Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerabilities: Frontend - tar and ws #446

Merged
merged 3 commits into from
Jul 26, 2024
Merged

Vulnerabilities: Frontend - tar and ws #446

merged 3 commits into from
Jul 26, 2024

Conversation

Matthew-Grayson
Copy link
Contributor

@Matthew-Grayson Matthew-Grayson commented Jul 15, 2024
edited
Loading

🗣 Description

Bump versions of tar and ws to address vulnerabilities.

💭 Motivation and context

tar <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - GHSA-f5x3-32g6-xq36

ws 6.0.0 - 6.2.2 || 7.0.0 - 7.5.9 || 8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - GHSA-3h5v-q93c-6h6q

Closes issue #437
Closes issue #438

🧪 Testing

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All future TODOs are captured in issues, which are referenced
    in code comments.
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All relevant repo and/or project documentation has been updated
    to reflect the changes in this PR.
  • Tests have been added and/or modified to cover the changes in this PR.
  • All new and existing tests pass.

✅ Pre-merge checklist

  • Revert dependencies to default branches.
  • Finalize version.

✅ Post-merge checklist

  • Create a release.

@Matthew-Grayson Matthew-Grayson linked an issue Jul 15, 2024 that may be closed by this pull request
Vulnerability: Frontend tar #437
Closed
@Matthew-Grayson Matthew-Grayson changed the title Bump tar from 6.2.0 to 6.2.1 in frontend package-lock. Vulnerability: Frontend - tar Jul 15, 2024
@Matthew-Grayson
Update Frontend Node Module ws
23afd54 
Bump ws 6.2.2 to 6.2.3
Bump ws 7.5.9 to 7.5.10
Bump ws 8.13.0 to 8.18.0
@Matthew-Grayson Matthew-Grayson changed the title Vulnerability: Frontend - tar Vulnerabilities: Frontend - tar and ws Jul 15, 2024
@Matthew-Grayson Matthew-Grayson marked this pull request as ready for review July 15, 2024 15:31
@Matthew-Grayson Matthew-Grayson self-assigned this Jul 16, 2024
cduhn17
cduhn17 approved these changes Jul 17, 2024
View reviewed changes
Copy link
Collaborator

@cduhn17 cduhn17 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

hawkishpolicy
hawkishpolicy approved these changes Jul 17, 2024
View reviewed changes
Copy link
Collaborator

@hawkishpolicy hawkishpolicy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

nickviola
nickviola approved these changes Jul 17, 2024
View reviewed changes
Copy link
Collaborator

@nickviola nickviola left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

schmelz21
schmelz21 approved these changes Jul 19, 2024
View reviewed changes
Copy link
Collaborator

@schmelz21 schmelz21 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per our conversation and Merge develop into 437-vulnerability-frontend-tar.. LGTM

frontend/package-lock.json Show resolved Hide resolved
@schmelz21 schmelz21 merged commit 111c656 into develop Jul 26, 2024
13 of 15 checks passed
@schmelz21 schmelz21 deleted the 437-vulnerability-frontend-tar branch July 26, 2024 13:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nickviola nickviola nickviola approved these changes

@schmelz21 schmelz21 schmelz21 approved these changes

@cduhn17 cduhn17 cduhn17 approved these changes

@hawkishpolicy hawkishpolicy hawkishpolicy approved these changes

@aloftus23 aloftus23 Awaiting requested review from aloftus23 aloftus23 is a code owner

@rapidray12 rapidray12 Awaiting requested review from rapidray12 rapidray12 is a code owner

Assignees

@Matthew-Grayson Matthew-Grayson

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Vulnerability: Frontend tar
5 participants
@Matthew-Grayson @nickviola @schmelz21 @cduhn17 @hawkishpolicy