
[Security] Bump sequelize and undici to fix high-severity vulnerabilities (#138)

* [Code Simplification] Replace Kafka with BullMQ for item submission processing

* [Security] Bump sequelize and undici to fix high-severity vulnerabilities

- sequelize 6.32.1 → 6.37.8: fixes SQL injection via JSON column cast type (GHSA)
- undici 7.19.0 → 7.24.5: fixes WebSocket memory/DoS, CRLF injection, and HTTP smuggling
- Lockfile-only changes, no package.json or source code modifications

* Raise minimum versions for sequelize and undici in package.json

authored by

Juan Mrad and committed by
GitHub
3eb5655f d819f319

+29 -27
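--- a/.devops/migrator/package-lock.json
+++ b/.devops/migrator/package-lock.json
@@ -18,7 +18,7 @@
 "latlon-geohash": "^1.1.0",
 "lodash": "^4.17.21",
 "pg": "^8.7.1",
-"sequelize": "^6.32.1",
+"sequelize": "^6.37.8",
 "ts-node": "^10.9.2",
 "uid": "^2.0.0",
 "umzug": "^3.0.0",
@@ -2429,27 +2429,28 @@
 }
 },
 "node_modules/sequelize": {
-"version": "6.32.1",
-"resolved": "https://registry.npmjs.org/sequelize/-/sequelize-6.32.1.tgz",
-"integrity": "sha512-3Iv0jruv57Y0YvcxQW7BE56O7DC1BojcfIrqh6my+IQwde+9u/YnuYHzK+8kmZLhLvaziRT1eWu38nh9yVwn/g==",
+"version": "6.37.8",
+"resolved": "https://registry.npmjs.org/sequelize/-/sequelize-6.37.8.tgz",
+"integrity": "sha512-HJ0IQFqcTsTiqbEgiuioYFMSD00TP6Cz7zoTti+zVVBwVe9fEhev9cH6WnM3XU31+ABS356durAb99ZuOthnKw==",
 "funding": [
 {
 "type": "opencollective",
 "url": "https://opencollective.com/sequelize"
 }
 ],
+"license": "MIT",
 "dependencies": {
 "@types/debug": "^4.1.8",
 "@types/validator": "^13.7.17",
 "debug": "^4.3.4",
-"dottie": "^2.0.4",
+"dottie": "^2.0.6",
 "inflection": "^1.13.4",
 "lodash": "^4.17.21",
 "moment": "^2.29.4",
 "moment-timezone": "^0.5.43",
-"pg-connection-string": "^2.6.0",
+"pg-connection-string": "^2.6.1",
 "retry-as-promised": "^7.0.4",
-"semver": "^7.5.1",
+"semver": "^7.5.4",
 "sequelize-pool": "^7.1.0",
 "toposort-class": "^1.0.1",
 "uuid": "^8.3.2",
@@ -4647,21 +4648,21 @@
 }
 },
 "sequelize": {
-"version": "6.32.1",
-"resolved": "https://registry.npmjs.org/sequelize/-/sequelize-6.32.1.tgz",
-"integrity": "sha512-3Iv0jruv57Y0YvcxQW7BE56O7DC1BojcfIrqh6my+IQwde+9u/YnuYHzK+8kmZLhLvaziRT1eWu38nh9yVwn/g==",
+"version": "6.37.8",
+"resolved": "https://registry.npmjs.org/sequelize/-/sequelize-6.37.8.tgz",
+"integrity": "sha512-HJ0IQFqcTsTiqbEgiuioYFMSD00TP6Cz7zoTti+zVVBwVe9fEhev9cH6WnM3XU31+ABS356durAb99ZuOthnKw==",
 "requires": {
 "@types/debug": "^4.1.8",
 "@types/validator": "^13.7.17",
 "debug": "^4.3.4",
-"dottie": "^2.0.4",
+"dottie": "^2.0.6",
 "inflection": "^1.13.4",
 "lodash": "^4.17.21",
 "moment": "^2.29.4",
 "moment-timezone": "^0.5.43",
-"pg-connection-string": "^2.6.0",
+"pg-connection-string": "^2.6.1",
 "retry-as-promised": "^7.0.4",
-"semver": "^7.5.1",
+"semver": "^7.5.4",
 "sequelize-pool": "^7.1.0",
 "toposort-class": "^1.0.1",
 "uuid": "^8.3.2",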
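--- a/.devops/migrator/package.json
+++ b/.devops/migrator/package.json
@@ -20,7 +20,7 @@
 "latlon-geohash": "^1.1.0",
 "lodash": "^4.17.21",
 "pg": "^8.7.1",
-"sequelize": "^6.32.1",
+"sequelize": "^6.37.8",
 "ts-node": "^10.9.2",
 "uid": "^2.0.0",
 "umzug": "^3.0.0",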
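--- a/server/package-lock.json
+++ b/server/package-lock.json
@@ -84,7 +84,7 @@
 "pg-cursor": "^2.7.4",
 "pipeline-segment": "^0.0.6",
 "safe-stable-stringify": "^2.4.2",
-"sequelize": "^6.25.1",
+"sequelize": "^6.37.8",
 "size-limited-map": "^2.0.0",
 "stream-json": "^1.8.0",
 "stream-to-async-iterator": "^1.0.0",
@@ -93,7 +93,7 @@
 "type-fest": "^4.3.2",
 "typescript-eslint": "^7.14.1",
 "uid": "^2.0.1",
-"undici": "^7.19.0",
+"undici": "^7.24.0",
 "unhomoglyph": "^1.0.6",
 "uuid": "^8.3.2",
 "uuid-apikey": "^1.5.3",
@@ -18935,27 +18935,28 @@
 "license": "MIT"
 },
 "node_modules/sequelize": {
-"version": "6.32.1",
-"resolved": "https://registry.npmjs.org/sequelize/-/sequelize-6.32.1.tgz",
-"integrity": "sha512-3Iv0jruv57Y0YvcxQW7BE56O7DC1BojcfIrqh6my+IQwde+9u/YnuYHzK+8kmZLhLvaziRT1eWu38nh9yVwn/g==",
+"version": "6.37.8",
+"resolved": "https://registry.npmjs.org/sequelize/-/sequelize-6.37.8.tgz",
+"integrity": "sha512-HJ0IQFqcTsTiqbEgiuioYFMSD00TP6Cz7zoTti+zVVBwVe9fEhev9cH6WnM3XU31+ABS356durAb99ZuOthnKw==",
 "funding": [
 {
 "type": "opencollective",
 "url": "https://opencollective.com/sequelize"
 }
 ],
+"license": "MIT",
 "dependencies": {
 "@types/debug": "^4.1.8",
 "@types/validator": "^13.7.17",
 "debug": "^4.3.4",
-"dottie": "^2.0.4",
+"dottie": "^2.0.6",
 "inflection": "^1.13.4",
 "lodash": "^4.17.21",
 "moment": "^2.29.4",
 "moment-timezone": "^0.5.43",
-"pg-connection-string": "^2.6.0",
+"pg-connection-string": "^2.6.1",
 "retry-as-promised": "^7.0.4",
-"semver": "^7.5.1",
+"semver": "^7.5.4",
 "sequelize-pool": "^7.1.0",
 "toposort-class": "^1.0.1",
 "uuid": "^8.3.2",
@@ -20440,9 +20441,9 @@
 "license": "MIT"
 },
 "node_modules/undici": {
-"version": "7.19.0",
-"resolved": "https://registry.npmjs.org/undici/-/undici-7.19.0.tgz",
-"integrity": "sha512-Heho1hJD81YChi+uS2RkSjcVO+EQLmLSyUlHyp7Y/wFbxQaGb4WXVKD073JytrjXJVkSZVzoE2MCSOKugFGtOQ==",
+"version": "7.24.5",
+"resolved": "https://registry.npmjs.org/undici/-/undici-7.24.5.tgz",
+"integrity": "sha512-3IWdCpjgxp15CbJnsi/Y9TCDE7HWVN19j1hmzVhoAkY/+CJx449tVxT5wZc1Gwg8J+P0LWvzlBzxYRnHJ+1i7Q==",
 "license": "MIT",
 "engines": {
 "node": ">=20.18.1"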
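--- a/server/package.json
+++ b/server/package.json
@@ -98,7 +98,7 @@
 "pg-cursor": "^2.7.4",
 "pipeline-segment": "^0.0.6",
 "safe-stable-stringify": "^2.4.2",
-"sequelize": "^6.25.1",
+"sequelize": "^6.37.8",
 "size-limited-map": "^2.0.0",
 "stream-json": "^1.8.0",
 "stream-to-async-iterator": "^1.0.0",
@@ -107,7 +107,7 @@
 "type-fest": "^4.3.2",
 "typescript-eslint": "^7.14.1",
 "uid": "^2.0.1",
-"undici": "^7.19.0",
+"undici": "^7.24.0",
 "unhomoglyph": "^1.0.6",
 "uuid": "^8.3.2",
 "uuid-apikey": "^1.5.3",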
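Review bot: The undici floor raised in the second hunk is `^7.24.0`, while the lockfile resolves 7.24.5 and the commit description attributes the WebSocket DoS, CRLF injection and HTTP smuggling fixes to 7.24.5, so an install that does not honour the lockfile (or a dependent whose range is satisfied lower) can still land on 7.24.0–7.24.4, which may predate some of those fixes. Prefer `"undici": "^7.24.5",` so the declared minimum matches the version actually verified, as was done for sequelize with `"sequelize": "^6.37.8",`. If 7.24.0 already contains every fix listed, a sentence saying so in the commit message would settle the question for the next reader.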