
Fix security vulnerabilities #1017

Merged
merged 18 commits into from
Feb 13, 2023

Conversation

SimmonsRitchie
Contributor

@SimmonsRitchie SimmonsRitchie commented Jan 26, 2023

What's this PR do?

Fixes an array of vulnerabilities recommended by Dependabot, including:

Bump vue and vue-template-compiler

Bump decode-uri-component from 0.2.0 to 0.2.2

Bump qs from 6.10.1 to 6.11.0

Bump jsonwebtoken from 8.5.1 to 9.0.0

Bump @babel/core from 7.15.8 to 7.20.12

Bump json5 from 1.0.1 to 1.0.2

Bump redis from 3.5.3 to 4.4.2

Bump flask-wtf from 0.15.1 to 1.1.1

Bump cookiejar from 2.1.3 to 2.1.4

Why are we doing this? How does it help us?

Good to stay on top of dependency upgrades for security!

Here are some major upgrades of note:

redis 4.4.2

The breaking changes in Redis 4 don't seem to affect this app:

flask-wtf 1.1.1

Flask-wtf v1 doesn't appear to have any breaking changes when migrating from 0.15.1. Support for python 3.6 was dropped in v1.1, but we're using python 3.9 in this repo so it doesn't affect us.

jsonwebtoken 9.0.0

None of the breaking changes appear to affect us:

  • Removed support for Node versions 11 and below.
  • The verify() function no longer accepts unsigned tokens by default.
  • RSA key size must be 2048 bits or greater.
  • Asymmetric keys cannot be used to sign & verify HMAC tokens.
  • Key types must be valid for the signing / verification algorithm.

How should this be manually tested?

Spin up the donations app and:

  • Confirm logging into the portal works for both staff and non-staff
  • Confirm you can update profile info in the portal
  • Confirm you can successfully make a donation

How should this change be communicated to end users?

Are there any smells or added technical debt to note?

At time of writing, this PR does not address all Dependabot recommended fixes but we have quite a few. I thought it might be best to handle them in batches.

What are the relevant tickets?

Have you done the following, if applicable:

(optional: add explanation between parentheses)

  • Added automated tests? ( )
  • Tested manually on mobile? ( )
  • Checked BrowserStack? ( )
  • Checked for performance implications? ( )
  • Checked accessibility? ( )
  • Checked for security implications? ( )
  • Updated the documentation/wiki? ( )

TODOs / next steps:

  • your TODO here

dependabot bot and others added 18 commits July 1, 2022 11:14
Bumps [vue](https://github.com/vuejs/core) and [vue-template-compiler](https://github.com/vuejs/vue). These dependencies needed to be updated together.

Updates `vue` from 2.6.11 to 2.7.0
- [Release notes](https://github.com/vuejs/core/releases)
- [Changelog](https://github.com/vuejs/core/blob/main/CHANGELOG.md)
- [Commits](https://github.com/vuejs/core/commits)

Updates `vue-template-compiler` from 2.6.11 to 2.7.0
- [Release notes](https://github.com/vuejs/vue/releases)
- [Changelog](https://github.com/vuejs/vue/blob/main/CHANGELOG.md)
- [Commits](vuejs/vue@v2.6.11...v2.7.0)

---
updated-dependencies:
- dependency-name: vue
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: vue-template-compiler
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [decode-uri-component](https://github.com/SamVerschueren/decode-uri-component) from 0.2.0 to 0.2.2.
- [Release notes](https://github.com/SamVerschueren/decode-uri-component/releases)
- [Commits](SamVerschueren/decode-uri-component@v0.2.0...v0.2.2)

---
updated-dependencies:
- dependency-name: decode-uri-component
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [qs](https://github.com/ljharb/qs) from 6.10.1 to 6.11.0.
- [Release notes](https://github.com/ljharb/qs/releases)
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.10.1...v6.11.0)

---
updated-dependencies:
- dependency-name: qs
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) from 8.5.1 to 9.0.0.
- [Release notes](https://github.com/auth0/node-jsonwebtoken/releases)
- [Changelog](https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md)
- [Commits](auth0/node-jsonwebtoken@v8.5.1...v9.0.0)

---
updated-dependencies:
- dependency-name: jsonwebtoken
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) from 7.15.8 to 7.20.12.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.20.12/packages/babel-core)

---
updated-dependencies:
- dependency-name: "@babel/core"
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [json5](https://github.com/json5/json5) from 1.0.1 to 1.0.2.
- [Release notes](https://github.com/json5/json5/releases)
- [Changelog](https://github.com/json5/json5/blob/main/CHANGELOG.md)
- [Commits](json5/json5@v1.0.1...v1.0.2)

---
updated-dependencies:
- dependency-name: json5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [redis](https://github.com/redis/redis-py) from 3.5.3 to 4.4.2.
- [Release notes](https://github.com/redis/redis-py/releases)
- [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES)
- [Commits](redis/redis-py@3.5.3...v4.4.2)

---
updated-dependencies:
- dependency-name: redis
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [flask-wtf](https://github.com/wtforms/flask-wtf) from 0.15.1 to 1.1.1.
- [Release notes](https://github.com/wtforms/flask-wtf/releases)
- [Changelog](https://github.com/wtforms/flask-wtf/blob/main/docs/changes.rst)
- [Commits](pallets-eco/flask-wtf@v0.15.1...v1.1.1)

---
updated-dependencies:
- dependency-name: flask-wtf
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [cookiejar](https://github.com/bmeck/node-cookiejar) from 2.1.3 to 2.1.4.
- [Release notes](https://github.com/bmeck/node-cookiejar/releases)
- [Commits](https://github.com/bmeck/node-cookiejar/commits)

---
updated-dependencies:
- dependency-name: cookiejar
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…vue-template-compiler-2.7.0' into security-vulns
Member

@ashley-hebler ashley-hebler left a comment


All the functionality worked for me. I'm nervous that this includes some major version bumps. Not to say we shouldn't do them, but just curious if you were able to look into any of the implications there?

I remember @erxclau had a good process for this where he'd check in on what each dependency did for us and cross referenced that with the release notes. It's fortunate that the upgrades in this PR don't require any code changes, but it'd still be nice to know a little background on some of the bigger changes so we know we're looking in the right place for bugs.

@tribune-servers tribune-servers temporarily deployed to donations-testing February 9, 2023 21:54
Member

@ashley-hebler ashley-hebler left a comment


Just did a quick check by pushing to staging and all seems to WFM!

@SimmonsRitchie SimmonsRitchie merged commit 54e9d2d into master Feb 13, 2023
@SimmonsRitchie SimmonsRitchie deleted the security-vulns branch February 13, 2023 15:01