[Aikido] Fix 19 security issues in lodash, @microsoft/api-extractor, express and 13 more#12
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Upgrade dependencies to fix critical RCE vulnerability in lodash template injection, high-severity SSRF in Angular SSR, prototype pollution DoS in qs/Express, and Unicode handling bypass in validator.
✅ After thoroughly searching the codebase, I found that this is an Angular framework development repository with no application source code outside of
node_modules. All the packages being upgraded (lodash,@angular/platform-server,@angular/core,qs,validator,angular,z-schema,protobufjs,webpack-dev-server) are only present as dependencies in thenode_modulesdirectory.The key findings:
No direct imports or usage of
lodashmethods like_.unset,_.omit, or_.templatein application codeNo usage of
@angular/platform-serveror@angular/coreAPIs in application code (these are framework packages being developed, not consumed)No direct usage of
qs,validator,angular,z-schema,protobufjs, orwebpack-dev-serverAPIs in application codeThe
validatorpackage is only used internally byz-schema(in node_modules)The
z-schemapackage is only used by@rushstack/node-core-library(in node_modules)No webpack-dev-server configuration files or API usage found outside node_modules
Since this appears to be a build/test infrastructure setup for Angular framework development rather than an application that directly consumes these packages, the breaking changes in the upgraded packages do not affect any application code in this codebase.
All breaking changes by upgrading lodash from version 4.17.21 to 4.18.1 (CHANGELOG)
_.unset/_.omitnow blockconstructorandprototypeas non-terminal path keys unconditionally. Calls that previously returnedtrueand deleted the property now returnfalseand leave the target untouched._.templatenow throws"Invalid imports option passed into _.template"whenimportskeys contain forbidden identifier characters, which were previously allowed.All breaking changes by upgrading validator from version 8.2.0 to 13.15.26 (CHANGELOG)
normalizeEmail()no longer validates the email addressisNumeric()isFQDN(),isURL()andisEmail()isEmail()isURL()to reject protocol relative URLs unless a flag is setisMobilePhone()to match any locale's pattern by defaultisEmail()to validate display names according to RFC2822isEmail()to check total email lengthtoString()util is no longer exportedisLength()isFQDN: make more strictisRFC3339: Disallow prepended and appended strings to RFC 3339 date-timeisUUIDrequire valid variant field and require RFC9562 UUID in versionallisDatereturn false instead of Error in certain casesAll breaking changes by upgrading @angular/core from version 12.2.13 to 19.2.18 (CHANGELOG)
AbstractControl.statushas been narrowed fromstringtoFormControlStatus, andstatusChangeshas been narrowed fromObservable<any>toObservable<FormControlStatus>. This may cause breakage if the app is comparingAbstractControl.statusagainst an invalid status string or usingstatusChangesevents as something other than strings./path?q=hello?&other=123, query params would be parsed to{q: 'hello'}. Now they are correctly parsed to{q: 'hello?', other: '123'}.nullandundefinedinputs forrouterLinkno longer behave as empty string and now disable the link's navigation. Thehrefchanged from a propertyHostBinding()to an attribute binding (HostBinding('attr.href')), affectingDebugElement.properties['href']which now returns the full URL rather than the internal value.SpyLocationbehavior changed to match browsers: it no longer emits a 'popstate' event whenLocation.gois called, andsimulateHashChangenow triggers both ahashchangeand apopstateevent.Route.loadChildrenusing a string value is no longer possible. The following classes were removed:NgModuleFactoryLoader,SystemJsNgModuleFactoryLoaderfrom@angular/core;SpyNgModuleFactoryLoader,DeprecatedLoadChildrenfrom@angular/router. ThesetupTestingRouterfunction signature changed to drop itsNgModuleFactoryLoaderparameter.WrappedValueclass can no longer be imported from@angular/core, which may result in compile errors or runtime failures if outdated libraries still usingWrappedValueare used.SwUpdate#activateUpdateandSwUpdate#checkForUpdatechanged toPromise<boolean>.v12.20.0are no longer supported due to the Angular packages using the NodeJS package exports feature with subpath patterns.TransferStatemethods are tightened, which may reveal existing problematic calls.Router.initialUrlhas changed;Router.urlis the recommended replacement.AnimationDriver.getParentElementmethod has become required for implementors of this interface.Route.pathMatchis now more strict and may require explicitRoute/Routestype annotations.LoadChildrenCallbackreturn type is restricted to `TypeaotSummariesfields in TestBed APIs have been removed.componentonActivatedRouteandActivatedRouteSnapshotno longer includesstring.UrlTreeredirects are no longer scheduled within asetTimeout, which may affect tests.initialNavigation: 'enabled'has been removed; useinitialNavigation: 'enabledBlocking'instead.AnimationDriver.getParentElementmethod has become required, so any implementors of this interface are now required to provide an implementation for this method.aotSummariesfields in TestBed APIs have been removed.TransferStatemethods by tightening parameter types.Route.pathMatchis now stricter.Promisefrom theLoadChildrenCallback, the possible type is now restricted to `TypeinitialNavigation: 'enabled'was deprecated in v11 and is replaced byinitialNavigation: 'enabledBlocking'.componentonActivatedRouteandActivatedRouteSnapshotincludesstring. In reality, the component cannot be anything other than a component class.initialUrlis set to `stringUrlTree, the router would previously schedule the redirect navigation within asetTimeout. This timeout is now removed.enableIvyhas been removed as Ivy is the only rendering engine.RouterOutletnow instantiates components during change detection rather than immediately during navigation. This could affect tests which do not trigger change detection after a router navigation and, in rarer cases, production code that relies on the exact timing of component availability.14.[15-19].xand16.[10-12].x. Current supported versions are14.20.x,16.13.xand18.10.x.setDisabledStatewill always be called when aControlValueAccessoris attached. You can opt-out withFormsModule.withConfigorReactiveFormsModule.withConfig.relativeLinkResolutionis no longer configurable in the Router. This option was used as a means to opt out of a bug fix.srcorsrcdocpreceding other attributes. Such usages may need to be updated to ensure compliance with the new stricter rules around iframe bindings.MockPlatformLocationis now provided by default in tests. Existing tests may have behaviors which rely onBrowserPlatformLocationinstead, requiring updates to test providers or code to be compatible withMockPlatformLocation.All breaking changes by upgrading z-schema from version 3.18.4 to 12.0.5 (CHANGELOG)
breakOnFirstErrornow defaults tofalse(wastrue). All validation errors are reported by default. SetbreakOnFirstError: trueto restore previous behavior.enginesfield now requires Node.js 22 or later.mainfield replaced byexportsmap. Importz-schema(ESM),z-schema/cjs(CJS), orz-schema/umd/ZSchema.js(UMD). Direct deep imports likez-schema/src/ZSchemano longer work.ZSchema.js,FormatValidators.js) to kebab-case (z-schema.ts,format-validators.ts). Any direct submodule imports will break.$schemaare now treated as draft-04. Previously, schemas missing$schemawere validated without strict draft semantics. Now$schemais automatically set tohttp://json-schema.org/draft-04/schema#. Use{ version: 'none' }to opt out.ZSchema.setRemoteReference()at module load time instead of per-instance in the constructor.new ZSchema()replaced byZSchema.create()factory. The constructor is no longer the public API. UseZSchema.create(options)to get a typed validator instance.validate()now throws by default. Returnstrueon success, throwsValidateErroron failure. Use{ safe: true }for a non-throwing API that returns{ valid, err? }.getLastError()/getLastErrors()removed. Errors are now returned directly fromvalidate()— thrown asValidateError(default) or in{ err }field (safe mode).isValid(),compileSchema(),getMissingReferences(),getMissingRemoteReferences(),getResolvedSchema()removed.setRemoteReference()is now static only. The instance method was removed; useZSchema.setRemoteReference().validateAsyncSafe()return type changed. Returns{ valid, err? }instead of{ valid, errs? }.draft-07todraft2020-12. If your schemas rely on draft-04/06/07 behavior, setversionexplicitly or declare$schemain every schema.formatAssertions: nullto restore the legacy always-assert behavior.maxRecursionDepthsafeguard (default: 100). Deeply nested schemas or data that previously validated may now fail withMAX_RECURSION_DEPTH_EXCEEDED. Increase the value if needed.All breaking changes by upgrading protobufjs from version 6.8.8 to 8.0.1 (CHANGELOG)
✅ 19 CVEs resolved by this upgrade, including 1 critical 🚨 CVE
This PR will resolve the following CVEs:
__proto__keys in query strings, causing Node process hangs and denial of service in Express applications without authentication.5.76.0does not avoid cross-realm object access.ImportParserPlugin.jsmishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.append,prepend, andnew JQLitewhen processing user-controlled HTML.__proto__orconstructor, affecting all subsequently created objects.protofield, enabling prototype chain manipulation and unintended property injection across the application.shell.exec()output may be visible to other users on the same system in multi-user environments or when running as root, allowing information disclosure through process output visibility.🔗 Related Tasks