|---|---|---|---|---|---|
| es5-ext | CVE-2024-27088 | 0.10.62 | 0.10.63 | ECMAScript 5 extensions can lead to functions with very... | No | [ ] |
| node-fetch | CVE-2020-15168 | | 2.6.1, 3.0.0-beta.9 | Size of data after fetch() JS thread leads to DoS | No | [ ] |
| utile | NSWG-ECO-445 | 0.3.0 | None | Out-of-bounds Read in utile | No | [ ] |

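An added example for triaging a report shaped like the one above; it is not code from the bit project or from this PR. It treats each row's "Fixed Version" cell as a comma-separated list of fixed versions (one per release line, or "None"), implements a plain semver comparator so it runs on Node.js with no dependencies, and applies a heuristic of its own (stated in the comments) to decide whether the installed version is still affected. The sample rows are copied from the tables above, plus one constructed "already bumped" ws row so the non-affected path is exercised; the row shape and the function names are this example's assumptions.

```javascript
// Added example (not code from the bit project or from this PR): triage a
// dependency-vulnerability report shaped like the table above by comparing
// each installed version against the advisory's published fixed versions.
// Runs on Node.js with no dependencies.

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (an optional leading "v" is
// tolerated). Throws on anything else so garbage in a report is noticed.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(version.trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    pre: m[4] ? m[4].split('.') : [],
  };
}

// Compare two prerelease identifiers per semver: numeric ones compare as
// numbers and sort before alphanumeric ones; alphanumeric ones sort lexically.
function compareIds(a, b) {
  const na = /^\d+$/.test(a);
  const nb = /^\d+$/.test(b);
  if (na && nb) return Number(a) - Number(b);
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Comparator: negative when a < b, zero when equal, positive when a > b.
// A prerelease sorts before the release it precedes (5.0.0-beta.3 < 5.0.0).
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  const n = Math.min(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIds(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  return x.pre.length - y.pre.length;
}

// Decide whether `installed` is still affected, given the report's
// comma-separated "Fixed Version" cell. The rules are this example's own
// heuristic (an assumption), NOT how an advisory defines its affected range:
//   1. a fix on the same major.minor line decides directly;
//   2. otherwise a fix on the same major that is still ahead of us means
//      we are affected;
//   3. otherwise (no fix on our major at all) we are affected when below the
//      lowest fixed version, i.e. a major upgrade is required.
// Non-version tokens such as "etc." are ignored; "None" means affected.
function isStillAffected(installed, fixed) {
  if (!fixed || fixed.trim().toLowerCase() === 'none') return true;
  const fixes = fixed.split(',').map((s) => s.trim()).filter((s) => /^v?\d/.test(s));
  if (fixes.length === 0) return true;
  const inst = parseSemver(installed);
  const lt = (a, b) => compareSemver(a, b) < 0;

  const sameMinor = fixes.find((f) => {
    const p = parseSemver(f);
    return p.major === inst.major && p.minor === inst.minor;
  });
  if (sameMinor) return lt(installed, sameMinor);

  const sameMajor = fixes.filter((f) => parseSemver(f).major === inst.major);
  if (sameMajor.length > 0) return sameMajor.some((f) => lt(installed, f));

  const lowest = fixes.reduce((a, b) => (lt(b, a) ? b : a));
  return lt(installed, lowest);
}

// Annotate every row with an `affected` flag.
function triage(rows) {
  return rows.map((row) => ({ ...row, affected: isStillAffected(row.installed, row.fixed) }));
}

// Constructed sample: rows copied from the report above, plus one made-up
// "already bumped" ws row to show the non-affected path.
const SAMPLE = [
  { lib: 'minimist', id: 'CVE-2021-44906', installed: '0.0.10', fixed: '1.2.6, 0.2.4' },
  { lib: 'ws', id: 'CVE-2021-32640', installed: '7.4.2', fixed: '7.4.6, 6.2.2, 5.2.3' },
  { lib: 'ws (constructed)', id: 'CVE-2021-32640', installed: '7.4.6', fixed: '7.4.6, 6.2.2, 5.2.3' },
  { lib: 'got', id: 'CVE-2022-33987', installed: '6.7.1', fixed: '12.1.0, 11.8.5' },
  { lib: 'express', id: 'CVE-2024-29041', installed: '4.17.1', fixed: '4.19.2, 5.0.0-beta.3' },
  { lib: 'request', id: 'CVE-2023-28155', installed: '2.88.2', fixed: 'None' },
  { lib: 'qs', id: 'CVE-2022-24999', installed: '6.7.0', fixed: '6.10.3, 6.9.7, etc.' },
];

for (const r of triage(SAMPLE)) {
  console.log(`${r.lib.padEnd(18)} ${r.id.padEnd(15)} ${r.installed.padEnd(8)} ${r.affected ? 'still affected' : 'fixed'}`);
}
```

Two caveats a reviewer of this PR would keep in mind: a "Fixed Version" cell is not an affected range (the qs row's "etc." shows it is incomplete), so the real go/no-go for a row should come from the advisory's own range data, and the rows whose fixed version is "None" (dicer, immer, lodash CVE-2021-23337, request, utile) cannot be closed by a bump at all; they need a replacement package, a removal, or a documented accepted risk.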
luvkapur and others added 30 commits April 19, 2024 14:54
The capsule base-dir is normally a `sha1` of the workspace/scope dir,
which is 40 chars long. Problem is that Windows is not happy with long
paths.
This PR uses a shorter hash. The number 9 is pretty random, it's what we
use for short-hash of snaps.
We're aware of an extremely low risk of collision. Keep in mind that in
most cases you won't have more than 10 capsules in the machine, so it's
fine.
…ing easier (#8828)

With this flag, no need to push to the remote in order to investigate
the `Version` object changes.
currently, if there are local changes in the component.json (generated
by `bit config eject-conf`), then `bit checkout reset` doesn't reset
them. It leaves the file as is.
This PR refactors the way this component.json file is saved to reuse
the infrastructure we had for package.json (with indent and EOL taken
into account). With this, it was easier to change the component-written
command to make sure this file is written if it was there before.
…onents (#8830)

Otherwise, the components that depend on these removed aspects are
trying to load them, find out they don't exist, then trying to import
them and throw an error "unable to import".
Because these removed aspects are new, there is no easy way to fix this.
It's impossible to install them as packages.
This PR blocks it unless `--force` flag was used.
…plate name (#8831)

Otherwise, the code might have a class that extends itself. 
For example, `bit create node-env node-env` produces `class NodeEnv
extends NodeEnv`.
Or `bit create react-env envs/react-env --aspect
teambit.react/react-env` produces `class ReactEnv extends ReactEnv`.
remove the duplicate "error".
This command is useful when you got a messy merge state where on one
hand you don't want to lose the changes, but on the other hand, you
want to keep your lane without those changes.
This command does the following:
1. create a new lane with the current merge state. including all the
filesystem changes. (in practice, it leaves the fs intact).
2. reset the current lane to the state before the merge, so then once
done with the new lane, you can switch to the current lane and it'll be
clean.
)

Also, when a component has issues, replace the " ... ok" with "...
issues found".
…en on a lane (#8836)

We used to throw an error suggesting that the user import the components
individually. The reason was that when you're on a lane, you probably
want to import components from the lane, not main. That's why when the
wildcard matches both, lane and main, only the lane components are imported.
However, if only components from main are matched, it's not very clear
whether you really want to import from lane, or your wildcard syntax
didn't bring the results you thought it would.
With this PR we assume that in this case you do want to import from main
so we let you do that.
…e of objects rather than trying to fetch them (#8839)

This will actually be used once remotes are updated and support the new
GraphQL query.
Once deployed on the remote scopes, it can help a client in negotiating
with the server and adjusting API compatibility.
When the `bit scope-rename` (or `bit rename`) is supposed to change multiple
values in the workspace.jsonc, it was changing only the first one.
davidfirst and others added 15 commits May 3, 2024 10:34
…ge (#8844)

Similar to `bit deprecate --range`, this new flag allows deleting
specific tags. For example `bit delete my-comp --range 0.0.1`. It marks
0.0.1 only as deleted.
This is supported in `bit log`. It's also shown in the `bit import` and `bit show` output. 
For example, when running `bit show [email protected]` the "removed" is false. 
However, `bit show [email protected]` shows it as true. It also shows the range.
Until now, `.gitignore` files were always ignored by default and never
tracked by Bit.

## Proposed Changes

- track `.gitignore` files. This way, when multiple users import the
same component and use different git repos, they can use the same
.gitignore file.
- in case `.gitignore` is found in the component root-dir, Bit reads it
and uses it to untrack component files.
- in case `.bitignore` is found in the component root-dir in addition to
`.gitignore`, the `.bitignore` takes precedence and is used to untrack
component files. (still, `.gitignore` itself is tracked). This way, it's
possible to have different patterns/rules for bit and git.
- until now, bit was searching for the `.gitignore` not only in the
workspace-root, but also upwards until it finds one. This is unintuitive
and can cause confusion. It was changed to use only the one in the
workspace root.
This is done via `bit ws-config` for a while now
4 participants