

Fix lodash, underscore, and jsonpath vulnerabilities across project (#186)

authored by

Juan Mrad and committed by
GitHub
b651709a e7c7b1a8

+74 -107
+6 -6
migrator/package-lock.json
··· 347 347 } 348 348 }, 349 349 "node_modules/lodash": { 350 - "version": "4.17.23", 351 - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz", 352 - "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==", 350 + "version": "4.18.1", 351 + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz", 352 + "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==", 353 353 "license": "MIT" 354 354 }, 355 355 "node_modules/long": { ··· 985 985 "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==" 986 986 }, 987 987 "lodash": { 988 - "version": "4.17.23", 989 - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz", 990 - "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==" 988 + "version": "4.18.1", 989 + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz", 990 + "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==" 991 991 }, 992 992 "long": { 993 993 "version": "5.2.5",
+6 -7
package-lock.json
··· 976 976 "license": "0BSD" 977 977 }, 978 978 "node_modules/@graphql-codegen/plugin-helpers": { 979 - "version": "6.2.0", 980 - "resolved": "https://registry.npmjs.org/@graphql-codegen/plugin-helpers/-/plugin-helpers-6.2.0.tgz", 981 - "integrity": "sha512-TKm0Q0+wRlg354Qt3PyXc+sy6dCKxmNofBsgmHoFZNVHtzMQSSgNT+rUWdwBwObQ9bFHiUVsDIv8QqxKMiKmpw==", 979 + "version": "6.2.1", 980 + "resolved": "https://registry.npmjs.org/@graphql-codegen/plugin-helpers/-/plugin-helpers-6.2.1.tgz", 981 + "integrity": "sha512-shRr26TfVZ6KFBjzRYUj02gLNh6yaECz9gTGgI6riANw5sSH9PONwTsBRYkEgU+6IXiL7VQeCumahvxSGFbRlQ==", 982 982 "license": "MIT", 983 983 "dependencies": { 984 984 "@graphql-tools/utils": "^11.0.0", 985 985 "change-case-all": "1.0.15", 986 986 "common-tags": "1.8.2", 987 987 "import-from": "4.0.0", 988 - "lodash": "~4.17.0", 989 988 "tslib": "~2.6.0" 990 989 }, 991 990 "engines": { ··· 3924 3923 } 3925 3924 }, 3926 3925 "node_modules/lodash": { 3927 - "version": "4.17.23", 3928 - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz", 3929 - "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==", 3926 + "version": "4.18.1", 3927 + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz", 3928 + "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==", 3930 3929 "license": "MIT" 3931 3930 }, 3932 3931 "node_modules/lodash.sortby": {
+51 -87
server/package-lock.json
··· 33 33 "@types/debug": "^4.1.5", 34 34 "@types/express": "^4.17.17", 35 35 "@types/express-session": "^1.17.4", 36 - "@types/jsonpath": "^0.2.0", 37 36 "@types/jsonwebtoken": "^8.5.8", 38 37 "@types/lodash": "^4.14.179", 39 38 "@types/morgan": "^1.9.3", ··· 128 127 "jest-junit": "^16.0.0", 129 128 "jest-light-runner": "^0.4.1", 130 129 "js-yaml": "^4.1.0", 131 - "jsonpath": "^1.3.0", 130 + "jsonpath-plus": "^10.4.0", 132 131 "supertest": "^6.2.2", 133 132 "ts-node": "^10.9.1", 134 133 "tsc-watch": "^4.6.0", ··· 3037 3036 "funding": { 3038 3037 "type": "opencollective", 3039 3038 "url": "https://opencollective.com/js-sdsl" 3039 + } 3040 + }, 3041 + "node_modules/@jsep-plugin/assignment": { 3042 + "version": "1.3.0", 3043 + "resolved": "https://registry.npmjs.org/@jsep-plugin/assignment/-/assignment-1.3.0.tgz", 3044 + "integrity": "sha512-VVgV+CXrhbMI3aSusQyclHkenWSAm95WaiKrMxRFam3JSUiIaQjoMIw2sEs/OX4XifnqeQUN4DYbJjlA8EfktQ==", 3045 + "dev": true, 3046 + "license": "MIT", 3047 + "engines": { 3048 + "node": ">= 10.16.0" 3049 + }, 3050 + "peerDependencies": { 3051 + "jsep": "^0.4.0||^1.0.0" 3052 + } 3053 + }, 3054 + "node_modules/@jsep-plugin/regex": { 3055 + "version": "1.0.4", 3056 + "resolved": "https://registry.npmjs.org/@jsep-plugin/regex/-/regex-1.0.4.tgz", 3057 + "integrity": "sha512-q7qL4Mgjs1vByCaTnDFcBnV9HS7GVPJX5vyVoCgZHNSC9rjwIlmbXG5sUuorR5ndfHAIlJ8pVStxvjXHbNvtUg==", 3058 + "dev": true, 3059 + "license": "MIT", 3060 + "engines": { 3061 + "node": ">= 10.16.0" 3062 + }, 3063 + "peerDependencies": { 3064 + "jsep": "^0.4.0||^1.0.0" 3040 3065 } 3041 3066 }, 3042 3067 "node_modules/@lukeed/csprng": { ··· 10704 10729 "dev": true, 10705 10730 "license": "MIT" 10706 10731 }, 10707 - "node_modules/@types/jsonpath": { 10708 - "version": "0.2.0", 10709 - "resolved": "https://registry.npmjs.org/@types/jsonpath/-/jsonpath-0.2.0.tgz", 10710 - "integrity": "sha512-v7qlPA0VpKUlEdhghbDqRoKMxFB3h3Ch688TApBJ6v+XLDdvWCGLJIYiPKGZnS6MAOie+IorCfNYVHOPIHSWwQ==" 10711 - }, 10712 
10732 "node_modules/@types/jsonwebtoken": { 10713 10733 "version": "8.5.9", 10714 10734 "resolved": "https://registry.npmjs.org/@types/jsonwebtoken/-/jsonwebtoken-8.5.9.tgz", ··· 13848 13868 "url": "https://github.com/sponsors/sindresorhus" 13849 13869 } 13850 13870 }, 13851 - "node_modules/escodegen": { 13852 - "version": "2.1.0", 13853 - "resolved": "https://registry.npmjs.org/escodegen/-/escodegen-2.1.0.tgz", 13854 - "integrity": "sha512-2NlIDTwUWJN0mRPQOdtQBzbUHvdGY2P1VXSyU83Q3xKxM7WHX2Ql8dKq782Q9TgQUNOLEzEYu9bzLNj1q88I5w==", 13855 - "dev": true, 13856 - "license": "BSD-2-Clause", 13857 - "dependencies": { 13858 - "esprima": "^4.0.1", 13859 - "estraverse": "^5.2.0", 13860 - "esutils": "^2.0.2" 13861 - }, 13862 - "bin": { 13863 - "escodegen": "bin/escodegen.js", 13864 - "esgenerate": "bin/esgenerate.js" 13865 - }, 13866 - "engines": { 13867 - "node": ">=6.0" 13868 - }, 13869 - "optionalDependencies": { 13870 - "source-map": "~0.6.1" 13871 - } 13872 - }, 13873 - "node_modules/escodegen/node_modules/esprima": { 13874 - "version": "4.0.1", 13875 - "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz", 13876 - "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==", 13877 - "dev": true, 13878 - "license": "BSD-2-Clause", 13879 - "bin": { 13880 - "esparse": "bin/esparse.js", 13881 - "esvalidate": "bin/esvalidate.js" 13882 - }, 13883 - "engines": { 13884 - "node": ">=4" 13885 - } 13886 - }, 13887 13871 "node_modules/eslint": { 13888 13872 "version": "9.39.4", 13889 13873 "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.39.4.tgz", ··· 14048 14032 "peerDependencies": { 14049 14033 "eslint": ">=6" 14050 14034 } 14051 - }, 14052 - "node_modules/eslint-plugin-better-mutation/node_modules/lodash": { 14053 - "version": "4.17.23", 14054 - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz", 14055 - "integrity": 
"sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==", 14056 - "dev": true, 14057 - "license": "MIT" 14058 14035 }, 14059 14036 "node_modules/eslint-plugin-es": { 14060 14037 "version": "3.0.1", ··· 14443 14420 }, 14444 14421 "funding": { 14445 14422 "url": "https://opencollective.com/eslint" 14446 - } 14447 - }, 14448 - "node_modules/esprima": { 14449 - "version": "1.2.5", 14450 - "resolved": "https://registry.npmjs.org/esprima/-/esprima-1.2.5.tgz", 14451 - "integrity": "sha512-S9VbPDU0adFErpDai3qDkjq8+G05ONtKzcyNrPKg/ZKa+tf879nX2KexNU95b31UoTJjRLInNBHHHjFPoCd7lQ==", 14452 - "dev": true, 14453 - "bin": { 14454 - "esparse": "bin/esparse.js", 14455 - "esvalidate": "bin/esvalidate.js" 14456 - }, 14457 - "engines": { 14458 - "node": ">=0.4.0" 14459 14423 } 14460 14424 }, 14461 14425 "node_modules/esquery": { ··· 17317 17281 "node": ">=20.0.0" 17318 17282 } 17319 17283 }, 17284 + "node_modules/jsep": { 17285 + "version": "1.4.0", 17286 + "resolved": "https://registry.npmjs.org/jsep/-/jsep-1.4.0.tgz", 17287 + "integrity": "sha512-B7qPcEVE3NVkmSJbaYxvv4cHkVW7DQsZz13pUMrfS8z8Q/BuShN+gcTXrUlPiGqM2/t/EEaI030bpxMqY8gMlw==", 17288 + "dev": true, 17289 + "license": "MIT", 17290 + "engines": { 17291 + "node": ">= 10.16.0" 17292 + } 17293 + }, 17320 17294 "node_modules/jsesc": { 17321 17295 "version": "3.1.0", 17322 17296 "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-3.1.0.tgz", ··· 17373 17347 "node": ">=6" 17374 17348 } 17375 17349 }, 17376 - "node_modules/jsonpath": { 17377 - "version": "1.3.0", 17378 - "resolved": "https://registry.npmjs.org/jsonpath/-/jsonpath-1.3.0.tgz", 17379 - "integrity": "sha512-0kjkYHJBkAy50Z5QzArZ7udmvxrJzkpKYW27fiF//BrMY7TQibYLl+FYIXN2BiYmwMIVzSfD8aDRj6IzgBX2/w==", 17350 + "node_modules/jsonpath-plus": { 17351 + "version": "10.4.0", 17352 + "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-10.4.0.tgz", 17353 + "integrity": 
"sha512-T92WWatJXmhBbKsgH/0hl+jxjdXrifi5IKeMY02DWggRxX0UElcbVzPlmgLTbvsPeW1PasQ6xE2Q75stkhGbsA==", 17380 17354 "dev": true, 17381 17355 "license": "MIT", 17382 17356 "dependencies": { 17383 - "esprima": "1.2.5", 17384 - "static-eval": "2.1.1", 17385 - "underscore": "1.13.6" 17357 + "@jsep-plugin/assignment": "^1.3.0", 17358 + "@jsep-plugin/regex": "^1.0.4", 17359 + "jsep": "^1.4.0" 17360 + }, 17361 + "bin": { 17362 + "jsonpath": "bin/jsonpath-cli.js", 17363 + "jsonpath-plus": "bin/jsonpath-cli.js" 17364 + }, 17365 + "engines": { 17366 + "node": ">=18.0.0" 17386 17367 } 17387 17368 }, 17388 17369 "node_modules/jsonwebtoken": { ··· 20056 20037 "resolved": "https://registry.npmjs.org/standard-as-callback/-/standard-as-callback-2.1.0.tgz", 20057 20038 "integrity": "sha512-qoRRSyROncaz1z0mvYqIE4lCd9p2R90i6GxW3uZv5ucSu8tU7B5HXUP1gG8pVZsYNVaXjk8ClXHPttLyxAL48A==" 20058 20039 }, 20059 - "node_modules/static-eval": { 20060 - "version": "2.1.1", 20061 - "resolved": "https://registry.npmjs.org/static-eval/-/static-eval-2.1.1.tgz", 20062 - "integrity": "sha512-MgWpQ/ZjGieSVB3eOJVs4OA2LT/q1vx98KPCTTQPzq/aLr0YUXTsgryTXr4SLfR0ZfUUCiedM9n/ABeDIyy4mA==", 20063 - "dev": true, 20064 - "license": "MIT", 20065 - "dependencies": { 20066 - "escodegen": "^2.1.0" 20067 - } 20068 - }, 20069 20040 "node_modules/statuses": { 20070 20041 "version": "2.0.2", 20071 20042 "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz", ··· 21158 21129 "funding": { 21159 21130 "url": "https://github.com/sponsors/ljharb" 21160 21131 } 21161 - }, 21162 - "node_modules/underscore": { 21163 - "version": "1.13.6", 21164 - "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.13.6.tgz", 21165 - "integrity": "sha512-+A5Sja4HP1M08MaXya7p5LvjuM7K6q/2EaC0+iovj/wOcMsTzMvDFbasi/oSapiwOlt252IqsKqPjCl7huKS0A==", 21166 - "dev": true, 21167 - "license": "MIT" 21168 21132 }, 21169 21133 "node_modules/undici": { 21170 21134 "version": "7.24.5",
+4 -2
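--- a/server/package.json
+++ b/server/package.json
@@ -47,7 +47,6 @@
     "@types/debug": "^4.1.5",
     "@types/express": "^4.17.17",
     "@types/express-session": "^1.17.4",
-    "@types/jsonpath": "^0.2.0",
     "@types/jsonwebtoken": "^8.5.8",
     "@types/lodash": "^4.14.179",
     "@types/morgan": "^1.9.3",
@@ -142,7 +141,7 @@
     "jest-junit": "^16.0.0",
     "jest-light-runner": "^0.4.1",
     "js-yaml": "^4.1.0",
-    "jsonpath": "^1.3.0",
+    "jsonpath-plus": "^10.4.0",
     "supertest": "^6.2.2",
     "ts-node": "^10.9.1",
     "tsc-watch": "^4.6.0",
@@ -166,6 +165,8 @@
     },
     "apollo-server-express": {
       "@types/express": "npm:@types/express@4.17.17"
+    },
+    "eslint-plugin-better-mutation": {
+      "lodash": "^4.18.1"
     }
   }
 }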
+7 -5
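--- a/server/test/extendExpect.ts
+++ b/server/test/extendExpect.ts
@@ -1,7 +1,6 @@
 // eslint-disable-next-line import/no-extraneous-dependencies
 import jestSnapshot from 'jest-snapshot';
-// eslint-disable-next-line import/no-extraneous-dependencies
-import jsonPath from 'jsonpath';
+import { JSONPath } from 'jsonpath-plus';
 import lodash from 'lodash';
 
 const { toMatchSnapshot } = jestSnapshot;
@@ -55,9 +54,12 @@
     if (isJsonPath(k)) {
       // eslint-disable-next-line @typescript-eslint/no-dynamic-delete
       delete generatedPropertyMatchers[key];
-      jsonPath.paths(received, k).forEach((path) => {
-        set(generatedPropertyMatchers, path.slice(1), propertyMatchers[key]);
-      });
+      JSONPath({ path: k, json: received, resultType: 'path' }).forEach(
+        (pathStr: string) => {
+          const path = JSONPath.toPathArray(pathStr).slice(1);
+          set(generatedPropertyMatchers, path, propertyMatchers[key]);
+        },
+      );
     }
   });
 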
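Review bot: The `JSONPath({ path: k, json: received, resultType: 'path' })` call on the new side runs with jsonpath-plus's default expression evaluator enabled, although every `k` here is a matcher key written by the test itself and the code only needs path enumeration; passing `eval: false` in that options object would disable filter/script-expression evaluation and keep the jsep plugins this commit pulls in out of the runtime path entirely. The `.slice(1)` on `JSONPath.toPathArray(pathStr)` drops the leading `$` segment that `jsonPath.paths()` used to return as its first element, so the `set()` behaviour looks preserved, but that equivalence is non-obvious and deserves a comment such as `// toPathArray yields ['$', ...segments]; drop the root token before set()`. The enclosing callback starts before this hunk (its first visible line is already inside the `if (isJsonPath(k))` body). The first hunk also removes the `import/no-extraneous-dependencies` disable even though `jsonpath-plus` is listed in the same block of server/package.json that `jsonpath` was, so if that rule is enforced for this path it will presumably fire again on the new import.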