From eb7662e68918eb095ee6c41c9fc2254d41a1cf04 Mon Sep 17 00:00:00 2001
From: Abhinav Minhas
Date: Tue, 23 May 2023 15:25:58 +1000
Subject: [PATCH 1/3] Security Update - minimatch ReDoS vulnerability, decode-uri-component vulnerable to Denial of Service (DoS)
---
 package-lock.json | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 5dd4aad..edbb620 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -357,9 +357,9 @@
 }
 },
 "node_modules/decode-uri-component": {
- "version": "0.2.0",
- "resolved": "https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz",
- "integrity": "sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU=",
+ "version": "0.2.2",
+ "resolved": "https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.2.tgz",
+ "integrity": "sha512-FqUYQ+8o158GyGTrMFJms9qh3CqTKvAqgqsTnkLI8sKu0028orqBhxNMFkFen0zGyg6epACD32pjVk58ngIErQ==",
 "engines": {
 "node": ">=0.10"
 }
@@ -939,9 +939,9 @@
 }
 },
 "node_modules/minimatch": {
- "version": "3.0.4",
- "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz",
- "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==",
+ "version": "3.1.2",
+ "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
+ "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
 "dependencies": {
 "brace-expansion": "^1.1.7"
 },
@@ -1952,9 +1952,9 @@
 }
 },
 "decode-uri-component": {
- "version": "0.2.0",
- "resolved": "https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz",
- "integrity": "sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU="
+ "version": "0.2.2",
+ "resolved": "https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.2.tgz",
+ "integrity": "sha512-FqUYQ+8o158GyGTrMFJms9qh3CqTKvAqgqsTnkLI8sKu0028orqBhxNMFkFen0zGyg6epACD32pjVk58ngIErQ=="
 },
 "define-property": {
 "version": "2.0.2",
@@ -2401,9 +2401,9 @@
 }
 },
 "minimatch": {
- "version": "3.0.4",
- "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz",
- "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==",
+ "version": "3.1.2",
+ "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
+ "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
 "requires": {
 "brace-expansion": "^1.1.7"
 }
From 8504e7a95e8bda4b51cbcd585a54ee85030b216d Mon Sep 17 00:00:00 2001
From: Abhinav Minhas
Date: Tue, 23 May 2023 15:31:25 +1000
Subject: [PATCH 2/3] Security Update - xml2js is vulnerable to prototype pollution
---
 package-lock.json | 14 +++++++-------
 package.json | 2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index edbb620..e4eacb4 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -11,7 +11,7 @@
 "dependencies": {
 "fs": "^0.0.1-security",
 "globby": "^9.1.0",
- "xml2js": "^0.4.23"
+ "xml2js": "^0.5.0"
 }
 },
 "node_modules/@mrmlnc/readdir-enhanced": {
@@ -1659,9 +1659,9 @@
 "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8="
 },
 "node_modules/xml2js": {
- "version": "0.4.23",
- "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz",
- "integrity": "sha512-ySPiMjM0+pLDftHgXY4By0uswI3SPKLDw/i3UXbnO8M/p28zqexCUoPmQFrYD+/1BzhGJSs2i1ERWKJAtiLrug==",
+ "version": "0.5.0",
+ "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.5.0.tgz",
+ "integrity": "sha512-drPFnkQJik/O+uPKpqSgr22mpuFHqKdbS835iAQrUC73L2F5WkboIRd63ai/2Yg6I1jzifPFKH2NTK+cfglkIA==",
 "dependencies": {
 "sax": ">=0.6.0",
 "xmlbuilder": "~11.0.0"
@@ -2968,9 +2968,9 @@
 "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8="
 },
 "xml2js": {
- "version": "0.4.23",
- "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz",
- "integrity": "sha512-ySPiMjM0+pLDftHgXY4By0uswI3SPKLDw/i3UXbnO8M/p28zqexCUoPmQFrYD+/1BzhGJSs2i1ERWKJAtiLrug==",
+ "version": "0.5.0",
+ "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.5.0.tgz",
+ "integrity": "sha512-drPFnkQJik/O+uPKpqSgr22mpuFHqKdbS835iAQrUC73L2F5WkboIRd63ai/2Yg6I1jzifPFKH2NTK+cfglkIA==",
 "requires": {
 "sax": ">=0.6.0",
 "xmlbuilder": "~11.0.0"
diff --git a/package.json b/package.json
index 221dfc0..848718a 100644
--- a/package.json
+++ b/package.json
@@ -19,6 +19,6 @@
 "dependencies": {
 "fs": "^0.0.1-security",
 "globby": "^9.1.0",
- "xml2js": "^0.4.23"
+ "xml2js": "^0.5.0"
 }
 }
From cc442da7e02e9928a7d962acf573796a140bab7b Mon Sep 17 00:00:00 2001
From: Abhinav Minhas
Date: Tue, 23 May 2023 15:45:27 +1000
Subject: [PATCH 3/3] Github release creation - v.1.0.4
---
 .github/workflows/release.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fe07c77..b418a9f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,11 +1,11 @@
 name: Release
 env:
- RELEASE_NAME: "v.1.0.3"
+ RELEASE_NAME: "v.1.0.4"
 RELEASE_NOTES: |
- - Sofware Release (qTest-MSTest-Parser)
- - No change to qTest-MSTest-Parser
- - Security Update - 'glob-parent' dependency update to latest version (6.0.2) to avoid [CVE-2020-28469](https://github.com/advisories/GHSA-ww39-953v-wcq6)
+ - Security Update - 'decode-uri-component' vulnerable to Denial of Service (DoS) [CVE-2022-38900](https://github.com/advisories/GHSA-w573-4hg7-7wgq)
+ - Security Update - 'minimatch' ReDoS vulnerability [CVE-2022-3517](https://github.com/advisories/GHSA-f8q6-p94x-37v3)
+ - Security Update - 'xml2js' is vulnerable to prototype pollution [CVE-2023-0842](https://github.com/advisories/GHSA-776f-qx25-q3cc)
 on:
 workflow_dispatch: