
Bump path-to-regexp from 6.2.1 to 6.3.0 in /frontend-react #15897

Closed
wants to merge 3 commits into from

Conversation

snesm (Contributor) commented Sep 16, 2024

This PR updates path-to-regexp from 6.2.1 to 6.3.0 to mitigate a Dependabot vulnerability.

It also performs a de-duplication.

If you are suggesting a fix for a currently exploitable issue, please disclose the issue to the prime-reportstream team directly outside of GitHub instead of filing a PR, so we may immediately patch the affected systems before a disclosure. See SECURITY.md/Reporting a Vulnerability for more information.

Test Steps:

  1. Include steps to test these changes

Changes

  • Include a comprehensive list of changes in this PR
  • (For web UI changes) Include screenshots/video of changes

Checklist

Testing

  • Tested locally?
  • Ran ./prime test or ./gradlew testSmoke against local Docker ReportStream container?
  • (For Changes to /frontend-react/...) Ran npm run lint:write?
  • Added tests?

Process

  • Are there licensing issues with any new dependencies introduced?
  • Includes a summary of what a code reviewer should test/verify?
  • Updated the release notes?
  • Database changes are submitted as a separate PR?
  • DevOps team has been notified if PR requires ops support?

Linked Issues

  • Fixes #issue

To Be Done

Create GitHub issues to track the work remaining, if any

  • #issue

Specific Security-related subjects a reviewer should pay specific attention to

  • Does this PR introduce new endpoints?
    • new endpoint A
    • new endpoint B
  • Does this PR include changes in authentication and/or authorization of existing endpoints?
  • Does this change introduce new dependencies that need vetting?
  • Does this change require changes to our infrastructure?
  • Does logging contain sensitive data?
  • Does this PR include or remove any sensitive information itself?

If you answered 'yes' to any of the questions above, conduct a detailed Review that addresses at least:

  • What are the potential security threats and mitigations? Please list the STRIDE threats and how they are mitigated
    • Spoofing (faking authenticity)
      • Threat T, which could be achieved by A, is mitigated by M
    • Tampering (influence or sabotage the integrity of information, data, or system)
    • Repudiation (the ability to dispute the origin or originator of an action)
    • Information disclosure (data made available to entities who should not have it)
    • Denial of service (make a resource unavailable)
    • Elevation of Privilege (reduce restrictions that apply or gain privileges one should not have)
  • Have you ensured logging does not contain sensitive data?
  • Have you received any additional approvals needed for this change?
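A reviewer of a bump like this wants two things confirmed in the scanned lockfile (frontend-react/yarn.lock): that path-to-regexp now resolves to a single entry (the de-duplication the PR mentions) and that the resolved version is at least 6.3.0. The script below is an added example, not code from this PR or from the ReportStream project; it parses the Yarn v1 lockfile format with Node's standard library only. The two lockfile snippets are constructed for the example and are not the contents of frontend-react/yarn.lock; the function names are the example's own.

```javascript
// Added example (not from the PR or the ReportStream project): check that a
// Yarn v1 lockfile resolves a package to exactly one version and that the
// version meets a minimum. Lockfile text below is constructed for the example.

// Parse a Yarn v1 lockfile into entries of { specifiers, version }.
// Entry headers are unindented, comma-separated "name@range" keys ending in ":";
// the fields of an entry ("version", "resolved", ...) are indented below it.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split("\n")) {
    const line = rawLine.replace(/\r$/, "");
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!/^\s/.test(line)) {
      const specifiers = line
        .replace(/:\s*$/, "")
        .split(",")
        .map((s) => s.trim().replace(/^"(.*)"$/, "$1")); // keys may be quoted
      current = { specifiers, version: null };
      entries.push(current);
    } else if (current) {
      const m = /^\s+version\s+"?([^"\s]+)"?\s*$/.exec(line);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// "path-to-regexp@^6.2.1" -> "path-to-regexp"; "@scope/pkg@^1.0.0" -> "@scope/pkg".
function packageName(specifier) {
  const at = specifier.lastIndexOf("@");
  return at > 0 ? specifier.slice(0, at) : specifier;
}

// Numeric compare of dotted versions (returns -1, 0 or 1); pre-release
// suffixes after "-" are ignored, which is enough for release versions.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// All distinct versions the lockfile resolves `name` to, sorted ascending.
function resolvedVersions(lockText, name) {
  const versions = new Set();
  for (const entry of parseYarnLockV1(lockText)) {
    if (entry.version && entry.specifiers.some((s) => packageName(s) === name)) {
      versions.add(entry.version);
    }
  }
  return [...versions].sort(compareVersions);
}

// Passes only when the package is de-duplicated (a single resolved version)
// and that version is >= minVersion. Returns the findings for the reviewer.
function checkSingleVersion(lockText, name, minVersion) {
  const versions = resolvedVersions(lockText, name);
  const problems = [];
  if (versions.length === 0) problems.push(`${name} not found in lockfile`);
  if (versions.length > 1) {
    problems.push(`${name} resolves to ${versions.length} versions: ${versions.join(", ")}`);
  }
  for (const v of versions) {
    if (compareVersions(v, minVersion) < 0) problems.push(`${name}@${v} is below ${minVersion}`);
  }
  return { versions, ok: problems.length === 0, problems };
}

// Constructed sample: a bump that left the old entry behind, so two versions
// are installed side by side and the vulnerable one is still present ...
const LOCK_BEFORE = `# yarn lockfile v1

path-to-regexp@^6.2.1:
  version "6.2.1"
  resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-6.2.1.tgz"

path-to-regexp@^6.3.0:
  version "6.3.0"
  resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-6.3.0.tgz"
`;

// ... and the same lockfile after de-duplication: both ranges share one entry.
const LOCK_AFTER = `# yarn lockfile v1

path-to-regexp@^6.2.1, path-to-regexp@^6.3.0:
  version "6.3.0"
  resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-6.3.0.tgz"
`;

console.log(checkSingleVersion(LOCK_BEFORE, "path-to-regexp", "6.3.0"));
console.log(checkSingleVersion(LOCK_AFTER, "path-to-regexp", "6.3.0"));
```

Run against the real lockfile by reading it with `fs.readFileSync("frontend-react/yarn.lock", "utf8")` in place of the constructed text; the first (pre-dedup) sample fails with two findings, the second passes. The check looks at every entry whose key names the package, so a transitive dependency pinning an older range is caught as well as a direct one.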

github-actions bot (Contributor) commented Sep 16, 2024

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package              Version   Score
npm/path-to-regexp   6.3.0     🟢 6.5

Details

Check                     Score    Reason
Binary-Artifacts          🟢 10    no binaries found in the repo
Branch-Protection         ⚠️ 0     branch protection not enabled on development/release branches
CI-Tests                  🟢 10    2 out of 2 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices        ⚠️ 0     no effort to earn an OpenSSF best practices badge detected
Code-Review               ⚠️ 0     found 28 unreviewed changesets out of 30 -- score normalized to 0
Contributors              🟢 10    27 different organizations found -- score normalized to 10
Dangerous-Workflow        🟢 10    no dangerous workflow patterns detected
Dependency-Update-Tool    ⚠️ -1    internal error: Search.Code: GET https://api.github.com/search/commits?per_page=100&q=repo%3Apillarjs%2Fpath-to-regexp+author%3Adependabot%5Bbot%5D: 403 You have exceeded a secondary rate limit. Please wait a few minutes before you try again. If you reach out to GitHub Support for help, please include the request ID F858:112791:B956CB:1517CAE:66F4D477. []
Fuzzing                   ⚠️ 0     project is not fuzzed
License                   🟢 10    license file detected
Maintained                🟢 10    30 commit(s) out of 30 and 19 issue activity out of 30 found in the last 90 days -- score normalized to 10
Packaging                 ⚠️ -1    no published package detected
Pinned-Dependencies       🟢 6     dependency not pinned by hash detected -- score normalized to 6
SAST                      ⚠️ 0     SAST tool is not run on all commits -- score normalized to 0
Security-Policy           🟢 10    security policy file detected
Signed-Releases           ⚠️ -1    no releases found
Token-Permissions         🟢 10    GitHub workflow tokens follow principle of least privilege
Vulnerabilities           🟢 10    no vulnerabilities detected

Scanned Manifest Files

frontend-react/yarn.lock

snesm marked this pull request as ready for review September 16, 2024 17:07
snesm added the labels security (Work Type label to flag work related to security), dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) Sep 16, 2024
snesm changed the title from "Bump path-to-regexp from 6.2.1 to 6.3.0" to "Bump path-to-regexp from 6.2.1 to 6.3.0 in /frontend-react" Sep 16, 2024
Contributor

Branch deployed to Chromatic 🚀.

  • ⚠️ Detected 3 tests with visual changes.
  • ✅ All tests passed.

Contributor

⚠️ Broken Links ⚠️

  • https://www.hhs.gov/vulnerability-disclosure-policy/index.html -- Error: Request failed with status code 403
  • https://www.cdc.gov/od/foia -- Error: Request failed with status code 403
  • https://www.cdc.gov/poxvirus/mpox/lab-personnel/report-results.html -- Error: Request failed with status code 404
  • https://www.hl7.org/implement/standards/product_brief.cfm?product_id=185 -- Error: Request failed with status code 403

jpandersen87 (Collaborator) commented:

Fixed via another dependency update PR.
