fix(security): update path-to-regex
- also related parent module express
- and related module body-parser
- dependencies are dev only
- removed test project file change
- second upgrade of express overnight
- and related module static-server
- and related module send

Issue: tools-suite/issues/31259
Issue: https://github.com/SAP/open-ux-tools/security/dependabot/148
Issue: https://github.com/SAP/open-ux-tools/security/dependabot/149
Issue: https://github.com/SAP/open-ux-tools/security/dependabot/135
Issue: https://github.com/SAP/open-ux-tools/security/dependabot/151
Issue: https://github.com/SAP/open-ux-tools/security/dependabot/150
donal-tobin-sap committed Sep 12, 2024
1 parent 0ecbd4a commit fa7480e
Showing 11 changed files with 263 additions and 210 deletions.
22 changes: 21 additions & 1 deletion docs/version-overrides.md
Expand Up @@ -2,6 +2,26 @@

This document lists the version overrides for vulnerable (nested) dependencies and the reason.

```
## @ui5/cli -> @ui5/server -> router

- waiting on UI5 fixes to be released
- may be necessary to upgrade to version 4 of the UI5 cli

```
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high │ path-to-regexp outputs backtracking regular │
│ │ expressions │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package │ path-to-regexp │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <0.1.10 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions │ >=0.1.10 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths │ packages\preview-middleware-client > @ui5/[email protected] > │
│ │ @ui5/[email protected] > [email protected] > │
│ │ [email protected]
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-9wv6-86v2-598j │
└─────────────────────┴────────────────────────────────────────────────────────┘
```
1 change: 1 addition & 0 deletions package.json
Expand Up @@ -62,6 +62,7 @@
"packageManager": "[email protected]",
"pnpm": {
"overrides": {
"router>path-to-regexp": "0.1.10"
}
}
}
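Review bot: The override `"router>path-to-regexp": "0.1.10"` rewrites path-to-regexp only where `router` is the parent, which matches the single path recorded in docs/version-overrides.md in this commit (`[email protected] > [email protected]`) but touches no other `path-to-regexp` edge; express's own dependency on it appears to be covered by the 4.21.0 bumps in the other hunks, so it is worth confirming on the regenerated lockfile that nothing below 0.1.10 remains (`pnpm why path-to-regexp`). The exact pin also means a later 0.1.x patch release would be held at 0.1.10 until this entry is edited, and the document describes the override as temporary pending UI5 fixes, so the removal condition belongs next to it. Since package.json cannot carry a comment, the docs entry is the place for a line such as `- remove this override once the @ui5/cli > @ui5/server > router chain resolves path-to-regexp >= 0.1.10`.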
2 changes: 1 addition & 1 deletion packages/adp-tooling/package.json
Expand Up @@ -65,7 +65,7 @@
"@types/supertest": "2.0.12",
"@types/uuid": "10.0.0",
"dotenv": "16.3.1",
"express": "4.19.2",
"express": "4.21.0",
"nock": "13.4.0",
"rimraf": "5.0.5",
"supertest": "6.3.3"
2 changes: 1 addition & 1 deletion packages/backend-proxy-middleware/package.json
Expand Up @@ -48,7 +48,7 @@
"@types/prompts": "2.4.4",
"@types/proxy-from-env": "1.0.1",
"@types/supertest": "2.0.12",
"express": "4.19.2",
"express": "4.21.0",
"nock": "13.4.0",
"supertest": "6.3.3",
"yaml": "2.2.2"
3 changes: 2 additions & 1 deletion packages/cards-editor-middleware/package.json
Expand Up @@ -35,7 +35,8 @@
"@types/ejs": "3.1.2",
"@types/express": "4.17.21",
"@types/supertest": "2.0.12",
"supertest": "6.3.3"
"supertest": "6.3.3",
"express": "4.21.0"
},
"peerDependencies": {
"express": "4"
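Review bot: Adding `"express": "4.21.0"` to devDependencies fixes what the test suite installs, but the consumer-facing range on the following lines, `"peerDependencies": { "express": "4" }`, still admits any 4.x, so a host project can pair this middleware with one of the express releases this commit moves away from; the commit message says the change is intentionally dev-only, so this may be a deliberate scope choice rather than an omission. If the middleware's runtime exposure is in scope, tightening the peer range (for example `"express": ">=4.21.0 <5"`) would carry the fix to consumers. On style, the new entry is appended after `"supertest"` while the other package.json hunks in this commit list `"express"` before `"nock"`/`"supertest"`; keeping the devDependencies block in one order would make future dependabot diffs easier to read.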
2 changes: 1 addition & 1 deletion packages/control-property-editor/package.json
Expand Up @@ -37,7 +37,7 @@
"@types/remote-redux-devtools": "0.5.4",
"@types/source-map-support": "0.5.0",
"@types/react": "16.14.55",
"body-parser": "1.20.1",
"body-parser": "1.20.3",
"eslint-plugin-react": "7.33.2",
"http-proxy-middleware": "1.3.1",
"i18next": "20.6.1",
2 changes: 1 addition & 1 deletion packages/preview-middleware/package.json
Expand Up @@ -61,7 +61,7 @@
"copyfiles": "2.4.1",
"@types/mem-fs": "1.1.2",
"@types/mem-fs-editor": "7.0.1",
"express": "4.19.2",
"express": "4.21.0",
"npm-run-all2": "6.2.0",
"nock": "13.4.0",
"supertest": "6.3.3",
2 changes: 1 addition & 1 deletion packages/reload-middleware/package.json
Expand Up @@ -45,7 +45,7 @@
"@types/livereload": "0.9.5",
"@types/supertest": "2.0.12",
"axios": "1.7.4",
"express": "4.19.2",
"express": "4.21.0",
"supertest": "6.3.3"
},
"engines": {
4 changes: 2 additions & 2 deletions packages/serve-static-middleware/package.json
Expand Up @@ -36,8 +36,8 @@
"@sap-ux/logger": "workspace:*"
},
"devDependencies": {
"express": "4.19.2",
"serve-static": "1.15.0",
"express": "4.21.0",
"serve-static": "1.16.2",
"supertest": "6.3.3",
"@types/express": "4.17.21",
"@types/serve-static": "1.15.5",
2 changes: 1 addition & 1 deletion packages/ui5-proxy-middleware/package.json
Expand Up @@ -46,7 +46,7 @@
"@types/express": "4.17.21",
"@types/supertest": "2.0.12",
"@types/proxy-from-env": "1.0.1",
"express": "4.19.2",
"express": "4.21.0",
"nock": "13.4.0",
"supertest": "6.3.3",
"yaml": "2.2.2"
