From cba51eaa9bac83eed0eab1fbf9193e3f6e885950 Mon Sep 17 00:00:00 2001 From: OgunyemiO Date: Tue, 13 Feb 2024 11:45:16 +0000 Subject: [PATCH 01/37] yarn audit run --- yarn-audit-known-issues | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
index 0fae62df2..4f0ea1e38 100644
--- a/yarn-audit-known-issues
+++ b/yarn-audit-known-issues
@@ -1 +1 @@
-{"actions":[],"advisories":{"1085685":{"findings":[{"version":"1.1.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>os-locale>mem"]}],"metadata":null,"vulnerable_versions":"<4.0.0","module_name":"mem","severity":"moderate","github_advisory_id":"GHSA-4xcv-9jjx-gfj3","cves":[],"access":"public","patched_versions":">=4.0.0","cvss":{"score":5.1,"vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},"updated":"2023-01-09T05:01:45.000Z","recommendation":"Upgrade to version 4.0.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085685,"references":"- https://github.com/sindresorhus/mem/commit/da4e4398cb27b602de3bd55f746efa9b4a31702b\n- https://bugzilla.redhat.com/show_bug.cgi?id=1623744\n- https://www.npmjs.com/advisories/1084\n- https://snyk.io/vuln/npm:mem:20180117\n- https://github.com/advisories/GHSA-4xcv-9jjx-gfj3","created":"2019-07-05T21:07:58.000Z","reported_by":null,"title":"Denial of Service in mem","npm_advisory_id":null,"overview":"Versions of `mem` prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its `maxAge` property. 
This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.\n\n\n## Recommendation\n\nUpgrade to version 4.0.0 or later.","url":"https://github.com/advisories/GHSA-4xcv-9jjx-gfj3"},"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"moderate","github_advisory_id":"GHSA-64g7-mvw6-v9qj","cves":[],"access":"public","patched_versions":">=0.8.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-11T05:03:39.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1088208,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. 
You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088811":{"findings":[{"version":"8.1.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>yargs-parser"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <13.1.2","module_name":"yargs-parser","severity":"moderate","github_advisory_id":"GHSA-p9pc-299p-vxgp","cves":["CVE-2020-7608"],"access":"public","patched_versions":">=13.1.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-01-27T05:00:51.000Z","recommendation":"Upgrade to version 13.1.2 or later","cwe":["CWE-915","CWE-1321"],"found_by":null,"deleted":null,"id":1088811,"references":"- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381\n- https://www.npmjs.com/advisories/1500\n- https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2\n- https://nvd.nist.gov/vuln/detail/CVE-2020-7608\n- https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36\n- https://github.com/advisories/GHSA-p9pc-299p-vxgp","created":"2020-09-04T18:00:54.000Z","reported_by":null,"title":"yargs-parser Vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"Affected versions of `yargs-parser` are vulnerable to prototype pollution. 
Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.\n\n\n\n## Recommendation\n\nUpgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.","url":"https://github.com/advisories/GHSA-p9pc-299p-vxgp"},"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX 
socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"access":"public","patched_versions":">=3.1.7","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-30T05:02:57.000Z","recommendation":"Upgrade to version 3.1.7 or later","cwe":["CWE-74"],"found_by":null,"deleted":null,"id":1089270,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","reported_by":null,"title":"ejs template injection vulnerability","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. 
This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089434":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<=8.5.1","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-8cf7-32gw-wr33","cves":["CVE-2022-23539"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":0,"vectorString":null},"updated":"2023-01-31T05:01:09.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-327"],"found_by":null,"deleted":null,"id":1089434,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23539\n- https://github.com/advisories/GHSA-8cf7-32gw-wr33","created":"2022-12-22T03:32:22.000Z","reported_by":null,"title":"jsonwebtoken unrestricted key type could lead to legacy keys usage ","npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. \n\n# Am I affected?\n\nYou are affected if you are using an algorithm and a key type other than the combinations mentioned below\n\n| Key type | algorithm |\n|----------|------------------------------------------|\n| ec | ES256, ES384, ES512 |\n| rsa | RS256, RS384, RS512, PS256, PS384, PS512 |\n| rsa-pss | PS256, PS384, PS512 |\n\nAnd for Elliptic Curve algorithms:\n\n| `alg` | Curve |\n|-------|------------|\n| ES256 | prime256v1 |\n| ES384 | secp384r1 |\n| ES512 | secp521r1 |\n\n# How do I fix it?\n\nUpdate to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. 
Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, If you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.\n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you already use a valid secure combination of key type and algorithm. Otherwise, use the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and `verify()` functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility. \n\n","url":"https://github.com/advisories/GHSA-8cf7-32gw-wr33"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-g973-978j-2c3p","cves":["CVE-2021-32014"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:54.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-345","CWE-400"],"found_by":null,"deleted":null,"id":1089698,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by 
xlsx.js.","url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-3x9f-74h4-2fqr","cves":["CVE-2021-32012"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:10.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089699,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-8vcr-vxm8-293m","cves":["CVE-2021-32013"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:00.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089700,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- 
https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","reported_by":null,"title":"Denial of Service in SheetsJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2).","url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1091087":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<=8.5.1","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-hjrf-2m68-5959","cves":["CVE-2022-23541"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-01-29T05:06:34.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-287"],"found_by":null,"deleted":null,"id":1091087,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23541\n- https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0\n- https://github.com/advisories/GHSA-hjrf-2m68-5959","created":"2022-12-22T03:33:19.000Z","reported_by":null,"title":"jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC","npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the `secretOrPublicKey` argument from the [readme link](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback)) will result in incorrect verification of tokens. 
There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. \n\n# Am I affected?\n\nYou will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. \n\n# How do I fix it?\n \nUpdate to version 9.0.0.\n\n# Will the fix impact my users?\n\nThere is no impact for end users","url":"https://github.com/advisories/GHSA-hjrf-2m68-5959"},"1092549":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<9.0.0","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-qwph-4952-7xr6","cves":["CVE-2022-23540"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":6.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L"},"updated":"2023-07-14T22:03:14.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-287","CWE-327","CWE-347"],"found_by":null,"deleted":null,"id":1092549,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23540\n- https://github.com/advisories/GHSA-qwph-4952-7xr6","created":"2022-12-22T03:32:59.000Z","reported_by":null,"title":"jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()","npm_advisory_id":null,"overview":"# Overview\n\nIn versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification.\n\n# Am I 
affected?\nYou will be affected if all the following are true in the `jwt.verify()` function:\n- a token with no signature is received\n- no algorithms are specified \n- a falsy (e.g. null, false, undefined) secret or key is passed \n\n# How do I fix it?\n \nUpdate to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. \n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n","url":"https://github.com/advisories/GHSA-qwph-4952-7xr6"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-09-11T16:22:18.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1093639,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. 
When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094599":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.19.3","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","cves":["CVE-2023-30533"],"access":"public","patched_versions":">=0.19.3","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-11-06T05:04:13.000Z","recommendation":"Upgrade to version 0.19.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1094599,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2986\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","reported_by":null,"title":"Prototype Pollution in sheetJS","npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. 
Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1094889":{"findings":[{"version":"0.26.1","paths":["axios","@hmcts/rpx-xui-node-lib>axios"]}],"metadata":null,"vulnerable_versions":">=0.8.1 <1.6.0","module_name":"axios","severity":"moderate","github_advisory_id":"GHSA-wf5p-g6vw-rhxx","cves":["CVE-2023-45857"],"access":"public","patched_versions":">=1.6.0","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},"updated":"2023-11-16T19:59:09.000Z","recommendation":"Upgrade to version 1.6.0 or later","cwe":["CWE-352"],"found_by":null,"deleted":null,"id":1094889,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-45857\n- https://github.com/axios/axios/issues/6006\n- https://github.com/axios/axios/issues/6022\n- https://github.com/axios/axios/pull/6028\n- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0\n- https://github.com/axios/axios/releases/tag/v1.6.0\n- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459\n- https://github.com/advisories/GHSA-wf5p-g6vw-rhxx","created":"2023-11-08T21:30:37.000Z","reported_by":null,"title":"Axios Cross-Site Request Forgery Vulnerability","npm_advisory_id":null,"overview":"An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive 
information.","url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"},"1094982":{"findings":[{"version":"3.3.0","paths":["crypto-js"]}],"metadata":null,"vulnerable_versions":"<4.2.0","module_name":"crypto-js","severity":"critical","github_advisory_id":"GHSA-xwcq-pm8m-c4vf","cves":["CVE-2023-46233"],"access":"public","patched_versions":">=4.2.0","cvss":{"score":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},"updated":"2023-11-27T21:30:53.000Z","recommendation":"Upgrade to version 4.2.0 or later","cwe":["CWE-327","CWE-328","CWE-916"],"found_by":null,"deleted":null,"id":1094982,"references":"- https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf\n- https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a\n- https://nvd.nist.gov/vuln/detail/CVE-2023-46233\n- https://lists.debian.org/debian-lts-announce/2023/11/msg00025.html\n- https://github.com/advisories/GHSA-xwcq-pm8m-c4vf","created":"2023-10-25T21:15:52.000Z","reported_by":null,"title":"crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard","npm_advisory_id":null,"overview":"### Impact\n#### Summary\nCrypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and [at least 1,300,000 times weaker than current industry standard][OWASP PBKDF2 Cheatsheet]. This is because it both (1) defaults to [SHA1][SHA1 wiki], a cryptographic hash algorithm considered insecure [since at least 2005][Cryptanalysis of SHA-1] and (2) defaults to [one single iteration][one iteration src], a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to [preimage][preimage attack] and [collision][collision attack] attacks.\n\nPotential Impact:\n\n1. If used to protect passwords, the impact is high.\n2. If used to generate signatures, the impact is high.\n\nProbability / risk analysis / attack enumeration:\n\n1. 
[For at most $45,000][SHA1 is a Shambles], an attacker, given control of only the beginning of a crypto-js PBKDF2 input, can create a value which has _identical cryptographic signature_ to any chosen known value.\n4. Due to the [length extension attack] on SHA1, we can create a value that has identical signature to any _unknown_ value, provided it is prefixed by a known value. It does not matter if PBKDF2 applies '[salt][cryptographic salt]' or '[pepper][cryptographic pepper]' or any other secret unknown to the attacker. It will still create an identical signature.\n\n[cryptographic salt]: https://en.wikipedia.org/wiki/Salt_(cryptography) \"Salt (cryptography), Wikipedia\"\n[cryptographic pepper]: https://en.wikipedia.org/wiki/Pepper_(cryptography) \"Pepper (cryptography), Wikipedia\"\n[SHA1 wiki]: https://en.wikipedia.org/wiki/SHA-1 \"SHA-1, Wikipedia\"\n[Cryptanalysis of SHA-1]: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html \"Cryptanalysis of SHA-1\"\n[one iteration src]: https://github.com/brix/crypto-js/blob/1da3dabf93f0a0435c47627d6f171ad25f452012/src/pbkdf2.js#L22-L26 \"crypto-js/src/pbkdf2.js lines 22-26\"\n[collision attack]: https://en.wikipedia.org/wiki/Hash_collision \"Collision Attack, Wikipedia\"\n[preimage attack]: https://en.wikipedia.org/wiki/Preimage_attack \"Preimage Attack, Wikipedia\"\n[SHA1 is a Shambles]: https://eprint.iacr.org/2020/014.pdf \"SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1\nand Application to the PGP Web of Trust, Gaëtan Leurent and Thomas Peyrin\"\n[Length Extension attack]: https://en.wikipedia.org/wiki/Length_extension_attack \"Length extension attack, Wikipedia\"\n\ncrypto-js has 10,642 public users [as displayed on NPM][crypto-js, NPM], today October 11th 2023. 
The number of transient dependents is likely several orders of magnitude higher.\n\nA very rough GitHub search[ shows 432 files][GitHub search: affected files] cross GitHub using PBKDF2 in crypto-js in Typescript or JavaScript, but not specifying any number of iterations.\n\n[OWASP PBKDF2 Cheatsheet]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 \"OWASP PBKDF2 Cheatsheet\"\n[crypto-js, NPM]: https://www.npmjs.com/package/crypto-js \"crypto-js on NPM\"\n[GitHub search: affected files]: https://github.com/search?q=%22crypto-js%22+AND+pbkdf2+AND+%28lang%3AJavaScript+OR+lang%3ATypeScript%29++NOT+%22iterations%22&type=code&p=2 \"GitHub search: crypto-js AND pbkdf2 AND (lang:JavaScript OR lang:TypeScript) NOT iterations\"\n\n#### Affected versions\nAll versions are impacted. This code has been the same since crypto-js was first created.\n\n#### Further Cryptanalysis\n\nThe issue here is especially egregious because the length extension attack makes useless any secret that might be appended to the plaintext before calculating its signature.\n\nConsider a scheme in which a secret is created for a user's username, and that secret is used to protect e.g. their passwords. Let's say that password is 'fake-password', and their username is 'example-username'.\n\nTo encrypt the user password via symmetric encryption we might do `encrypt(plaintext: 'fake-password', encryption_key: cryptojs.pbkdf2(value: 'example username' + salt_or_pepper))`. By this means, we would, in theory, create an `encryption_key` that can be determined from the public username, but which requires the secret `salt_or_pepper` to generate. This is a common scheme for protecting passwords, as exemplified in bcrypt & scrypt. 
Because the encryption key is symmetric, we can use this derived key to also decrypt the ciphertext.\n\nBecause of the length extension issue, if the attacker obtains (via attack 1), a collision with 'example username', the attacker _does not need to know_ `salt_or_pepper` to decrypt their account data, only their public username.\n\n### Description\n\nPBKDF2 is a key-derivation is a key-derivation function that is used for two main purposes: (1) to stretch or squash a variable length password's entropy into a fixed size for consumption by another cryptographic operation and (2) to reduce the chance of downstream operations recovering the password input (for example, for password storage).\n\nUnlike the modern [webcrypto](https://w3c.github.io/webcrypto/#pbkdf2-operations) standard, crypto-js does not throw an error when a number of iterations is not specified, and defaults to one single iteration. In the year 2000, when PBKDF2 was originally specified, the minimum number of iterations suggested was set at 1,000. Today, [OWASP recommends 1,300,000][OWASP PBKDF2 Cheatsheet]:\n\nhttps://github.com/brix/crypto-js/blob/4dcaa7afd08f48cd285463b8f9499cdb242605fa/src/pbkdf2.js#L22-L26\n\n### Patches\nNo available patch. The package is not maintained.\n\n### Workarounds\nConsult the [OWASP PBKDF2 Cheatsheet]. Configure to use SHA256 with at least 250,000 iterations.\n\n### Coordinated disclosure\nThis issue was simultaneously submitted to [crypto-js](https://github.com/brix/crypto-js) and [crypto-es](https://github.com/entronad/crypto-es) on the 23rd of October 2023.\n\n### Caveats\n\nThis issue was found in a security review that was _not_ scoped to crypto-js. 
This report is not an indication that crypto-js has undergone a formal security assessment by the author.\n\n","url":"https://github.com/advisories/GHSA-xwcq-pm8m-c4vf"},"1095051":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","cves":["CVE-2022-21680"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-11-29T20:51:52.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1095051,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted 
markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"},"1095052":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","cves":["CVE-2022-21681"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-11-29T20:51:17.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1095052,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as 
marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1095097":{"findings":[{"version":"1.8.3","paths":["@pact-foundation/pact-node>underscore","@pact-foundation/pact>@pact-foundation/pact-node>underscore"]}],"metadata":null,"vulnerable_versions":">=1.3.2 <1.12.1","module_name":"underscore","severity":"critical","github_advisory_id":"GHSA-cf4h-3jhx-xvhq","cves":["CVE-2021-23358"],"access":"public","patched_versions":">=1.12.1","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-11-29T22:34:54.000Z","recommendation":"Upgrade to version 1.12.1 or later","cwe":["CWE-94"],"found_by":null,"deleted":null,"id":1095097,"references":"- 
https://nvd.nist.gov/vuln/detail/CVE-2021-23358\n- https://github.com/jashkenas/underscore/pull/2917\n- https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66\n- https://github.com/jashkenas/underscore/releases/tag/1.12.1\n- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984\n- https://www.npmjs.com/package/underscore\n- https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71\n- https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html\n- https://www.debian.org/security/2021/dsa-4883\n- https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E\n- https://www.tenable.com/security/tns-2021-14\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503\n- https://github.com/advisories/GHSA-cf4h-3jhx-xvhq","created":"2021-05-06T16:09:43.000Z","reported_by":null,"title":"Arbitrary Code Execution in underscore","npm_advisory_id":null,"overview":"The package `underscore` from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to 
Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.","url":"https://github.com/advisories/GHSA-cf4h-3jhx-xvhq"},"1095102":{"findings":[{"version":"2.5.0","paths":["rx-polling-hmcts>jest-environment-jsdom>jsdom>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-11-29T22:32:01.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1095102,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1095126":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"high","github_advisory_id":"GHSA-4rq4-32rv-6wp6","cves":["CVE-2022-0144"],"access":"public","patched_versions":">=0.8.5","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"updated":"2023-11-29T22:21:11.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1095126,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege Management","url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1095531":{"findings":[{"version":"6.2.1","paths":["log4js"]}],"metadata":null,"vulnerable_versions":"<6.4.0","module_name":"log4js","severity":"moderate","github_advisory_id":"GHSA-82v2-mx6x-wq7q","cves":["CVE-2022-21704"],"access":"public","patched_versions":">=6.4.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},"updated":"2024-01-24T08:54:14.000Z","recommendation":"Upgrade to version 6.4.0 or later","cwe":["CWE-276"],"found_by":null,"deleted":null,"id":1095531,"references":"- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q\n- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76\n- https://github.com/log4js-node/streamroller/pull/87\n- 
https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21704\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00014.html\n- https://github.com/advisories/GHSA-82v2-mx6x-wq7q","created":"2022-01-21T18:53:27.000Z","reported_by":null,"title":"Incorrect Default Permissions in log4js","npm_advisory_id":null,"overview":"### Impact\r\nDefault file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.\r\n\r\n### Patches\r\nFixed by:\r\n* https://github.com/log4js-node/log4js-node/pull/1141\r\n* https://github.com/log4js-node/streamroller/pull/87\r\n\r\nReleased to NPM in log4js@6.4.0\r\n\r\n### Workarounds\r\nEvery version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.\r\n\r\n### References\r\n\r\nThanks to [ranjit-git](https://www.huntr.dev/users/ranjit-git) for raising the issue, and to @lamweili for fixing the problem.\r\n\r\n### For more information\r\nIf you have any questions or comments about this advisory:\r\n* Open an issue in [logj4s-node](https://github.com/log4js-node/log4js-node)\r\n* Ask a question in the [slack channel](https://join.slack.com/t/log4js-node/shared_invite/enQtODkzMDQ3MzExMDczLWUzZmY0MmI0YWI1ZjFhODY0YjI0YmU1N2U5ZTRkOTYyYzg3MjY5NWI4M2FjZThjYjdiOGM0NjU2NzBmYTJjOGI)\r\n* Email us at 
[gareth.nomiddlename@gmail.com](mailto:gareth.nomiddlename@gmail.com)\r\n","url":"https://github.com/advisories/GHSA-82v2-mx6x-wq7q"},"1096353":{"findings":[{"version":"1.15.3","paths":["axios>follow-redirects","@hmcts/rpx-xui-node-lib>axios>follow-redirects"]}],"metadata":null,"vulnerable_versions":"<1.15.4","module_name":"follow-redirects","severity":"moderate","github_advisory_id":"GHSA-jchw-25xp-jwwc","cves":["CVE-2023-26159"],"access":"public","patched_versions":">=1.15.4","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2024-01-31T05:07:10.000Z","recommendation":"Upgrade to version 1.15.4 or later","cwe":["CWE-20","CWE-601"],"found_by":null,"deleted":null,"id":1096353,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26159\n- https://github.com/follow-redirects/follow-redirects/issues/235\n- https://github.com/follow-redirects/follow-redirects/pull/236\n- https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137\n- https://github.com/follow-redirects/follow-redirects/commit/7a6567e16dfa9ad18a70bfe91784c28653fbf19d\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/\n- https://github.com/advisories/GHSA-jchw-25xp-jwwc","created":"2024-01-02T06:30:30.000Z","reported_by":null,"title":"Follow Redirects improperly handles URLs in the url.parse() function","npm_advisory_id":null,"overview":"Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. 
An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.","url":"https://github.com/advisories/GHSA-jchw-25xp-jwwc"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":17,"high":4,"critical":4},"dependencies":892,"devDependencies":6,"optionalDependencies":0,"totalDependencies":898}} +{"actions":[],"advisories":{"1085685":{"findings":[{"version":"1.1.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>os-locale>mem"]}],"metadata":null,"vulnerable_versions":"<4.0.0","module_name":"mem","severity":"moderate","github_advisory_id":"GHSA-4xcv-9jjx-gfj3","cves":[],"access":"public","patched_versions":">=4.0.0","cvss":{"score":5.1,"vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},"updated":"2023-01-09T05:01:45.000Z","recommendation":"Upgrade to version 4.0.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085685,"references":"- https://github.com/sindresorhus/mem/commit/da4e4398cb27b602de3bd55f746efa9b4a31702b\n- https://bugzilla.redhat.com/show_bug.cgi?id=1623744\n- https://www.npmjs.com/advisories/1084\n- https://snyk.io/vuln/npm:mem:20180117\n- https://github.com/advisories/GHSA-4xcv-9jjx-gfj3","created":"2019-07-05T21:07:58.000Z","reported_by":null,"title":"Denial of Service in mem","npm_advisory_id":null,"overview":"Versions of `mem` prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its `maxAge` property. 
This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.\n\n\n## Recommendation\n\nUpgrade to version 4.0.0 or later.","url":"https://github.com/advisories/GHSA-4xcv-9jjx-gfj3"},"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"moderate","github_advisory_id":"GHSA-64g7-mvw6-v9qj","cves":[],"access":"public","patched_versions":">=0.8.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-11T05:03:39.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1088208,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. 
You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088811":{"findings":[{"version":"8.1.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>yargs-parser"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <13.1.2","module_name":"yargs-parser","severity":"moderate","github_advisory_id":"GHSA-p9pc-299p-vxgp","cves":["CVE-2020-7608"],"access":"public","patched_versions":">=13.1.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-01-27T05:00:51.000Z","recommendation":"Upgrade to version 13.1.2 or later","cwe":["CWE-915","CWE-1321"],"found_by":null,"deleted":null,"id":1088811,"references":"- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381\n- https://www.npmjs.com/advisories/1500\n- https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2\n- https://nvd.nist.gov/vuln/detail/CVE-2020-7608\n- https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36\n- https://github.com/advisories/GHSA-p9pc-299p-vxgp","created":"2020-09-04T18:00:54.000Z","reported_by":null,"title":"yargs-parser Vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"Affected versions of `yargs-parser` are vulnerable to prototype pollution. 
Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.\n\n\n\n## Recommendation\n\nUpgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.","url":"https://github.com/advisories/GHSA-p9pc-299p-vxgp"},"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX 
socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"access":"public","patched_versions":">=3.1.7","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-30T05:02:57.000Z","recommendation":"Upgrade to version 3.1.7 or later","cwe":["CWE-74"],"found_by":null,"deleted":null,"id":1089270,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","reported_by":null,"title":"ejs template injection vulnerability","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. 
This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089434":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<=8.5.1","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-8cf7-32gw-wr33","cves":["CVE-2022-23539"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":0,"vectorString":null},"updated":"2023-01-31T05:01:09.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-327"],"found_by":null,"deleted":null,"id":1089434,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23539\n- https://github.com/advisories/GHSA-8cf7-32gw-wr33","created":"2022-12-22T03:32:22.000Z","reported_by":null,"title":"jsonwebtoken unrestricted key type could lead to legacy keys usage ","npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. \n\n# Am I affected?\n\nYou are affected if you are using an algorithm and a key type other than the combinations mentioned below\n\n| Key type | algorithm |\n|----------|------------------------------------------|\n| ec | ES256, ES384, ES512 |\n| rsa | RS256, RS384, RS512, PS256, PS384, PS512 |\n| rsa-pss | PS256, PS384, PS512 |\n\nAnd for Elliptic Curve algorithms:\n\n| `alg` | Curve |\n|-------|------------|\n| ES256 | prime256v1 |\n| ES384 | secp384r1 |\n| ES512 | secp521r1 |\n\n# How do I fix it?\n\nUpdate to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. 
Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, If you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.\n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you already use a valid secure combination of key type and algorithm. Otherwise, use the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and `verify()` functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility. \n\n","url":"https://github.com/advisories/GHSA-8cf7-32gw-wr33"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-g973-978j-2c3p","cves":["CVE-2021-32014"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:54.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-345","CWE-400"],"found_by":null,"deleted":null,"id":1089698,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by 
xlsx.js.","url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-3x9f-74h4-2fqr","cves":["CVE-2021-32012"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:10.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089699,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-8vcr-vxm8-293m","cves":["CVE-2021-32013"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:00.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089700,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- 
https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","reported_by":null,"title":"Denial of Service in SheetsJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2).","url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1091087":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<=8.5.1","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-hjrf-2m68-5959","cves":["CVE-2022-23541"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-01-29T05:06:34.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-287"],"found_by":null,"deleted":null,"id":1091087,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23541\n- https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0\n- https://github.com/advisories/GHSA-hjrf-2m68-5959","created":"2022-12-22T03:33:19.000Z","reported_by":null,"title":"jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC","npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the `secretOrPublicKey` argument from the [readme link](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback)) will result in incorrect verification of tokens. 
There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. \n\n# Am I affected?\n\nYou will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. \n\n# How do I fix it?\n \nUpdate to version 9.0.0.\n\n# Will the fix impact my users?\n\nThere is no impact for end users","url":"https://github.com/advisories/GHSA-hjrf-2m68-5959"},"1092549":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<9.0.0","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-qwph-4952-7xr6","cves":["CVE-2022-23540"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":6.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L"},"updated":"2023-07-14T22:03:14.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-287","CWE-327","CWE-347"],"found_by":null,"deleted":null,"id":1092549,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23540\n- https://github.com/advisories/GHSA-qwph-4952-7xr6","created":"2022-12-22T03:32:59.000Z","reported_by":null,"title":"jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()","npm_advisory_id":null,"overview":"# Overview\n\nIn versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification.\n\n# Am I 
affected?\nYou will be affected if all the following are true in the `jwt.verify()` function:\n- a token with no signature is received\n- no algorithms are specified \n- a falsy (e.g. null, false, undefined) secret or key is passed \n\n# How do I fix it?\n \nUpdate to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. \n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n","url":"https://github.com/advisories/GHSA-qwph-4952-7xr6"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-09-11T16:22:18.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1093639,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. 
When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094599":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.19.3","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","cves":["CVE-2023-30533"],"access":"public","patched_versions":">=0.19.3","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-11-06T05:04:13.000Z","recommendation":"Upgrade to version 0.19.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1094599,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2986\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","reported_by":null,"title":"Prototype Pollution in sheetJS","npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. 
Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1094889":{"findings":[{"version":"0.26.1","paths":["axios","@hmcts/rpx-xui-node-lib>axios"]}],"metadata":null,"vulnerable_versions":">=0.8.1 <1.6.0","module_name":"axios","severity":"moderate","github_advisory_id":"GHSA-wf5p-g6vw-rhxx","cves":["CVE-2023-45857"],"access":"public","patched_versions":">=1.6.0","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},"updated":"2023-11-16T19:59:09.000Z","recommendation":"Upgrade to version 1.6.0 or later","cwe":["CWE-352"],"found_by":null,"deleted":null,"id":1094889,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-45857\n- https://github.com/axios/axios/issues/6006\n- https://github.com/axios/axios/issues/6022\n- https://github.com/axios/axios/pull/6028\n- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0\n- https://github.com/axios/axios/releases/tag/v1.6.0\n- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459\n- https://github.com/advisories/GHSA-wf5p-g6vw-rhxx","created":"2023-11-08T21:30:37.000Z","reported_by":null,"title":"Axios Cross-Site Request Forgery Vulnerability","npm_advisory_id":null,"overview":"An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive 
information.","url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"},"1095051":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","cves":["CVE-2022-21680"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-11-29T20:51:52.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1095051,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) 
thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"},"1095052":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","cves":["CVE-2022-21681"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-11-29T20:51:17.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1095052,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: 
x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1095097":{"findings":[{"version":"1.8.3","paths":["@pact-foundation/pact-node>underscore","@pact-foundation/pact>@pact-foundation/pact-node>underscore"]}],"metadata":null,"vulnerable_versions":">=1.3.2 <1.12.1","module_name":"underscore","severity":"critical","github_advisory_id":"GHSA-cf4h-3jhx-xvhq","cves":["CVE-2021-23358"],"access":"public","patched_versions":">=1.12.1","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-11-29T22:34:54.000Z","recommendation":"Upgrade to version 1.12.1 or later","cwe":["CWE-94"],"found_by":null,"deleted":null,"id":1095097,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-23358\n- 
https://github.com/jashkenas/underscore/pull/2917\n- https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66\n- https://github.com/jashkenas/underscore/releases/tag/1.12.1\n- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984\n- https://www.npmjs.com/package/underscore\n- https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71\n- https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html\n- https://www.debian.org/security/2021/dsa-4883\n- https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E\n- https://www.tenable.com/security/tns-2021-14\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503\n- https://github.com/advisories/GHSA-cf4h-3jhx-xvhq","created":"2021-05-06T16:09:43.000Z","reported_by":null,"title":"Arbitrary Code Execution in underscore","npm_advisory_id":null,"overview":"The package `underscore` from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template 
function, particularly when a variable property is passed as an argument as it is not sanitized.","url":"https://github.com/advisories/GHSA-cf4h-3jhx-xvhq"},"1095102":{"findings":[{"version":"2.5.0","paths":["rx-polling-hmcts>jest-environment-jsdom>jsdom>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-11-29T22:32:01.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1095102,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1095126":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"high","github_advisory_id":"GHSA-4rq4-32rv-6wp6","cves":["CVE-2022-0144"],"access":"public","patched_versions":">=0.8.5","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"updated":"2023-11-29T22:21:11.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1095126,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege Management","url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1095531":{"findings":[{"version":"6.2.1","paths":["log4js"]}],"metadata":null,"vulnerable_versions":"<6.4.0","module_name":"log4js","severity":"moderate","github_advisory_id":"GHSA-82v2-mx6x-wq7q","cves":["CVE-2022-21704"],"access":"public","patched_versions":">=6.4.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},"updated":"2024-01-24T08:54:14.000Z","recommendation":"Upgrade to version 6.4.0 or later","cwe":["CWE-276"],"found_by":null,"deleted":null,"id":1095531,"references":"- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q\n- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76\n- https://github.com/log4js-node/streamroller/pull/87\n- 
https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21704\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00014.html\n- https://github.com/advisories/GHSA-82v2-mx6x-wq7q","created":"2022-01-21T18:53:27.000Z","reported_by":null,"title":"Incorrect Default Permissions in log4js","npm_advisory_id":null,"overview":"### Impact\r\nDefault file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.\r\n\r\n### Patches\r\nFixed by:\r\n* https://github.com/log4js-node/log4js-node/pull/1141\r\n* https://github.com/log4js-node/streamroller/pull/87\r\n\r\nReleased to NPM in log4js@6.4.0\r\n\r\n### Workarounds\r\nEvery version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.\r\n\r\n### References\r\n\r\nThanks to [ranjit-git](https://www.huntr.dev/users/ranjit-git) for raising the issue, and to @lamweili for fixing the problem.\r\n\r\n### For more information\r\nIf you have any questions or comments about this advisory:\r\n* Open an issue in [logj4s-node](https://github.com/log4js-node/log4js-node)\r\n* Ask a question in the [slack channel](https://join.slack.com/t/log4js-node/shared_invite/enQtODkzMDQ3MzExMDczLWUzZmY0MmI0YWI1ZjFhODY0YjI0YmU1N2U5ZTRkOTYyYzg3MjY5NWI4M2FjZThjYjdiOGM0NjU2NzBmYTJjOGI)\r\n* Email us at 
[gareth.nomiddlename@gmail.com](mailto:gareth.nomiddlename@gmail.com)\r\n","url":"https://github.com/advisories/GHSA-82v2-mx6x-wq7q"},"1096353":{"findings":[{"version":"1.15.3","paths":["axios>follow-redirects","@hmcts/rpx-xui-node-lib>axios>follow-redirects"]}],"metadata":null,"vulnerable_versions":"<1.15.4","module_name":"follow-redirects","severity":"moderate","github_advisory_id":"GHSA-jchw-25xp-jwwc","cves":["CVE-2023-26159"],"access":"public","patched_versions":">=1.15.4","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2024-01-31T05:07:10.000Z","recommendation":"Upgrade to version 1.15.4 or later","cwe":["CWE-20","CWE-601"],"found_by":null,"deleted":null,"id":1096353,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26159\n- https://github.com/follow-redirects/follow-redirects/issues/235\n- https://github.com/follow-redirects/follow-redirects/pull/236\n- https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137\n- https://github.com/follow-redirects/follow-redirects/commit/7a6567e16dfa9ad18a70bfe91784c28653fbf19d\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/\n- https://github.com/advisories/GHSA-jchw-25xp-jwwc","created":"2024-01-02T06:30:30.000Z","reported_by":null,"title":"Follow Redirects improperly handles URLs in the url.parse() function","npm_advisory_id":null,"overview":"Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. 
An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.","url":"https://github.com/advisories/GHSA-jchw-25xp-jwwc"},"1096365":{"findings":[{"version":"3.3.0","paths":["crypto-js"]}],"metadata":null,"vulnerable_versions":"<4.2.0","module_name":"crypto-js","severity":"critical","github_advisory_id":"GHSA-xwcq-pm8m-c4vf","cves":["CVE-2023-46233"],"access":"public","patched_versions":">=4.2.0","cvss":{"score":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},"updated":"2024-02-01T16:30:31.000Z","recommendation":"Upgrade to version 4.2.0 or later","cwe":["CWE-327","CWE-328","CWE-916"],"found_by":null,"deleted":null,"id":1096365,"references":"- https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf\n- https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a\n- https://nvd.nist.gov/vuln/detail/CVE-2023-46233\n- https://lists.debian.org/debian-lts-announce/2023/11/msg00025.html\n- https://github.com/advisories/GHSA-xwcq-pm8m-c4vf","created":"2023-10-25T21:15:52.000Z","reported_by":null,"title":"crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard","npm_advisory_id":null,"overview":"### Impact\n#### Summary\nCrypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and [at least 1,300,000 times weaker than current industry standard][OWASP PBKDF2 Cheatsheet]. This is because it both (1) defaults to [SHA1][SHA1 wiki], a cryptographic hash algorithm considered insecure [since at least 2005][Cryptanalysis of SHA-1] and (2) defaults to [one single iteration][one iteration src], a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to [preimage][preimage attack] and [collision][collision attack] attacks.\n\nPotential Impact:\n\n1. 
If used to protect passwords, the impact is high.\n2. If used to generate signatures, the impact is high.\n\nProbability / risk analysis / attack enumeration:\n\n1. [For at most $45,000][SHA1 is a Shambles], an attacker, given control of only the beginning of a crypto-js PBKDF2 input, can create a value which has _identical cryptographic signature_ to any chosen known value.\n4. Due to the [length extension attack] on SHA1, we can create a value that has identical signature to any _unknown_ value, provided it is prefixed by a known value. It does not matter if PBKDF2 applies '[salt][cryptographic salt]' or '[pepper][cryptographic pepper]' or any other secret unknown to the attacker. It will still create an identical signature.\n\nUpdate: PBKDF2 requires a pseudo-random function that takes two inputs, so HMAC-SHA1 is used rather than plain SHA1. HMAC is not affected by [length extension attacks][Length Extension attack]. However, by defaulting to a single PBKDF2 iteration, the hashes do not benefit from the extra computational complexity that PBKDF2 is supposed to provide. 
The resulting hashes therefore have little protection against an offline brute-force attack.\n \n[cryptographic salt]: https://en.wikipedia.org/wiki/Salt_(cryptography) \"Salt (cryptography), Wikipedia\"\n[cryptographic pepper]: https://en.wikipedia.org/wiki/Pepper_(cryptography) \"Pepper (cryptography), Wikipedia\"\n[SHA1 wiki]: https://en.wikipedia.org/wiki/SHA-1 \"SHA-1, Wikipedia\"\n[Cryptanalysis of SHA-1]: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html \"Cryptanalysis of SHA-1\"\n[one iteration src]: https://github.com/brix/crypto-js/blob/1da3dabf93f0a0435c47627d6f171ad25f452012/src/pbkdf2.js#L22-L26 \"crypto-js/src/pbkdf2.js lines 22-26\"\n[collision attack]: https://en.wikipedia.org/wiki/Hash_collision \"Collision Attack, Wikipedia\"\n[preimage attack]: https://en.wikipedia.org/wiki/Preimage_attack \"Preimage Attack, Wikipedia\"\n[SHA1 is a Shambles]: https://eprint.iacr.org/2020/014.pdf \"SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1\nand Application to the PGP Web of Trust, Gaëtan Leurent and Thomas Peyrin\"\n[Length Extension attack]: https://en.wikipedia.org/wiki/Length_extension_attack \"Length extension attack, Wikipedia\"\n\ncrypto-js has 10,642 public users [as displayed on NPM][crypto-js, NPM], today October 11th 2023. 
The number of transient dependents is likely several orders of magnitude higher.\n\nA very rough GitHub search[ shows 432 files][GitHub search: affected files] cross GitHub using PBKDF2 in crypto-js in Typescript or JavaScript, but not specifying any number of iterations.\n\n[OWASP PBKDF2 Cheatsheet]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 \"OWASP PBKDF2 Cheatsheet\"\n[crypto-js, NPM]: https://www.npmjs.com/package/crypto-js \"crypto-js on NPM\"\n[GitHub search: affected files]: https://github.com/search?q=%22crypto-js%22+AND+pbkdf2+AND+%28lang%3AJavaScript+OR+lang%3ATypeScript%29++NOT+%22iterations%22&type=code&p=2 \"GitHub search: crypto-js AND pbkdf2 AND (lang:JavaScript OR lang:TypeScript) NOT iterations\"\n\n#### Affected versions\nAll versions are impacted. This code has been the same since crypto-js was first created.\n\n#### Further Cryptanalysis\n\nThe issue here is especially egregious because the length extension attack makes useless any secret that might be appended to the plaintext before calculating its signature.\n\nConsider a scheme in which a secret is created for a user's username, and that secret is used to protect e.g. their passwords. Let's say that password is 'fake-password', and their username is 'example-username'.\n\nTo encrypt the user password via symmetric encryption we might do `encrypt(plaintext: 'fake-password', encryption_key: cryptojs.pbkdf2(value: 'example username' + salt_or_pepper))`. By this means, we would, in theory, create an `encryption_key` that can be determined from the public username, but which requires the secret `salt_or_pepper` to generate. This is a common scheme for protecting passwords, as exemplified in bcrypt & scrypt. 
Because the encryption key is symmetric, we can use this derived key to also decrypt the ciphertext.\n\nBecause of the length extension issue, if the attacker obtains (via attack 1), a collision with 'example username', the attacker _does not need to know_ `salt_or_pepper` to decrypt their account data, only their public username.\n\n### Description\n\nPBKDF2 is a key-derivation is a key-derivation function that is used for two main purposes: (1) to stretch or squash a variable length password's entropy into a fixed size for consumption by another cryptographic operation and (2) to reduce the chance of downstream operations recovering the password input (for example, for password storage).\n\nUnlike the modern [webcrypto](https://w3c.github.io/webcrypto/#pbkdf2-operations) standard, crypto-js does not throw an error when a number of iterations is not specified, and defaults to one single iteration. In the year 2000, when PBKDF2 was originally specified, the minimum number of iterations suggested was set at 1,000. Today, [OWASP recommends 1,300,000][OWASP PBKDF2 Cheatsheet]:\n\nhttps://github.com/brix/crypto-js/blob/4dcaa7afd08f48cd285463b8f9499cdb242605fa/src/pbkdf2.js#L22-L26\n\n### Patches\nNo available patch. The package is not maintained.\n\n### Workarounds\nConsult the [OWASP PBKDF2 Cheatsheet]. Configure to use SHA256 with at least 250,000 iterations.\n\n### Coordinated disclosure\nThis issue was simultaneously submitted to [crypto-js](https://github.com/brix/crypto-js) and [crypto-es](https://github.com/entronad/crypto-es) on the 23rd of October 2023.\n\n### Caveats\n\nThis issue was found in a security review that was _not_ scoped to crypto-js. 
This report is not an indication that crypto-js has undergone a formal security assessment by the author.\n\n","url":"https://github.com/advisories/GHSA-xwcq-pm8m-c4vf"},"1096460":{"findings":[{"version":"1.1.8","paths":["playwright>fsevents>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>node-gyp>m
ake-fetch-happen>socks-proxy-agent>socks>ip"]}],"metadata":null,"vulnerable_versions":"<=2.0.0","module_name":"ip","severity":"high","github_advisory_id":"GHSA-78xj-cgh5-2h22","cves":["CVE-2023-42282"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-02-12T20:17:09.000Z","recommendation":"None","cwe":[],"found_by":null,"deleted":null,"id":1096460,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-42282\n- https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html\n- https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447\n- https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999\n- https://github.com/advisories/GHSA-78xj-cgh5-2h22","created":"2024-02-08T18:30:39.000Z","reported_by":null,"title":"NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks","npm_advisory_id":null,"overview":"An issue in all published versions of the NPM package `ip` allows an attacker to execute arbitrary code and obtain sensitive information via the `isPublic()` function. This can lead to potential Server-Side Request Forgery (SSRF) attacks. The core issue is the function's failure to accurately distinguish between public and private IP addresses.","url":"https://github.com/advisories/GHSA-78xj-cgh5-2h22"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":17,"high":14,"critical":4},"dependencies":892,"devDependencies":6,"optionalDependencies":0,"totalDependencies":898}} From f31f6fc503c5501a4cb35c76a7b97395800bdb68 Mon Sep 17 00:00:00 2001 
From: Andy Wilkins
Date: Wed, 31 Jul 2024 17:53:48 +0100
Subject: [PATCH 02/37] remove deprecated defineSupportCode
---
 test/e2e/config/crossbrowser.conf.js | 2 +-
 .../acceptTermsAndConditions.steps.js | 46 +-
 .../step_definitions/approveOrg.steps.js | 27 +-
 .../createOrganisation.steps.js | 475 ++++++++--------
 .../step_definitions/dataSetUp.steps.js | 81 ++-
 .../step_definitions/headerPage.steps.js | 13 +-
 .../step_definitions/inviteUser.steps.js | 273 +++++----
 .../step_definitions/loginLogout.steps.js | 365 ++++++------
 .../viewOrganisation.steps.js | 89 ++-
 .../step_definitions/viewUser.steps.js | 65 ++-
 test/e2e/support/hooks.js | 63 +--
 .../acceptTermsAndConditions.steps.js | 47 +-
 .../step_definitions/approveOrg.steps.js | 27 +-
 .../createOrganisation.steps.js | 521 +++++++++---------
 .../step_definitions/dataSetUp.steps.js | 81 ++-
 .../step_definitions/inviteUser.steps.js | 312 +++++------
 .../viewOrganisation.steps.js | 81 +--
 .../step_definitions/viewUser.steps.js | 59 +-
 test_codecept/e2e/support/hooks.js | 62 +--
 19 files changed, 1336 insertions(+), 1353 deletions(-)
diff --git a/test/e2e/config/crossbrowser.conf.js b/test/e2e/config/crossbrowser.conf.js
index 45bdc67a3..e3cc1ab3f 100644
--- a/test/e2e/config/crossbrowser.conf.js
+++ b/test/e2e/config/crossbrowser.conf.js
@@ -3,7 +3,7 @@ const chaiAsPromised = require('chai-as-promised');
 chai.use(chaiAsPromised);
 const minimist = require('minimist');
 const argv = minimist(process.argv.slice(2));
-
+const cucumberPretty = require('cucumber-pretty');
 const config = {
 framework: 'custom',
 frameworkPath: require.resolve('protractor-cucumber-framework'),
diff --git a/test/e2e/features/step_definitions/acceptTermsAndConditions.steps.js b/test/e2e/features/step_definitions/acceptTermsAndConditions.steps.js
index c5f6f2b50..5a4f3a980 100644
--- a/test/e2e/features/step_definitions/acceptTermsAndConditions.steps.js
+++ b/test/e2e/features/step_definitions/acceptTermsAndConditions.steps.js
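Review bot: `cucumberPretty` is bound on the new side of the crossbrowser.conf.js hunk but nothing in the hunk references it, and the commit message (removing the deprecated `defineSupportCode`) does not say why a new module is loaded here. If the rest of the config does not use the binding either, the line only loads `cucumber-pretty` for its side effects at startup and should be dropped; if the formatter is meant to be used, reference it where the cucumber formatter options are set so the dependency is visibly justified. The `config` object this line precedes continues past the end of the hunk.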
@@ -1,3 +1,4 @@
+import { Then, When } from 'cucumber';
 const acceptTermsAndConditionsPage = require('../pageObjects/termsAndConditionsConfirmPage');
 const HeaderPage = require('../pageObjects/headerPage');
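Review bot: The added `import { Then, When } from 'cucumber';` is ES module syntax in a file whose other lines stay CommonJS (`require(...)`); unless these step files are run through a transpiler, Node rejects a bare `import` in a `.js` module, and even when they are transpiled the two module systems mixed in one file read as an inconsistency. The CommonJS form, `const { Then, When } = require('cucumber');`, is a drop-in replacement for the removed `defineSupportCode` require and keeps the file uniform. The same ES `import` line is added at the top of approveOrg.steps.js and createOrganisation.steps.js in this patch, so the same change applies there.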
@@ -5,30 +6,27 @@ const HeaderPage = require('../pageObjects/headerPage');
 const { config } = require('../../config/common.conf');
 const browserWaits = require('../../support/customWaits');
-const { defineSupportCode } = require('cucumber');
-defineSupportCode(function ({ And, But, Given, Then, When }) {
- const headerPage = new HeaderPage();
- Then('I am on Accept Terms and Conditions page', async function () {
- const world = this;
- if (await acceptTermsAndConditionsPage.isFeatureToggleEnabled()){
- await browserWaits.waitForElement(acceptTermsAndConditionsPage.accepttermsAndConditionsContainer);
- expect(await acceptTermsAndConditionsPage.amOnPage()).to.be.true;
- } else {
- world.attach('Accept Terms and Conditions feature disabled in config. ../../config/common.conf.js. Validating Home page displayed');
- await headerPage.waitForPrimaryNavigationToDisplay();
- }
- });
+const headerPage = new HeaderPage();
+Then('I am on Accept Terms and Conditions page', async function () {
+ const world = this;
+ if (await acceptTermsAndConditionsPage.isFeatureToggleEnabled()){
+ await browserWaits.waitForElement(acceptTermsAndConditionsPage.accepttermsAndConditionsContainer);
+ expect(await acceptTermsAndConditionsPage.amOnPage()).to.be.true;
+ } else {
+ world.attach('Accept Terms and Conditions feature disabled in config. ../../config/common.conf.js. Validating Home page displayed');
+ await headerPage.waitForPrimaryNavigationToDisplay();
+ }
+});
- When('I click Confirm in Accept Terms and Conditions page', async function () {
- const world = this;
- if (await acceptTermsAndConditionsPage.isFeatureToggleEnabled()) {
- await browserWaits.waitForElement(acceptTermsAndConditionsPage.accepttermsAndConditionsContainer);
- await acceptTermsAndConditionsPage.acceptTremsAndConditions();
- await headerPage.waitForPrimaryNavigationToDisplay();
- } else {
- world.attach('Accept Terms and Conditions feature disabled in config. 
../../config/common.conf.js.Validating Home page displayed');
- await headerPage.waitForPrimaryNavigationToDisplay();
- }
- });
+When('I click Confirm in Accept Terms and Conditions page', async function () {
+ const world = this;
+ if (await acceptTermsAndConditionsPage.isFeatureToggleEnabled()) {
+ await browserWaits.waitForElement(acceptTermsAndConditionsPage.accepttermsAndConditionsContainer);
+ await acceptTermsAndConditionsPage.acceptTremsAndConditions();
+ await headerPage.waitForPrimaryNavigationToDisplay();
+ } else {
+ world.attach('Accept Terms and Conditions feature disabled in config. ../../config/common.conf.js.Validating Home page displayed');
+ await headerPage.waitForPrimaryNavigationToDisplay();
+ }
 });
diff --git a/test/e2e/features/step_definitions/approveOrg.steps.js b/test/e2e/features/step_definitions/approveOrg.steps.js
index 9f8b4b7ca..132d58e90 100644
--- a/test/e2e/features/step_definitions/approveOrg.steps.js
+++ b/test/e2e/features/step_definitions/approveOrg.steps.js
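Review bot: On the new side the first step's condition, `if (await acceptTermsAndConditionsPage.isFeatureToggleEnabled()){`, has no space before the brace while the second step's identical condition does; since the commit already rewrites every one of these lines to drop the callback indentation, this is the moment to make them match, `if (await acceptTermsAndConditionsPage.isFeatureToggleEnabled()) {`. The second step's attach text `common.conf.js.Validating` is likewise missing the space that the first step's message has, and that text is what shows up in the test report. Both step bodies are otherwise carried over verbatim from the removed `defineSupportCode` callback.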
@@ -1,24 +1,21 @@ +import { When } from 'cucumber'; const approveOrganizationService = require('../pageObjects/approveOrganizationService'); const mailinatorService = require('../pageObjects/mailinatorService'); -const { defineSupportCode } = require('cucumber'); +When('I approve organisation', { timeout: 300*1000 }, async function () { + await approveOrganizationService.init(); + await approveOrganizationService.approveOrg(global.latestOrgCreated); + await approveOrganizationService.destroy(); +},); -defineSupportCode(function ({ And, But, Given, Then, When }) { - When('I approve organisation', { timeout: 300*1000 }, async function () { - await approveOrganizationService.init(); - await approveOrganizationService.approveOrg(global.latestOrgCreated); - await approveOrganizationService.destroy(); - },); - - When('I activate approved organisation super user', { timeout: 600 * 1000 }, async function () { - await mailinatorService.init(); - mailinatorService.setLogger((message, isScreenshot) => logger(this, message, isScreenshot)); - await mailinatorService.openRegistrationEmailForUser(global.latestOrgSuperUser); - await mailinatorService.completeUserRegistrationFromEmail(); - await mailinatorService.destroy(); - }); +When('I activate approved organisation super user', { timeout: 600 * 1000 }, async function () { + await mailinatorService.init(); + mailinatorService.setLogger((message, isScreenshot) => logger(this, message, isScreenshot)); + await mailinatorService.openRegistrationEmailForUser(global.latestOrgSuperUser); + await mailinatorService.completeUserRegistrationFromEmail(); + await mailinatorService.destroy(); }); function logger(world, message, isScreenshot) { diff --git a/test/e2e/features/step_definitions/createOrganisation.steps.js b/test/e2e/features/step_definitions/createOrganisation.steps.js index d453ea1ea..377746492 100644 --- a/test/e2e/features/step_definitions/createOrganisation.steps.js 
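Review bot: `approveOrganizationService.destroy()` in the 'I approve organisation' step is only reached when `approveOrg()` succeeds, so a failing approval leaks whatever `init()` acquired (presumably a browser session) for the rest of the run; move the teardown into a `finally`, and do the same for `mailinatorService.destroy()` in the activation step. The stray trailing comma in `},);` should also go, for consistency with the other step files. Mixing `import { When } from 'cucumber'` with `require(...)` in one file relies on the test transpiler accepting both module forms — it appears to be the pattern across these files, so presumably already configured, but worth confirming. `logger` is defined after this hunk, so its behaviour is not visible here.
```javascript
When('I approve organisation', { timeout: 300*1000 }, async function () {
  await approveOrganizationService.init();
  try {
    await approveOrganizationService.approveOrg(global.latestOrgCreated);
  } finally {
    await approveOrganizationService.destroy();
  }
});
// … unchanged: 'I activate approved organisation super user' step (apply the same try/finally around mailinatorService) …
```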
+++ b/test/e2e/features/step_definitions/createOrganisation.steps.js @@ -1,7 +1,8 @@ 'use strict'; +import { Then, When } from 'cucumber'; const CreateOrganisationObjects = require('../pageObjects/createOrganisationObjects'); -const { defineSupportCode } = require('cucumber'); + const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../support/constants'); const { config } = require('../../config/common.conf.js'); const approveOrganizationService = require('../pageObjects/approveOrganizationService'); 
@@ -16,279 +17,277 @@ async function waitForElement(el) { }, 600000); } -defineSupportCode(function ({ Given, When, Then }) { - const createOrganisationObject = new CreateOrganisationObjects(); +const createOrganisationObject = new CreateOrganisationObjects(); - When(/^I navigate to EUI Manage Organisation Url$/, async function () { - await browser.driver.manage().deleteAllCookies(); - await browser.get(config.config.baseUrl + '/register-org/register'); - browser.sleep(MID_DELAY); - }); +When(/^I navigate to EUI Manage Organisation Url$/, async function () { + await browser.driver.manage().deleteAllCookies(); + await browser.get(config.config.baseUrl + '/register-org/register'); + browser.sleep(MID_DELAY); +}); - When(/^I navigate to EUI Register Organisation Url$/, async function () { - await browser.driver.manage().deleteAllCookies(); - await browser.get(config.config.baseUrl + '/register-org/register'); - browser.sleep(MID_DELAY); - }); +When(/^I navigate to EUI Register Organisation Url$/, async function () { + await browser.driver.manage().deleteAllCookies(); + await browser.get(config.config.baseUrl + '/register-org/register'); + browser.sleep(MID_DELAY); +}); - Then('I am on Register organisation start page', async function () { - await createOrganisationObject.waitForStartRegisterPage(); - await expect(createOrganisationObject.start_button.isDisplayed(), 'Create Organisation START button not present').to.eventually.be.true; - await expect(createOrganisationObject.start_button.getText(), 'Start button text not mathing with expected') - .to - .eventually - .equal('Start'); - }); +Then('I am on Register organisation start page', async function () { + await createOrganisationObject.waitForStartRegisterPage(); + await expect(createOrganisationObject.start_button.isDisplayed(), 'Create Organisation START button not present').to.eventually.be.true; + await expect(createOrganisationObject.start_button.getText(), 'Start button text not mathing with expected') + .to 
+ .eventually + .equal('Start'); +}); - Then(/^I land on register organisation page and continue$/, { timeout: 600 * 1000 }, async function () { - // await waitForElement('govuk-heading-xl'); +Then(/^I land on register organisation page and continue$/, { timeout: 600 * 1000 }, async function () { + // await waitForElement('govuk-heading-xl'); - await BrowserWaits.retryWithActionCallback(async () => { + await BrowserWaits.retryWithActionCallback(async () => { + browser.sleep(LONG_DELAY); + try { browser.sleep(LONG_DELAY); - try { - browser.sleep(LONG_DELAY); - - await BrowserWaits.retryWithActionCallback(async () => { - await BrowserWaits.waitForElement($('.govuk-heading-xl')); - }); - - await waitForElement('govuk-heading-xl', LONG_DELAY); - await expect(createOrganisationObject.start_button.isDisplayed(), 'Create Organisation START button not present').to.eventually.be.true; - await expect(createOrganisationObject.start_button.getText()) - .to - .eventually - .equal('Start'); - await createOrganisationObject.start_button.click(); - } catch (err){ - await browser.get(config.config.baseUrl + '/register-org/register'); - throw new Error(err); - } - }); - }); - Then(/^I Enter the Organization name$/, { timeout: 600 * 1000 }, async function () { - // await waitForElement('govuk-heading-xl'); - await expect(createOrganisationObject.org_name.isDisplayed(), 'Input Organisation name nor present').to.eventually.be.true; - await createOrganisationObject.enterOrgName(); - await createOrganisationObject.continue_button.click(); - // browser.sleep(MID_DELAY); + await BrowserWaits.retryWithActionCallback(async () => { + await BrowserWaits.waitForElement($('.govuk-heading-xl')); + }); + + await waitForElement('govuk-heading-xl', LONG_DELAY); + await expect(createOrganisationObject.start_button.isDisplayed(), 'Create Organisation START button not present').to.eventually.be.true; + await expect(createOrganisationObject.start_button.getText()) + .to + .eventually + .equal('Start'); 
+ await createOrganisationObject.start_button.click(); + } catch (err){ + await browser.get(config.config.baseUrl + '/register-org/register'); + throw new Error(err); + } }); +}); - Then(/^I Enter the Office Address details$/, { timeout: 600 * 1000 }, async function () { - // await waitForElement(createOrganisationObject.officeAddressOne); - await expect(createOrganisationObject.officeAddressOne.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.officeAddressOne.sendKeys('1, Cliffinton'); - // browser.sleep(MID_DELAY); - await expect(createOrganisationObject.townName.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.townName.sendKeys('London'); - await expect(createOrganisationObject.postcode.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.postcode.sendKeys('SE15TY'); - await createOrganisationObject.continue_button.click(); - // browser.sleep(MID_DELAY); - }); +Then(/^I Enter the Organization name$/, { timeout: 600 * 1000 }, async function () { + // await waitForElement('govuk-heading-xl'); + await expect(createOrganisationObject.org_name.isDisplayed(), 'Input Organisation name nor present').to.eventually.be.true; + await createOrganisationObject.enterOrgName(); + await createOrganisationObject.continue_button.click(); + // browser.sleep(MID_DELAY); +}); - Then(/^I Enter the PBA1 and PBA2 details$/, async function () { - // await waitForElement('govuk-heading-xl'); - browser.sleep(MID_DELAY); - await createOrganisationObject.PBAnumber1.isDisplayed(); - await createOrganisationObject.enterPBANumber(); - // await createOrganisationObject.PBAnumber2.isDisplayed(); - // await createOrganisationObject.enterPBA2Number(); - await createOrganisationObject.continue_button.click(); - browser.sleep(MID_DELAY); - }); +Then(/^I Enter the Office Address details$/, { timeout: 600 * 1000 }, async function () { + // await waitForElement(createOrganisationObject.officeAddressOne); + await 
expect(createOrganisationObject.officeAddressOne.isDisplayed()).to.eventually.be.true; + await createOrganisationObject.officeAddressOne.sendKeys('1, Cliffinton'); + // browser.sleep(MID_DELAY); + await expect(createOrganisationObject.townName.isDisplayed()).to.eventually.be.true; + await createOrganisationObject.townName.sendKeys('London'); + await expect(createOrganisationObject.postcode.isDisplayed()).to.eventually.be.true; + await createOrganisationObject.postcode.sendKeys('SE15TY'); + await createOrganisationObject.continue_button.click(); + // browser.sleep(MID_DELAY); +}); - Then(/^I Enter the DX Reference details$/, { timeout: 600 * 1000 }, async function () { - await createOrganisationObject.clickDXreferenceCheck(); - browser.sleep(MID_DELAY); - await createOrganisationObject.DXNumber.isDisplayed(); - await createOrganisationObject.enterDXNumber(); - await createOrganisationObject.DXexchange.isDisplayed(); - await createOrganisationObject.enterDXENumber(); - await createOrganisationObject.continue_button.click(); - // browser.sleep(MID_DELAY); - }); +Then(/^I Enter the PBA1 and PBA2 details$/, async function () { + // await waitForElement('govuk-heading-xl'); + browser.sleep(MID_DELAY); + await createOrganisationObject.PBAnumber1.isDisplayed(); + await createOrganisationObject.enterPBANumber(); + // await createOrganisationObject.PBAnumber2.isDisplayed(); + // await createOrganisationObject.enterPBA2Number(); + await createOrganisationObject.continue_button.click(); + browser.sleep(MID_DELAY); +}); - Then(/^I Select and Enter the SRA number$/, { timeout: 600 * 1000 }, async function () { - // await waitForElement('govuk-heading-xl'); - //await expect(createOrganisationObject.SRACheckBox.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.clickSRAreferenceCheck(); - // browser.sleep(MID_DELAY); - // await waitForElement('govuk-heading-xl'); - await expect(createOrganisationObject.SRANumber.isDisplayed()).to.eventually.be.true; - await 
createOrganisationObject.enterSRANumber(); - await createOrganisationObject.continue_button.click(); - // browser.sleep(MID_DELAY); - }); +Then(/^I Enter the DX Reference details$/, { timeout: 600 * 1000 }, async function () { + await createOrganisationObject.clickDXreferenceCheck(); + browser.sleep(MID_DELAY); + await createOrganisationObject.DXNumber.isDisplayed(); + await createOrganisationObject.enterDXNumber(); + await createOrganisationObject.DXexchange.isDisplayed(); + await createOrganisationObject.enterDXENumber(); + await createOrganisationObject.continue_button.click(); + // browser.sleep(MID_DELAY); +}); - Then(/^I Enter the firstName and lastName$/, { timeout: 600 * 1000 }, async function () { - await waitForElement('govuk-heading-xl'); - expect(createOrganisationObject.firstName.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.firstName.sendKeys('Mario'); - expect(createOrganisationObject.lastName.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.lastName.sendKeys('Perta'); - await createOrganisationObject.continue_button.click(); - // browser.sleep(MID_DELAY); - }); +Then(/^I Select and Enter the SRA number$/, { timeout: 600 * 1000 }, async function () { + // await waitForElement('govuk-heading-xl'); + //await expect(createOrganisationObject.SRACheckBox.isDisplayed()).to.eventually.be.true; + await createOrganisationObject.clickSRAreferenceCheck(); + // browser.sleep(MID_DELAY); + // await waitForElement('govuk-heading-xl'); + await expect(createOrganisationObject.SRANumber.isDisplayed()).to.eventually.be.true; + await createOrganisationObject.enterSRANumber(); + await createOrganisationObject.continue_button.click(); + // browser.sleep(MID_DELAY); +}); - Then(/^I Enter the Email Address$/, { timeout: 600 * 1000 }, async function () { - // await waitForElement('govuk-heading-xl'); - await expect(createOrganisationObject.emailAddr.isDisplayed()).to.eventually.be.true; +Then(/^I Enter the firstName and 
lastName$/, { timeout: 600 * 1000 }, async function () { + await waitForElement('govuk-heading-xl'); + expect(createOrganisationObject.firstName.isDisplayed()).to.eventually.be.true; + await createOrganisationObject.firstName.sendKeys('Mario'); + expect(createOrganisationObject.lastName.isDisplayed()).to.eventually.be.true; + await createOrganisationObject.lastName.sendKeys('Perta'); + await createOrganisationObject.continue_button.click(); + // browser.sleep(MID_DELAY); +}); - global.latestOrgSuperUser = Math.random().toString(36).substring(2) + '@mailinator.com'; - global.latestOrgSuperUserPassword = 'Monday01'; +Then(/^I Enter the Email Address$/, { timeout: 600 * 1000 }, async function () { + // await waitForElement('govuk-heading-xl'); + await expect(createOrganisationObject.emailAddr.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.enterEmailAddress(global.latestOrgSuperUser); - await createOrganisationObject.continue_button.click(); + global.latestOrgSuperUser = Math.random().toString(36).substring(2) + '@mailinator.com'; + global.latestOrgSuperUserPassword = 'Monday01'; - // browser.sleep(MID_DELAY); - }); + await createOrganisationObject.enterEmailAddress(global.latestOrgSuperUser); + await createOrganisationObject.continue_button.click(); - Then(/^I land on the summary page and check submit$/, async function () { - // browser.sleep(MID_DELAY); - // await waitForElement('govuk-heading-l'); + // browser.sleep(MID_DELAY); +}); - await expect(createOrganisationObject.submit_button.isDisplayed()).to.eventually.be.true; - await expect(createOrganisationObject.submit_button.getText()) - .to - .eventually - .equal('Confirm and submit details'); - await createOrganisationObject.submit_button.click(); - }); +Then(/^I land on the summary page and check submit$/, async function () { + // browser.sleep(MID_DELAY); + // await waitForElement('govuk-heading-l'); - Then(/^I created the organisation successfully$/, async function () { - // 
browser.sleep(MID_DELAY); - createOrganisationObject.waitForSubmission(); - await expect(createOrganisationObject.org_success_heading.isDisplayed()).to.eventually.be.true; - await expect(createOrganisationObject.org_success_heading.getText()) - .to - .eventually - .equal('Registration details submitted'); - }); + await expect(createOrganisationObject.submit_button.isDisplayed()).to.eventually.be.true; + await expect(createOrganisationObject.submit_button.getText()) + .to + .eventually + .equal('Confirm and submit details'); + await createOrganisationObject.submit_button.click(); +}); - When(/^I am not entered Organization name$/, async function () { - createOrganisationObject.org_name.sendKeys(); - await createOrganisationObject.continue_button.click(); - browser.sleep(MID_DELAY); - }); +Then(/^I created the organisation successfully$/, async function () { + // browser.sleep(MID_DELAY); + createOrganisationObject.waitForSubmission(); + await expect(createOrganisationObject.org_success_heading.isDisplayed()).to.eventually.be.true; + await expect(createOrganisationObject.org_success_heading.getText()) + .to + .eventually + .equal('Registration details submitted'); +}); - Then(/^I should be display organization error$/, async function () { - await expect(createOrganisationObject.org_failure_error_heading.isDisplayed()).to.eventually.be.true; - await expect(createOrganisationObject.org_failure_error_heading.getText()) - .to - .eventually - .equal('There is a problem'); - }); +When(/^I am not entered Organization name$/, async function () { + createOrganisationObject.org_name.sendKeys(); + await createOrganisationObject.continue_button.click(); + browser.sleep(MID_DELAY); +}); - When(/^I am not entered the Office Address details$/, async function () { - await createOrganisationObject.officeAddressOne.sendKeys(); - await createOrganisationObject.townName.sendKeys(); - await createOrganisationObject.postcode.sendKeys(); - await 
createOrganisationObject.continue_button.click(); - // browser.sleep(LONG_DELAY); - }); - Then(/^I should be display Office Address error$/, async function () { - await expect(createOrganisationObject.off_address_error_heading.isDisplayed()).to.eventually.be.true; - await expect(createOrganisationObject.off_address_error_heading.getText()) - .to - .eventually - .equal('There is a problem'); - }); +Then(/^I should be display organization error$/, async function () { + await expect(createOrganisationObject.org_failure_error_heading.isDisplayed()).to.eventually.be.true; + await expect(createOrganisationObject.org_failure_error_heading.getText()) + .to + .eventually + .equal('There is a problem'); +}); - When(/^I am not entered SRA number$/, async function () { - await createOrganisationObject.clickSRAreferenceCheck(); - await createOrganisationObject.waitForPage('Enter your organisation SRA ID'); - await createOrganisationObject.SRANumber.sendKeys(); - await createOrganisationObject.continue_button.click(); - // browser.sleep(MID_DELAY); - }); +When(/^I am not entered the Office Address details$/, async function () { + await createOrganisationObject.officeAddressOne.sendKeys(); + await createOrganisationObject.townName.sendKeys(); + await createOrganisationObject.postcode.sendKeys(); + await createOrganisationObject.continue_button.click(); + // browser.sleep(LONG_DELAY); +}); +Then(/^I should be display Office Address error$/, async function () { + await expect(createOrganisationObject.off_address_error_heading.isDisplayed()).to.eventually.be.true; + await expect(createOrganisationObject.off_address_error_heading.getText()) + .to + .eventually + .equal('There is a problem'); +}); - Then(/^I should be display SRA error$/, async function () { - await createOrganisationObject.waitForPage('Enter your organisation SRA ID'); - await expect(createOrganisationObject.sra_error_heading.getText()) - .to - .eventually - .equal('There is a problem'); - }); +When(/^I am not 
entered SRA number$/, async function () { + await createOrganisationObject.clickSRAreferenceCheck(); + await createOrganisationObject.waitForPage('Enter your organisation SRA ID'); + await createOrganisationObject.SRANumber.sendKeys(); + await createOrganisationObject.continue_button.click(); + // browser.sleep(MID_DELAY); +}); - When(/^I am not entered the email address$/, async function () { - await expect(createOrganisationObject.emailAddr.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.emailAddr.sendKeys(); - await createOrganisationObject.continue_button.click(); - // browser.sleep(MID_DELAY); - }); +Then(/^I should be display SRA error$/, async function () { + await createOrganisationObject.waitForPage('Enter your organisation SRA ID'); + await expect(createOrganisationObject.sra_error_heading.getText()) + .to + .eventually + .equal('There is a problem'); +}); - Then(/^I should be display email error$/, async function () { - await expect(createOrganisationObject.email_error_heading.isDisplayed()).to.eventually.be.true; - await expect(createOrganisationObject.email_error_heading.getText()) - .to - .eventually - .equal('There is a problem'); - }); +When(/^I am not entered the email address$/, async function () { + await expect(createOrganisationObject.emailAddr.isDisplayed()).to.eventually.be.true; + await createOrganisationObject.emailAddr.sendKeys(); + await createOrganisationObject.continue_button.click(); + // browser.sleep(MID_DELAY); +}); - When(/^I Enter the invalid PBA1 and PBA2 details$/, async function () { - await expect(createOrganisationObject.PBAnumber1.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.PBAnumber1.sendKeys(1234455558); - // await createOrganisationObject.PBAnumber2.sendKeys(1233334988); - await createOrganisationObject.continue_button.click(); - // browser.sleep(LONG_DELAY); - }); +Then(/^I should be display email error$/, async function () { + await 
expect(createOrganisationObject.email_error_heading.isDisplayed()).to.eventually.be.true; + await expect(createOrganisationObject.email_error_heading.getText()) + .to + .eventually + .equal('There is a problem'); +}); - Then(/^I should be display PBA error$/, async function () { - await expect(createOrganisationObject.pba_error_heading.isDisplayed()).to.eventually.be.true; - await expect(createOrganisationObject.pba_error_heading.getText()) - .to - .eventually - .equal('There is a problem'); - }); +When(/^I Enter the invalid PBA1 and PBA2 details$/, async function () { + await expect(createOrganisationObject.PBAnumber1.isDisplayed()).to.eventually.be.true; + await createOrganisationObject.PBAnumber1.sendKeys(1234455558); + // await createOrganisationObject.PBAnumber2.sendKeys(1233334988); + await createOrganisationObject.continue_button.click(); + // browser.sleep(LONG_DELAY); +}); - When(/^I am not entered the firstName and lastName$/, async function () { - await expect(createOrganisationObject.firstName.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.firstName.sendKeys(); - await createOrganisationObject.lastName.sendKeys(); - await createOrganisationObject.continue_button.click(); - // browser.sleep(MID_DELAY); - }); +Then(/^I should be display PBA error$/, async function () { + await expect(createOrganisationObject.pba_error_heading.isDisplayed()).to.eventually.be.true; + await expect(createOrganisationObject.pba_error_heading.getText()) + .to + .eventually + .equal('There is a problem'); +}); - Then(/^I should be display firstName and lastName error$/, async function () { - await expect(createOrganisationObject.name_error_heading.isDisplayed()).to.eventually.be.true; - await expect(createOrganisationObject.name_error_heading.getText()) - .to - .eventually - .equal('There is a problem'); - }); +When(/^I am not entered the firstName and lastName$/, async function () { + await 
expect(createOrganisationObject.firstName.isDisplayed()).to.eventually.be.true; + await createOrganisationObject.firstName.sendKeys(); + await createOrganisationObject.lastName.sendKeys(); + await createOrganisationObject.continue_button.click(); + // browser.sleep(MID_DELAY); +}); - When('I am on page {string} in registration step', async function (page) { - await createOrganisationObject.waitForPage(page); - }); +Then(/^I should be display firstName and lastName error$/, async function () { + await expect(createOrganisationObject.name_error_heading.isDisplayed()).to.eventually.be.true; + await expect(createOrganisationObject.name_error_heading.getText()) + .to + .eventually + .equal('There is a problem'); +}); - Then('I see content header already registered account', function () { - expect(createOrganisationObject.getAlreadyRegisteredAccountHeaderText()).to - .eventually. - equal('Already registered for a MyHMCTS account?'); - }); +When('I am on page {string} in registration step', async function (page) { + await createOrganisationObject.waitForPage(page); +}); - Then('I see manage cases link under already registered account header', function () { - expect(createOrganisationObject.isManageCasesLinkPresent()).to - .eventually. - be.true; - }); +Then('I see content header already registered account', function () { + expect(createOrganisationObject.getAlreadyRegisteredAccountHeaderText()).to + .eventually. + equal('Already registered for a MyHMCTS account?'); +}); - Then('I see manage org link under already registered account header', function () { - expect(createOrganisationObject.isManageOrgLinkPresent()).to - .eventually. - be.true; - }); +Then('I see manage cases link under already registered account header', function () { + expect(createOrganisationObject.isManageCasesLinkPresent()).to + .eventually. 
+ be.true; +}); - Then('I click and validate MC link opens in new tab', async function () { - await createOrganisationObject.clickAndValidateMCLink(); - }); +Then('I see manage org link under already registered account header', function () { + expect(createOrganisationObject.isManageOrgLinkPresent()).to + .eventually. + be.true; +}); - Then('I click and validate MO link opens in new tab', async function () { - await createOrganisationObject.clickAndValidateMOLink(); - }); +Then('I click and validate MC link opens in new tab', async function () { + await createOrganisationObject.clickAndValidateMCLink(); +}); - When('I click back link in register org workflow', async function () { - await createOrganisationObject.clickBackLink(); - }); +Then('I click and validate MO link opens in new tab', async function () { + await createOrganisationObject.clickAndValidateMOLink(); +}); + +When('I click back link in register org workflow', async function () { + await createOrganisationObject.clickBackLink(); }); diff --git a/test/e2e/features/step_definitions/dataSetUp.steps.js b/test/e2e/features/step_definitions/dataSetUp.steps.js index b462a9bed..52f8f393a 100644 --- a/test/e2e/features/step_definitions/dataSetUp.steps.js +++ b/test/e2e/features/step_definitions/dataSetUp.steps.js @@ -1,7 +1,8 @@ 'use strict'; +import { When } from 'cucumber'; + const CreateOrganisationObjects = require('../pageObjects/createOrganisationObjects'); -const { defineSupportCode } = require('cucumber'); const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../support/constants'); const { config } = require('../../config/common.conf.js'); const approveOrganizationService = require('../pageObjects/approveOrganizationService'); 
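Review bot: The 'I Enter the Email Address' step hard-codes `global.latestOrgSuperUserPassword = 'Monday01'` and registers the super user at a public `@mailinator.com` inbox, so every organisation this suite creates ends up with a super-user account whose activation email and password are readable by anyone — tolerable only against a throwaway environment, and even then the password belongs in config/env (e.g. `global.latestOrgSuperUserPassword = config.config.testUserPassword;`) rather than in the repository. Several `await`s are also missing on the new side: `createOrganisationObject.waitForSubmission();` in 'I created the organisation successfully' and the two `expect(...).to.eventually.be.true` calls in 'I Enter the firstName and lastName' are fire-and-forget, so their failures surface as unhandled rejections instead of step failures. In the retry callback of 'I land on register organisation page and continue', `throw new Error(err)` stringifies the caught error and discards its stack; `throw err;` keeps the original. `waitForElement` and `BrowserWaits` are defined outside this hunk, so their timeout behaviour is not visible here.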
@@ -9,51 +10,49 @@ const mailinatorService = require('../pageObjects/mailinatorService'); const EC = protractor.ExpectedConditions; -defineSupportCode(function ({ Given, When, Then }) { - const createOrganisationObject = new CreateOrganisationObjects(); +const createOrganisationObject = new CreateOrganisationObjects(); - Given('I create test read write organisation', async function () { - if (global.testorgStatus >= 1){ - return; - } - global.TestOrg_rw_name = 'AUTOTEST_RW_' + Date.now(); - global.testorg_rw_superuser_email = 'autotest_user' + Date.now() + '@mailinator.com'; +Given('I create test read write organisation', async function () { + if (global.testorgStatus >= 1){ + return; + } + global.TestOrg_rw_name = 'AUTOTEST_RW_' + Date.now(); + global.testorg_rw_superuser_email = 'autotest_user' + Date.now() + '@mailinator.com'; - await browser.get(config.config.baseUrl + '/register-org/register'); - await createOrganisationObject.createOrganisation(global.TestOrg_rw_name, global.testorg_rw_superuser_email); + await browser.get(config.config.baseUrl + '/register-org/register'); + await createOrganisationObject.createOrganisation(global.TestOrg_rw_name, global.testorg_rw_superuser_email); - global.testorgStatus = '1'; - }); + global.testorgStatus = '1'; +}); - Given('I approve test read write organisation', { timeout: 300 * 1000 }, async function () { - if (global.testorgStatus >= 2) { - return; - } - await approveOrganizationService.init(); - try { - await approveOrganizationService.approveOrg(global.TestOrg_rw_name); - global.testorgStatus = '2'; - await approveOrganizationService.destroy(); - } catch (err){ - this.attach('Error occured Approving organisation'); - await approveOrganizationService.destroy(); - logger(this, await approveOrganizationService.getScrenshot(), true); - await approveOrganizationService.destroy(); - throw err; - } - }); +Given('I approve test read write organisation', { timeout: 300 * 1000 }, async function () { + if (global.testorgStatus 
>= 2) { + return; + } + await approveOrganizationService.init(); + try { + await approveOrganizationService.approveOrg(global.TestOrg_rw_name); + global.testorgStatus = '2'; + await approveOrganizationService.destroy(); + } catch (err){ + this.attach('Error occured Approving organisation'); + await approveOrganizationService.destroy(); + logger(this, await approveOrganizationService.getScrenshot(), true); + await approveOrganizationService.destroy(); + throw err; + } +}); - When('I activate test read write approved organisation super user', { timeout: 300 * 1000 }, async function () { - if (global.testorgStatus >= 3) { - return; - } - await mailinatorService.init(); - mailinatorService.setLogger((message, isScreenshot) => logger(this, message, isScreenshot)); - await mailinatorService.openRegistrationEmailForUser(global.testorg_rw_superuser_email); - await mailinatorService.completeUserRegistrationFromEmail(); - await mailinatorService.destroy(); - global.testorgStatus = '3'; - }); +When('I activate test read write approved organisation super user', { timeout: 300 * 1000 }, async function () { + if (global.testorgStatus >= 3) { + return; + } + await mailinatorService.init(); + mailinatorService.setLogger((message, isScreenshot) => logger(this, message, isScreenshot)); + await mailinatorService.openRegistrationEmailForUser(global.testorg_rw_superuser_email); + await mailinatorService.completeUserRegistrationFromEmail(); + await mailinatorService.destroy(); + global.testorgStatus = '3'; }); function logger(world, message, isScreenshot) { diff --git a/test/e2e/features/step_definitions/headerPage.steps.js b/test/e2e/features/step_definitions/headerPage.steps.js index 1c8b0e39e..680bf14ef 100644 --- a/test/e2e/features/step_definitions/headerPage.steps.js +++ b/test/e2e/features/step_definitions/headerPage.steps.js 
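Review bot: In the catch block of 'I approve test read write organisation', `approveOrganizationService.destroy()` runs before `getScrenshot()` and then again afterwards, so the diagnostic screenshot is taken from an already torn-down service (likely failing and masking the original error) and the service is destroyed twice; take the screenshot first and release the service exactly once in a `finally`. `global.testorgStatus` is assigned string literals (`'1'`, `'2'`, `'3'`) yet compared with `>= 1`/`>= 2`/`>= 3`, which only works through implicit coercion — prefer numeric literals in all three assignments. The `Date.now()`-based `@mailinator.com` super-user address is a public inbox, so the registration link is readable by anyone; acceptable only for a disposable environment. `logger` is defined after this hunk and is not visible here.
```javascript
Given('I approve test read write organisation', { timeout: 300 * 1000 }, async function () {
  if (global.testorgStatus >= 2) {
    return;
  }
  await approveOrganizationService.init();
  try {
    await approveOrganizationService.approveOrg(global.TestOrg_rw_name);
    global.testorgStatus = 2;
  } catch (err) {
    this.attach('Error occured Approving organisation');
    logger(this, await approveOrganizationService.getScrenshot(), true);
    throw err;
  } finally {
    await approveOrganizationService.destroy();
  }
});
```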
@@ -1,4 +1,6 @@ +import { Then } from 'cucumber' + const HeaderPage = require('../pageObjects/headerPage'); const ViewUserPage = require('../pageObjects/viewUserPage.js'); const InviteUserPage = require('../pageObjects/inviteUserPage.js'); @@ -12,7 +14,6 @@ const EC = protractor.ExpectedConditions; const mailinatorService = require('../pageObjects/mailinatorService'); -const { defineSupportCode } = require('cucumber'); async function waitForElement(el) { await browser.wait((result) => { @@ -20,11 +21,9 @@ async function waitForElement(el) { }, 600000); } -defineSupportCode(function ({ And, But, Given, Then, When }) { - const headerPage = new HeaderPage(); +const headerPage = new HeaderPage(); - Then('I should see navigation tab in header', async function (dataTable) { - await headerPage.waitForPrimaryNavigationToDisplay(); - await headerPage.validateNavigationTabDisplayed(dataTable); - }); +Then('I should see navigation tab in header', async function (dataTable) { + await headerPage.waitForPrimaryNavigationToDisplay(); + await headerPage.validateNavigationTabDisplayed(dataTable); }); diff --git a/test/e2e/features/step_definitions/inviteUser.steps.js b/test/e2e/features/step_definitions/inviteUser.steps.js index c45a0626d..350ea0aac 100644 --- a/test/e2e/features/step_definitions/inviteUser.steps.js +++ b/test/e2e/features/step_definitions/inviteUser.steps.js @@ -1,3 +1,5 @@ +import { Then, When } from 'cucumber'; + const loginPage = require('../pageObjects/loginLogoutObjects'); const HeaderPage = require('../pageObjects/headerPage'); const ViewUserPage = require('../pageObjects/viewUserPage.js'); 
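Review bot: `import { Then } from 'cucumber'` in the first headerPage.steps.js hunk is missing its semicolon, unlike the equivalent imports added to the other step files in this commit (`import { When } from 'cucumber';`); add it for consistency with the file's otherwise semicolon-terminated style. Combining an ES `import` with `require()` in the same file also depends on the test transpiler accepting both module forms — this appears to be the pattern across the step files, so presumably it is already configured, but it is worth confirming rather than assuming.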
@@ -5,8 +7,8 @@ const InviteUserPage = require('../pageObjects/inviteUserPage.js'); const TestData = require('../../utils/TestData.js'); const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../support/constants'); -Dropdown = require('../pageObjects/webdriver-components/dropdown.js'); -TextField = require('../pageObjects/webdriver-components/textField.js'); +const Dropdown = require('../pageObjects/webdriver-components/dropdown.js'); +const TextField = require('../pageObjects/webdriver-components/textField.js'); const { config } = require('../../config/common.conf.js'); const EC = protractor.ExpectedConditions; @@ -14,7 +16,6 @@ const mailinatorService = require('../pageObjects/mailinatorService'); const browserWaits = require('../../support/customWaits'); const CucumberReportLogger = require('../../support/reportLogger'); -const { defineSupportCode } = require('cucumber'); const cucumberHtmlReporter = require('cucumber-html-reporter'); const { Error } = require('globalthis/implementation'); 
@@ -24,161 +25,159 @@ async function waitForElement(el) { }, 600000); } -defineSupportCode(function ({ And, But, Given, Then, When }) { - const inviteUserPage=new InviteUserPage(); - const viewUserPage=new ViewUserPage(); - const headerPage = new HeaderPage(); +const inviteUserPage=new InviteUserPage(); +const viewUserPage=new ViewUserPage(); +const headerPage = new HeaderPage(); - const invitedUserEmail = ''; +const invitedUserEmail = ''; - When(/^I click on invite user button$/, async function () { - await viewUserPage.clickInviteUser(); - // browser.sleep(LONG_DELAY); - }); +When(/^I click on invite user button$/, async function () { + await viewUserPage.clickInviteUser(); + // browser.sleep(LONG_DELAY); +}); - When(/^I navigate to invite user page$/, async function () { - const inviteUserPath = config.config.baseUrl.endsWith('/') ? 'users/invite-user' : '/users/invite-user'; - await browser.driver.get(config.config.baseUrl + inviteUserPath); - await inviteUserPage.waitForPage(); - }); +When(/^I navigate to invite user page$/, async function () { + const inviteUserPath = config.config.baseUrl.endsWith('/') ? 
'users/invite-user' : '/users/invite-user'; + await browser.driver.get(config.config.baseUrl + inviteUserPath); + await inviteUserPage.waitForPage(); +}); - Then(/^I should be on display invite user page$/, async function () { - // browser.sleep(AMAZING_DELAY);; - await inviteUserPage.waitForPage(); - expect(await inviteUserPage.amOnPage(), 'Invite User page is not displayed').to.be.true; - }); +Then(/^I should be on display invite user page$/, async function () { + // browser.sleep(AMAZING_DELAY);; + await inviteUserPage.waitForPage(); + expect(await inviteUserPage.amOnPage(), 'Invite User page is not displayed').to.be.true; +}); - When(/^I enter mandatory fields firstname,lastname,emailaddress,permissions and click on send invitation button$/, async function () { - await inviteUserPage.waitForPage(); - await inviteUserPage.enterIntoTextFieldFirstName(TestData.firstName); - await inviteUserPage.enterIntoTextFieldLastName(TestData.lastName); +When(/^I enter mandatory fields firstname,lastname,emailaddress,permissions and click on send invitation button$/, async function () { + await inviteUserPage.waitForPage(); + await inviteUserPage.enterIntoTextFieldFirstName(TestData.firstName); + await inviteUserPage.enterIntoTextFieldLastName(TestData.lastName); - // var emailAddress =Math.random().toString(36).substring(2); - global.latestInvitedUser = Math.random().toString(36).substring(2)+'@mailinator.com'; - global.latestInvitedUserPassword = 'Monday01'; + // var emailAddress =Math.random().toString(36).substring(2); + global.latestInvitedUser = Math.random().toString(36).substring(2)+'@mailinator.com'; + global.latestInvitedUserPassword = 'Monday01'; - await inviteUserPage.enterIntoTextFieldEmailAddress(global.latestInvitedUser); - await inviteUserPage.manageUserCheckbox.click(); - browser.sleep(LONG_DELAY); + await inviteUserPage.enterIntoTextFieldEmailAddress(global.latestInvitedUser); + await inviteUserPage.manageUserCheckbox.click(); + browser.sleep(LONG_DELAY); + 
await inviteUserPage.clickSendInvitationButton(); + // browser.sleep(LONG_DELAY); +}); +Then(/^user should be created successfuly$/, async function () { + const world = this; + await browserWaits.retryWithAction(inviteUserPage.userInvitaionConfirmation, async (message) => { + world.attach('Retry clicking Invite user button : ' + message); + global.screenShotUtils.takeScreenshot() + .then((stream) => { + const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); + world.attach(decodedImage, 'image/png'); + }); await inviteUserPage.clickSendInvitationButton(); - // browser.sleep(LONG_DELAY); - }); - Then(/^user should be created successfuly$/, async function () { - const world = this; - await browserWaits.retryWithAction(inviteUserPage.userInvitaionConfirmation, async (message) => { - world.attach('Retry clicking Invite user button : ' + message); - global.screenShotUtils.takeScreenshot() - .then((stream) => { - const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); - world.attach(decodedImage, 'image/png'); - }); - await inviteUserPage.clickSendInvitationButton(); - }); - - expect(await inviteUserPage.amOnUserConfirmationPage()).to.be.true; }); - When(/^I not enter the mandatory fields firstname,lastname,emailaddress,permissions and click on send invitation button$/, async function () { - await inviteUserPage.enterIntoTextFieldFirstName(''); - await inviteUserPage.enterIntoTextFieldLastName(''); - await inviteUserPage.enterIntoTextFieldEmailAddress(''); - await inviteUserPage.clickSendInvitationButton(); - }); + expect(await inviteUserPage.amOnUserConfirmationPage()).to.be.true; +}); - When('I enter mandatory fields firstname,lastname,emailaddress with permissions and click on send invitation button', async function (table) { - await inviteUserPage.waitForPage(); - await inviteUserPage.enterIntoTextFieldFirstName(TestData.firstName); - await 
inviteUserPage.enterIntoTextFieldLastName(TestData.lastName); - global.latestInvitedUser = Math.random().toString(36).substring(2) + '@mailinator.com'; - global.latestInvitedUserPassword = 'Monday01'; - - await inviteUserPage.enterIntoTextFieldEmailAddress(global.latestInvitedUser); - const permissions = table.hashes(); - for (let permCounter = 0; permCounter < permissions.length; permCounter++){ - await inviteUserPage.selectPermission(permissions[permCounter].Permission, true); - } - await inviteUserPage.clickSendInvitationButton(); - }); +When(/^I not enter the mandatory fields firstname,lastname,emailaddress,permissions and click on send invitation button$/, async function () { + await inviteUserPage.enterIntoTextFieldFirstName(''); + await inviteUserPage.enterIntoTextFieldLastName(''); + await inviteUserPage.enterIntoTextFieldEmailAddress(''); + await inviteUserPage.clickSendInvitationButton(); +}); - When('I edit user permissions', async function (table) { - const permissions = table.hashes(); - for (let permCounter = 0; permCounter < permissions.length; permCounter++) { - await inviteUserPage.selectPermission(permissions[permCounter].Permission, permissions[permCounter].isSelected === 'true'); - } - }); +When('I enter mandatory fields firstname,lastname,emailaddress with permissions and click on send invitation button', async function (table) { + await inviteUserPage.waitForPage(); + await inviteUserPage.enterIntoTextFieldFirstName(TestData.firstName); + await inviteUserPage.enterIntoTextFieldLastName(TestData.lastName); + global.latestInvitedUser = Math.random().toString(36).substring(2) + '@mailinator.com'; + global.latestInvitedUserPassword = 'Monday01'; + + await inviteUserPage.enterIntoTextFieldEmailAddress(global.latestInvitedUser); + const permissions = table.hashes(); + for (let permCounter = 0; permCounter < permissions.length; permCounter++){ + await inviteUserPage.selectPermission(permissions[permCounter].Permission, true); + } + await 
inviteUserPage.clickSendInvitationButton(); +}); - Then(/^I should be display the validation error$/, async function () { - await expect(inviteUserPage.failure_error_heading.isDisplayed()).to.eventually.be.true; - await expect(inviteUserPage.failure_error_heading.getText()) - .to - .eventually - .equal('There is a problem'); - }); +When('I edit user permissions', async function (table) { + const permissions = table.hashes(); + for (let permCounter = 0; permCounter < permissions.length; permCounter++) { + await inviteUserPage.selectPermission(permissions[permCounter].Permission, permissions[permCounter].isSelected === 'true'); + } +}); - When(/^I click on back button$/, async function () { - // browser.sleep(AMAZING_DELAY); - await inviteUserPage.clickBackButton(); - }); +Then(/^I should be display the validation error$/, async function () { + await expect(inviteUserPage.failure_error_heading.isDisplayed()).to.eventually.be.true; + await expect(inviteUserPage.failure_error_heading.getText()) + .to + .eventually + .equal('There is a problem'); +}); - Then('I activate invited user', { timeout: 600 * 1000 }, async function () { - await mailinatorService.init(); - try { - mailinatorService.setLogger((message, isScreenshot) => logger(this, message, isScreenshot)); - await mailinatorService.openRegistrationEmailForUser(global.latestInvitedUser); - this.attach('Registration email received successfully.'); - await mailinatorService.completeUserRegistrationFromEmail(); - this.attach('Registration completed successfully.'); - await mailinatorService.destroy(); - } catch (err){ - await CucumberReportLogger.AddScreenshot(mailinatorService.getScreenShotUtil()); - await mailinatorService.destroy(); - throw new Error('Error occured during user activation steps', err); - } - }); +When(/^I click on back button$/, async function () { + // browser.sleep(AMAZING_DELAY); + await inviteUserPage.clickBackButton(); +}); - Then(/^I click on a Active User$/, async function () { - 
browser.sleep(AMAZING_DELAY); - await expect(inviteUserPage.activeUser.isDisplayed()).to.eventually.be.true; - await inviteUserPage.activeUser.click(); - }); +Then('I activate invited user', { timeout: 600 * 1000 }, async function () { + await mailinatorService.init(); + try { + mailinatorService.setLogger((message, isScreenshot) => logger(this, message, isScreenshot)); + await mailinatorService.openRegistrationEmailForUser(global.latestInvitedUser); + this.attach('Registration email received successfully.'); + await mailinatorService.completeUserRegistrationFromEmail(); + this.attach('Registration completed successfully.'); + await mailinatorService.destroy(); + } catch (err){ + await CucumberReportLogger.AddScreenshot(mailinatorService.getScreenShotUtil()); + await mailinatorService.destroy(); + throw new Error('Error occured during user activation steps', err); + } +}); - Then(/^I see change link and suspend button$/, async function () { - browser.sleep(MID_DELAY); - await expect(inviteUserPage.changeLink.isDisplayed()).to.eventually.be.true; - await expect(inviteUserPage.suspendButton.isDisplayed()).to.eventually.be.true; - }); +Then(/^I click on a Active User$/, async function () { + browser.sleep(AMAZING_DELAY); + await expect(inviteUserPage.activeUser.isDisplayed()).to.eventually.be.true; + await inviteUserPage.activeUser.click(); +}); - Then(/^I click on change link$/, async function () { - browser.sleep(MID_DELAY); - await inviteUserPage.changeLink.click(); - await expect(inviteUserPage.editUserText.isDisplayed()).to.eventually.be.true; - await expect(inviteUserPage.editUserText.getText()) - .to - .eventually - .equal('Edit user'); - }); +Then(/^I see change link and suspend button$/, async function () { + browser.sleep(MID_DELAY); + await expect(inviteUserPage.changeLink.isDisplayed()).to.eventually.be.true; + await expect(inviteUserPage.suspendButton.isDisplayed()).to.eventually.be.true; +}); - Then(/^I edit the Manage User checkbox and click submit$/, 
async function () { - browser.sleep(MID_DELAY); - await inviteUserPage.manageUserCheckbox.click(); - await inviteUserPage.clickSendInvitationButton(); - browser.sleep(MID_DELAY); - await viewUserPage.waitForUserDetailsPage(); - await expect(inviteUserPage.suspendButton.isDisplayed()).to.eventually.be.true; - }); +Then(/^I click on change link$/, async function () { + browser.sleep(MID_DELAY); + await inviteUserPage.changeLink.click(); + await expect(inviteUserPage.editUserText.isDisplayed()).to.eventually.be.true; + await expect(inviteUserPage.editUserText.getText()) + .to + .eventually + .equal('Edit user'); +}); - Then(/^I click the suspend button$/, async function () { - await inviteUserPage.suspendButton.click(); - }); +Then(/^I edit the Manage User checkbox and click submit$/, async function () { + browser.sleep(MID_DELAY); + await inviteUserPage.manageUserCheckbox.click(); + await inviteUserPage.clickSendInvitationButton(); + browser.sleep(MID_DELAY); + await viewUserPage.waitForUserDetailsPage(); + await expect(inviteUserPage.suspendButton.isDisplayed()).to.eventually.be.true; +}); - Then(/^I see the suspend user page$/, async function () { - browser.sleep(MID_DELAY); - await expect(inviteUserPage.editUserText.isDisplayed()).to.eventually.be.true; - await expect(inviteUserPage.editUserText.getText()) - .to - .eventually - .equal('Are you sure you want to suspend this account?'); - }); +Then(/^I click the suspend button$/, async function () { + await inviteUserPage.suspendButton.click(); +}); + +Then(/^I see the suspend user page$/, async function () { + browser.sleep(MID_DELAY); + await expect(inviteUserPage.editUserText.isDisplayed()).to.eventually.be.true; + await expect(inviteUserPage.editUserText.getText()) + .to + .eventually + .equal('Are you sure you want to suspend this account?'); }); function logger(world, message, isScreenshot){ 
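Review bot: The invited test account is created with a fixed, committed password — `global.latestInvitedUserPassword = 'Monday01';` appears in both invite steps — on a throwaway `@mailinator.com` address whose inbox is public, so anyone who learns the address can read the registration email and log in as that user; these fixtures must only exist in a non-production IDAM, and the password should come from configuration, e.g. `global.latestInvitedUserPassword = process.env.TEST_INVITED_USER_PASSWORD;`, the way `loginLogout.steps.js` in this same patch reads `process.env.TEST_USER1_PASSWORD`. In `I activate invited user` the catch block does `throw new Error('Error occured during user activation steps', err);` — `Error` ignores a second positional argument (only an options object with `cause` is honoured, and only on newer Node), so the original failure never reaches the report; use `throw new Error('Error occurred during user activation steps: ' + (err && err.message));` or pass `{ cause: err }`. The `new Buffer(...)` in the retry callback is deprecated (DEP0005) in favour of `Buffer.from(...)`, and that `takeScreenshot().then(...)` chain is not awaited, so the attach can race the step's completion. `function logger` at the end of the hunk continues outside it.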
diff --git a/test/e2e/features/step_definitions/loginLogout.steps.js b/test/e2e/features/step_definitions/loginLogout.steps.js index 28daacb05..1bea13f0a 100644 --- a/test/e2e/features/step_definitions/loginLogout.steps.js +++ b/test/e2e/features/step_definitions/loginLogout.steps.js @@ -1,7 +1,8 @@ 'use strict'; +import { Given, Then, When } from 'cucumber'; + const loginPage = require('../pageObjects/loginLogoutObjects'); -const { defineSupportCode } = require('cucumber'); const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../support/constants'); const { config } = require('../../config/common.conf.js'); const EC = protractor.ExpectedConditions; 
@@ -22,216 +23,214 @@ async function waitForElement(el) { }, 40000); } -defineSupportCode(function ({ Given, When, Then }) { - When(/^I navigate to manage organisation Url$/, { timeout: 600 * 1000 }, async function () { - const world = this; - await browser.driver.manage().deleteAllCookies(); +When(/^I navigate to manage organisation Url$/, { timeout: 600 * 1000 }, async function () { + const world = this; + await browser.driver.manage().deleteAllCookies(); + await browser.get(config.config.baseUrl); + await browserWaits.retryWithAction(loginPage.emailAddress, async function (message) { + const stream = await browser.takeScreenshot(); + const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); + world.attach(decodedImage, 'image/png'); await browser.get(config.config.baseUrl); - await browserWaits.retryWithAction(loginPage.emailAddress, async function (message) { - const stream = await browser.takeScreenshot(); - const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); - world.attach(decodedImage, 'image/png'); - await browser.get(config.config.baseUrl); - }); - await browserWaits.waitForElement(loginPage.emailAddress, LONG_DELAY, 'IDAM login page Email Address input not present'); - }); - - Then(/^I should see failure error summary$/, async function () { - await waitForElement('heading-large'); - await expect(loginPage.failure_error_heading.isDisplayed()).to.eventually.be.true; - await expect(loginPage.failure_error_heading.getText()) - .to - .eventually - .equal('Incorrect email or password'); - }); - - Then(/^I am on Idam login page$/, { timeout: 600 * 1000 }, async function () { - await waitForElement('heading-large'); - await expect(loginPage.signinTitle.isDisplayed()).to.eventually.be.true; - await expect(loginPage.signinTitle.getText()) - .to - .eventually - .equal('Sign in'); - await expect(loginPage.emailAddress.isDisplayed()).to.eventually.be.true; - await 
expect(loginPage.password.isDisplayed()).to.eventually.be.true; - }); - - When('I login with latest invited user', async function () { - const world = this; - this.attach('User email : ' + global.latestInvitedUser); - await loginattemptCheckAndRelogin(global.latestInvitedUser, global.latestInvitedUserPassword, world); - }); - - When(/^I enter an valid email-address and password to login$/, async function () { - await loginPage.emailAddress.sendKeys(config.config.username); //replace username and password - await loginPage.password.sendKeys(config.config.password); - // browser.sleep(SHORT_DELAY); - await loginPage.signinBtn.click(); - browser.sleep(SHORT_DELAY); }); + await browserWaits.waitForElement(loginPage.emailAddress, LONG_DELAY, 'IDAM login page Email Address input not present'); +}); - When(/^I enter an Invalid email-address and password to login$/, async function () { - await loginPage.givenIAmUnauthenticatedUser(); - }); +Then(/^I should see failure error summary$/, async function () { + await waitForElement('heading-large'); + await expect(loginPage.failure_error_heading.isDisplayed()).to.eventually.be.true; + await expect(loginPage.failure_error_heading.getText()) + .to + .eventually + .equal('Incorrect email or password'); +}); - Given(/^I should be redirected to the Idam login page$/, async function () { - browser.sleep(LONG_DELAY); - await expect(loginPage.signinTitle.getText()) - .to - .eventually - .equal('Sign in'); - browser.sleep(LONG_DELAY); - }); +Then(/^I am on Idam login page$/, { timeout: 600 * 1000 }, async function () { + await waitForElement('heading-large'); + await expect(loginPage.signinTitle.isDisplayed()).to.eventually.be.true; + await expect(loginPage.signinTitle.getText()) + .to + .eventually + .equal('Sign in'); + await expect(loginPage.emailAddress.isDisplayed()).to.eventually.be.true; + await expect(loginPage.password.isDisplayed()).to.eventually.be.true; +}); - Then(/^I select the sign out link$/, { timeout: 120 * 1000 }, 
async function () { - await browserWaits.waitForElement(loginPage.signOutlink, LONG_DELAY, 'Signout link not present in page'); - await expect(loginPage.signOutlink.isDisplayed()).to.eventually.be.true; - await headerPage.waitForSpinnerNotPresent(); - await loginPage.signOutlink.click(); - await browserWaits.waitForElement(loginPage.emailAddress, LONG_DELAY, 'Login page is not displayed after signout'); - }); +When('I login with latest invited user', async function () { + const world = this; + this.attach('User email : ' + global.latestInvitedUser); + await loginattemptCheckAndRelogin(global.latestInvitedUser, global.latestInvitedUserPassword, world); +}); - Then(/^I should be redirected to manage organisation dashboard page$/, async function () { - await browserWaits.waitForElement(loginPage.dashboard_header, LONG_DELAY, 'Dashboard Header not present'); - await browserWaits.waitForElement(headerPage.hmctsPrimaryNavigation, LONG_DELAY, 'Primary navigation Tab not present'); +When(/^I enter an valid email-address and password to login$/, async function () { + await loginPage.emailAddress.sendKeys(config.config.username); //replace username and password + await loginPage.password.sendKeys(config.config.password); + // browser.sleep(SHORT_DELAY); + await loginPage.signinBtn.click(); + browser.sleep(SHORT_DELAY); +}); - await expect(loginPage.dashboard_header.isDisplayed(), 'Dashboard header not displayed').to.eventually.be.true; - await expect(loginPage.dashboard_header.getText()) - .to - .eventually - .equal('Manage organisation'); +When(/^I enter an Invalid email-address and password to login$/, async function () { + await loginPage.givenIAmUnauthenticatedUser(); +}); - await expect(headerPage.isPrimaryNavigationTabDisplayed(), 'Primary navigation tabs not displayed').to.eventually.be.true; - browser.sleep(LONG_DELAY); - }); +Given(/^I should be redirected to the Idam login page$/, async function () { + browser.sleep(LONG_DELAY); + await 
expect(loginPage.signinTitle.getText()) + .to + .eventually + .equal('Sign in'); + browser.sleep(LONG_DELAY); +}); - // Given(/^I am logged into manage organisation with ManageOrg user details$/, async function () { - // browser.sleep(LONG_DELAY); - // await loginPage.emailAddress.sendKeys(config.config.username); - // await loginPage.password.sendKeys(config.config.password); - // await loginPage.clickSignIn(); - // browser.sleep(MID_DELAY); - // }); +Then(/^I select the sign out link$/, { timeout: 120 * 1000 }, async function () { + await browserWaits.waitForElement(loginPage.signOutlink, LONG_DELAY, 'Signout link not present in page'); + await expect(loginPage.signOutlink.isDisplayed()).to.eventually.be.true; + await headerPage.waitForSpinnerNotPresent(); + await loginPage.signOutlink.click(); + await browserWaits.waitForElement(loginPage.emailAddress, LONG_DELAY, 'Login page is not displayed after signout'); +}); - // Given(/^I am logged into manage organisation with ManageOrg user details$/, async function () { - // browser.sleep(LONG_DELAY); - // await loginPage.emailAddress.sendKeys(config.config.username); - // await loginPage.password.sendKeys(config.config.password); - // await loginPage.clickSignIn(); - // browser.sleep(MID_DELAY); - // }); +Then(/^I should be redirected to manage organisation dashboard page$/, async function () { + await browserWaits.waitForElement(loginPage.dashboard_header, LONG_DELAY, 'Dashboard Header not present'); + await browserWaits.waitForElement(headerPage.hmctsPrimaryNavigation, LONG_DELAY, 'Primary navigation Tab not present'); - Given(/^I am logged into manage organisation with ManageOrg user details$/, async function () { - // browser.sleep(LONG_DELAY); - const world = this; + await expect(loginPage.dashboard_header.isDisplayed(), 'Dashboard header not displayed').to.eventually.be.true; + await expect(loginPage.dashboard_header.getText()) + .to + .eventually + .equal('Manage organisation'); - await 
loginattemptCheckAndRelogin(process.env.TEST_USER1_EMAIL, process.env.TEST_USER1_PASSWORD, world); + await expect(headerPage.isPrimaryNavigationTabDisplayed(), 'Primary navigation tabs not displayed').to.eventually.be.true; + browser.sleep(LONG_DELAY); +}); - // browser.sleep(LONG_DELAY); - }); +// Given(/^I am logged into manage organisation with ManageOrg user details$/, async function () { +// browser.sleep(LONG_DELAY); +// await loginPage.emailAddress.sendKeys(config.config.username); +// await loginPage.password.sendKeys(config.config.password); +// await loginPage.clickSignIn(); +// browser.sleep(MID_DELAY); +// }); + +// Given(/^I am logged into manage organisation with ManageOrg user details$/, async function () { +// browser.sleep(LONG_DELAY); +// await loginPage.emailAddress.sendKeys(config.config.username); +// await loginPage.password.sendKeys(config.config.password); +// await loginPage.clickSignIn(); +// browser.sleep(MID_DELAY); +// }); + +Given(/^I am logged into manage organisation with ManageOrg user details$/, async function () { + // browser.sleep(LONG_DELAY); + const world = this; + + await loginattemptCheckAndRelogin(process.env.TEST_USER1_EMAIL, process.env.TEST_USER1_PASSWORD, world); + + // browser.sleep(LONG_DELAY); +}); - Given(/^I am logged into manage organisation to invite users$/, async function () { - // browser.sleep(LONG_DELAY); - const world = this; +Given(/^I am logged into manage organisation to invite users$/, async function () { + // browser.sleep(LONG_DELAY); + const world = this; - await loginattemptCheckAndRelogin(config.config.username_rw, config.config.password_rw, world); + await loginattemptCheckAndRelogin(config.config.username_rw, config.config.password_rw, world); - // browser.sleep(LONG_DELAY); - }); + // browser.sleep(LONG_DELAY); +}); - Given(/^I am logged into Townley Services Org$/, async function () { - await loginPage.emailAddress.sendKeys(config.config.townleyUser); //replace username and password - await 
loginPage.password.sendKeys(config.config.townleyPassword); - // browser.sleep(SHORT_DELAY); - await loginPage.signinBtn.click(); - browser.sleep(SHORT_DELAY); - }); +Given(/^I am logged into Townley Services Org$/, async function () { + await loginPage.emailAddress.sendKeys(config.config.townleyUser); //replace username and password + await loginPage.password.sendKeys(config.config.townleyPassword); + // browser.sleep(SHORT_DELAY); + await loginPage.signinBtn.click(); + browser.sleep(SHORT_DELAY); +}); - Given('I am logged into manage organisation with test org user', async function(){ - const world = this; - this.attach('Login user : ' + global.testorg_rw_superuser_email); - console.log('Login user : ' + global.testorg_rw_superuser_email); - await loginattemptCheckAndRelogin(global.testorg_rw_superuser_email, 'Monday01', world); - - const tandcfeatureToggle = await acceptTermsAndConditionsPage.isFeatureToggleEnabled(this); - if (tandcfeatureToggle){ - if (global.testorgStatus >= 4) { - console.log('User accepted T&C already'); - } else { - await waitForElement('hmcts-header__link'); - const tandcAcceptPageDisplayed = await acceptTermsAndConditionsPage.amOnPage(); - console.log('tandcAcceptPageDisplayed : ' + tandcAcceptPageDisplayed); - await acceptTermsAndConditionsPage.acceptTremsAndConditions(); - global.testorgStatus = 4; - } +Given('I am logged into manage organisation with test org user', async function(){ + const world = this; + this.attach('Login user : ' + global.testorg_rw_superuser_email); + console.log('Login user : ' + global.testorg_rw_superuser_email); + await loginattemptCheckAndRelogin(global.testorg_rw_superuser_email, 'Monday01', world); + + const tandcfeatureToggle = await acceptTermsAndConditionsPage.isFeatureToggleEnabled(this); + if (tandcfeatureToggle){ + if (global.testorgStatus >= 4) { + console.log('User accepted T&C already'); + } else { + await waitForElement('hmcts-header__link'); + const tandcAcceptPageDisplayed = await 
acceptTermsAndConditionsPage.amOnPage(); + console.log('tandcAcceptPageDisplayed : ' + tandcAcceptPageDisplayed); + await acceptTermsAndConditionsPage.acceptTremsAndConditions(); + global.testorgStatus = 4; } - }); + } +}); - Given('I am logged in to created approve organisation', async function () { - // browser.sleep(LONG_DELAY); - await loginattemptCheckAndRelogin(global.latestOrgSuperUser, 'Monday01', this); - browser.wait(async () => { - return !(await loginPage.emailAddress.isPresent()); - }, 30000); - - if (config.config.twoFactorAuthEnabled){ - const verificationCodeInput = element(by.css('#code')); - await browserWaits.waitForElement(verificationCodeInput); - if (await verificationCodeInput.isPresent()) { - const loginVerificationCode = await mailinatorService.getLoginVerificationEmailCode(global.latestOrgSuperUser); - await verificationCodeInput.sendKeys(loginVerificationCode); - await element(by.css('.button[type = \'submit\']')).click(); - } +Given('I am logged in to created approve organisation', async function () { + // browser.sleep(LONG_DELAY); + await loginattemptCheckAndRelogin(global.latestOrgSuperUser, 'Monday01', this); + browser.wait(async () => { + return !(await loginPage.emailAddress.isPresent()); + }, 30000); + + if (config.config.twoFactorAuthEnabled){ + const verificationCodeInput = element(by.css('#code')); + await browserWaits.waitForElement(verificationCodeInput); + if (await verificationCodeInput.isPresent()) { + const loginVerificationCode = await mailinatorService.getLoginVerificationEmailCode(global.latestOrgSuperUser); + await verificationCodeInput.sendKeys(loginVerificationCode); + await element(by.css('.button[type = \'submit\']')).click(); } - }); + } +}); - Given(/^I navigate to manage organisation Url direct link$/, async function () { +Given(/^I navigate to manage organisation Url direct link$/, async function () { + await browser.get(config.config.baseUrl + '/cases/case-filter'); + // await browser.driver.manage() + // 
.deleteAllCookies(); + // await browser.refresh(); + // browser.sleep(AMAZING_DELAY); +}); + +Then(/^I should be redirected back to Login page after direct link$/, { timeout: 120 * 1000 }, async function () { + // await browserWaits.waitForElement(loginPage.emailAddress); + await browserWaits.retryWithAction(loginPage.emailAddress, async () => { + console.log('ReTry for login page after direct link '); + this.attach('ReTry for login page after direct link '); await browser.get(config.config.baseUrl + '/cases/case-filter'); - // await browser.driver.manage() - // .deleteAllCookies(); - // await browser.refresh(); - // browser.sleep(AMAZING_DELAY); }); + await expect(loginPage.signinTitle.getText()) + .to + .eventually + .equal('Sign in'); + browser.sleep(LONG_DELAY); +}); - Then(/^I should be redirected back to Login page after direct link$/, { timeout: 120 * 1000 }, async function () { - // await browserWaits.waitForElement(loginPage.emailAddress); - await browserWaits.retryWithAction(loginPage.emailAddress, async () => { - console.log('ReTry for login page after direct link '); - this.attach('ReTry for login page after direct link '); - await browser.get(config.config.baseUrl + '/cases/case-filter'); - }); - await expect(loginPage.signinTitle.getText()) - .to - .eventually - .equal('Sign in'); - browser.sleep(LONG_DELAY); - }); +Then('I login to MC with invited user', { timeout: 120 * 1000 }, async function () { + await manageCasesService.init(); + manageCasesService.setLogger((message, isScreenshot) => logger(this, message, isScreenshot)); + // manageCasesService.setWorld(this); + await manageCasesService.login(global.latestInvitedUser, global.latestInvitedUserPassword); + await manageCasesService.destroy(); +}); - Then('I login to MC with invited user', { timeout: 120 * 1000 }, async function () { - await manageCasesService.init(); - manageCasesService.setLogger((message, isScreenshot) => logger(this, message, isScreenshot)); - // 
manageCasesService.setWorld(this); +Then('I see login to MC with invited user is {string}', { timeout: 120 * 1000 }, async function (loginStatus) { + await manageCasesService.init(); + manageCasesService.setLogger((message, isScreenshot) => logger(this, message, isScreenshot)); + try { await manageCasesService.login(global.latestInvitedUser, global.latestInvitedUserPassword); - await manageCasesService.destroy(); - }); - - Then('I see login to MC with invited user is {string}', { timeout: 120 * 1000 }, async function (loginStatus) { - await manageCasesService.init(); - manageCasesService.setLogger((message, isScreenshot) => logger(this, message, isScreenshot)); - try { - await manageCasesService.login(global.latestInvitedUser, global.latestInvitedUserPassword); - if (loginStatus.includes('success')) { - await manageCasesService.validateLoginSuccess(); - } else { - await manageCasesService.validateLoginFailure(); - } - await manageCasesService.destroy(); - } catch (err){ - await manageCasesService.attachScreenshot(); - await manageCasesService.destroy(); - throw err; + if (loginStatus.includes('success')) { + await manageCasesService.validateLoginSuccess(); + } else { + await manageCasesService.validateLoginFailure(); } - }); + await manageCasesService.destroy(); + } catch (err){ + await manageCasesService.attachScreenshot(); + await manageCasesService.destroy(); + throw err; + } }); async function loginWithCredentials(username, password, world){ diff --git a/test/e2e/features/step_definitions/viewOrganisation.steps.js b/test/e2e/features/step_definitions/viewOrganisation.steps.js index 7e6c1d409..3a17f9e78 100644 --- a/test/e2e/features/step_definitions/viewOrganisation.steps.js +++ b/test/e2e/features/step_definitions/viewOrganisation.steps.js 
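Review bot: In `I am logged in to created approve organisation` the `browser.wait(async () => { return !(await loginPage.emailAddress.isPresent()); }, 30000);` is not awaited, so the `twoFactorAuthEnabled` branch can probe for `#code` before the login form has gone and the one-time-code step is skipped or flaky; it should read `await browser.wait(...)`. That step and the `test org user` step also sign in with the literal password `'Monday01'` and fetch the second factor from a public Mailinator inbox via `mailinatorService.getLoginVerificationEmailCode`, which makes the MFA for these identities readable by anyone who knows the address — tolerable only if the accounts are confined to a test IDAM, and the password should be injected the way `process.env.TEST_USER1_PASSWORD` is in the `ManageOrg user details` step rather than committed. `new Buffer(stream.replace(...), 'base64')` in the first step is deprecated (DEP0005); `Buffer.from(...)` is the drop-in replacement. `loginWithCredentials` at the end of the hunk continues outside it.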
@@ -1,3 +1,5 @@ +import { When, Then } from 'cucumber'; + const ViewOrganisationPage = require('../pageObjects/viewOrganisationPage.js'); const HeaderPage = require('../pageObjects/headerPage'); const loginPage = require('../pageObjects/loginLogoutObjects'); 
@@ -6,56 +8,53 @@ const EC = protractor.ExpectedConditions; const browserWaits = require('../../support/customWaits'); const { config } = require('../../config/common.conf.js'); -const { defineSupportCode } = require('cucumber'); -defineSupportCode(function ({ And, But, Given, Then, When }) { - const viewOrganisationPage=new ViewOrganisationPage(); - const headerPage = new HeaderPage(); +const viewOrganisationPage=new ViewOrganisationPage(); +const headerPage = new HeaderPage(); - When(/^I click on organisation button$/, { timeout: 600 * 1000 }, async function () { - await headerPage.clickOrganisation(); - const world = this; - await browserWaits.retryWithAction(viewOrganisationPage.header, async function (message) { - world.attach('Retrying Click Organisation : ' + message); - global.screenShotUtils.takeScreenshot() - .then((stream) => { - const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); - world.attach(decodedImage, 'image/png'); - }); - await browser.get(config.config.baseUrl + '/organisation'); - - // await headerPage.clickOrganisation(); - }); +When(/^I click on organisation button$/, { timeout: 600 * 1000 }, async function () { + await headerPage.clickOrganisation(); + const world = this; + await browserWaits.retryWithAction(viewOrganisationPage.header, async function (message) { + world.attach('Retrying Click Organisation : ' + message); + global.screenShotUtils.takeScreenshot() + .then((stream) => { + const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); + world.attach(decodedImage, 'image/png'); + }); + await browser.get(config.config.baseUrl + '/organisation'); + + // await headerPage.clickOrganisation(); }); +}); - Then(/^I should be on display the name and address details of organisation$/, { timeout: 600 * 1000 }, async function () { - // browser.sleep(LONG_DELAY); - const world = this; - await browserWaits.retryWithAction(viewOrganisationPage.header, 
async function (message) { - world.attach('Retrying Click Organisation : ' + message); - global.screenShotUtils.takeScreenshot() - .then((stream) => { - const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); - world.attach(decodedImage, 'image/png'); - }); - await headerPage.clickOrganisation(); - }); - expect(await viewOrganisationPage.amOnPage(), 'Organisation page not displayed').to.be.true; +Then(/^I should be on display the name and address details of organisation$/, { timeout: 600 * 1000 }, async function () { + // browser.sleep(LONG_DELAY); + const world = this; + await browserWaits.retryWithAction(viewOrganisationPage.header, async function (message) { + world.attach('Retrying Click Organisation : ' + message); + global.screenShotUtils.takeScreenshot() + .then((stream) => { + const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); + world.attach(decodedImage, 'image/png'); + }); + await headerPage.clickOrganisation(); }); + expect(await viewOrganisationPage.amOnPage(), 'Organisation page not displayed').to.be.true; +}); - Then(/^I should see name and address details of Organisation$/, async function () { - // browser.sleep(LONG_DELAY); - const world = this; - - await browserWaits.retryWithAction(viewOrganisationPage.header, async function (message) { - world.attach('Retrying Click Organisation : ' + message); - screenShotUtils.takeScreenshot() - .then((stream) => { - const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); - world.attach(decodedImage, 'image/png'); - }); - await headerPage.clickOrganisation(); - }); - expect(await viewOrganisationPage.amOnPage(), 'Organisation page not displayed').to.be.true; +Then(/^I should see name and address details of Organisation$/, async function () { + // browser.sleep(LONG_DELAY); + const world = this; + + await browserWaits.retryWithAction(viewOrganisationPage.header, async 
function (message) { + world.attach('Retrying Click Organisation : ' + message); + screenShotUtils.takeScreenshot() + .then((stream) => { + const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); + world.attach(decodedImage, 'image/png'); + }); + await headerPage.clickOrganisation(); }); + expect(await viewOrganisationPage.amOnPage(), 'Organisation page not displayed').to.be.true; }); diff --git a/test/e2e/features/step_definitions/viewUser.steps.js b/test/e2e/features/step_definitions/viewUser.steps.js index df202ee00..f2896c101 100644 --- a/test/e2e/features/step_definitions/viewUser.steps.js +++ b/test/e2e/features/step_definitions/viewUser.steps.js @@ -1,3 +1,5 @@ +import { Then, When } from 'cucumber'; + const ViewUserPage = require('../pageObjects/viewUserPage.js'); const HeaderPage = require('../pageObjects/headerPage'); const loginPage = require('../pageObjects/loginLogoutObjects'); 
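Review bot: Every retry callback in this hunk still decodes the screenshot with `new Buffer(...)`, the deprecated DEP0005 constructor that Node warns about at runtime and that was retired because the constructor form returns uninitialised memory when handed a number. The screenshot promise is also never awaited, so a rejection from `takeScreenshot()` surfaces as an unhandled rejection and the attachment can land after the step has already moved on; the third step additionally calls bare `screenShotUtils` where the other two use `global.screenShotUtils`. Replacing each `.then` with `const stream = await global.screenShotUtils.takeScreenshot();` and `world.attach(Buffer.from(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'), 'image/png');` fixes all three callbacks.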
@@ -6,48 +8,45 @@ const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../sup const EC = protractor.ExpectedConditions; const { config } = require('../../config/common.conf.js'); -const { defineSupportCode } = require('cucumber'); const browserWaits = require('../../support/customWaits'); -defineSupportCode(function ({ And, But, Given, Then, When }) { - const viewUserPage = new ViewUserPage(); - const headerPage = new HeaderPage(); +const viewUserPage = new ViewUserPage(); +const headerPage = new HeaderPage(); - When(/^I click on user button$/, { timeout: 600 * 1000 }, async function () { - // browser.sleep(LONG_DELAY); - const world = this; +When(/^I click on user button$/, { timeout: 600 * 1000 }, async function () { + // browser.sleep(LONG_DELAY); + const world = this; - await headerPage.clickUser(); + await headerPage.clickUser(); - await browserWaits.retryWithAction(viewUserPage.header, async function (message) { - world.attach('Retrying Click User : ' + message); - const stream = await global.screenShotUtils.takeScreenshot(); - const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); - world.attach(decodedImage, 'image/png'); - await browser.get(config.config.baseUrl+'/users'); - // await headerPage.clickUser(); - }); + await browserWaits.retryWithAction(viewUserPage.header, async function (message) { + world.attach('Retrying Click User : ' + message); + const stream = await global.screenShotUtils.takeScreenshot(); + const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); + world.attach(decodedImage, 'image/png'); + await browser.get(config.config.baseUrl+'/users'); + // await headerPage.clickUser(); + }); - await viewUserPage.amOnPage(); + await viewUserPage.amOnPage(); - // browser.sleep(AMAZING_DELAY); - }); + // browser.sleep(AMAZING_DELAY); +}); - Then(/^I should be on display the user details$/, async function () { - // 
browser.sleep(AMAZING_DELAY); - expect(await viewUserPage.amOnPage()).to.be.true; - // browser.sleep(LONG_DELAY); - }); +Then(/^I should be on display the user details$/, async function () { + // browser.sleep(AMAZING_DELAY); + expect(await viewUserPage.amOnPage()).to.be.true; + // browser.sleep(LONG_DELAY); +}); - Then('I should see invited user is listed in users table', { timeout: 300 * 1000 }, async function () { - await viewUserPage.validateUserWithEmailListed(global.latestInvitedUser); - }); +Then('I should see invited user is listed in users table', { timeout: 300 * 1000 }, async function () { + await viewUserPage.validateUserWithEmailListed(global.latestInvitedUser); +}); - Then('I should see all user details displayed in table', async function () { - await viewUserPage.validateUsersTableDisplaysAllDetails(); - }); +Then('I should see all user details displayed in table', async function () { + await viewUserPage.validateUsersTableDisplaysAllDetails(); +}); - Then('I should see no empty cells in table', async function () { - await viewUserPage.validateTableHasNoEmptyCells(); - }); +Then('I should see no empty cells in table', async function () { + await viewUserPage.validateTableHasNoEmptyCells(); }); diff --git a/test/e2e/support/hooks.js b/test/e2e/support/hooks.js index ab5692b83..aa7a25c88 100644 --- a/test/e2e/support/hooks.js +++ b/test/e2e/support/hooks.js @@ -1,6 +1,6 @@ 'use strict'; -const Cucumber = require('cucumber'); -const { defineSupportCode } = require('cucumber'); +import { Before, After } from 'cucumber'; + const fs = require('fs'); const mkdirp = require('mkdirp'); const conf = require('../config/common.conf').config; 
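Review bot: The retry callback in `I click on user button` still builds the screenshot with `new Buffer(stream.replace(...), 'base64')`, the deprecated DEP0005 constructor; `Buffer.from(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64')` is the drop-in replacement and carries no runtime deprecation warning. Separately, the `await viewUserPage.amOnPage();` at the end of that step discards its boolean, so the When step cannot fail on the wrong page and only the later `Then` asserts it; either assert it there as well or drop the call.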
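Review bot: After this change hooks.js loads cucumber twice: `import { Before, After } from 'cucumber'` here, while `const { Given, When, Then } = require('cucumber');` survives a few lines below (visible as context in the next hunk). Folding them into one `const { Before, After, Given, When, Then } = require('cucumber');` keeps the file CommonJS, which the `'use strict';` directive and the `require` lines already assume. `Given`/`When`/`Then` look unused in a hooks file and may simply be droppable, but the rest of the file is not in view to confirm that.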
@@ -16,7 +16,6 @@ const targetJson = `${jsonReports}/cucumber_report.json`; const { Given, When, Then } = require('cucumber'); const CucumberReportLogger = require('./reportLogger'); -// defineSupportCode(function({After }) { // registerHandler("BeforeFeature", { timeout: 500 * 1000 }, function() { // var origFn = browser.driver.controlFlow().execute; // 
@@ -91,38 +90,36 @@ const CucumberReportLogger = require('./reportLogger'); // }); -defineSupportCode(({ Before, After }) => { - Before(function (scenario, done){ - const world = this; - CucumberReportLogger.setScenarioWorld(world); - done(); - }); +Before(function (scenario, done){ + const world = this; + CucumberReportLogger.setScenarioWorld(world); + done(); +}); - After(function(scenario, done) { - const world = this; - if (scenario.result.status === 'failed') { - screenShotUtils.takeScreenshot().then((stream) => { - const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); - world.attach(decodedImage, 'image/png'); - }) - .then(() => { - browser.manage().logs().get('browser').then(function (browserLog) { - // console.log('log: ' + require('util').inspect(browserLog)); - const browserErrorLogs = []; - for (let browserLogCounter = 0; browserLogCounter < browserLog.length; browserLogCounter++){ - if (browserLog[browserLogCounter].level.value > 900){ - browserErrorLogs.push(browserLog[browserLogCounter]); - } +After(function(scenario, done) { + const world = this; + if (scenario.result.status === 'failed') { + screenShotUtils.takeScreenshot().then((stream) => { + const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); + world.attach(decodedImage, 'image/png'); + }) + .then(() => { + browser.manage().logs().get('browser').then(function (browserLog) { + // console.log('log: ' + require('util').inspect(browserLog)); + const browserErrorLogs = []; + for (let browserLogCounter = 0; browserLogCounter < browserLog.length; browserLogCounter++){ + if (browserLog[browserLogCounter].level.value > 900){ + browserErrorLogs.push(browserLog[browserLogCounter]); } - // world.attach(JSON.stringify(browserLog, null, 2)); + } + // world.attach(JSON.stringify(browserLog, null, 2)); - world.attach(JSON.stringify(browserErrorLogs, null, 2)); - // scenario.attach(scenario); - done(); - }); + 
world.attach(JSON.stringify(browserErrorLogs, null, 2)); + // scenario.attach(scenario); + done(); }); - } else { - done(); - } - }); + }); + } else { + done(); + } }); diff --git a/test_codecept/e2e/features/step_definitions/acceptTermsAndConditions.steps.js b/test_codecept/e2e/features/step_definitions/acceptTermsAndConditions.steps.js index b119d967e..ff648fd21 100644 --- a/test_codecept/e2e/features/step_definitions/acceptTermsAndConditions.steps.js +++ b/test_codecept/e2e/features/step_definitions/acceptTermsAndConditions.steps.js @@ -1,3 +1,4 @@ +import { Then, When } from 'cucumber'; const acceptTermsAndConditionsPage = require('../pageObjects/termsAndConditionsConfirmPage'); const HeaderPage = require('../pageObjects/headerPage'); 
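Review bot: The `After` hook's promise chain has no rejection handler, so if `takeScreenshot()` or `browser.manage().logs().get('browser')` rejects, `done` is never called and Cucumber reports a hook timeout in place of the scenario's real failure, and both the screenshot and the console log are lost. It also still decodes the image with the deprecated `new Buffer(...)` constructor (DEP0005). Writing the hook as an `async function` with a `try/catch` that attaches the capture error rather than swallowing it fixes both and flattens the nesting; note that `browserErrorLogs` is attached verbatim, so anything the app writes to the console above level 900 ends up in the shared report artefact.
```javascript
After(async function (scenario) {
  if (scenario.result.status !== 'failed') {
    return;
  }
  const world = this;
  try {
    const stream = await screenShotUtils.takeScreenshot();
    world.attach(Buffer.from(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'), 'image/png');
    const browserLog = await browser.manage().logs().get('browser');
    // keep only entries above level 900, as before
    const browserErrorLogs = browserLog.filter((entry) => entry.level.value > 900);
    world.attach(JSON.stringify(browserErrorLogs, null, 2));
  } catch (err) {
    // a diagnostics failure must not mask the scenario failure
    world.attach('Failed to capture failure diagnostics: ' + err);
  }
});
```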
@@ -5,29 +6,27 @@ const HeaderPage = require('../pageObjects/headerPage'); const { config } = require('../../config/common.conf'); const browserWaits = require('../../support/customWaits'); -const { defineSupportCode } = require('cucumber'); +const headerPage = new HeaderPage(); +Then('I am on Accept Terms and Conditions page', async function () { + const world = this; + if (await acceptTermsAndConditionsPage.isFeatureToggleEnabled()){ + await browserWaits.waitForElement(acceptTermsAndConditionsPage.accepttermsAndConditionsContainer); + expect(await acceptTermsAndConditionsPage.amOnPage()).to.be.true; + } else { + world.attach('Accept Terms and Conditions feature disabled in config. ../../config/common.conf.js. Validating Home page displayed'); + await headerPage.waitForPrimaryNavigationToDisplay(); + } +}); - const headerPage = new HeaderPage(); - Then('I am on Accept Terms and Conditions page', async function () { - const world = this; - if (await acceptTermsAndConditionsPage.isFeatureToggleEnabled()){ - await browserWaits.waitForElement(acceptTermsAndConditionsPage.accepttermsAndConditionsContainer); - expect(await acceptTermsAndConditionsPage.amOnPage()).to.be.true; - } else { - world.attach('Accept Terms and Conditions feature disabled in config. ../../config/common.conf.js. Validating Home page displayed'); - await headerPage.waitForPrimaryNavigationToDisplay(); - } - }); - - When('I click Confirm in Accept Terms and Conditions page', async function () { - const world = this; - if (await acceptTermsAndConditionsPage.isFeatureToggleEnabled()) { - await browserWaits.waitForElement(acceptTermsAndConditionsPage.accepttermsAndConditionsContainer); - await acceptTermsAndConditionsPage.acceptTremsAndConditions(); - await headerPage.waitForPrimaryNavigationToDisplay(); - } else { - world.attach('Accept Terms and Conditions feature disabled in config. 
../../config/common.conf.js.Validating Home page displayed'); - await headerPage.waitForPrimaryNavigationToDisplay(); - } - }); +When('I click Confirm in Accept Terms and Conditions page', async function () { + const world = this; + if (await acceptTermsAndConditionsPage.isFeatureToggleEnabled()) { + await browserWaits.waitForElement(acceptTermsAndConditionsPage.accepttermsAndConditionsContainer); + await acceptTermsAndConditionsPage.acceptTremsAndConditions(); + await headerPage.waitForPrimaryNavigationToDisplay(); + } else { + world.attach('Accept Terms and Conditions feature disabled in config. ../../config/common.conf.js.Validating Home page displayed'); + await headerPage.waitForPrimaryNavigationToDisplay(); + } +}); diff --git a/test_codecept/e2e/features/step_definitions/approveOrg.steps.js b/test_codecept/e2e/features/step_definitions/approveOrg.steps.js index d38545d71..0f4db4d1a 100644 --- a/test_codecept/e2e/features/step_definitions/approveOrg.steps.js +++ b/test_codecept/e2e/features/step_definitions/approveOrg.steps.js 
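Review bot: In `I click Confirm in Accept Terms and Conditions page` both branches of the `if` end with `await headerPage.waitForPrimaryNavigationToDisplay();`, so that call can be hoisted below the `if/else` and the `else` reduced to the single `world.attach(...)` line; while there, the attached message is missing a space after `common.conf.js.`. More important for what the scenario proves: with the toggle off, both steps pass without any terms being shown or accepted, so a mis-set toggle in an environment turns the T&C gate scenario into a green no-op. If that is not intended, consider marking the scenario pending in that branch instead of attaching a note.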
@@ -1,23 +1,22 @@ +import { When } from 'cucumber'; const approveOrganizationService = require('../pageObjects/approveOrganizationService'); const mailinatorService = require('../pageObjects/mailinatorService'); -const { defineSupportCode } = require('cucumber'); +When('I approve organisation', async function () { + await approveOrganizationService.init(); + await approveOrganizationService.approveOrg(global.latestOrgCreated); + await approveOrganizationService.destroy(); +},); - When('I approve organisation', async function () { - await approveOrganizationService.init(); - await approveOrganizationService.approveOrg(global.latestOrgCreated); - await approveOrganizationService.destroy(); - },); - - When('I activate approved organisation super user', async function () { - await mailinatorService.init(); - mailinatorService.setLogger((message, isScreenshot) => logger(this, message, isScreenshot)); - await mailinatorService.openRegistrationEmailForUser(global.latestOrgSuperUser); - await mailinatorService.completeUserRegistrationFromEmail(); - await mailinatorService.destroy(); - }); +When('I activate approved organisation super user', async function () { + await mailinatorService.init(); + mailinatorService.setLogger((message, isScreenshot) => logger(this, message, isScreenshot)); + await mailinatorService.openRegistrationEmailForUser(global.latestOrgSuperUser); + await mailinatorService.completeUserRegistrationFromEmail(); + await mailinatorService.destroy(); +}); function logger(world, message, isScreenshot) { diff --git a/test_codecept/e2e/features/step_definitions/createOrganisation.steps.js b/test_codecept/e2e/features/step_definitions/createOrganisation.steps.js index 9e693c418..4a72db990 100644 --- a/test_codecept/e2e/features/step_definitions/createOrganisation.steps.js +++ b/test_codecept/e2e/features/step_definitions/createOrganisation.steps.js 
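Review bot: In both steps `init()` is followed by work that can reject, and `destroy()` only runs when it does not, so a failed `approveOrg(...)` or a registration email that never arrives leaves whatever `init()` opened alive for the rest of the run (what that is cannot be seen here; the names suggest a second browser or HTTP session). A `try/finally` around the body guarantees teardown without changing the step's outcome; the same shape applies to the mailinator step. `global.latestOrgCreated` is also assumed to have been set by an earlier step, which is fine in the intended flow but gives an unhelpful failure when the step runs in isolation.
```javascript
When('I approve organisation', async function () {
  await approveOrganizationService.init();
  try {
    await approveOrganizationService.approveOrg(global.latestOrgCreated);
  } finally {
    await approveOrganizationService.destroy();
  }
},);
// … unchanged: 'I activate approved organisation super user', with the same try/finally around the body after init() …
```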
@@ -1,7 +1,8 @@ 'use strict'; +import { Then, When } from 'cucumber'; + const CreateOrganisationObjects = require('../pageObjects/createOrganisationObjects'); -const { defineSupportCode } = require('cucumber'); const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../support/constants'); const { config } = require('../../config/common.conf.js'); const approveOrganizationService = require('../pageObjects/approveOrganizationService'); 
@@ -13,263 +14,263 @@ async function waitForElement(el) { await elementToWait.wait() } - const createOrganisationObject = new CreateOrganisationObjects(); - - When(/^I navigate to EUI Manage Organisation Url$/, async function () { - await browser.driver.manage().deleteAllCookies(); - await browser.get(config.config.baseUrl + '/register-org/register'); - browser.sleep(MID_DELAY); - }); - - When(/^I navigate to EUI Register Organisation Url$/, async function () { - await browser.driver.manage().deleteAllCookies(); - await browser.get(config.config.baseUrl + '/register-org/register'); - browser.sleep(MID_DELAY); - }); - - Then('I am on Register organisation start page', async function () { - await createOrganisationObject.waitForStartRegisterPage(); - await expect(createOrganisationObject.start_button.isDisplayed(), 'Create Organisation START button not present').to.eventually.be.true; - await expect(await createOrganisationObject.start_button.getText(), 'Start button text not mathing with expected') - .to - .includes('Start'); - }); - - Then(/^I land on register organisation page and continue$/, async function () { - // await waitForElement('govuk-heading-xl'); - - await BrowserWaits.retryWithActionCallback(async () => { - try { - await BrowserWaits.waitForElement($('.govuk-heading-xl')); - await expect(createOrganisationObject.start_button.isDisplayed(), 'Create Organisation START button not present').to.eventually.be.true; - await expect(createOrganisationObject.start_button.getText()) - .to - .eventually - .include('Start'); - await createOrganisationObject.start_button.click(); - await createOrganisationObject.waitForPage("What's the name of your organisation?"); - - } catch (err){ - await browser.get(config.config.baseUrl + '/register-org/register'); - throw new Error(err); - } - }); - }); - - Then(/^I Enter the Organization name$/, async function () { - // await waitForElement('govuk-heading-xl'); - await expect(createOrganisationObject.org_name.isDisplayed(), 
'Input Organisation name nor present').to.eventually.be.true; - await createOrganisationObject.enterOrgName(); - await createOrganisationObject.continue_button.click(); - // browser.sleep(MID_DELAY); - }); - - Then(/^I Enter the Office Address details$/, async function () { - // await waitForElement(createOrganisationObject.officeAddressOne); - await expect(createOrganisationObject.officeAddressOne.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.officeAddressOne.sendKeys('1, Cliffinton'); - // browser.sleep(MID_DELAY); - await expect(createOrganisationObject.townName.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.townName.sendKeys('London'); - await expect(createOrganisationObject.postcode.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.postcode.sendKeys('SE15TY'); - await createOrganisationObject.continue_button.click(); - // browser.sleep(MID_DELAY); - }); - - Then(/^I Enter the PBA1 and PBA2 details$/, async function () { - // await waitForElement('govuk-heading-xl'); - browser.sleep(MID_DELAY); - await createOrganisationObject.PBAnumber1.isDisplayed(); - await createOrganisationObject.enterPBANumber(); - // await createOrganisationObject.PBAnumber2.isDisplayed(); - // await createOrganisationObject.enterPBA2Number(); - await createOrganisationObject.continue_button.click(); - browser.sleep(MID_DELAY); - }); - - Then(/^I Enter the DX Reference details$/, async function () { - await createOrganisationObject.clickDXreferenceCheck(); - browser.sleep(MID_DELAY); - await createOrganisationObject.DXNumber.isDisplayed(); - await createOrganisationObject.enterDXNumber(); - await createOrganisationObject.DXexchange.isDisplayed(); - await createOrganisationObject.enterDXENumber(); - await createOrganisationObject.continue_button.click(); - // browser.sleep(MID_DELAY); - }); - - Then(/^I Select and Enter the SRA number$/, async function () { - // await waitForElement('govuk-heading-xl'); - //await 
expect(createOrganisationObject.SRACheckBox.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.clickSRAreferenceCheck(); - // browser.sleep(MID_DELAY); - // await waitForElement('govuk-heading-xl'); - await expect(createOrganisationObject.SRANumber.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.enterSRANumber(); - await createOrganisationObject.continue_button.click(); - // browser.sleep(MID_DELAY); - }); - - Then(/^I Enter the firstName and lastName$/, async function () { - await waitForElement('govuk-heading-xl'); - expect(createOrganisationObject.firstName.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.firstName.sendKeys('Mario'); - expect(createOrganisationObject.lastName.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.lastName.sendKeys('Perta'); - await createOrganisationObject.continue_button.click(); - // browser.sleep(MID_DELAY); - }); - - Then(/^I Enter the Email Address$/, async function () { - // await waitForElement('govuk-heading-xl'); - await expect(createOrganisationObject.emailAddr.isDisplayed()).to.eventually.be.true; - - global.latestOrgSuperUser = Math.random().toString(36).substring(2) + '@mailinator.com'; - global.latestOrgSuperUserPassword = 'Monday01'; - - await createOrganisationObject.enterEmailAddress(global.latestOrgSuperUser); - await createOrganisationObject.continue_button.click(); - - // browser.sleep(MID_DELAY); - }); - - Then(/^I land on the summary page and check submit$/, async function () { - // browser.sleep(MID_DELAY); - // await waitForElement('govuk-heading-l'); - - await expect(createOrganisationObject.submit_button.isDisplayed()).to.eventually.be.true; - await expect(await createOrganisationObject.submit_button.getText()) - .to - .includes('Confirm and submit details'); - await createOrganisationObject.submit_button.click(); - }); - - Then(/^I created the organisation successfully$/, async function () { - // browser.sleep(MID_DELAY); 
- await createOrganisationObject.waitForSubmission(); - await expect(createOrganisationObject.org_success_heading.isDisplayed()).to.eventually.be.true; - await expect(await createOrganisationObject.org_success_heading.getText()) - .to - .includes('Registration details submitted'); - }); - - When(/^I am not entered Organization name$/, async function () { - createOrganisationObject.org_name.sendKeys(''); - await createOrganisationObject.continue_button.click(); - browser.sleep(MID_DELAY); - }); - - Then(/^I should be display organization error$/, async function () { - await expect(createOrganisationObject.org_failure_error_heading.isDisplayed()).to.eventually.be.true; - await expect(await createOrganisationObject.org_failure_error_heading.getText()) - .to - .includes('There is a problem'); - }); - - When(/^I am not entered the Office Address details$/, async function () { - await createOrganisationObject.officeAddressOne.sendKeys(''); - await createOrganisationObject.townName.sendKeys(''); - await createOrganisationObject.postcode.sendKeys(''); - await createOrganisationObject.continue_button.click(); - // browser.sleep(LONG_DELAY); - }); - Then(/^I should be display Office Address error$/, async function () { - await expect(createOrganisationObject.off_address_error_heading.isDisplayed()).to.eventually.be.true; - await expect(await createOrganisationObject.off_address_error_heading.getText()) - .to - .includes('There is a problem'); - }); - - When(/^I am not entered SRA number$/, async function () { - await createOrganisationObject.clickSRAreferenceCheck(); - await createOrganisationObject.waitForPage('Enter your organisation SRA ID'); - await createOrganisationObject.SRANumber.sendKeys(''); - await createOrganisationObject.continue_button.click(); - // browser.sleep(MID_DELAY); - }); - - Then(/^I should be display SRA error$/, async function () { - await createOrganisationObject.waitForPage('Enter your organisation SRA ID'); - await expect(await 
createOrganisationObject.sra_error_heading.getText()) - .to - .includes('There is a problem'); - }); - - When(/^I am not entered the email address$/, async function () { - await expect(createOrganisationObject.emailAddr.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.emailAddr.sendKeys(''); - await createOrganisationObject.continue_button.click(); - // browser.sleep(MID_DELAY); - }); - - Then(/^I should be display email error$/, async function () { - await expect(createOrganisationObject.email_error_heading.isDisplayed()).to.eventually.be.true; - await expect(await createOrganisationObject.email_error_heading.getText()) - .to - .includes('There is a problem'); - }); - - When(/^I Enter the invalid PBA1 and PBA2 details$/, async function () { - await expect(createOrganisationObject.PBAnumber1.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.PBAnumber1.sendKeys(1234455558); - // await createOrganisationObject.PBAnumber2.sendKeys(1233334988); - await createOrganisationObject.continue_button.click(); - // browser.sleep(LONG_DELAY); - }); - - Then(/^I should be display PBA error$/, async function () { - await expect(createOrganisationObject.pba_error_heading.isDisplayed()).to.eventually.be.true; - await expect(await createOrganisationObject.pba_error_heading.getText()) - .to - .includes('There is a problem'); - }); - - When(/^I am not entered the firstName and lastName$/, async function () { - await expect(createOrganisationObject.firstName.isDisplayed()).to.eventually.be.true; - await createOrganisationObject.firstName.sendKeys(''); - await createOrganisationObject.lastName.sendKeys(''); - await createOrganisationObject.continue_button.click(); - // browser.sleep(MID_DELAY); - }); - - Then(/^I should be display firstName and lastName error$/, async function () { - await expect(createOrganisationObject.name_error_heading.isDisplayed()).to.eventually.be.true; - await expect(await 
createOrganisationObject.name_error_heading.getText()) - .to - .includes('There is a problem'); - }); - - When('I am on page {string} in registration step', async function (page) { - await createOrganisationObject.waitForPage(page); - }); - - Then('I see content header already registered account', function () { - expect(createOrganisationObject.getAlreadyRegisteredAccountHeaderText()).to - .eventually. - equal('Already registered for a MyHMCTS account?'); - }); - - Then('I see manage cases link under already registered account header', function () { - expect(createOrganisationObject.isManageCasesLinkPresent()).to - .eventually. - be.true; - }); - - Then('I see manage org link under already registered account header', async function () { - expect(await createOrganisationObject.isManageOrgLinkPresent()).to - .be.true; - }); - - Then('I click and validate MC link opens in new tab', async function () { - await createOrganisationObject.clickAndValidateMCLink(); - }); - - Then('I click and validate MO link opens in new tab', async function () { - await createOrganisationObject.clickAndValidateMOLink(); - }); - - When('I click back link in register org workflow', async function () { - await createOrganisationObject.clickBackLink(); - }); +const createOrganisationObject = new CreateOrganisationObjects(); + +When(/^I navigate to EUI Manage Organisation Url$/, async function () { + await browser.driver.manage().deleteAllCookies(); + await browser.get(config.config.baseUrl + '/register-org/register'); + browser.sleep(MID_DELAY); +}); + +When(/^I navigate to EUI Register Organisation Url$/, async function () { + await browser.driver.manage().deleteAllCookies(); + await browser.get(config.config.baseUrl + '/register-org/register'); + browser.sleep(MID_DELAY); +}); + +Then('I am on Register organisation start page', async function () { + await createOrganisationObject.waitForStartRegisterPage(); + await expect(createOrganisationObject.start_button.isDisplayed(), 'Create 
Organisation START button not present').to.eventually.be.true; + await expect(await createOrganisationObject.start_button.getText(), 'Start button text not mathing with expected') + .to + .includes('Start'); +}); + +Then(/^I land on register organisation page and continue$/, async function () { + // await waitForElement('govuk-heading-xl'); + + await BrowserWaits.retryWithActionCallback(async () => { + try { + await BrowserWaits.waitForElement($('.govuk-heading-xl')); + await expect(createOrganisationObject.start_button.isDisplayed(), 'Create Organisation START button not present').to.eventually.be.true; + await expect(createOrganisationObject.start_button.getText()) + .to + .eventually + .include('Start'); + await createOrganisationObject.start_button.click(); + await createOrganisationObject.waitForPage("What's the name of your organisation?"); + + } catch (err){ + await browser.get(config.config.baseUrl + '/register-org/register'); + throw new Error(err); + } + }); +}); + +Then(/^I Enter the Organization name$/, async function () { + // await waitForElement('govuk-heading-xl'); + await expect(createOrganisationObject.org_name.isDisplayed(), 'Input Organisation name nor present').to.eventually.be.true; + await createOrganisationObject.enterOrgName(); + await createOrganisationObject.continue_button.click(); + // browser.sleep(MID_DELAY); +}); + +Then(/^I Enter the Office Address details$/, async function () { + // await waitForElement(createOrganisationObject.officeAddressOne); + await expect(createOrganisationObject.officeAddressOne.isDisplayed()).to.eventually.be.true; + await createOrganisationObject.officeAddressOne.sendKeys('1, Cliffinton'); + // browser.sleep(MID_DELAY); + await expect(createOrganisationObject.townName.isDisplayed()).to.eventually.be.true; + await createOrganisationObject.townName.sendKeys('London'); + await expect(createOrganisationObject.postcode.isDisplayed()).to.eventually.be.true; + await 
createOrganisationObject.postcode.sendKeys('SE15TY'); + await createOrganisationObject.continue_button.click(); + // browser.sleep(MID_DELAY); +}); + +Then(/^I Enter the PBA1 and PBA2 details$/, async function () { + // await waitForElement('govuk-heading-xl'); + browser.sleep(MID_DELAY); + await createOrganisationObject.PBAnumber1.isDisplayed(); + await createOrganisationObject.enterPBANumber(); + // await createOrganisationObject.PBAnumber2.isDisplayed(); + // await createOrganisationObject.enterPBA2Number(); + await createOrganisationObject.continue_button.click(); + browser.sleep(MID_DELAY); +}); + +Then(/^I Enter the DX Reference details$/, async function () { + await createOrganisationObject.clickDXreferenceCheck(); + browser.sleep(MID_DELAY); + await createOrganisationObject.DXNumber.isDisplayed(); + await createOrganisationObject.enterDXNumber(); + await createOrganisationObject.DXexchange.isDisplayed(); + await createOrganisationObject.enterDXENumber(); + await createOrganisationObject.continue_button.click(); + // browser.sleep(MID_DELAY); +}); + +Then(/^I Select and Enter the SRA number$/, async function () { + // await waitForElement('govuk-heading-xl'); + //await expect(createOrganisationObject.SRACheckBox.isDisplayed()).to.eventually.be.true; + await createOrganisationObject.clickSRAreferenceCheck(); + // browser.sleep(MID_DELAY); + // await waitForElement('govuk-heading-xl'); + await expect(createOrganisationObject.SRANumber.isDisplayed()).to.eventually.be.true; + await createOrganisationObject.enterSRANumber(); + await createOrganisationObject.continue_button.click(); + // browser.sleep(MID_DELAY); +}); + +Then(/^I Enter the firstName and lastName$/, async function () { + await waitForElement('govuk-heading-xl'); + expect(createOrganisationObject.firstName.isDisplayed()).to.eventually.be.true; + await createOrganisationObject.firstName.sendKeys('Mario'); + expect(createOrganisationObject.lastName.isDisplayed()).to.eventually.be.true; + await 
createOrganisationObject.lastName.sendKeys('Perta'); + await createOrganisationObject.continue_button.click(); + // browser.sleep(MID_DELAY); +}); + +Then(/^I Enter the Email Address$/, async function () { + // await waitForElement('govuk-heading-xl'); + await expect(createOrganisationObject.emailAddr.isDisplayed()).to.eventually.be.true; + + global.latestOrgSuperUser = Math.random().toString(36).substring(2) + '@mailinator.com'; + global.latestOrgSuperUserPassword = 'Monday01'; + + await createOrganisationObject.enterEmailAddress(global.latestOrgSuperUser); + await createOrganisationObject.continue_button.click(); + + // browser.sleep(MID_DELAY); +}); + +Then(/^I land on the summary page and check submit$/, async function () { + // browser.sleep(MID_DELAY); + // await waitForElement('govuk-heading-l'); + + await expect(createOrganisationObject.submit_button.isDisplayed()).to.eventually.be.true; + await expect(await createOrganisationObject.submit_button.getText()) + .to + .includes('Confirm and submit details'); + await createOrganisationObject.submit_button.click(); +}); + +Then(/^I created the organisation successfully$/, async function () { + // browser.sleep(MID_DELAY); + await createOrganisationObject.waitForSubmission(); + await expect(createOrganisationObject.org_success_heading.isDisplayed()).to.eventually.be.true; + await expect(await createOrganisationObject.org_success_heading.getText()) + .to + .includes('Registration details submitted'); +}); + +When(/^I am not entered Organization name$/, async function () { + createOrganisationObject.org_name.sendKeys(''); + await createOrganisationObject.continue_button.click(); + browser.sleep(MID_DELAY); +}); + +Then(/^I should be display organization error$/, async function () { + await expect(createOrganisationObject.org_failure_error_heading.isDisplayed()).to.eventually.be.true; + await expect(await createOrganisationObject.org_failure_error_heading.getText()) + .to + .includes('There is a problem'); +}); + 
+When(/^I am not entered the Office Address details$/, async function () { + await createOrganisationObject.officeAddressOne.sendKeys(''); + await createOrganisationObject.townName.sendKeys(''); + await createOrganisationObject.postcode.sendKeys(''); + await createOrganisationObject.continue_button.click(); + // browser.sleep(LONG_DELAY); +}); +Then(/^I should be display Office Address error$/, async function () { + await expect(createOrganisationObject.off_address_error_heading.isDisplayed()).to.eventually.be.true; + await expect(await createOrganisationObject.off_address_error_heading.getText()) + .to + .includes('There is a problem'); +}); + +When(/^I am not entered SRA number$/, async function () { + await createOrganisationObject.clickSRAreferenceCheck(); + await createOrganisationObject.waitForPage('Enter your organisation SRA ID'); + await createOrganisationObject.SRANumber.sendKeys(''); + await createOrganisationObject.continue_button.click(); + // browser.sleep(MID_DELAY); +}); + +Then(/^I should be display SRA error$/, async function () { + await createOrganisationObject.waitForPage('Enter your organisation SRA ID'); + await expect(await createOrganisationObject.sra_error_heading.getText()) + .to + .includes('There is a problem'); +}); + +When(/^I am not entered the email address$/, async function () { + await expect(createOrganisationObject.emailAddr.isDisplayed()).to.eventually.be.true; + await createOrganisationObject.emailAddr.sendKeys(''); + await createOrganisationObject.continue_button.click(); + // browser.sleep(MID_DELAY); +}); + +Then(/^I should be display email error$/, async function () { + await expect(createOrganisationObject.email_error_heading.isDisplayed()).to.eventually.be.true; + await expect(await createOrganisationObject.email_error_heading.getText()) + .to + .includes('There is a problem'); +}); + +When(/^I Enter the invalid PBA1 and PBA2 details$/, async function () { + await 
expect(createOrganisationObject.PBAnumber1.isDisplayed()).to.eventually.be.true; + await createOrganisationObject.PBAnumber1.sendKeys(1234455558); + // await createOrganisationObject.PBAnumber2.sendKeys(1233334988); + await createOrganisationObject.continue_button.click(); + // browser.sleep(LONG_DELAY); +}); + +Then(/^I should be display PBA error$/, async function () { + await expect(createOrganisationObject.pba_error_heading.isDisplayed()).to.eventually.be.true; + await expect(await createOrganisationObject.pba_error_heading.getText()) + .to + .includes('There is a problem'); +}); + +When(/^I am not entered the firstName and lastName$/, async function () { + await expect(createOrganisationObject.firstName.isDisplayed()).to.eventually.be.true; + await createOrganisationObject.firstName.sendKeys(''); + await createOrganisationObject.lastName.sendKeys(''); + await createOrganisationObject.continue_button.click(); + // browser.sleep(MID_DELAY); +}); + +Then(/^I should be display firstName and lastName error$/, async function () { + await expect(createOrganisationObject.name_error_heading.isDisplayed()).to.eventually.be.true; + await expect(await createOrganisationObject.name_error_heading.getText()) + .to + .includes('There is a problem'); +}); + +When('I am on page {string} in registration step', async function (page) { + await createOrganisationObject.waitForPage(page); +}); + +Then('I see content header already registered account', function () { + expect(createOrganisationObject.getAlreadyRegisteredAccountHeaderText()).to + .eventually. + equal('Already registered for a MyHMCTS account?'); +}); + +Then('I see manage cases link under already registered account header', function () { + expect(createOrganisationObject.isManageCasesLinkPresent()).to + .eventually. 
+ be.true; +}); + +Then('I see manage org link under already registered account header', async function () { + expect(await createOrganisationObject.isManageOrgLinkPresent()).to + .be.true; +}); + +Then('I click and validate MC link opens in new tab', async function () { + await createOrganisationObject.clickAndValidateMCLink(); +}); + +Then('I click and validate MO link opens in new tab', async function () { + await createOrganisationObject.clickAndValidateMOLink(); +}); + +When('I click back link in register org workflow', async function () { + await createOrganisationObject.clickBackLink(); +}); diff --git a/test_codecept/e2e/features/step_definitions/dataSetUp.steps.js b/test_codecept/e2e/features/step_definitions/dataSetUp.steps.js index a0d2c440a..da05aae43 100644 --- a/test_codecept/e2e/features/step_definitions/dataSetUp.steps.js +++ b/test_codecept/e2e/features/step_definitions/dataSetUp.steps.js 
@@ -1,57 +1,56 @@ 'use strict'; +import { Given, When } from 'cucumber'; const CreateOrganisationObjects = require('../pageObjects/createOrganisationObjects'); -const { defineSupportCode } = require('cucumber'); const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../support/constants'); const { config } = require('../../config/common.conf.js'); const approveOrganizationService = require('../pageObjects/approveOrganizationService'); const mailinatorService = require('../pageObjects/mailinatorService'); +const createOrganisationObject = new CreateOrganisationObjects(); - const createOrganisationObject = new CreateOrganisationObjects(); - - Given('I create test read write organisation', async function () { - if (global.testorgStatus >= 1){ - return; - } - global.TestOrg_rw_name = 'AUTOTEST_RW_' + Date.now(); - global.testorg_rw_superuser_email = 'autotest_user' + Date.now() + '@mailinator.com'; +Given('I create test read write organisation', async function () { + if (global.testorgStatus >= 1){ + return; + } + global.TestOrg_rw_name = 'AUTOTEST_RW_' + Date.now(); + global.testorg_rw_superuser_email = 'autotest_user' + Date.now() + '@mailinator.com'; - await browser.get(config.config.baseUrl + '/register-org/register'); - await createOrganisationObject.createOrganisation(global.TestOrg_rw_name, global.testorg_rw_superuser_email); + await browser.get(config.config.baseUrl + '/register-org/register'); + await createOrganisationObject.createOrganisation(global.TestOrg_rw_name, global.testorg_rw_superuser_email); - global.testorgStatus = '1'; - }); + global.testorgStatus = '1'; +}); - Given('I approve test read write organisation', async function () { - if (global.testorgStatus >= 2) { - return; - } - await approveOrganizationService.init(); - try { - await approveOrganizationService.approveOrg(global.TestOrg_rw_name); - global.testorgStatus = '2'; - await approveOrganizationService.destroy(); - } catch (err){ - this.attach('Error occured Approving 
organisation'); - await approveOrganizationService.destroy(); - logger(this, await approveOrganizationService.getScrenshot(), true); - await approveOrganizationService.destroy(); - throw err; - } - }); +Given('I approve test read write organisation', async function () { + if (global.testorgStatus >= 2) { + return; + } + await approveOrganizationService.init(); + try { + await approveOrganizationService.approveOrg(global.TestOrg_rw_name); + global.testorgStatus = '2'; + await approveOrganizationService.destroy(); + } catch (err){ + this.attach('Error occured Approving organisation'); + await approveOrganizationService.destroy(); + logger(this, await approveOrganizationService.getScrenshot(), true); + await approveOrganizationService.destroy(); + throw err; + } +}); - When('I activate test read write approved organisation super user', async function () { - if (global.testorgStatus >= 3) { - return; - } - await mailinatorService.init(); - mailinatorService.setLogger((message, isScreenshot) => logger(this, message, isScreenshot)); - await mailinatorService.openRegistrationEmailForUser(global.testorg_rw_superuser_email); - await mailinatorService.completeUserRegistrationFromEmail(); - await mailinatorService.destroy(); - global.testorgStatus = '3'; - }); +When('I activate test read write approved organisation super user', async function () { + if (global.testorgStatus >= 3) { + return; + } + await mailinatorService.init(); + mailinatorService.setLogger((message, isScreenshot) => logger(this, message, isScreenshot)); + await mailinatorService.openRegistrationEmailForUser(global.testorg_rw_superuser_email); + await mailinatorService.completeUserRegistrationFromEmail(); + await mailinatorService.destroy(); + global.testorgStatus = '3'; +}); function logger(world, message, isScreenshot) { diff --git a/test_codecept/e2e/features/step_definitions/inviteUser.steps.js b/test_codecept/e2e/features/step_definitions/inviteUser.steps.js index aba7cc38e..70b0d9c47 100644 
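Review bot: The added `import { Given, When } from 'cucumber'` on the first line of this hunk sits next to `require(...)` calls in the same file; Node loads a file as either ESM or CommonJS, so with `"type": "module"` (patch 04 in this series) every `require` here throws `ReferenceError: require is not defined`, and under CommonJS (patch 05) the `import` statement is a SyntaxError unless a transpiler rewrites it. Keep one module system, e.g. `const { Given, When } = require('cucumber');`, which is what the removed `defineSupportCode` destructuring used to provide. The same mix is introduced in this commit in inviteUser.steps.js, viewOrganisation.steps.js, viewUser.steps.js and hooks.js. Separately, the `catch` block of the approve step calls `approveOrganizationService.destroy()` both before and after `logger(...)`; the second call looks like a leftover, and the cleanup would read better as a single `finally`.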
--- a/test_codecept/e2e/features/step_definitions/inviteUser.steps.js
+++ b/test_codecept/e2e/features/step_definitions/inviteUser.steps.js
@@ -1,3 +1,5 @@
+import { When, Then } from 'cucumber';
+
 const loginPage = require('../pageObjects/loginLogoutObjects');
 const HeaderPage = require('../pageObjects/headerPage');
 const ViewUserPage = require('../pageObjects/viewUserPage.js');
@@ -5,172 +7,170 @@ const InviteUserPage = require('../pageObjects/inviteUserPage.js'); const TestData = require('../../utils/TestData.js'); const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../support/constants'); -Dropdown = require('../pageObjects/webdriver-components/dropdown.js'); -TextField = require('../pageObjects/webdriver-components/textField.js'); +const Dropdown = require('../pageObjects/webdriver-components/dropdown.js'); +const TextField = require('../pageObjects/webdriver-components/textField.js'); const { config } = require('../../config/common.conf.js'); const mailinatorService = require('../pageObjects/mailinatorService'); const browserWaits = require('../../support/customWaits'); const CucumberReportLogger = require('../../support/reportLogger'); -const { defineSupportCode } = require('cucumber'); const cucumberHtmlReporter = require('cucumber-html-reporter'); const { Error } = require('globalthis/implementation'); +const inviteUserPage=new InviteUserPage(); +const viewUserPage=new ViewUserPage(); +const headerPage = new HeaderPage(); + +const invitedUserEmail = ''; + +When(/^I click on invite user button$/, async function () { + await viewUserPage.clickInviteUser(); + // browser.sleep(LONG_DELAY); +}); + +When(/^I navigate to invite user page$/, async function () { + const inviteUserPath = config.config.baseUrl.endsWith('/') ? 
'users/invite-user' : '/users/invite-user'; + await browser.get(config.config.baseUrl + inviteUserPath); + await inviteUserPage.waitForPage(); +}); + +Then(/^I should be on display invite user page$/, async function () { + // browser.sleep(AMAZING_DELAY);; + await inviteUserPage.waitForPage(); + expect(await inviteUserPage.amOnPage(), 'Invite User page is not displayed').to.be.true; +}); + +When(/^I enter mandatory fields firstname,lastname,emailaddress,permissions and click on send invitation button$/, async function () { + await inviteUserPage.waitForPage(); + await inviteUserPage.enterIntoTextFieldFirstName(TestData.firstName); + await inviteUserPage.enterIntoTextFieldLastName(TestData.lastName); + + // var emailAddress =Math.random().toString(36).substring(2); + global.latestInvitedUser = Math.random().toString(36).substring(2)+'@mailinator.com'; + global.latestInvitedUserPassword = 'Monday01'; + + await inviteUserPage.enterIntoTextFieldEmailAddress(global.latestInvitedUser); + await inviteUserPage.manageUserCheckbox.click(); + browser.sleep(LONG_DELAY); + await inviteUserPage.clickSendInvitationButton(); + // browser.sleep(LONG_DELAY); +}); +Then(/^user should be created successfuly$/, async function () { + + await browserWaits.waitForElement(inviteUserPage.userInvitaionConfirmation) + await browserWaits.retryWithActionCallback(async () => { + expect(await inviteUserPage.userInvitaionConfirmation.getText()).to.include('You\'ve invited'); + + }) +}); + +When(/^I not enter the mandatory fields firstname,lastname,emailaddress,permissions and click on send invitation button$/, async function () { + await inviteUserPage.enterIntoTextFieldFirstName(''); + await inviteUserPage.enterIntoTextFieldLastName(''); + await inviteUserPage.enterIntoTextFieldEmailAddress(''); + await inviteUserPage.clickSendInvitationButton(); +}); + +When('I enter mandatory fields firstname,lastname,emailaddress with permissions and click on send invitation button', async function (table) { + 
await inviteUserPage.waitForPage(); + await inviteUserPage.enterIntoTextFieldFirstName(TestData.firstName); + await inviteUserPage.enterIntoTextFieldLastName(TestData.lastName); + global.latestInvitedUser = Math.random().toString(36).substring(2) + '@mailinator.com'; + global.latestInvitedUserPassword = 'Monday01'; + + await inviteUserPage.enterIntoTextFieldEmailAddress(global.latestInvitedUser); + const permissions = table.parse().hashes(); + for (let permCounter = 0; permCounter < permissions.length; permCounter++){ + await inviteUserPage.selectPermission(permissions[permCounter].Permission, true); + } + await inviteUserPage.clickSendInvitationButton(); +}); - const inviteUserPage=new InviteUserPage(); - const viewUserPage=new ViewUserPage(); - const headerPage = new HeaderPage(); - - const invitedUserEmail = ''; - - When(/^I click on invite user button$/, async function () { - await viewUserPage.clickInviteUser(); - // browser.sleep(LONG_DELAY); - }); - - When(/^I navigate to invite user page$/, async function () { - const inviteUserPath = config.config.baseUrl.endsWith('/') ? 
'users/invite-user' : '/users/invite-user'; - await browser.get(config.config.baseUrl + inviteUserPath); - await inviteUserPage.waitForPage(); - }); - - Then(/^I should be on display invite user page$/, async function () { - // browser.sleep(AMAZING_DELAY);; - await inviteUserPage.waitForPage(); - expect(await inviteUserPage.amOnPage(), 'Invite User page is not displayed').to.be.true; - }); - - When(/^I enter mandatory fields firstname,lastname,emailaddress,permissions and click on send invitation button$/, async function () { - await inviteUserPage.waitForPage(); - await inviteUserPage.enterIntoTextFieldFirstName(TestData.firstName); - await inviteUserPage.enterIntoTextFieldLastName(TestData.lastName); - - // var emailAddress =Math.random().toString(36).substring(2); - global.latestInvitedUser = Math.random().toString(36).substring(2)+'@mailinator.com'; - global.latestInvitedUserPassword = 'Monday01'; - - await inviteUserPage.enterIntoTextFieldEmailAddress(global.latestInvitedUser); - await inviteUserPage.manageUserCheckbox.click(); - browser.sleep(LONG_DELAY); - await inviteUserPage.clickSendInvitationButton(); - // browser.sleep(LONG_DELAY); - }); - Then(/^user should be created successfuly$/, async function () { - - await browserWaits.waitForElement(inviteUserPage.userInvitaionConfirmation) - await browserWaits.retryWithActionCallback(async () => { - expect(await inviteUserPage.userInvitaionConfirmation.getText()).to.include('You\'ve invited'); - - }) - }); - - When(/^I not enter the mandatory fields firstname,lastname,emailaddress,permissions and click on send invitation button$/, async function () { - await inviteUserPage.enterIntoTextFieldFirstName(''); - await inviteUserPage.enterIntoTextFieldLastName(''); - await inviteUserPage.enterIntoTextFieldEmailAddress(''); - await inviteUserPage.clickSendInvitationButton(); - }); - - When('I enter mandatory fields firstname,lastname,emailaddress with permissions and click on send invitation button', async function 
(table) { - await inviteUserPage.waitForPage(); - await inviteUserPage.enterIntoTextFieldFirstName(TestData.firstName); - await inviteUserPage.enterIntoTextFieldLastName(TestData.lastName); - global.latestInvitedUser = Math.random().toString(36).substring(2) + '@mailinator.com'; - global.latestInvitedUserPassword = 'Monday01'; - - await inviteUserPage.enterIntoTextFieldEmailAddress(global.latestInvitedUser); - const permissions = table.parse().hashes(); - for (let permCounter = 0; permCounter < permissions.length; permCounter++){ - await inviteUserPage.selectPermission(permissions[permCounter].Permission, true); - } - await inviteUserPage.clickSendInvitationButton(); - }); - - When('I edit user permissions', async function (table) { - const permissions = table.hashes(); - for (let permCounter = 0; permCounter < permissions.length; permCounter++) { - await inviteUserPage.selectPermission(permissions[permCounter].Permission, permissions[permCounter].isSelected === 'true'); - } - }); - - Then(/^I should be display the validation error$/, async function () { - await expect(inviteUserPage.failure_error_heading.isDisplayed()).to.eventually.be.true; - await expect(inviteUserPage.failure_error_heading.getText()) - .to - .eventually - .equal('There is a problem'); - }); - - When(/^I click on back button$/, async function () { - // browser.sleep(AMAZING_DELAY); - await inviteUserPage.clickBackButton(); - }); - - Then('I activate invited user', async function () { - await mailinatorService.init(); - try { - mailinatorService.setLogger((message, isScreenshot) => logger(this, message, isScreenshot)); - await mailinatorService.openRegistrationEmailForUser(global.latestInvitedUser); - this.attach('Registration email received successfully.'); - await mailinatorService.completeUserRegistrationFromEmail(); - this.attach('Registration completed successfully.'); - await mailinatorService.destroy(); - } catch (err){ - await 
CucumberReportLogger.AddScreenshot(mailinatorService.getScreenShotUtil()); - await mailinatorService.destroy(); - throw new Error('Error occured during user activation steps', err); - } - }); - - Then(/^I click on a Active User$/, async function () { - await inviteUserPage.findNextActiveUser(); - await browserWaits.waitForElement(inviteUserPage.activeUser) - await expect(inviteUserPage.activeUser.isDisplayed()).to.eventually.be.true; - await inviteUserPage.activeUser.click(); - }); - - Then(/^I see change link and suspend button$/, async function () { - - await browserWaits.waitForElement(inviteUserPage.userDetailsComponent); - await browserWaits.waitForElement(inviteUserPage.changeLink); - await browserWaits.waitForElement(inviteUserPage.suspendButton); - - await expect(inviteUserPage.changeLink.isDisplayed(), 'chnage link not displayed').to.eventually.be.true; - await expect(inviteUserPage.suspendButton.isDisplayed(), 'suspend button not displayed').to.eventually.be.true; - }); - - Then(/^I click on change link$/, async function () { - browser.sleep(MID_DELAY); - await inviteUserPage.changeLink.click(); - await expect(inviteUserPage.editUserText.isDisplayed()).to.eventually.be.true; - await expect(inviteUserPage.editUserText.getText()) - .to - .eventually - .equal('Edit user'); - }); - - Then(/^I edit the Manage User checkbox and click submit$/, async function () { - browser.sleep(MID_DELAY); - await inviteUserPage.manageUserCheckbox.click(); - await inviteUserPage.clickSendInvitationButton(); - browser.sleep(MID_DELAY); - await viewUserPage.waitForUserDetailsPage(); - await expect(inviteUserPage.suspendButton.isDisplayed()).to.eventually.be.true; - }); - - Then(/^I click the suspend button$/, async function () { - await inviteUserPage.suspendButton.click(); - }); - - Then(/^I see the suspend user page$/, async function () { - browser.sleep(MID_DELAY); - await expect(inviteUserPage.editUserText.isDisplayed()).to.eventually.be.true; - await 
expect(inviteUserPage.editUserText.getText()) - .to - .eventually - .equal('Are you sure you want to suspend this account?'); - }); +When('I edit user permissions', async function (table) { + const permissions = table.hashes(); + for (let permCounter = 0; permCounter < permissions.length; permCounter++) { + await inviteUserPage.selectPermission(permissions[permCounter].Permission, permissions[permCounter].isSelected === 'true'); + } +}); + +Then(/^I should be display the validation error$/, async function () { + await expect(inviteUserPage.failure_error_heading.isDisplayed()).to.eventually.be.true; + await expect(inviteUserPage.failure_error_heading.getText()) + .to + .eventually + .equal('There is a problem'); +}); + +When(/^I click on back button$/, async function () { + // browser.sleep(AMAZING_DELAY); + await inviteUserPage.clickBackButton(); +}); + +Then('I activate invited user', async function () { + await mailinatorService.init(); + try { + mailinatorService.setLogger((message, isScreenshot) => logger(this, message, isScreenshot)); + await mailinatorService.openRegistrationEmailForUser(global.latestInvitedUser); + this.attach('Registration email received successfully.'); + await mailinatorService.completeUserRegistrationFromEmail(); + this.attach('Registration completed successfully.'); + await mailinatorService.destroy(); + } catch (err){ + await CucumberReportLogger.AddScreenshot(mailinatorService.getScreenShotUtil()); + await mailinatorService.destroy(); + throw new Error('Error occured during user activation steps', err); + } +}); + +Then(/^I click on a Active User$/, async function () { + await inviteUserPage.findNextActiveUser(); + await browserWaits.waitForElement(inviteUserPage.activeUser) + await expect(inviteUserPage.activeUser.isDisplayed()).to.eventually.be.true; + await inviteUserPage.activeUser.click(); +}); + +Then(/^I see change link and suspend button$/, async function () { + + await 
browserWaits.waitForElement(inviteUserPage.userDetailsComponent); + await browserWaits.waitForElement(inviteUserPage.changeLink); + await browserWaits.waitForElement(inviteUserPage.suspendButton); + + await expect(inviteUserPage.changeLink.isDisplayed(), 'chnage link not displayed').to.eventually.be.true; + await expect(inviteUserPage.suspendButton.isDisplayed(), 'suspend button not displayed').to.eventually.be.true; +}); + +Then(/^I click on change link$/, async function () { + browser.sleep(MID_DELAY); + await inviteUserPage.changeLink.click(); + await expect(inviteUserPage.editUserText.isDisplayed()).to.eventually.be.true; + await expect(inviteUserPage.editUserText.getText()) + .to + .eventually + .equal('Edit user'); +}); + +Then(/^I edit the Manage User checkbox and click submit$/, async function () { + browser.sleep(MID_DELAY); + await inviteUserPage.manageUserCheckbox.click(); + await inviteUserPage.clickSendInvitationButton(); + browser.sleep(MID_DELAY); + await viewUserPage.waitForUserDetailsPage(); + await expect(inviteUserPage.suspendButton.isDisplayed()).to.eventually.be.true; +}); + +Then(/^I click the suspend button$/, async function () { + await inviteUserPage.suspendButton.click(); +}); + +Then(/^I see the suspend user page$/, async function () { + browser.sleep(MID_DELAY); + await expect(inviteUserPage.editUserText.isDisplayed()).to.eventually.be.true; + await expect(inviteUserPage.editUserText.getText()) + .to + .eventually + .equal('Are you sure you want to suspend this account?'); +}); function logger(world, message, isScreenshot){ diff --git a/test_codecept/e2e/features/step_definitions/viewOrganisation.steps.js b/test_codecept/e2e/features/step_definitions/viewOrganisation.steps.js index 21d061cf9..b06b9bf93 100644 --- a/test_codecept/e2e/features/step_definitions/viewOrganisation.steps.js +++ b/test_codecept/e2e/features/step_definitions/viewOrganisation.steps.js 
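Review bot: Both invite steps assign a fixed committed password, `global.latestInvitedUserPassword = 'Monday01'`, to an account whose mailbox is a public mailinator address, so — assuming registration completes with that value — any account the suite creates in the target environment can be signed into by anyone who reads the repository; move the value into test configuration or an environment variable and generate it per run. `const invitedUserEmail = '';` is never read and can be dropped. In `I activate invited user`, `throw new Error('Error occured during user activation steps', err)` discards `err`, because the second argument to `Error` is an options object on the Node versions the package requires (`>=18.17.0`); use `new Error('Error occured during user activation steps', { cause: err })` so the original failure reaches the report. The `browser.sleep(LONG_DELAY)` before `clickSendInvitationButton()` is not awaited and, unless the WebDriver control flow is enabled, does not actually delay the click.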
@@ -1,3 +1,5 @@
+import { When, Then } from 'cucumber';
+
 const ViewOrganisationPage = require('../pageObjects/viewOrganisationPage.js');
 const HeaderPage = require('../pageObjects/headerPage');
 const loginPage = require('../pageObjects/loginLogoutObjects');
@@ -5,50 +7,49 @@ const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../sup const browserWaits = require('../../support/customWaits'); const { config } = require('../../config/common.conf.js'); -const { defineSupportCode } = require('cucumber'); - const viewOrganisationPage=new ViewOrganisationPage(); - const headerPage = new HeaderPage(); +const viewOrganisationPage=new ViewOrganisationPage(); +const headerPage = new HeaderPage(); - When(/^I click on organisation button$/, async function () { - await headerPage.clickOrganisation(); - const world = this; - await browserWaits.retryWithAction(viewOrganisationPage.header, async function (message) { - world.attach('Retrying Click Organisation : ' + message); - global.screenShotUtils.takeScreenshot() - .then((stream) => { - const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); - world.attach(decodedImage, 'image/png'); - }); - await browser.get(config.config.baseUrl + '/organisation'); - - // await headerPage.clickOrganisation(); - }); - }); +When(/^I click on organisation button$/, async function () { + await headerPage.clickOrganisation(); + const world = this; + await browserWaits.retryWithAction(viewOrganisationPage.header, async function (message) { + world.attach('Retrying Click Organisation : ' + message); + global.screenShotUtils.takeScreenshot() + .then((stream) => { + const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); + world.attach(decodedImage, 'image/png'); + }); + await browser.get(config.config.baseUrl + '/organisation'); - Then(/^I should be on display the name and address details of organisation$/, async function () { - // browser.sleep(LONG_DELAY); - const world = this; - await browserWaits.retryWithActionCallback( async function (message) { - await headerPage.clickOrganisation(); - await browserWaits.waitForElement(viewOrganisationPage.header) - }); - expect(await 
viewOrganisationPage.amOnPage(), 'Organisation page not displayed').to.be.true; + // await headerPage.clickOrganisation(); }); +}); - Then(/^I should see name and address details of Organisation$/, async function () { - // browser.sleep(LONG_DELAY); - const world = this; - - await browserWaits.retryWithAction(viewOrganisationPage.header, async function (message) { - world.attach('Retrying Click Organisation : ' + message); - screenShotUtils.takeScreenshot() - .then((stream) => { - const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); - world.attach(decodedImage, 'image/png'); - }); - await headerPage.clickOrganisation(); - }); - expect(await viewOrganisationPage.amOnPage(), 'Organisation page not displayed').to.be.true; +Then(/^I should be on display the name and address details of organisation$/, async function () { + // browser.sleep(LONG_DELAY); + const world = this; + await browserWaits.retryWithActionCallback( async function (message) { + await headerPage.clickOrganisation(); + await browserWaits.waitForElement(viewOrganisationPage.header) + }); + expect(await viewOrganisationPage.amOnPage(), 'Organisation page not displayed').to.be.true; +}); + +Then(/^I should see name and address details of Organisation$/, async function () { + // browser.sleep(LONG_DELAY); + const world = this; + + await browserWaits.retryWithAction(viewOrganisationPage.header, async function (message) { + world.attach('Retrying Click Organisation : ' + message); + screenShotUtils.takeScreenshot() + .then((stream) => { + const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); + world.attach(decodedImage, 'image/png'); + }); + await headerPage.clickOrganisation(); }); + expect(await viewOrganisationPage.amOnPage(), 'Organisation page not displayed').to.be.true; +}); 
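Review bot: `new Buffer(stream.replace(...), 'base64')` in both retry callbacks uses the deprecated `Buffer` constructor (Node DEP0005); replace it with `Buffer.from(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64')`. The screenshot promise is neither awaited nor given a `.catch`, so a failing `takeScreenshot()` becomes an unhandled rejection and the attach can land after the step has finished; `await` it inside the callback. The third step reads a bare `screenShotUtils` while the first uses `global.screenShotUtils`, which only works because it is a global — pick one spelling. `const world = this;` in the second step is unused.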
diff --git a/test_codecept/e2e/features/step_definitions/viewUser.steps.js b/test_codecept/e2e/features/step_definitions/viewUser.steps.js
index 319a41367..56f578825 100644
--- a/test_codecept/e2e/features/step_definitions/viewUser.steps.js
+++ b/test_codecept/e2e/features/step_definitions/viewUser.steps.js
@@ -1,3 +1,5 @@
+import { When, Then } from 'cucumber';
+
 const ViewUserPage = require('../pageObjects/viewUserPage.js');
 const HeaderPage = require('../pageObjects/headerPage');
 const loginPage = require('../pageObjects/loginLogoutObjects');
@@ -5,44 +7,43 @@ const loginPage = require('../pageObjects/loginLogoutObjects'); const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../support/constants'); const { config } = require('../../config/common.conf.js'); -const { defineSupportCode } = require('cucumber'); const browserWaits = require('../../support/customWaits'); - const viewUserPage = new ViewUserPage(); - const headerPage = new HeaderPage(); +const viewUserPage = new ViewUserPage(); +const headerPage = new HeaderPage(); - When(/^I click on user button$/, async function () { - // browser.sleep(LONG_DELAY); - const world = this; +When(/^I click on user button$/, async function () { + // browser.sleep(LONG_DELAY); + const world = this; - await headerPage.clickUser(); + await headerPage.clickUser(); - await browserWaits.retryWithActionCallback( async function (message) { - await browser.get(config.config.baseUrl+'/users'); - await browserWaits.waitForElement(viewUserPage.header) - // await headerPage.clickUser(); - }); + await browserWaits.retryWithActionCallback( async function (message) { + await browser.get(config.config.baseUrl+'/users'); + await browserWaits.waitForElement(viewUserPage.header) + // await headerPage.clickUser(); + }); - await viewUserPage.amOnPage(); + await viewUserPage.amOnPage(); - // browser.sleep(AMAZING_DELAY); - }); + // browser.sleep(AMAZING_DELAY); +}); - Then(/^I should be on display the user details$/, async function () { - // browser.sleep(AMAZING_DELAY); - expect(await viewUserPage.amOnPage()).to.be.true; - // browser.sleep(LONG_DELAY); - }); +Then(/^I should be on display the user details$/, async function () { + // browser.sleep(AMAZING_DELAY); + expect(await viewUserPage.amOnPage()).to.be.true; + // browser.sleep(LONG_DELAY); +}); - Then('I should see invited user is listed in users table', async function () { - await viewUserPage.validateUserWithEmailListed(global.latestInvitedUser); - }); +Then('I should see invited user is listed in users 
table', async function () { + await viewUserPage.validateUserWithEmailListed(global.latestInvitedUser); +}); - Then('I should see all user details displayed in table', async function () { - await viewUserPage.validateUsersTableDisplaysAllDetails(); - }); +Then('I should see all user details displayed in table', async function () { + await viewUserPage.validateUsersTableDisplaysAllDetails(); +}); - Then('I should see no empty cells in table', async function () { - await viewUserPage.validateTableHasNoEmptyCells(); - }); +Then('I should see no empty cells in table', async function () { + await viewUserPage.validateTableHasNoEmptyCells(); +}); diff --git a/test_codecept/e2e/support/hooks.js b/test_codecept/e2e/support/hooks.js index ab5692b83..98de48e68 100644 --- a/test_codecept/e2e/support/hooks.js +++ b/test_codecept/e2e/support/hooks.js @@ -1,6 +1,7 @@ 'use strict'; +import { Before, After } from 'cucumber'; + const Cucumber = require('cucumber'); -const { defineSupportCode } = require('cucumber'); const fs = require('fs'); const mkdirp = require('mkdirp'); const conf = require('../config/common.conf').config; @@ -16,7 +17,6 @@ const targetJson = `${jsonReports}/cucumber_report.json`; const { Given, When, Then } = require('cucumber'); const CucumberReportLogger = require('./reportLogger'); -// defineSupportCode(function({After }) { // registerHandler("BeforeFeature", { timeout: 500 * 1000 }, function() { // var origFn = browser.driver.controlFlow().execute; // 
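Review bot: In `I click on user button` the value of `await viewUserPage.amOnPage()` is discarded, so the step passes even when the users page is not displayed; either drop the call or assert it as the following Then does, `expect(await viewUserPage.amOnPage()).to.be.true;`. The retry callback declares a `message` parameter it never uses, and `await browserWaits.waitForElement(viewUserPage.header)` is missing the semicolon the surrounding lines use.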
@@ -91,38 +91,36 @@ const CucumberReportLogger = require('./reportLogger'); // }); -defineSupportCode(({ Before, After }) => { - Before(function (scenario, done){ - const world = this; - CucumberReportLogger.setScenarioWorld(world); - done(); - }); +Before(function (scenario, done){ + const world = this; + CucumberReportLogger.setScenarioWorld(world); + done(); +}); - After(function(scenario, done) { - const world = this; - if (scenario.result.status === 'failed') { - screenShotUtils.takeScreenshot().then((stream) => { - const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); - world.attach(decodedImage, 'image/png'); - }) - .then(() => { - browser.manage().logs().get('browser').then(function (browserLog) { - // console.log('log: ' + require('util').inspect(browserLog)); - const browserErrorLogs = []; - for (let browserLogCounter = 0; browserLogCounter < browserLog.length; browserLogCounter++){ - if (browserLog[browserLogCounter].level.value > 900){ - browserErrorLogs.push(browserLog[browserLogCounter]); - } +After(function(scenario, done) { + const world = this; + if (scenario.result.status === 'failed') { + screenShotUtils.takeScreenshot().then((stream) => { + const decodedImage = new Buffer(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64'); + world.attach(decodedImage, 'image/png'); + }) + .then(() => { + browser.manage().logs().get('browser').then(function (browserLog) { + // console.log('log: ' + require('util').inspect(browserLog)); + const browserErrorLogs = []; + for (let browserLogCounter = 0; browserLogCounter < browserLog.length; browserLogCounter++){ + if (browserLog[browserLogCounter].level.value > 900){ + browserErrorLogs.push(browserLog[browserLogCounter]); } - // world.attach(JSON.stringify(browserLog, null, 2)); + } + // world.attach(JSON.stringify(browserLog, null, 2)); - world.attach(JSON.stringify(browserErrorLogs, null, 2)); - // scenario.attach(scenario); - done(); - }); + 
world.attach(JSON.stringify(browserErrorLogs, null, 2)); + // scenario.attach(scenario); + done(); }); - } else { - done(); - } - }); + }); + } else { + done(); + } }); From 4f1c7953bf80604768096f83243f5970e188a1a2 Mon Sep 17 00:00:00 2001 From: Andy Wilkins Date: Wed, 31 Jul 2024 18:03:22 +0100 Subject: [PATCH 03/37] temp enable crossbrowser tests --- Jenkinsfile_CNP | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/Jenkinsfile_CNP b/Jenkinsfile_CNP index 8c8777f37..9a7cb7b32 100644 --- a/Jenkinsfile_CNP +++ b/Jenkinsfile_CNP @@ -55,6 +55,8 @@ withPipeline(type, product, component) { loadVaultSecrets(secrets) enableAksStagingDeployment() syncBranchesWithMaster(branchesToSync) + // temp enable to test nightly function + enableCrossBrowserTest() enablePactAs([ AppPipelineDsl.PactRoles.CONSUMER @@ -191,5 +193,14 @@ withPipeline(type, product, component) { reportName : 'AAT Functional Test' ]) } - + afterSuccess('crossBrowserTest') { + publishHTML([ + allowMissing : true, + alwaysLinkToLastBuild: true, + keepAll : true, + reportDir : "reports/tests/crossbrowser/", + reportFiles : 'index.html', + reportName : 'XUI Manage Organisation Cross Browser Tests' + ]) + } } From 3e9fcc1a388f958657e0c33bcb7fc8b5cc564f8f Mon Sep 17 00:00:00 2001 From: Andy Wilkins Date: Thu, 1 Aug 2024 10:36:37 +0100 Subject: [PATCH 04/37] type module so we can use import --- package.json | 1 + 1 file changed, 1 insertion(+) diff --git a/package.json b/package.json index 7ee32076c..befdd5bbb 100644 --- a/package.json +++ b/package.json @@ -4,6 +4,7 @@ "engines": { "node": ">=18.17.0" }, + "type": "module", "scripts": { "build": "yarn build:prod && yarn build:node", "build:prod": "ng build --configuration production", From 5d36f40f4c834e8e5abb229b55ae32d74d4e92c6 Mon Sep 17 00:00:00 2001 From: Andy Wilkins Date: Thu, 1 Aug 2024 10:58:41 +0100 Subject: [PATCH 05/37] type commonjs --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
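Review bot: The `After` hook still builds the screenshot with `new Buffer(stream.replace(...), 'base64')`, the deprecated `Buffer()` constructor (DEP0005) whose behaviour depends on the argument type; `const decodedImage = Buffer.from(stream.replace(/^data:image\/(png|gif|jpeg);base64,/, ''), 'base64');` is the drop-in replacement. Separately, the promise chain in the failed-scenario branch has no rejection handler and the inner `browser.manage().logs().get('browser').then(...)` is not returned, so if the screenshot or log fetch rejects `done` is never called, the hook times out, and the original scenario failure is masked. Returning the inner promise (`return browser.manage().logs().get('browser').then(...)`) and ending the chain with `.catch((err) => done(err));` keeps the hook from hanging; making the hook `async` and awaiting each step would be the cleaner shape.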
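Review bot: `enableCrossBrowserTest()` is committed under a comment that says it is temporary, but nothing marks it for removal, so if this branch merges the cross-browser stage runs on every pipeline execution rather than only in the nightly job the comment refers to. What the shared-library call actually triggers is not visible here, but cross-browser stages typically use an external grid and credentials loaded via `loadVaultSecrets(secrets)` just above, which is worth keeping off ordinary PR builds. Suggest either removing the line before merge or replacing the comment with a tracked marker such as `// TODO(<ticket>): remove — temporarily enabled to exercise the nightly cross-browser stage`.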
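Review bot: Adding `"type": "module"` flips every `.js` file in the package to ESM, not just the one hook file that wants an `import` statement; the step-definition and hook files visible earlier in this series all use `'use strict'` and `require(...)`, which fail under ESM with "require is not defined in ES module scope". The later patches in this series revert this line, which is consistent with that breakage. If ESM is wanted only for the e2e support code, a nested package.json with `"type": "module"` in that directory, or `.mjs` extensions for the files concerned, scopes the change without touching the Angular/Node build.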
diff --git a/package.json b/package.json index befdd5bbb..3eae81306 100644 --- a/package.json +++ b/package.json @@ -4,7 +4,7 @@ "engines": { "node": ">=18.17.0" }, - "type": "module", + "type": "commonjs", "scripts": { "build": "yarn build:prod && yarn build:node", "build:prod": "ng build --configuration production", From 2239a84c6f348756f0e65e28b9dfa495bdde2a65 Mon Sep 17 00:00:00 2001 From: Andy Wilkins Date: Fri, 2 Aug 2024 15:04:33 +0100 Subject: [PATCH 06/37] can't use import --- package.json | 1 - .../features/step_definitions/acceptTermsAndConditions.steps.js | 2 +- test/e2e/features/step_definitions/approveOrg.steps.js | 2 +- test/e2e/features/step_definitions/createOrganisation.steps.js | 2 +- test/e2e/features/step_definitions/dataSetUp.steps.js | 2 +- test/e2e/features/step_definitions/headerPage.steps.js | 2 +- test/e2e/features/step_definitions/inviteUser.steps.js | 2 +- test/e2e/features/step_definitions/loginLogout.steps.js | 2 +- test/e2e/features/step_definitions/viewOrganisation.steps.js | 2 +- test/e2e/features/step_definitions/viewUser.steps.js | 2 +- test/e2e/support/hooks.js | 2 +- .../features/step_definitions/acceptTermsAndConditions.steps.js | 2 +- test_codecept/e2e/features/step_definitions/approveOrg.steps.js | 2 +- .../e2e/features/step_definitions/createOrganisation.steps.js | 2 +- test_codecept/e2e/features/step_definitions/dataSetUp.steps.js | 2 +- test_codecept/e2e/features/step_definitions/inviteUser.steps.js | 2 +- .../e2e/features/step_definitions/viewOrganisation.steps.js | 2 +- test_codecept/e2e/features/step_definitions/viewUser.steps.js | 2 +- test_codecept/e2e/support/hooks.js | 2 +- 19 files changed, 18 insertions(+), 19 deletions(-) diff --git a/package.json b/package.json index 3eae81306..7ee32076c 100644 --- a/package.json +++ b/package.json 
@@ -4,7 +4,6 @@ "engines": { "node": ">=18.17.0" }, - "type": "commonjs", "scripts": { "build": "yarn build:prod && yarn build:node", "build:prod": "ng build --configuration production", diff --git a/test/e2e/features/step_definitions/acceptTermsAndConditions.steps.js b/test/e2e/features/step_definitions/acceptTermsAndConditions.steps.js index 5a4f3a980..ef8f9fabd 100644 --- a/test/e2e/features/step_definitions/acceptTermsAndConditions.steps.js +++ b/test/e2e/features/step_definitions/acceptTermsAndConditions.steps.js @@ -1,4 +1,4 @@ -import { Then, When } from 'cucumber'; +const { Then, When } = require('cucumber'); const acceptTermsAndConditionsPage = require('../pageObjects/termsAndConditionsConfirmPage'); const HeaderPage = require('../pageObjects/headerPage'); diff --git a/test/e2e/features/step_definitions/approveOrg.steps.js b/test/e2e/features/step_definitions/approveOrg.steps.js index 132d58e90..143cb8ed6 100644 --- a/test/e2e/features/step_definitions/approveOrg.steps.js +++ b/test/e2e/features/step_definitions/approveOrg.steps.js @@ -1,4 +1,4 @@ -import { When } from 'cucumber'; +const { When } = require('cucumber'); const approveOrganizationService = require('../pageObjects/approveOrganizationService'); diff --git a/test/e2e/features/step_definitions/createOrganisation.steps.js b/test/e2e/features/step_definitions/createOrganisation.steps.js index 377746492..868a88d2c 100644 --- a/test/e2e/features/step_definitions/createOrganisation.steps.js +++ b/test/e2e/features/step_definitions/createOrganisation.steps.js @@ -1,5 +1,5 @@ 'use strict'; -import { Then, When } from 'cucumber'; +const { Then, When } = require('cucumber'}; const CreateOrganisationObjects = require('../pageObjects/createOrganisationObjects'); diff --git a/test/e2e/features/step_definitions/dataSetUp.steps.js b/test/e2e/features/step_definitions/dataSetUp.steps.js index 52f8f393a..e0de17405 100644 --- a/test/e2e/features/step_definitions/dataSetUp.steps.js 
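Review bot: The new line in createOrganisation.steps.js reads `const { Then, When } = require('cucumber'};` — the call is closed with `}` instead of `)`, which is a syntax error and will stop every step file in that directory from loading. It should be `const { Then, When } = require('cucumber');`, matching the same replacement made in the sibling files in this patch. The rest of the file sits outside the hunk.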
+++ b/test/e2e/features/step_definitions/dataSetUp.steps.js @@ -1,6 +1,6 @@ 'use strict'; -import { When } from 'cucumber'; +const { When} = require('cucumber'); const CreateOrganisationObjects = require('../pageObjects/createOrganisationObjects'); const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../support/constants'); diff --git a/test/e2e/features/step_definitions/headerPage.steps.js b/test/e2e/features/step_definitions/headerPage.steps.js index 680bf14ef..fed3e7b51 100644 --- a/test/e2e/features/step_definitions/headerPage.steps.js +++ b/test/e2e/features/step_definitions/headerPage.steps.js @@ -1,5 +1,5 @@ -import { Then } from 'cucumber' +const { Then} = require('cucumber') const HeaderPage = require('../pageObjects/headerPage'); const ViewUserPage = require('../pageObjects/viewUserPage.js'); diff --git a/test/e2e/features/step_definitions/inviteUser.steps.js b/test/e2e/features/step_definitions/inviteUser.steps.js index 350ea0aac..cea326d41 100644 --- a/test/e2e/features/step_definitions/inviteUser.steps.js +++ b/test/e2e/features/step_definitions/inviteUser.steps.js @@ -1,4 +1,4 @@ -import { Then, When } from 'cucumber'; +const { Then, When} = require('cucumber'); const loginPage = require('../pageObjects/loginLogoutObjects'); const HeaderPage = require('../pageObjects/headerPage'); diff --git a/test/e2e/features/step_definitions/loginLogout.steps.js b/test/e2e/features/step_definitions/loginLogout.steps.js index 1bea13f0a..ce7a5fa71 100644 --- a/test/e2e/features/step_definitions/loginLogout.steps.js +++ b/test/e2e/features/step_definitions/loginLogout.steps.js @@ -1,6 +1,6 @@ 'use strict'; -import { Given, Then, When } from 'cucumber'; +const { Given, Then, When} = require('cucumber'); const loginPage = require('../pageObjects/loginLogoutObjects'); const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../support/constants'); 
diff --git a/test/e2e/features/step_definitions/viewOrganisation.steps.js b/test/e2e/features/step_definitions/viewOrganisation.steps.js index 3a17f9e78..9e7a9e2a0 100644 --- a/test/e2e/features/step_definitions/viewOrganisation.steps.js +++ b/test/e2e/features/step_definitions/viewOrganisation.steps.js @@ -1,4 +1,4 @@ -import { When, Then } from 'cucumber'; +const { When, Then} = require('cucumber'); const ViewOrganisationPage = require('../pageObjects/viewOrganisationPage.js'); const HeaderPage = require('../pageObjects/headerPage'); diff --git a/test/e2e/features/step_definitions/viewUser.steps.js b/test/e2e/features/step_definitions/viewUser.steps.js index f2896c101..2c0d43155 100644 --- a/test/e2e/features/step_definitions/viewUser.steps.js +++ b/test/e2e/features/step_definitions/viewUser.steps.js @@ -1,4 +1,4 @@ -import { Then, When } from 'cucumber'; +const { Then, When } = require('cucumber'); const ViewUserPage = require('../pageObjects/viewUserPage.js'); const HeaderPage = require('../pageObjects/headerPage'); diff --git a/test/e2e/support/hooks.js b/test/e2e/support/hooks.js index aa7a25c88..1825588bc 100644 --- a/test/e2e/support/hooks.js +++ b/test/e2e/support/hooks.js @@ -1,5 +1,5 @@ 'use strict'; -import { Before, After } from 'cucumber'; +const { Before, After } = require('cucumber'); const fs = require('fs'); const mkdirp = require('mkdirp'); diff --git a/test_codecept/e2e/features/step_definitions/acceptTermsAndConditions.steps.js b/test_codecept/e2e/features/step_definitions/acceptTermsAndConditions.steps.js index ff648fd21..d176a43c4 100644 --- a/test_codecept/e2e/features/step_definitions/acceptTermsAndConditions.steps.js +++ b/test_codecept/e2e/features/step_definitions/acceptTermsAndConditions.steps.js 
@@ -1,4 +1,4 @@ -import { Then, When } from 'cucumber'; +const { Then, When} = require('cucumber'); const acceptTermsAndConditionsPage = require('../pageObjects/termsAndConditionsConfirmPage'); const HeaderPage = require('../pageObjects/headerPage'); diff --git a/test_codecept/e2e/features/step_definitions/approveOrg.steps.js b/test_codecept/e2e/features/step_definitions/approveOrg.steps.js index 0f4db4d1a..fd58f8dcc 100644 --- a/test_codecept/e2e/features/step_definitions/approveOrg.steps.js +++ b/test_codecept/e2e/features/step_definitions/approveOrg.steps.js @@ -1,4 +1,4 @@ -import { When } from 'cucumber'; +const { When} = require('cucumber'); const approveOrganizationService = require('../pageObjects/approveOrganizationService'); diff --git a/test_codecept/e2e/features/step_definitions/createOrganisation.steps.js b/test_codecept/e2e/features/step_definitions/createOrganisation.steps.js index 4a72db990..ba5e0a74c 100644 --- a/test_codecept/e2e/features/step_definitions/createOrganisation.steps.js +++ b/test_codecept/e2e/features/step_definitions/createOrganisation.steps.js @@ -1,6 +1,6 @@ 'use strict'; -import { Then, When } from 'cucumber'; +const { Then, When} = require('cucumber'); const CreateOrganisationObjects = require('../pageObjects/createOrganisationObjects'); const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../support/constants'); diff --git a/test_codecept/e2e/features/step_definitions/dataSetUp.steps.js b/test_codecept/e2e/features/step_definitions/dataSetUp.steps.js index da05aae43..0ee4116b0 100644 --- a/test_codecept/e2e/features/step_definitions/dataSetUp.steps.js +++ b/test_codecept/e2e/features/step_definitions/dataSetUp.steps.js 
@@ -1,5 +1,5 @@ 'use strict'; -import { Given, When } from 'cucumber'; +const { Given, When} = require('cucumber'); const CreateOrganisationObjects = require('../pageObjects/createOrganisationObjects'); const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../support/constants'); diff --git a/test_codecept/e2e/features/step_definitions/inviteUser.steps.js b/test_codecept/e2e/features/step_definitions/inviteUser.steps.js index 70b0d9c47..267b87ffe 100644 --- a/test_codecept/e2e/features/step_definitions/inviteUser.steps.js +++ b/test_codecept/e2e/features/step_definitions/inviteUser.steps.js @@ -1,4 +1,4 @@ -import { When, Then } from 'cucumber'; +const { When, Then } = require('cucumber'); const loginPage = require('../pageObjects/loginLogoutObjects'); const HeaderPage = require('../pageObjects/headerPage'); diff --git a/test_codecept/e2e/features/step_definitions/viewOrganisation.steps.js b/test_codecept/e2e/features/step_definitions/viewOrganisation.steps.js index b06b9bf93..ca47d25dd 100644 --- a/test_codecept/e2e/features/step_definitions/viewOrganisation.steps.js +++ b/test_codecept/e2e/features/step_definitions/viewOrganisation.steps.js @@ -1,4 +1,4 @@ -import { When, Then } from 'cucumber'; +const { When, Then} = require('cucumber'); const ViewOrganisationPage = require('../pageObjects/viewOrganisationPage.js'); const HeaderPage = require('../pageObjects/headerPage'); diff --git a/test_codecept/e2e/features/step_definitions/viewUser.steps.js b/test_codecept/e2e/features/step_definitions/viewUser.steps.js index 56f578825..da00aea45 100644 --- a/test_codecept/e2e/features/step_definitions/viewUser.steps.js +++ b/test_codecept/e2e/features/step_definitions/viewUser.steps.js @@ -1,4 +1,4 @@ -import { When, Then } from 'cucumber'; +const { When, Then} = require('cucumber'); const ViewUserPage = require('../pageObjects/viewUserPage.js'); const HeaderPage = require('../pageObjects/headerPage'); 
diff --git a/test_codecept/e2e/support/hooks.js b/test_codecept/e2e/support/hooks.js index 98de48e68..04c4c41dd 100644 --- a/test_codecept/e2e/support/hooks.js +++ b/test_codecept/e2e/support/hooks.js @@ -1,5 +1,5 @@ 'use strict'; -import { Before, After } from 'cucumber'; +const { Before, After} = require('cucumber'); const Cucumber = require('cucumber'); const fs = require('fs'); From cf62ff7af629143ef0e070de5b30a2d9432fae23 Mon Sep 17 00:00:00 2001 From: Josh Date: Mon, 9 Sep 2024 14:49:31 +0100 Subject: [PATCH 07/37] move crossbrowser step before function tests --- Jenkinsfile_CNP | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/Jenkinsfile_CNP b/Jenkinsfile_CNP index 9a7cb7b32..8a8061f94 100644 --- a/Jenkinsfile_CNP +++ b/Jenkinsfile_CNP @@ -173,6 +173,17 @@ withPipeline(type, product, component) { ]) } + afterSuccess('crossBrowserTest') { + publishHTML([ + allowMissing : true, + alwaysLinkToLastBuild: true, + keepAll : true, + reportDir : "reports/tests/crossbrowser/", + reportFiles : 'index.html', + reportName : 'XUI Manage Organisation Cross Browser Tests' + ]) + } + afterSuccess('functionalTest:aat') { publishHTML([ @@ -193,14 +204,5 @@ withPipeline(type, product, component) { reportName : 'AAT Functional Test' ]) } - afterSuccess('crossBrowserTest') { - publishHTML([ - allowMissing : true, - alwaysLinkToLastBuild: true, - keepAll : true, - reportDir : "reports/tests/crossbrowser/", - reportFiles : 'index.html', - reportName : 'XUI Manage Organisation Cross Browser Tests' - ]) - } + } From 34e8634d6d083cf67ea3452283f0c14f76497d2a Mon Sep 17 00:00:00 2001 From: Josh Date: Mon, 9 Sep 2024 15:04:05 +0100 Subject: [PATCH 08/37] move step --- Jenkinsfile_CNP | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/Jenkinsfile_CNP b/Jenkinsfile_CNP index 8a8061f94..7c7cf962f 100644 --- a/Jenkinsfile_CNP +++ b/Jenkinsfile_CNP 
@@ -131,6 +131,17 @@ withPipeline(type, product, component) { ]) } + afterSuccess('crossBrowserTest') { + publishHTML([ + allowMissing : true, + alwaysLinkToLastBuild: true, + keepAll : true, + reportDir : "reports/tests/crossbrowser/", + reportFiles : 'index.html', + reportName : 'XUI Manage Organisation Cross Browser Tests' + ]) + } + afterSuccess('functionalTest:preview') { publishHTML([ @@ -173,17 +184,6 @@ withPipeline(type, product, component) { ]) } - afterSuccess('crossBrowserTest') { - publishHTML([ - allowMissing : true, - alwaysLinkToLastBuild: true, - keepAll : true, - reportDir : "reports/tests/crossbrowser/", - reportFiles : 'index.html', - reportName : 'XUI Manage Organisation Cross Browser Tests' - ]) - } - afterSuccess('functionalTest:aat') { publishHTML([ From af0c62bf03238ae1740df63156be02c67bf1ab55 Mon Sep 17 00:00:00 2001 From: Josh Date: Mon, 9 Sep 2024 15:39:06 +0100 Subject: [PATCH 09/37] Fix func tests --- package.json | 1 + .../acceptTermsAndConditions.steps.js | 2 - .../step_definitions/approveOrg.steps.js | 1 - .../createOrganisation.steps.js | 1 - .../step_definitions/dataSetUp.steps.js | 1 - .../step_definitions/inviteUser.steps.js | 1 - .../viewOrganisation.steps.js | 2 +- .../step_definitions/viewUser.steps.js | 1 - yarn.lock | 498 ++++++++++++++++-- 9 files changed, 470 insertions(+), 38 deletions(-) diff --git a/package.json b/package.json index 7ee32076c..49a2df1b6 100644 --- a/package.json +++ b/package.json @@ -72,6 +72,7 @@ "@angular/platform-browser-dynamic": "^17.3.6", "@angular/router": "^17.3.6", "@circlon/angular-tree-component": "^11.0.4", + "@cucumber/cucumber": "^11.0.0", "@edium/fsm": "^2.1.2", "@hmcts/ccd-case-ui-toolkit": "7.0.40", "@hmcts/ccpay-web-component": "6.2.1", diff --git a/test_codecept/e2e/features/step_definitions/acceptTermsAndConditions.steps.js b/test_codecept/e2e/features/step_definitions/acceptTermsAndConditions.steps.js index d176a43c4..daf08eafc 100644 
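Review bot: `"@cucumber/cucumber": "^11.0.0"` is inserted between `@circlon/angular-tree-component` and `@edium/fsm`, which from the neighbouring `@angular/*` entries looks like the `dependencies` block rather than `devDependencies` — please confirm; a test runner and its transitive packages (the lockfile hunks in this patch add dozens, including `@cucumber/html-formatter`, `glob`, `luxon`, `mkdirp`) should not be part of the production install or of what `yarn audit` has to track for the shipped image. The caret range also means the resolved version drifts across installs; the repository's yarn-audit-known-issues workflow suggests this project prefers reproducible versions, so an exact `"11.0.0"` would be more in keeping. Note too that the step files changed in this same patch delete their `require('cucumber')` lines without requiring `@cucumber/cucumber`, so unless `Given`/`When`/`Then` are injected as globals by the CodeceptJS runner in `test_codecept`, the new package is unreferenced and those files would throw a ReferenceError at load.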
--- a/test_codecept/e2e/features/step_definitions/acceptTermsAndConditions.steps.js +++ b/test_codecept/e2e/features/step_definitions/acceptTermsAndConditions.steps.js @@ -1,5 +1,3 @@ -const { Then, When} = require('cucumber'); - const acceptTermsAndConditionsPage = require('../pageObjects/termsAndConditionsConfirmPage'); const HeaderPage = require('../pageObjects/headerPage'); diff --git a/test_codecept/e2e/features/step_definitions/approveOrg.steps.js b/test_codecept/e2e/features/step_definitions/approveOrg.steps.js index fd58f8dcc..6474bfa15 100644 --- a/test_codecept/e2e/features/step_definitions/approveOrg.steps.js +++ b/test_codecept/e2e/features/step_definitions/approveOrg.steps.js @@ -1,4 +1,3 @@ -const { When} = require('cucumber'); const approveOrganizationService = require('../pageObjects/approveOrganizationService'); diff --git a/test_codecept/e2e/features/step_definitions/createOrganisation.steps.js b/test_codecept/e2e/features/step_definitions/createOrganisation.steps.js index ba5e0a74c..de4e9bfee 100644 --- a/test_codecept/e2e/features/step_definitions/createOrganisation.steps.js +++ b/test_codecept/e2e/features/step_definitions/createOrganisation.steps.js @@ -1,6 +1,5 @@ 'use strict'; -const { Then, When} = require('cucumber'); const CreateOrganisationObjects = require('../pageObjects/createOrganisationObjects'); const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../support/constants'); diff --git a/test_codecept/e2e/features/step_definitions/dataSetUp.steps.js b/test_codecept/e2e/features/step_definitions/dataSetUp.steps.js index 0ee4116b0..d44d0e866 100644 --- a/test_codecept/e2e/features/step_definitions/dataSetUp.steps.js +++ b/test_codecept/e2e/features/step_definitions/dataSetUp.steps.js 
@@ -1,5 +1,4 @@ 'use strict'; -const { Given, When} = require('cucumber'); const CreateOrganisationObjects = require('../pageObjects/createOrganisationObjects'); const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../support/constants'); diff --git a/test_codecept/e2e/features/step_definitions/inviteUser.steps.js b/test_codecept/e2e/features/step_definitions/inviteUser.steps.js index 267b87ffe..a510b0f5d 100644 --- a/test_codecept/e2e/features/step_definitions/inviteUser.steps.js +++ b/test_codecept/e2e/features/step_definitions/inviteUser.steps.js @@ -1,4 +1,3 @@ -const { When, Then } = require('cucumber'); const loginPage = require('../pageObjects/loginLogoutObjects'); const HeaderPage = require('../pageObjects/headerPage'); diff --git a/test_codecept/e2e/features/step_definitions/viewOrganisation.steps.js b/test_codecept/e2e/features/step_definitions/viewOrganisation.steps.js index ca47d25dd..1a0b8332d 100644 --- a/test_codecept/e2e/features/step_definitions/viewOrganisation.steps.js +++ b/test_codecept/e2e/features/step_definitions/viewOrganisation.steps.js @@ -1,4 +1,4 @@ -const { When, Then} = require('cucumber'); + const ViewOrganisationPage = require('../pageObjects/viewOrganisationPage.js'); const HeaderPage = require('../pageObjects/headerPage'); diff --git a/test_codecept/e2e/features/step_definitions/viewUser.steps.js b/test_codecept/e2e/features/step_definitions/viewUser.steps.js index da00aea45..687264e1b 100644 --- a/test_codecept/e2e/features/step_definitions/viewUser.steps.js +++ b/test_codecept/e2e/features/step_definitions/viewUser.steps.js @@ -1,4 +1,3 @@ -const { When, Then} = require('cucumber'); const ViewUserPage = require('../pageObjects/viewUserPage.js'); const HeaderPage = require('../pageObjects/headerPage'); diff --git a/yarn.lock b/yarn.lock index bd23e1612..63a8bfc64 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -2016,6 +2016,13 @@ __metadata: languageName: node linkType: hard +"@cucumber/ci-environment@npm:10.0.1": + version: 10.0.1 + resolution: "@cucumber/ci-environment@npm:10.0.1" + checksum: c864b815f7c2d653b3f99f9d45ab5fa3580584eb48a4a0ffe8991eab0eec3ca568639fc2e8efed3c356f3471dc5ff5fba8e734e210a459f8f5f4a42c601383db + languageName: node + linkType: hard + "@cucumber/cucumber-expressions@npm:16": version: 16.1.2 resolution: "@cucumber/cucumber-expressions@npm:16.1.2" 
@@ -2025,6 +2032,98 @@ __metadata: languageName: node linkType: hard +"@cucumber/cucumber-expressions@npm:17.1.0": + version: 17.1.0 + resolution: "@cucumber/cucumber-expressions@npm:17.1.0" + dependencies: + regexp-match-indices: 1.0.2 + checksum: 1dcb70330893d0bc9ae851015845437b4ba56d980728bf9ac01356ad3f82e0fcba07b152ce009a1645dab54bd346f4a2f664b3b64c4426190c4638bbf64ad2e0 + languageName: node + linkType: hard + +"@cucumber/cucumber@npm:^11.0.0": + version: 11.0.0 + resolution: "@cucumber/cucumber@npm:11.0.0" + dependencies: + "@cucumber/ci-environment": 10.0.1 + "@cucumber/cucumber-expressions": 17.1.0 + "@cucumber/gherkin": 28.0.0 + "@cucumber/gherkin-streams": 5.0.1 + "@cucumber/gherkin-utils": 9.0.0 + "@cucumber/html-formatter": 21.6.0 + "@cucumber/message-streams": 4.0.1 + "@cucumber/messages": 24.1.0 + "@cucumber/tag-expressions": 6.1.0 + assertion-error-formatter: ^3.0.0 + capital-case: ^1.0.4 + chalk: ^4.1.2 + cli-table3: 0.6.3 + commander: ^10.0.0 + debug: ^4.3.4 + error-stack-parser: ^2.1.4 + figures: ^3.2.0 + glob: ^10.3.10 + has-ansi: ^4.0.1 + indent-string: ^4.0.0 + is-installed-globally: ^0.4.0 + is-stream: ^2.0.0 + knuth-shuffle-seeded: ^1.0.6 + lodash.merge: ^4.6.2 + lodash.mergewith: ^4.6.2 + luxon: 3.2.1 + mime: ^3.0.0 + mkdirp: ^2.1.5 + mz: ^2.7.0 + progress: ^2.0.3 + read-pkg-up: ^7.0.1 + resolve-pkg: ^2.0.0 + semver: 7.5.3 + string-argv: 0.3.1 + strip-ansi: 6.0.1 + supports-color: ^8.1.1 + tmp: 0.2.3 + type-fest: ^4.8.3 + util-arity: ^1.1.0 + xmlbuilder: ^15.1.1 + yaml: ^2.2.2 + yup: 1.2.0 + bin: + cucumber-js: bin/cucumber.js + checksum: 275efa5b24f2d5397f2d11c77ab1e53f80f4f81c424f7ba9ecc31c6b12fc980925f47bad4c96251247ffb129d6dc98f4c2450089490803e2224225974c8a12da + languageName: node + linkType: hard + +"@cucumber/gherkin-streams@npm:5.0.1": + version: 5.0.1 + resolution: "@cucumber/gherkin-streams@npm:5.0.1" + dependencies: + commander: 9.1.0 + source-map-support: 0.5.21 + peerDependencies: + "@cucumber/gherkin": ">=22.0.0" + 
"@cucumber/message-streams": ">=4.0.0" + "@cucumber/messages": ">=17.1.1" + bin: + gherkin-javascript: bin/gherkin + checksum: b8e85b60c0b6773f61adafa107bbf745ba2fc786a200913a6302a472d62d55c30355b0ce8b462fee281bccb02ede4422e95c017d95e6e90aac60e9342b114a34 + languageName: node + linkType: hard + +"@cucumber/gherkin-utils@npm:9.0.0": + version: 9.0.0 + resolution: "@cucumber/gherkin-utils@npm:9.0.0" + dependencies: + "@cucumber/gherkin": ^28.0.0 + "@cucumber/messages": ^24.0.0 + "@teppeis/multimaps": 3.0.0 + commander: 12.0.0 + source-map-support: ^0.5.21 + bin: + gherkin-utils: bin/gherkin-utils + checksum: f23a830622f1a426b288108d499593e757de0f49cd23d121d8c9d16f064f2121fe5bfc37591f06fb31e648947f5294a8b69b5d3b68e3e851cb872b6a536b91b4 + languageName: node + linkType: hard + "@cucumber/gherkin@npm:26": version: 26.2.0 resolution: "@cucumber/gherkin@npm:26.2.0" 
@@ -2034,6 +2133,33 @@ __metadata: languageName: node linkType: hard +"@cucumber/gherkin@npm:28.0.0, @cucumber/gherkin@npm:^28.0.0": + version: 28.0.0 + resolution: "@cucumber/gherkin@npm:28.0.0" + dependencies: + "@cucumber/messages": ">=19.1.4 <=24" + checksum: de0681fbbf4532b7529cd037d2c91faa2490d2b973c5bddad0f07bedc1b3130006b7e551286034cf21a4fa74072354bd49bbe59a2bdf7206bc7a357ab43fbd69 + languageName: node + linkType: hard + +"@cucumber/html-formatter@npm:21.6.0": + version: 21.6.0 + resolution: "@cucumber/html-formatter@npm:21.6.0" + peerDependencies: + "@cucumber/messages": ">=18" + checksum: 5a82e98b4ff453aab485630ad7be4cea114fb4c5a8e0e0e30832eb010b348ab96f7f2d8a2a239b06d5d737ec216328af166adbf4e9cb0fe29460179c0b45c521 + languageName: node + linkType: hard + +"@cucumber/message-streams@npm:4.0.1": + version: 4.0.1 + resolution: "@cucumber/message-streams@npm:4.0.1" + peerDependencies: + "@cucumber/messages": ">=17.1.1" + checksum: 1ebb05ccf90501c00e3b55237746bae438a621e9f88152ec19407d76c7632a250d09b0ab9168b4179918362c79da948d45aae68a02689a7b36a57fcc5befc883 + languageName: node + linkType: hard + "@cucumber/messages@npm:22.0.0, @cucumber/messages@npm:>=19.1.4 <=22": version: 22.0.0 resolution: "@cucumber/messages@npm:22.0.0" @@ -2046,7 +2172,7 @@ __metadata: languageName: node linkType: hard -"@cucumber/messages@npm:24.1.0": +"@cucumber/messages@npm:24.1.0, @cucumber/messages@npm:>=19.1.4 <=24, @cucumber/messages@npm:^24.0.0": version: 24.1.0 resolution: "@cucumber/messages@npm:24.1.0" dependencies: 
@@ -2058,6 +2184,13 @@ __metadata: languageName: node linkType: hard +"@cucumber/tag-expressions@npm:6.1.0": + version: 6.1.0 + resolution: "@cucumber/tag-expressions@npm:6.1.0" + checksum: 99f5dc032b78c00ba79dec48bcfb2f423797121fef72072cd0ac070b39c78584ae47649637a00390a19bc0e20332137bbeb17f6ec9ab87b6fd4d0c5cfd301c4d + languageName: node + linkType: hard + "@discoveryjs/json-ext@npm:0.5.7, @discoveryjs/json-ext@npm:^0.5.0": version: 0.5.7 resolution: "@discoveryjs/json-ext@npm:0.5.7" @@ -4971,6 +5104,13 @@ __metadata: languageName: node linkType: hard +"@teppeis/multimaps@npm:3.0.0": + version: 3.0.0 + resolution: "@teppeis/multimaps@npm:3.0.0" + checksum: 77ce74a3190d425738240261969205422c140db2e60afd7eb40641ab8b2244a3470c7d491a29d43acba03b6502cae0cf6c1a2094a8d8f1b50bd5b0912abed40d + languageName: node + linkType: hard + "@tootallnate/once@npm:2": version: 2.0.0 resolution: "@tootallnate/once@npm:2.0.0" @@ -5473,6 +5613,13 @@ __metadata: languageName: node linkType: hard +"@types/normalize-package-data@npm:^2.4.0": + version: 2.4.4 + resolution: "@types/normalize-package-data@npm:2.4.4" + checksum: 65dff72b543997b7be8b0265eca7ace0e34b75c3e5fee31de11179d08fa7124a7a5587265d53d0409532ecb7f7fba662c2012807963e1f9b059653ec2c83ee05 + languageName: node + linkType: hard + "@types/q@npm:1.5.5": version: 1.5.5 resolution: "@types/q@npm:1.5.5" @@ -6683,6 +6830,17 @@ __metadata: languageName: node linkType: hard +"assertion-error-formatter@npm:^3.0.0": + version: 3.0.0 + resolution: "assertion-error-formatter@npm:3.0.0" + dependencies: + diff: ^4.0.1 + pad-right: ^0.2.2 + repeat-string: ^1.6.1 + checksum: 82d7349bc0238c7b1ff514b8d3ccf833ade114cad6daeaf4df8a985528c3d92f7c7cdbcfea372e4a8fcd2b3ed9b9e898f6faae6b5608d14558e6cc354fe9ee86 + languageName: node + linkType: hard + "assertion-error@npm:^1.1.0": version: 1.1.0 resolution: "assertion-error@npm:1.1.0" 
@@ -7611,6 +7769,17 @@ __metadata: languageName: node linkType: hard +"capital-case@npm:^1.0.4": + version: 1.0.4 + resolution: "capital-case@npm:1.0.4" + dependencies: + no-case: ^3.0.4 + tslib: ^2.0.3 + upper-case-first: ^2.0.2 + checksum: 41fa8fa87f6d24d0835a2b4a9341a3eaecb64ac29cd7c5391f35d6175a0fa98ab044e7f2602e1ec3afc886231462ed71b5b80c590b8b41af903ec2c15e5c5931 + languageName: node + linkType: hard + "caseless@npm:~0.12.0": version: 0.12.0 resolution: "caseless@npm:0.12.0" @@ -7702,7 +7871,7 @@ __metadata: languageName: node linkType: hard -"chalk@npm:4.1.2, chalk@npm:^4.0.0, chalk@npm:^4.0.2, chalk@npm:^4.1.0": +"chalk@npm:4.1.2, chalk@npm:^4.0.0, chalk@npm:^4.0.2, chalk@npm:^4.1.0, chalk@npm:^4.1.2": version: 4.1.2 resolution: "chalk@npm:4.1.2" dependencies: @@ -7963,6 +8132,19 @@ __metadata: languageName: node linkType: hard +"cli-table3@npm:0.6.3": + version: 0.6.3 + resolution: "cli-table3@npm:0.6.3" + dependencies: + "@colors/colors": 1.5.0 + string-width: ^4.2.0 + dependenciesMeta: + "@colors/colors": + optional: true + checksum: 09897f68467973f827c04e7eaadf13b55f8aec49ecd6647cc276386ea660059322e2dd8020a8b6b84d422dbdd619597046fa89cbbbdc95b2cea149a2df7c096c + languageName: node + linkType: hard + "cli-table3@npm:0.6.5": version: 0.6.5 resolution: "cli-table3@npm:0.6.5" @@ -8278,6 +8460,13 @@ __metadata: languageName: node linkType: hard +"commander@npm:12.0.0": + version: 12.0.0 + resolution: "commander@npm:12.0.0" + checksum: bce9e243dc008baba6b8d923f95b251ad115e6e7551a15838d7568abebcca0fc832da1800cf37caf37852f35ce4b7fb794ba7a4824b88c5adb1395f9268642df + languageName: node + linkType: hard + "commander@npm:7, commander@npm:^7.0.0": version: 7.2.0 resolution: "commander@npm:7.2.0" 
@@ -8285,6 +8474,13 @@ __metadata: languageName: node linkType: hard +"commander@npm:9.1.0": + version: 9.1.0 + resolution: "commander@npm:9.1.0" + checksum: 1428319b6b90600a813c28fe1e413996d1be99bf01afe9ebc4a9fc6f8077ff3e75f11809b2d2f85bd9b13d7cb592154278e9bbfdb16dc5843cef97bcba6a9cfd + languageName: node + linkType: hard + "commander@npm:^10.0.0": version: 10.0.1 resolution: "commander@npm:10.0.1" @@ -10333,7 +10529,7 @@ __metadata: languageName: node linkType: hard -"error-stack-parser@npm:2.1.4, error-stack-parser@npm:^2.0.6": +"error-stack-parser@npm:2.1.4, error-stack-parser@npm:^2.0.6, error-stack-parser@npm:^2.1.4": version: 2.1.4 resolution: "error-stack-parser@npm:2.1.4" dependencies: @@ -12120,6 +12316,15 @@ __metadata: languageName: node linkType: hard +"global-dirs@npm:^3.0.0": + version: 3.0.1 + resolution: "global-dirs@npm:3.0.1" + dependencies: + ini: 2.0.0 + checksum: 70147b80261601fd40ac02a104581432325c1c47329706acd773f3a6ce99bb36d1d996038c85ccacd482ad22258ec233c586b6a91535b1a116b89663d49d6438 + languageName: node + linkType: hard + "globals@npm:^11.1.0": version: 11.12.0 resolution: "globals@npm:11.12.0" @@ -12326,6 +12531,15 @@ __metadata: languageName: node linkType: hard +"has-ansi@npm:^4.0.1": + version: 4.0.1 + resolution: "has-ansi@npm:4.0.1" + dependencies: + ansi-regex: ^4.1.0 + checksum: 44c4eb4b17d7c6121fb7529e59aa2fa1f07e9beec783e14fc30c6e55e5200b82a2a66a5ee4d6e6b0d433ca1bce3388d92b08dae4964253203b6f68e7bd8be648 + languageName: node + linkType: hard + "has-cors@npm:1.1.0": version: 1.1.0 resolution: "has-cors@npm:1.1.0" 
@@ -12462,6 +12676,13 @@ __metadata: languageName: node linkType: hard +"hosted-git-info@npm:^2.1.4": + version: 2.8.9 + resolution: "hosted-git-info@npm:2.8.9" + checksum: c955394bdab888a1e9bb10eb33029e0f7ce5a2ac7b3f158099dc8c486c99e73809dca609f5694b223920ca2174db33d32b12f9a2a47141dc59607c29da5a62dd + languageName: node + linkType: hard + "hosted-git-info@npm:^7.0.0": version: 7.0.2 resolution: "hosted-git-info@npm:7.0.2" @@ -12885,6 +13106,13 @@ __metadata: languageName: node linkType: hard +"ini@npm:2.0.0": + version: 2.0.0 + resolution: "ini@npm:2.0.0" + checksum: e7aadc5fb2e4aefc666d74ee2160c073995a4061556b1b5b4241ecb19ad609243b9cceafe91bae49c219519394bbd31512516cb22a3b1ca6e66d869e0447e84e + languageName: node + linkType: hard + "ini@npm:4.1.2": version: 4.1.2 resolution: "ini@npm:4.1.2" @@ -13135,6 +13363,16 @@ __metadata: languageName: node linkType: hard +"is-installed-globally@npm:^0.4.0": + version: 0.4.0 + resolution: "is-installed-globally@npm:0.4.0" + dependencies: + global-dirs: ^3.0.0 + is-path-inside: ^3.0.2 + checksum: 3359840d5982d22e9b350034237b2cda2a12bac1b48a721912e1ab8e0631dd07d45a2797a120b7b87552759a65ba03e819f1bd63f2d7ab8657ec0b44ee0bf399 + languageName: node + linkType: hard + "is-interactive@npm:^1.0.0": version: 1.0.0 resolution: "is-interactive@npm:1.0.0" @@ -13188,7 +13426,7 @@ __metadata: languageName: node linkType: hard -"is-path-inside@npm:^3.0.3": +"is-path-inside@npm:^3.0.2, is-path-inside@npm:^3.0.3": version: 3.0.3 resolution: "is-path-inside@npm:3.0.3" checksum: abd50f06186a052b349c15e55b182326f1936c89a78bf6c8f2b707412517c097ce04bc49a0ca221787bc44e1049f51f09a2ffb63d22899051988d3a618ba13e9 
@@ -15170,6 +15408,15 @@ __metadata: languageName: node linkType: hard +"lower-case@npm:^2.0.2": + version: 2.0.2 + resolution: "lower-case@npm:2.0.2" + dependencies: + tslib: ^2.0.3 + checksum: 83a0a5f159ad7614bee8bf976b96275f3954335a84fad2696927f609ddae902802c4f3312d86668722e668bef41400254807e1d3a7f2e8c3eede79691aa1f010 + languageName: node + linkType: hard + "lowercase-keys@npm:^1.0.0, lowercase-keys@npm:^1.0.1": version: 1.0.1 resolution: "lowercase-keys@npm:1.0.1" @@ -15235,6 +15482,13 @@ __metadata: languageName: node linkType: hard +"luxon@npm:3.2.1": + version: 3.2.1 + resolution: "luxon@npm:3.2.1" + checksum: 3fa3def2c5f5d3032b4c46220c4da8aeb467ac979888fc9d2557adcd22195f93516b4ad5909a75862bec8dc6ddc0953b0f38e6d2f4a8ab8450ddc531a83cf20d + languageName: node + linkType: hard + "luxon@npm:^2.4.0": version: 2.5.2 resolution: "luxon@npm:2.5.2" @@ -15758,6 +16012,15 @@ __metadata: languageName: node linkType: hard +"mime@npm:^3.0.0": + version: 3.0.0 + resolution: "mime@npm:3.0.0" + bin: + mime: cli.js + checksum: f43f9b7bfa64534e6b05bd6062961681aeb406a5b53673b53b683f27fcc4e739989941836a355eef831f4478923651ecc739f4a5f6e20a76487b432bfd4db928 + languageName: node + linkType: hard + "mimic-fn@npm:^1.0.0": version: 1.2.0 resolution: "mimic-fn@npm:1.2.0" @@ -15987,6 +16250,15 @@ __metadata: languageName: node linkType: hard +"mkdirp@npm:^2.1.5": + version: 2.1.6 + resolution: "mkdirp@npm:2.1.6" + bin: + mkdirp: dist/cjs/src/bin.js + checksum: 8a1d09ffac585e55f41c54f445051f5bc33a7de99b952bb04c576cafdf1a67bb4bae8cb93736f7da6838771fbf75bc630430a3a59e1252047d2278690bd150ee + languageName: node + linkType: hard + "mobx@npm:~4.14.1": version: 4.14.1 resolution: "mobx@npm:4.14.1" @@ -16301,7 +16573,7 @@ __metadata: languageName: node linkType: hard -"mz@npm:^2.4.0": +"mz@npm:^2.4.0, mz@npm:^2.7.0": version: 2.7.0 resolution: "mz@npm:2.7.0" dependencies: 
@@ -16626,6 +16898,16 @@ __metadata: languageName: node linkType: hard +"no-case@npm:^3.0.4": + version: 3.0.4 + resolution: "no-case@npm:3.0.4" + dependencies: + lower-case: ^2.0.2 + tslib: ^2.0.3 + checksum: 0b2ebc113dfcf737d48dde49cfebf3ad2d82a8c3188e7100c6f375e30eafbef9e9124aadc3becef237b042fd5eb0aad2fd78669c20972d045bbe7fea8ba0be5c + languageName: node + linkType: hard + "nocache@npm:2.1.0": version: 2.1.0 resolution: "nocache@npm:2.1.0" @@ -16805,6 +17087,18 @@ __metadata: languageName: node linkType: hard +"normalize-package-data@npm:^2.5.0": + version: 2.5.0 + resolution: "normalize-package-data@npm:2.5.0" + dependencies: + hosted-git-info: ^2.1.4 + resolve: ^1.10.0 + semver: 2 || 3 || 4 || 5 + validate-npm-package-license: ^3.0.1 + checksum: 7999112efc35a6259bc22db460540cae06564aa65d0271e3bdfa86876d08b0e578b7b5b0028ee61b23f1cae9fc0e7847e4edc0948d3068a39a2a82853efc8499 + languageName: node + linkType: hard + "normalize-package-data@npm:^6.0.0": version: 6.0.1 resolution: "normalize-package-data@npm:6.0.1" @@ -17610,7 +17904,7 @@ __metadata: languageName: node linkType: hard -"parse-json@npm:^5.2.0": +"parse-json@npm:^5.0.0, parse-json@npm:^5.2.0": version: 5.2.0 resolution: "parse-json@npm:5.2.0" dependencies: @@ -18295,7 +18589,7 @@ __metadata: languageName: node linkType: hard -"progress@npm:2.0.3, progress@npm:^2.0.0, progress@npm:^2.0.1, progress@npm:~2.0.0": +"progress@npm:2.0.3, progress@npm:^2.0.0, progress@npm:^2.0.1, progress@npm:^2.0.3, progress@npm:~2.0.0": version: 2.0.3 resolution: "progress@npm:2.0.3" checksum: f67403fe7b34912148d9252cb7481266a354bd99ce82c835f79070643bb3c6583d10dbcfda4d41e04bbc1d8437e9af0fb1e1f2135727878f5308682a579429b7 
@@ -18350,6 +18644,13 @@ __metadata: languageName: node linkType: hard +"property-expr@npm:^2.0.5": + version: 2.0.6 + resolution: "property-expr@npm:2.0.6" + checksum: 89977f4bb230736c1876f460dd7ca9328034502fd92e738deb40516d16564b850c0bbc4e052c3df88b5b8cd58e51c93b46a94bea049a3f23f4a022c038864cab + languageName: node + linkType: hard + "proto-list@npm:~1.2.1": version: 1.2.4 resolution: "proto-list@npm:1.2.4" @@ -18757,6 +19058,29 @@ __metadata: languageName: node linkType: hard +"read-pkg-up@npm:^7.0.1": + version: 7.0.1 + resolution: "read-pkg-up@npm:7.0.1" + dependencies: + find-up: ^4.1.0 + read-pkg: ^5.2.0 + type-fest: ^0.8.1 + checksum: e4e93ce70e5905b490ca8f883eb9e48b5d3cebc6cd4527c25a0d8f3ae2903bd4121c5ab9c5a3e217ada0141098eeb661313c86fa008524b089b8ed0b7f165e44 + languageName: node + linkType: hard + +"read-pkg@npm:^5.2.0": + version: 5.2.0 + resolution: "read-pkg@npm:5.2.0" + dependencies: + "@types/normalize-package-data": ^2.4.0 + normalize-package-data: ^2.5.0 + parse-json: ^5.0.0 + type-fest: ^0.6.0 + checksum: eb696e60528b29aebe10e499ba93f44991908c57d70f2d26f369e46b8b9afc208ef11b4ba64f67630f31df8b6872129e0a8933c8c53b7b4daf0eace536901222 + languageName: node + linkType: hard + "readable-stream@npm:^2.0.0, readable-stream@npm:^2.0.1, readable-stream@npm:^2.0.2, readable-stream@npm:^2.0.5, readable-stream@npm:^2.2.2, readable-stream@npm:^2.3.0, readable-stream@npm:~2.3.6": version: 2.3.8 resolution: "readable-stream@npm:2.3.8" @@ -19114,6 +19438,15 @@ __metadata: languageName: node linkType: hard +"resolve-pkg@npm:^2.0.0": + version: 2.0.0 + resolution: "resolve-pkg@npm:2.0.0" + dependencies: + resolve-from: ^5.0.0 + checksum: 4a14cc38effed20ff362c8f377719af9a45ebe27ee07d79d4802b4568858cd96033f4edc3a2add7fd27e361d24101a042047297a9ef9476696ba16b72e0a05fc + languageName: node + linkType: hard + "resolve-url-loader@npm:5.0.0": version: 5.0.0 resolution: "resolve-url-loader@npm:5.0.0" 
@@ -19134,7 +19467,7 @@ __metadata: languageName: node linkType: hard -"resolve@npm:1.22.8, resolve@npm:>=1.9.0, resolve@npm:^1.0.0, resolve@npm:^1.1.6, resolve@npm:^1.14.2, resolve@npm:^1.20.0, resolve@npm:^1.22.1, resolve@npm:^1.3.3, resolve@npm:^1.9.0": +"resolve@npm:1.22.8, resolve@npm:>=1.9.0, resolve@npm:^1.0.0, resolve@npm:^1.1.6, resolve@npm:^1.10.0, resolve@npm:^1.14.2, resolve@npm:^1.20.0, resolve@npm:^1.22.1, resolve@npm:^1.3.3, resolve@npm:^1.9.0": version: 1.22.8 resolution: "resolve@npm:1.22.8" dependencies: @@ -19147,7 +19480,7 @@ __metadata: languageName: node linkType: hard -"resolve@patch:resolve@1.22.8#~builtin, resolve@patch:resolve@>=1.9.0#~builtin, resolve@patch:resolve@^1.0.0#~builtin, resolve@patch:resolve@^1.1.6#~builtin, resolve@patch:resolve@^1.14.2#~builtin, resolve@patch:resolve@^1.20.0#~builtin, resolve@patch:resolve@^1.22.1#~builtin, resolve@patch:resolve@^1.3.3#~builtin, resolve@patch:resolve@^1.9.0#~builtin": +"resolve@patch:resolve@1.22.8#~builtin, resolve@patch:resolve@>=1.9.0#~builtin, resolve@patch:resolve@^1.0.0#~builtin, resolve@patch:resolve@^1.1.6#~builtin, resolve@patch:resolve@^1.10.0#~builtin, resolve@patch:resolve@^1.14.2#~builtin, resolve@patch:resolve@^1.20.0#~builtin, resolve@patch:resolve@^1.22.1#~builtin, resolve@patch:resolve@^1.3.3#~builtin, resolve@patch:resolve@^1.9.0#~builtin": version: 1.22.8 resolution: "resolve@patch:resolve@npm%3A1.22.8#~builtin::version=1.22.8&hash=c3c19d" dependencies: @@ -19400,6 +19733,7 @@ __metadata: "@angular/platform-browser-dynamic": ^17.3.6 "@angular/router": ^17.3.6 "@circlon/angular-tree-component": ^11.0.4 + "@cucumber/cucumber": ^11.0.0 "@edium/fsm": ^2.1.2 "@hmcts/ccd-case-ui-toolkit": 7.0.40 "@hmcts/ccpay-web-component": 6.2.1 
@@ -19869,6 +20203,26 @@ __metadata: languageName: node linkType: hard +"semver@npm:2 || 3 || 4 || 5, semver@npm:^5.3.0, semver@npm:^5.4.1, semver@npm:^5.5.0, semver@npm:^5.6.0, semver@npm:^5.7.1, semver@npm:~5.7.0": + version: 5.7.2 + resolution: "semver@npm:5.7.2" + bin: + semver: bin/semver + checksum: fb4ab5e0dd1c22ce0c937ea390b4a822147a9c53dbd2a9a0132f12fe382902beef4fbf12cf51bb955248d8d15874ce8cd89532569756384f994309825f10b686 + languageName: node + linkType: hard + +"semver@npm:7.5.3": + version: 7.5.3 + resolution: "semver@npm:7.5.3" + dependencies: + lru-cache: ^6.0.0 + bin: + semver: bin/semver.js + checksum: 9d58db16525e9f749ad0a696a1f27deabaa51f66e91d2fa2b0db3de3e9644e8677de3b7d7a03f4c15bc81521e0c3916d7369e0572dbde250d9bedf5194e2a8a7 + languageName: node + linkType: hard + "semver@npm:7.6.0": version: 7.6.0 resolution: "semver@npm:7.6.0" @@ -19889,15 +20243,6 @@ __metadata: languageName: node linkType: hard -"semver@npm:^5.3.0, semver@npm:^5.4.1, semver@npm:^5.5.0, semver@npm:^5.6.0, semver@npm:^5.7.1, semver@npm:~5.7.0": - version: 5.7.2 - resolution: "semver@npm:5.7.2" - bin: - semver: bin/semver - checksum: fb4ab5e0dd1c22ce0c937ea390b4a822147a9c53dbd2a9a0132f12fe382902beef4fbf12cf51bb955248d8d15874ce8cd89532569756384f994309825f10b686 - languageName: node - linkType: hard - "semver@npm:^6.0.0, semver@npm:^6.3.0, semver@npm:^6.3.1, semver@npm:~6.3.0": version: 6.3.1 resolution: "semver@npm:6.3.1" @@ -20490,7 +20835,7 @@ __metadata: languageName: node linkType: hard -"source-map-support@npm:0.5.21, source-map-support@npm:^0.5.12, source-map-support@npm:^0.5.5, source-map-support@npm:~0.5.20": +"source-map-support@npm:0.5.21, source-map-support@npm:^0.5.12, source-map-support@npm:^0.5.21, source-map-support@npm:^0.5.5, source-map-support@npm:~0.5.20": version: 0.5.21 resolution: "source-map-support@npm:0.5.21" dependencies: 
@@ -20813,6 +21158,13 @@ __metadata: languageName: node linkType: hard +"string-argv@npm:0.3.1": + version: 0.3.1 + resolution: "string-argv@npm:0.3.1" + checksum: efbd0289b599bee808ce80820dfe49c9635610715429c6b7cc50750f0437e3c2f697c81e5c390208c13b5d5d12d904a1546172a88579f6ee5cbaaaa4dc9ec5cf + languageName: node + linkType: hard + "string-length@npm:^4.0.1": version: 4.0.2 resolution: "string-length@npm:4.0.2" @@ -20884,7 +21236,7 @@ __metadata: languageName: node linkType: hard -"strip-ansi-cjs@npm:strip-ansi@^6.0.1, strip-ansi@npm:^6.0.0, strip-ansi@npm:^6.0.1": +"strip-ansi-cjs@npm:strip-ansi@^6.0.1, strip-ansi@npm:6.0.1, strip-ansi@npm:^6.0.0, strip-ansi@npm:^6.0.1": version: 6.0.1 resolution: "strip-ansi@npm:6.0.1" dependencies: @@ -21022,7 +21374,7 @@ __metadata: languageName: node linkType: hard -"supports-color@npm:8.1.1, supports-color@npm:^8.0.0": +"supports-color@npm:8.1.1, supports-color@npm:^8.0.0, supports-color@npm:^8.1.1": version: 8.1.1 resolution: "supports-color@npm:8.1.1" dependencies: @@ -21330,6 +21682,13 @@ __metadata: languageName: node linkType: hard +"tiny-case@npm:^1.0.3": + version: 1.0.3 + resolution: "tiny-case@npm:1.0.3" + checksum: 3f7a30c39d5b0e1bc097b0b271bec14eb5b836093db034f35a0de26c14422380b50dc12bfd37498cf35b192f5df06f28a710712c87ead68872a9e37ad6f6049d + languageName: node + linkType: hard + "tiny-emitter@npm:^2.0.0": version: 2.1.0 resolution: "tiny-emitter@npm:2.1.0" @@ -21363,6 +21722,13 @@ __metadata: languageName: node linkType: hard +"tmp@npm:0.2.3, tmp@npm:^0.2.0, tmp@npm:^0.2.1": + version: 0.2.3 + resolution: "tmp@npm:0.2.3" + checksum: 73b5c96b6e52da7e104d9d44afb5d106bb1e16d9fa7d00dbeb9e6522e61b571fbdb165c756c62164be9a3bbe192b9b268c236d370a2a0955c7689cd2ae377b95 + languageName: node + linkType: hard + "tmp@npm:^0.0.33": version: 0.0.33 resolution: "tmp@npm:0.0.33" 
@@ -21372,13 +21738,6 @@ __metadata: languageName: node linkType: hard -"tmp@npm:^0.2.0, tmp@npm:^0.2.1": - version: 0.2.3 - resolution: "tmp@npm:0.2.3" - checksum: 73b5c96b6e52da7e104d9d44afb5d106bb1e16d9fa7d00dbeb9e6522e61b571fbdb165c756c62164be9a3bbe192b9b268c236d370a2a0955c7689cd2ae377b95 - languageName: node - linkType: hard - "tmpl@npm:1.0.5": version: 1.0.5 resolution: "tmpl@npm:1.0.5" @@ -21423,6 +21782,13 @@ __metadata: languageName: node linkType: hard +"toposort@npm:^2.0.2": + version: 2.0.2 + resolution: "toposort@npm:2.0.2" + checksum: d64c74b570391c9432873f48e231b439ee56bc49f7cb9780b505cfdf5cb832f808d0bae072515d93834dd6bceca5bb34448b5b4b408335e4d4716eaf68195dcb + languageName: node + linkType: hard + "touch@npm:^3.1.0": version: 3.1.1 resolution: "touch@npm:3.1.1" @@ -21686,6 +22052,13 @@ __metadata: languageName: node linkType: hard +"tslib@npm:^2.0.3": + version: 2.7.0 + resolution: "tslib@npm:2.7.0" + checksum: 1606d5c89f88d466889def78653f3aab0f88692e80bb2066d090ca6112ae250ec1cfa9dbfaab0d17b60da15a4186e8ec4d893801c67896b277c17374e36e1d28 + languageName: node + linkType: hard + "tslib@npm:~2.0.0": version: 2.0.3 resolution: "tslib@npm:2.0.3" 
@@ -21804,6 +22177,34 @@ __metadata: languageName: node linkType: hard +"type-fest@npm:^0.6.0": + version: 0.6.0 + resolution: "type-fest@npm:0.6.0" + checksum: b2188e6e4b21557f6e92960ec496d28a51d68658018cba8b597bd3ef757721d1db309f120ae987abeeda874511d14b776157ff809f23c6d1ce8f83b9b2b7d60f + languageName: node + linkType: hard + +"type-fest@npm:^0.8.1": + version: 0.8.1 + resolution: "type-fest@npm:0.8.1" + checksum: d61c4b2eba24009033ae4500d7d818a94fd6d1b481a8111612ee141400d5f1db46f199c014766b9fa9b31a6a7374d96fc748c6d688a78a3ce5a33123839becb7 + languageName: node + linkType: hard + +"type-fest@npm:^2.19.0": + version: 2.19.0 + resolution: "type-fest@npm:2.19.0" + checksum: a4ef07ece297c9fba78fc1bd6d85dff4472fe043ede98bd4710d2615d15776902b595abf62bd78339ed6278f021235fb28a96361f8be86ed754f778973a0d278 + languageName: node + linkType: hard + +"type-fest@npm:^4.8.3": + version: 4.26.1 + resolution: "type-fest@npm:4.26.1" + checksum: 7188db3bca82afa62c69a8043fb7c5eb74e63c45e7e28efb986da1629d844286f7181bc5a8185f38989fffff0d6c96be66fd13529b01932d1b6ebe725181d31a + languageName: node + linkType: hard + "type-is@npm:~1.6.18": version: 1.6.18 resolution: "type-is@npm:1.6.18" @@ -22095,6 +22496,15 @@ __metadata: languageName: node linkType: hard +"upper-case-first@npm:^2.0.2": + version: 2.0.2 + resolution: "upper-case-first@npm:2.0.2" + dependencies: + tslib: ^2.0.3 + checksum: 4487db4701effe3b54ced4b3e4aa4d9ab06c548f97244d04aafb642eedf96a76d5a03cf5f38f10f415531d5792d1ac6e1b50f2a76984dc6964ad530f12876409 + languageName: node + linkType: hard + "upper-case@npm:^1.0.3, upper-case@npm:^1.1.1": version: 1.1.3 resolution: "upper-case@npm:1.1.3" @@ -22144,7 +22554,7 @@ __metadata: languageName: node linkType: hard -"util-arity@npm:^1.0.2": +"util-arity@npm:^1.0.2, util-arity@npm:^1.1.0": version: 1.1.0 resolution: "util-arity@npm:1.1.0" checksum: ac30ab442dfc132a70639261f2125b0785d334634e8051acb2da5014cfaa6c0f27de325b8d1bc7e71eccca06881007609077e3b6a9bef07aa669c1f36f7510f1 
@@ -22251,7 +22661,7 @@ __metadata: languageName: node linkType: hard -"validate-npm-package-license@npm:^3.0.4": +"validate-npm-package-license@npm:^3.0.1, validate-npm-package-license@npm:^3.0.4": version: 3.0.4 resolution: "validate-npm-package-license@npm:3.0.4" dependencies: @@ -23063,6 +23473,13 @@ __metadata: languageName: node linkType: hard +"xmlbuilder@npm:^15.1.1": + version: 15.1.1 + resolution: "xmlbuilder@npm:15.1.1" + checksum: 14f7302402e28d1f32823583d121594a9dca36408d40320b33f598bd589ca5163a352d076489c9c64d2dc1da19a790926a07bf4191275330d4de2b0d85bb1843 + languageName: node + linkType: hard + "xmlbuilder@npm:~11.0.0": version: 11.0.1 resolution: "xmlbuilder@npm:11.0.1" @@ -23147,6 +23564,15 @@ __metadata: languageName: node linkType: hard +"yaml@npm:^2.2.2": + version: 2.5.1 + resolution: "yaml@npm:2.5.1" + bin: + yaml: bin.mjs + checksum: 31275223863fbd0b47ba9d2b248fbdf085db8d899e4ca43fff8a3a009497c5741084da6871d11f40e555d61360951c4c910b98216c1325d2c94753c0036d8172 + languageName: node + linkType: hard + "yargs-parser@npm:20.2.4": version: 20.2.4 resolution: "yargs-parser@npm:20.2.4" @@ -23306,6 +23732,18 @@ __metadata: languageName: node linkType: hard +"yup@npm:1.2.0": + version: 1.2.0 + resolution: "yup@npm:1.2.0" + dependencies: + property-expr: ^2.0.5 + tiny-case: ^1.0.3 + toposort: ^2.0.2 + type-fest: ^2.19.0 + checksum: f0cdceb144e358c6155670f3e27404b65b090cc12594fde6db2699523661e13542aaf87ebe8e542b67f29a5f3f9bc5f23a3a3bb09e17f10d125353d35b841fac + languageName: node + linkType: hard + "zip-stream@npm:^4.1.0": version: 4.1.1 resolution: "zip-stream@npm:4.1.1" From e76258b3ed0901f3125fc278dee4921d46355d58 Mon Sep 17 00:00:00 2001 From: Josh Date: Mon, 9 Sep 2024 16:11:31 +0100 Subject: [PATCH 10/37] remove step --- Jenkinsfile_CNP | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/Jenkinsfile_CNP b/Jenkinsfile_CNP index 7c7cf962f..952823762 100644 --- a/Jenkinsfile_CNP +++ b/Jenkinsfile_CNP 
@@ -55,8 +55,6 @@ withPipeline(type, product, component) { loadVaultSecrets(secrets) enableAksStagingDeployment() syncBranchesWithMaster(branchesToSync) - // temp enable to test nightly function - enableCrossBrowserTest() enablePactAs([ AppPipelineDsl.PactRoles.CONSUMER @@ -131,17 +129,6 @@ withPipeline(type, product, component) { ]) } - afterSuccess('crossBrowserTest') { - publishHTML([ - allowMissing : true, - alwaysLinkToLastBuild: true, - keepAll : true, - reportDir : "reports/tests/crossbrowser/", - reportFiles : 'index.html', - reportName : 'XUI Manage Organisation Cross Browser Tests' - ]) - } - afterSuccess('functionalTest:preview') { publishHTML([ From d0738eb4f6f554f40126a5dac6b1857f20292fdd Mon Sep 17 00:00:00 2001 From: Josh Date: Mon, 9 Sep 2024 16:24:46 +0100 Subject: [PATCH 11/37] update imports --- test/e2e/support/timeout.js | 2 +- test/e2e/support/world.js | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/test/e2e/support/timeout.js b/test/e2e/support/timeout.js index 9c4127ad9..72bff79df 100644 --- a/test/e2e/support/timeout.js +++ b/test/e2e/support/timeout.js @@ -1,5 +1,5 @@ // timeout.js -const { setDefaultTimeout } = require('cucumber'); +const { setDefaultTimeout } = require('@cucumber/cucumber'); setDefaultTimeout(600 * 1000); // this timeout value is global setting impact all step definition function, // thus it doesn't means the value is more large more better. diff --git a/test/e2e/support/world.js b/test/e2e/support/world.js index ffc34d0a3..008fb2c76 100644 --- a/test/e2e/support/world.js +++ b/test/e2e/support/world.js 
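Review bot: Dropping `enableCrossBrowserTest()` and, in the second hunk, the `afterSuccess('crossBrowserTest')` publishHTML block leaves no record in the pipeline of why the run was removed or where cross-browser coverage now lives, while later commits in this series still maintain test/e2e/config/crossbrowser.conf.js. The comment being deleted ("temp enable to test nightly function") suggests this step has been toggled before, so a one-line marker in place of the removed call, e.g. `// cross-browser tests are no longer triggered from this pipeline (see test/e2e/config/crossbrowser.conf.js)`, would stop the next reader from re-enabling it by accident. The enclosing withPipeline block starts and ends outside both hunks.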
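Review bot: With both modules now importing from the same package, `setDefaultTimeout(600 * 1000)` here and `setDefaultTimeout(60 * 1000)` in test/e2e/support/world.js (next hunk) still compete for the same global, so the effective step timeout depends on which support file the runner requires last — and the conf files order them differently (`'../support/world.js', '../support/*.js'` in crossbrowser.conf.js versus `'../support/timeout.js'` first in smoke.conf.js). Keep a single call in timeout.js and remove the one in world.js, or document which value is intended to win. The trailing comment would also read better as `// Global step timeout: it applies to every step definition, so a larger value is not automatically better.`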
@@ -1,10 +1,10 @@ const { expect, assert } = require('chai'); const config = require('./config'); -const { setWorldConstructor } = require('cucumber'); +const { setWorldConstructor } = require('@cucumber/cucumber'); const minimist = require('minimist'); const argv = minimist(process.argv.slice(2)); -const { setDefaultTimeout } = require('cucumber'); +const { setDefaultTimeout } = require('@cucumber/cucumber'); setDefaultTimeout(60 * 1000); From fe90819f0684738ffc925c601f09e9f16ca339fb Mon Sep 17 00:00:00 2001 From: Josh Date: Mon, 9 Sep 2024 16:31:52 +0100 Subject: [PATCH 12/37] update cucumber imports --- .../features/step_definitions/acceptTermsAndConditions.steps.js | 2 +- test/e2e/features/step_definitions/approveOrg.steps.js | 2 +- test/e2e/features/step_definitions/createOrganisation.steps.js | 2 +- test/e2e/features/step_definitions/dataSetUp.steps.js | 2 +- test/e2e/features/step_definitions/headerPage.steps.js | 2 +- test/e2e/features/step_definitions/inviteUser.steps.js | 2 +- test/e2e/features/step_definitions/loginLogout.steps.js | 2 +- test/e2e/features/step_definitions/viewOrganisation.steps.js | 2 +- test/e2e/features/step_definitions/viewUser.steps.js | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/test/e2e/features/step_definitions/acceptTermsAndConditions.steps.js b/test/e2e/features/step_definitions/acceptTermsAndConditions.steps.js index ef8f9fabd..15d943b3c 100644 --- a/test/e2e/features/step_definitions/acceptTermsAndConditions.steps.js +++ b/test/e2e/features/step_definitions/acceptTermsAndConditions.steps.js @@ -1,4 +1,4 @@ -const { Then, When } = require('cucumber'); +const { Then, When } = require('@cucumber/cucumber'); const acceptTermsAndConditionsPage = require('../pageObjects/termsAndConditionsConfirmPage'); const HeaderPage = require('../pageObjects/headerPage'); 
diff --git a/test/e2e/features/step_definitions/approveOrg.steps.js b/test/e2e/features/step_definitions/approveOrg.steps.js index 143cb8ed6..87a0d8eb9 100644 --- a/test/e2e/features/step_definitions/approveOrg.steps.js +++ b/test/e2e/features/step_definitions/approveOrg.steps.js @@ -1,4 +1,4 @@ -const { When } = require('cucumber'); +const { When } = require('@cucumber/cucumber'); const approveOrganizationService = require('../pageObjects/approveOrganizationService'); diff --git a/test/e2e/features/step_definitions/createOrganisation.steps.js b/test/e2e/features/step_definitions/createOrganisation.steps.js index 868a88d2c..e0a010d4b 100644 --- a/test/e2e/features/step_definitions/createOrganisation.steps.js +++ b/test/e2e/features/step_definitions/createOrganisation.steps.js @@ -1,5 +1,5 @@ 'use strict'; -const { Then, When } = require('cucumber'}; +const { Then, When } = require('@cucumber/cucumber'}; const CreateOrganisationObjects = require('../pageObjects/createOrganisationObjects'); diff --git a/test/e2e/features/step_definitions/dataSetUp.steps.js b/test/e2e/features/step_definitions/dataSetUp.steps.js index e0de17405..f02d27cff 100644 --- a/test/e2e/features/step_definitions/dataSetUp.steps.js +++ b/test/e2e/features/step_definitions/dataSetUp.steps.js @@ -1,6 +1,6 @@ 'use strict'; -const { When} = require('cucumber'); +const { When} = require('@cucumber/cucumber'); const CreateOrganisationObjects = require('../pageObjects/createOrganisationObjects'); const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../support/constants'); diff --git a/test/e2e/features/step_definitions/headerPage.steps.js b/test/e2e/features/step_definitions/headerPage.steps.js index fed3e7b51..b12a1cb29 100644 --- a/test/e2e/features/step_definitions/headerPage.steps.js +++ b/test/e2e/features/step_definitions/headerPage.steps.js 
@@ -1,5 +1,5 @@ -const { Then} = require('cucumber') +const { Then} = require('@cucumber/cucumber') const HeaderPage = require('../pageObjects/headerPage'); const ViewUserPage = require('../pageObjects/viewUserPage.js'); diff --git a/test/e2e/features/step_definitions/inviteUser.steps.js b/test/e2e/features/step_definitions/inviteUser.steps.js index cea326d41..839296a5f 100644 --- a/test/e2e/features/step_definitions/inviteUser.steps.js +++ b/test/e2e/features/step_definitions/inviteUser.steps.js @@ -1,4 +1,4 @@ -const { Then, When} = require('cucumber'); +const { Then, When} = require('@cucumber/cucumber'); const loginPage = require('../pageObjects/loginLogoutObjects'); const HeaderPage = require('../pageObjects/headerPage'); diff --git a/test/e2e/features/step_definitions/loginLogout.steps.js b/test/e2e/features/step_definitions/loginLogout.steps.js index ce7a5fa71..98bd568b5 100644 --- a/test/e2e/features/step_definitions/loginLogout.steps.js +++ b/test/e2e/features/step_definitions/loginLogout.steps.js @@ -1,6 +1,6 @@ 'use strict'; -const { Given, Then, When} = require('cucumber'); +const { Given, Then, When} = require('@cucumber/cucumber'); const loginPage = require('../pageObjects/loginLogoutObjects'); const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../support/constants'); diff --git a/test/e2e/features/step_definitions/viewOrganisation.steps.js b/test/e2e/features/step_definitions/viewOrganisation.steps.js index 9e7a9e2a0..33897573a 100644 --- a/test/e2e/features/step_definitions/viewOrganisation.steps.js +++ b/test/e2e/features/step_definitions/viewOrganisation.steps.js @@ -1,4 +1,4 @@ -const { When, Then} = require('cucumber'); +const { When, Then} = require('@cucumber/cucumber'); const ViewOrganisationPage = require('../pageObjects/viewOrganisationPage.js'); const HeaderPage = require('../pageObjects/headerPage'); 
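Review bot: The rewritten require in headerPage.steps.js is the only one in this series without a terminating semicolon, and its destructuring spacing (`{ Then}`) differs from the `{ Then, When }` form used in acceptTermsAndConditions.steps.js and viewUser.steps.js; since every one of these lines is being touched anyway, normalising to `const { Then } = require('@cucumber/cucumber');` is cheap. The same spacing inconsistency appears in dataSetUp.steps.js, inviteUser.steps.js, loginLogout.steps.js and viewOrganisation.steps.js.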
diff --git a/test/e2e/features/step_definitions/viewUser.steps.js b/test/e2e/features/step_definitions/viewUser.steps.js index 2c0d43155..c4cb3f002 100644 --- a/test/e2e/features/step_definitions/viewUser.steps.js +++ b/test/e2e/features/step_definitions/viewUser.steps.js @@ -1,4 +1,4 @@ -const { Then, When } = require('cucumber'); +const { Then, When } = require('@cucumber/cucumber'); const ViewUserPage = require('../pageObjects/viewUserPage.js'); const HeaderPage = require('../pageObjects/headerPage'); From 7c52a82273fec77a49f72b73e7f55a5f6078a3fb Mon Sep 17 00:00:00 2001 From: Josh Date: Mon, 9 Sep 2024 16:40:03 +0100 Subject: [PATCH 13/37] update reqs --- test/e2e/support/hooks.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/e2e/support/hooks.js b/test/e2e/support/hooks.js index 1825588bc..0962af941 100644 --- a/test/e2e/support/hooks.js +++ b/test/e2e/support/hooks.js @@ -1,5 +1,5 @@ 'use strict'; -const { Before, After } = require('cucumber'); +const { Before, After } = require('@cucumber/cucumber'); const fs = require('fs'); const mkdirp = require('mkdirp'); @@ -13,7 +13,7 @@ const htmlReports = `${process.cwd()}/reports/html`; // var xmlReports = process.cwd() + "/reports/xml"; const targetJson = `${jsonReports}/cucumber_report.json`; // var targetXML = xmlReports + "/cucumber_report.xml"; -const { Given, When, Then } = require('cucumber'); +const { Given, When, Then } = require('@cucumber/cucumber'); const CucumberReportLogger = require('./reportLogger'); // registerHandler("BeforeFeature", { timeout: 500 * 1000 }, function() { From 0ed53763235586bda61ed80e18b7c4657e836751 Mon Sep 17 00:00:00 2001 From: Josh Date: Mon, 9 Sep 2024 16:49:55 +0100 Subject: [PATCH 14/37] fix missing ) --- test/e2e/features/step_definitions/createOrganisation.steps.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
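Review bot: hooks.js now requires '@cucumber/cucumber' twice, once for `{ Before, After }` at the top and again for `{ Given, When, Then }` further down among commented-out legacy code; one destructuring at the top, `const { Before, After, Given, When, Then } = require('@cucumber/cucumber');`, is clearer, and if Given/When/Then are not actually referenced in this hooks file (step keywords are unusual here — worth confirming), the second require can simply go. The commented-out `xmlReports`/`targetXML`/`registerHandler` lines around the second hunk look like dead code that could be removed in the same pass.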
diff --git a/test/e2e/features/step_definitions/createOrganisation.steps.js b/test/e2e/features/step_definitions/createOrganisation.steps.js index e0a010d4b..7de0af8ab 100644 --- a/test/e2e/features/step_definitions/createOrganisation.steps.js +++ b/test/e2e/features/step_definitions/createOrganisation.steps.js @@ -1,5 +1,5 @@ 'use strict'; -const { Then, When } = require('@cucumber/cucumber'}; +const { Then, When } = require('@cucumber/cucumber'); const CreateOrganisationObjects = require('../pageObjects/createOrganisationObjects'); From 210c924573ef4b67d381a34ea2a325fe0c34286d Mon Sep 17 00:00:00 2001 From: Josh Date: Mon, 9 Sep 2024 17:02:05 +0100 Subject: [PATCH 15/37] update import for Given --- test/e2e/features/step_definitions/dataSetUp.steps.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/features/step_definitions/dataSetUp.steps.js b/test/e2e/features/step_definitions/dataSetUp.steps.js index f02d27cff..6f0e2131b 100644 --- a/test/e2e/features/step_definitions/dataSetUp.steps.js +++ b/test/e2e/features/step_definitions/dataSetUp.steps.js @@ -1,6 +1,6 @@ 'use strict'; -const { When} = require('@cucumber/cucumber'); +const { When, Given } = require('@cucumber/cucumber'); const CreateOrganisationObjects = require('../pageObjects/createOrganisationObjects'); const { AMAZING_DELAY, SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../support/constants'); From 8a6001d6ecc8cc1b83655bd03c7a2650e77788ba Mon Sep 17 00:00:00 2001 From: Josh Date: Mon, 9 Sep 2024 17:09:06 +0100 Subject: [PATCH 16/37] Use new cucumber pretty formatter --- package.json | 1 + test/e2e/config/crossbrowser.conf.js | 4 ++-- test/e2e/config/fullfunctional.conf.js | 2 +- test/e2e/config/functional.conf.js | 2 +- test/e2e/config/smoke.conf.js | 2 +- yarn.lock | 20 ++++++++++++++++++-- 6 files changed, 24 insertions(+), 7 deletions(-) diff --git a/package.json b/package.json index 49a2df1b6..cd2ebdf9a 100644 --- a/package.json +++ b/package.json 
@@ -73,6 +73,7 @@ "@angular/router": "^17.3.6", "@circlon/angular-tree-component": "^11.0.4", "@cucumber/cucumber": "^11.0.0", + "@cucumber/pretty-formatter": "^1.0.1", "@edium/fsm": "^2.1.2", "@hmcts/ccd-case-ui-toolkit": "7.0.40", "@hmcts/ccpay-web-component": "6.2.1", diff --git a/test/e2e/config/crossbrowser.conf.js b/test/e2e/config/crossbrowser.conf.js index e3cc1ab3f..62efbc273 100644 --- a/test/e2e/config/crossbrowser.conf.js +++ b/test/e2e/config/crossbrowser.conf.js @@ -3,7 +3,7 @@ const chaiAsPromised = require('chai-as-promised'); chai.use(chaiAsPromised); const minimist = require('minimist'); const argv = minimist(process.argv.slice(2)); -const cucumberPretty = require('cucumber-pretty'); +const cucumberPretty = require('@cucumber/pretty-formatter'); const config = { framework: 'custom', frameworkPath: require.resolve('protractor-cucumber-framework'), @@ -115,7 +115,7 @@ const config = { cucumberOpts: { strict: true, - format: ['node_modules/cucumber-pretty', 'json:cb_reports/saucelab_results.json'], + format: ['node_modules/@cucumber/pretty-formatter', 'json:cb_reports/saucelab_results.json'], require: ['../support/world.js', '../support/*.js', '../features/step_definitions/**/*.steps.js'], tags: ['@crossbrowser', 'not @Flaky'] }, diff --git a/test/e2e/config/fullfunctional.conf.js b/test/e2e/config/fullfunctional.conf.js index f5fa0e8e2..48f128c52 100644 --- a/test/e2e/config/fullfunctional.conf.js +++ b/test/e2e/config/fullfunctional.conf.js @@ -37,7 +37,7 @@ const config = { cucumberOpts: { strict: true, // format: ['node_modules/cucumber-pretty'], - format: ['node_modules/cucumber-pretty', 'json:reports/tests/functional/results.json'], + format: ['node_modules/@cucumber/pretty-formatter', 'json:reports/tests/functional/results.json'], tags: ['@all or @smoke or @fullFunctional or @end2end', 'not @Flaky'], // tags: ['@edit'], require: cucumberOpts 
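Review bot: The `cucumberPretty` binding created by `require('@cucumber/pretty-formatter')` does not appear to be used by the formatter setting, which names the formatter by a path string in `cucumberOpts.format`; if nothing else in the file references it (not visible here), the require only loads the module at config-parse time and can be dropped, which also removes a variable named after the old package. The `config` object continues outside both hunks. The `node_modules/` path form is already corrected in the next commit, so that is not re-raised here.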
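Review bot: The commented-out line directly above the change, `// format: ['node_modules/cucumber-pretty'],`, still points at the package this commit replaces, so it is now misleading rather than merely stale; it documents nothing anymore and should be deleted. The identical remnant sits in test/e2e/config/smoke.conf.js (next patch line) and both survive the follow-up commit that changes the format string again. The `cucumberOpts` object and the enclosing `config` continue outside the hunk.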
diff --git a/test/e2e/config/functional.conf.js b/test/e2e/config/functional.conf.js index dae026ce7..2a13d53cb 100644 --- a/test/e2e/config/functional.conf.js +++ b/test/e2e/config/functional.conf.js @@ -37,7 +37,7 @@ const config = { cucumberOpts: { strict: true, - format: ['node_modules/cucumber-pretty', 'json:reports_json/results.json'], + format: ['node_modules/@cucumber/pretty-formatter', 'json:reports_json/results.json'], tags: ['@all or @fullFunctional', 'not @Flaky'], // tags: ['@all or @smoke or @fullFunctional or @end2end'], require: cucumberOpts diff --git a/test/e2e/config/smoke.conf.js b/test/e2e/config/smoke.conf.js index 204a94530..3f28cc985 100644 --- a/test/e2e/config/smoke.conf.js +++ b/test/e2e/config/smoke.conf.js @@ -89,7 +89,7 @@ const config = { cucumberOpts: { strict: true, // format: ['node_modules/cucumber-pretty'], - format: ['node_modules/cucumber-pretty', 'json:reports_json/results.json'], + format: ['node_modules/@cucumber/pretty-formatter', 'json:reports_json/results.json'], tags: ['@smoke', 'not @Flaky'], require: [ '../support/timeout.js', diff --git a/yarn.lock b/yarn.lock index 63a8bfc64..b3bc41ac6 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2184,6 +2184,21 @@ __metadata: languageName: node linkType: hard +"@cucumber/pretty-formatter@npm:^1.0.1": + version: 1.0.1 + resolution: "@cucumber/pretty-formatter@npm:1.0.1" + dependencies: + ansi-styles: ^5.0.0 + cli-table3: ^0.6.0 + figures: ^3.2.0 + ts-dedent: ^2.0.0 + peerDependencies: + "@cucumber/cucumber": ">=7.0.0" + "@cucumber/messages": "*" + checksum: bd84ff9fcf0d0a6c8d190f5c7acec426a1ff6eb2f67c743abb8ff226768121bae482be191b9db64449df09be8aecdd93661a91ba4db708f55e3e14a7ce7dede2 + languageName: node + linkType: hard + "@cucumber/tag-expressions@npm:6.1.0": version: 6.1.0 resolution: "@cucumber/tag-expressions@npm:6.1.0" 
@@ -8145,7 +8160,7 @@ __metadata:
 languageName: node
 linkType: hard
-"cli-table3@npm:0.6.5":
+"cli-table3@npm:0.6.5, cli-table3@npm:^0.6.0":
 version: 0.6.5
 resolution: "cli-table3@npm:0.6.5"
 dependencies:
@@ -19734,6 +19749,7 @@ __metadata:
 "@angular/router": ^17.3.6
 "@circlon/angular-tree-component": ^11.0.4
 "@cucumber/cucumber": ^11.0.0
+ "@cucumber/pretty-formatter": ^1.0.1
 "@edium/fsm": ^2.1.2
 "@hmcts/ccd-case-ui-toolkit": 7.0.40
 "@hmcts/ccpay-web-component": 6.2.1
@@ -21887,7 +21903,7 @@ __metadata:
 languageName: node
 linkType: hard
-"ts-dedent@npm:^2.2.0":
+"ts-dedent@npm:^2.0.0, ts-dedent@npm:^2.2.0":
 version: 2.2.0
 resolution: "ts-dedent@npm:2.2.0"
 checksum: 93ed8f7878b6d5ed3c08d99b740010eede6bccfe64bce61c5a4da06a2c17d6ddbb80a8c49c2d15251de7594a4f93ffa21dd10e7be75ef66a4dc9951b4a94e2af
From df42987aae427c5c1230314d136a9bb5e93d38bd Mon Sep 17 00:00:00 2001
From: Josh
Date: Mon, 9 Sep 2024 20:19:37 +0100
Subject: [PATCH 17/37] Change formatter import
---
 test/e2e/config/crossbrowser.conf.js | 2 +-
 test/e2e/config/fullfunctional.conf.js | 2 +-
 test/e2e/config/functional.conf.js | 2 +-
 test/e2e/config/smoke.conf.js | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/test/e2e/config/crossbrowser.conf.js b/test/e2e/config/crossbrowser.conf.js
index 62efbc273..b181a7e5e 100644
--- a/test/e2e/config/crossbrowser.conf.js
+++ b/test/e2e/config/crossbrowser.conf.js
@@ -115,7 +115,7 @@ const config = {
 cucumberOpts: {
 strict: true,
- format: ['node_modules/@cucumber/pretty-formatter', 'json:cb_reports/saucelab_results.json'],
+ format: ['@cucumber/pretty-formatter', 'json:cb_reports/saucelab_results.json'],
 require: ['../support/world.js', '../support/*.js', '../features/step_definitions/**/*.steps.js'],
 tags: ['@crossbrowser', 'not @Flaky']
 },
diff --git a/test/e2e/config/fullfunctional.conf.js b/test/e2e/config/fullfunctional.conf.js
index 48f128c52..480bcf828 100644
--- a/test/e2e/config/fullfunctional.conf.js
+++ b/test/e2e/config/fullfunctional.conf.js
@@ -37,7 +37,7 @@ const config = {
 cucumberOpts: {
 strict: true,
 // format: ['node_modules/cucumber-pretty'],
- format: ['node_modules/@cucumber/pretty-formatter', 'json:reports/tests/functional/results.json'],
+ format: ['@cucumber/pretty-formatter', 'json:reports/tests/functional/results.json'],
 tags: ['@all or @smoke or @fullFunctional or @end2end', 'not @Flaky'],
 // tags: ['@edit'],
 require: cucumberOpts
diff --git a/test/e2e/config/functional.conf.js b/test/e2e/config/functional.conf.js
index 2a13d53cb..05ee96e9f 100644
--- a/test/e2e/config/functional.conf.js
+++ b/test/e2e/config/functional.conf.js
@@ -37,7 +37,7 @@ const config = {
 cucumberOpts: {
 strict: true,
- format: ['node_modules/@cucumber/pretty-formatter', 'json:reports_json/results.json'],
+ format: ['@cucumber/pretty-formatter', 'json:reports_json/results.json'],
 tags: ['@all or @fullFunctional', 'not @Flaky'],
 // tags: ['@all or @smoke or @fullFunctional or @end2end'],
 require: cucumberOpts
diff --git a/test/e2e/config/smoke.conf.js b/test/e2e/config/smoke.conf.js
index 3f28cc985..d5512ff4b 100644
--- a/test/e2e/config/smoke.conf.js
+++ b/test/e2e/config/smoke.conf.js
@@ -89,7 +89,7 @@ const config = {
 cucumberOpts: {
 strict: true,
 // format: ['node_modules/cucumber-pretty'],
- format: ['node_modules/@cucumber/pretty-formatter', 'json:reports_json/results.json'],
+ format: ['@cucumber/pretty-formatter', 'json:reports_json/results.json'],
 tags: ['@smoke', 'not @Flaky'],
 require: [
 '../support/timeout.js',
From 1e6b34bc1dd26df1683693dc45d234b788298072 Mon Sep 17 00:00:00 2001
From: Josh
Date: Tue, 10 Sep 2024 10:27:21 +0100
Subject: [PATCH 18/37] Yarn audit
---
 yarn-audit-known-issues | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
index ad82628f0..221637847 100644
--- a/yarn-audit-known-issues
+++ b/yarn-audit-known-issues
@@ -1 +1 @@ -{"actions":[],"advisories":{"1085685":{"findings":[{"version":"1.1.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>os-locale>mem"]}],"metadata":null,"vulnerable_versions":"<4.0.0","module_name":"mem","severity":"moderate","github_advisory_id":"GHSA-4xcv-9jjx-gfj3","cves":[],"access":"public","patched_versions":">=4.0.0","cvss":{"score":5.1,"vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},"updated":"2023-01-09T05:01:45.000Z","recommendation":"Upgrade to version 4.0.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085685,"references":"- https://github.com/sindresorhus/mem/commit/da4e4398cb27b602de3bd55f746efa9b4a31702b\n- https://bugzilla.redhat.com/show_bug.cgi?id=1623744\n- https://www.npmjs.com/advisories/1084\n- https://snyk.io/vuln/npm:mem:20180117\n- https://github.com/advisories/GHSA-4xcv-9jjx-gfj3","created":"2019-07-05T21:07:58.000Z","reported_by":null,"title":"Denial of Service in mem","npm_advisory_id":null,"overview":"Versions of `mem` prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its `maxAge` property. 
This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.\n\n\n## Recommendation\n\nUpgrade to version 4.0.0 or later.","url":"https://github.com/advisories/GHSA-4xcv-9jjx-gfj3"},"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"moderate","github_advisory_id":"GHSA-64g7-mvw6-v9qj","cves":[],"access":"public","patched_versions":">=0.8.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-11T05:03:39.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1088208,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. 
You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088811":{"findings":[{"version":"8.1.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>yargs-parser"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <13.1.2","module_name":"yargs-parser","severity":"moderate","github_advisory_id":"GHSA-p9pc-299p-vxgp","cves":["CVE-2020-7608"],"access":"public","patched_versions":">=13.1.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-01-27T05:00:51.000Z","recommendation":"Upgrade to version 13.1.2 or later","cwe":["CWE-915","CWE-1321"],"found_by":null,"deleted":null,"id":1088811,"references":"- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381\n- https://www.npmjs.com/advisories/1500\n- https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2\n- https://nvd.nist.gov/vuln/detail/CVE-2020-7608\n- https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36\n- https://github.com/advisories/GHSA-p9pc-299p-vxgp","created":"2020-09-04T18:00:54.000Z","reported_by":null,"title":"yargs-parser Vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"Affected versions of `yargs-parser` are vulnerable to prototype pollution. 
Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.\n\n\n\n## Recommendation\n\nUpgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.","url":"https://github.com/advisories/GHSA-p9pc-299p-vxgp"},"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX 
socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"access":"public","patched_versions":">=3.1.7","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-30T05:02:57.000Z","recommendation":"Upgrade to version 3.1.7 or later","cwe":["CWE-74"],"found_by":null,"deleted":null,"id":1089270,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","reported_by":null,"title":"ejs template injection vulnerability","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. 
This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-g973-978j-2c3p","cves":["CVE-2021-32014"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:54.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-345","CWE-400"],"found_by":null,"deleted":null,"id":1089698,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.","url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-3x9f-74h4-2fqr","cves":["CVE-2021-32012"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:10.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089699,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- 
https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-8vcr-vxm8-293m","cves":["CVE-2021-32013"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:00.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089700,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","reported_by":null,"title":"Denial of Service in SheetsJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 
2).","url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-09-11T16:22:18.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1093639,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. 
When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094599":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.19.3","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","cves":["CVE-2023-30533"],"access":"public","patched_versions":">=0.19.3","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-11-06T05:04:13.000Z","recommendation":"Upgrade to version 0.19.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1094599,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2986\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","reported_by":null,"title":"Prototype Pollution in sheetJS","npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. 
Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1095051":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","cves":["CVE-2022-21680"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-11-29T20:51:52.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1095051,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade 
to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"},"1095052":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","cves":["CVE-2022-21681"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-11-29T20:51:17.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1095052,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular 
expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1095126":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"high","github_advisory_id":"GHSA-4rq4-32rv-6wp6","cves":["CVE-2022-0144"],"access":"public","patched_versions":">=0.8.5","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"updated":"2023-11-29T22:21:11.000Z","recommendation":"Upgrade to version 0.8.5 or 
later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1095126,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege Management","url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1095531":{"findings":[{"version":"6.2.1","paths":["log4js"]}],"metadata":null,"vulnerable_versions":"<6.4.0","module_name":"log4js","severity":"moderate","github_advisory_id":"GHSA-82v2-mx6x-wq7q","cves":["CVE-2022-21704"],"access":"public","patched_versions":">=6.4.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},"updated":"2024-01-24T08:54:14.000Z","recommendation":"Upgrade to version 6.4.0 or later","cwe":["CWE-276"],"found_by":null,"deleted":null,"id":1095531,"references":"- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q\n- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76\n- https://github.com/log4js-node/streamroller/pull/87\n- https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21704\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00014.html\n- https://github.com/advisories/GHSA-82v2-mx6x-wq7q","created":"2022-01-21T18:53:27.000Z","reported_by":null,"title":"Incorrect Default Permissions in log4js","npm_advisory_id":null,"overview":"### Impact\r\nDefault file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. 
This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.\r\n\r\n### Patches\r\nFixed by:\r\n* https://github.com/log4js-node/log4js-node/pull/1141\r\n* https://github.com/log4js-node/streamroller/pull/87\r\n\r\nReleased to NPM in log4js@6.4.0\r\n\r\n### Workarounds\r\nEvery version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.\r\n\r\n### References\r\n\r\nThanks to [ranjit-git](https://www.huntr.dev/users/ranjit-git) for raising the issue, and to @lamweili for fixing the problem.\r\n\r\n### For more information\r\nIf you have any questions or comments about this advisory:\r\n* Open an issue in [logj4s-node](https://github.com/log4js-node/log4js-node)\r\n* Ask a question in the [slack channel](https://join.slack.com/t/log4js-node/shared_invite/enQtODkzMDQ3MzExMDczLWUzZmY0MmI0YWI1ZjFhODY0YjI0YmU1N2U5ZTRkOTYyYzg3MjY5NWI4M2FjZThjYjdiOGM0NjU2NzBmYTJjOGI)\r\n* Email us at [gareth.nomiddlename@gmail.com](mailto:gareth.nomiddlename@gmail.com)\r\n","url":"https://github.com/advisories/GHSA-82v2-mx6x-wq7q"},"1096832":{"findings":[{"version":"1.28.2","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":"<2.0.7","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-hhhv-q57g-882q","cves":["CVE-2024-28176"],"access":"public","patched_versions":">=2.0.7","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-03-30T06:30:42.000Z","recommendation":"Upgrade to version 2.0.7 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1096832,"references":"- https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q\n- https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314\n- https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b\n- 
https://nvd.nist.gov/vuln/detail/CVE-2024-28176\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG\n- https://github.com/advisories/GHSA-hhhv-q57g-882q","created":"2024-03-07T17:40:57.000Z","reported_by":null,"title":"jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext","npm_advisory_id":null,"overview":"A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the [support for decompressing plaintext after its decryption](https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.3). This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective.\n\nNote that as per [RFC 8725](https://www.rfc-editor.org/rfc/rfc8725.html#name-avoid-compression-of-encryp) compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. 
For this reason the v5.x major version of `jose` removed support for compressed payloads entirely and is therefore NOT affected by this advisory.\n\n### Impact\n\nUnder certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations.\n\n### Affected users\n\nThe impact is limited only to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.\n\nYou are NOT affected if any of the following applies to you\n\n- Your code uses jose version v5.x where JWE Compression is not supported anymore\n- Your code runs in an environment other than Node.js (e.g. Deno, CF Workers), which is the only runtime where JWE Compression is implemented out of the box\n- Your code does not use the JWE decryption APIs\n- Your code only accepts JWEs produced by trusted sources\n\n### Patches\n\n`v2.0.7` and `v4.15.5` releases limit the decompression routine to only allow decompressing up to 250 kB of plaintext. In v4.x it is possible to further adjust this limit via the `inflateRaw` decryption option implementation. 
In v2.x it is possible to further adjust this limit via the `inflateRawSyncLimit` decryption option.\n\n### Workarounds\n\nIf you cannot upgrade and do not want to support compressed JWEs you may detect and reject these tokens early by checking the token's protected header\n\n```js\nconst { zip } = jose.decodeProtectedHeader(token)\nif (zip !== undefined) {\n throw new Error('JWE Compression is not supported')\n}\n```\n\nIf you wish to continue supporting JWEs with compressed payloads in these legacy release lines you must upgrade (v1.x and v2.x to version v2.0.7, v3.x and v4.x to version v4.15.5) and review the limits put forth by the patched releases.\n\n### For more information\nIf you have any questions or comments about this advisory please open a discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-hhhv-q57g-882q%20advisory%20question)","url":"https://github.com/advisories/GHSA-hhhv-q57g-882q"},"1096911":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.20.2","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-5pgg-2g8v-p4x9","cves":["CVE-2024-22363"],"access":"public","patched_versions":">=0.20.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-04-08T13:47:06.000Z","recommendation":"Upgrade to version 0.20.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1096911,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-22363\n- https://cdn.sheetjs.com/advisories/CVE-2024-22363\n- https://cwe.mitre.org/data/definitions/1333.html\n- https://git.sheetjs.com/sheetjs/sheetjs/src/tag/v0.20.2\n- https://github.com/advisories/GHSA-5pgg-2g8v-p4x9","created":"2024-04-05T06:30:46.000Z","reported_by":null,"title":"SheetJS Regular Expression Denial of Service (ReDoS)","npm_advisory_id":null,"overview":"SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of 
Service (ReDoS).","url":"https://github.com/advisories/GHSA-5pgg-2g8v-p4x9"},"1097504":{"findings":[{"version":"2.5.207","paths":["pdfjs-dist","@hmcts/media-viewer>pdfjs-dist"]}],"metadata":null,"vulnerable_versions":"<=4.1.392","module_name":"pdfjs-dist","severity":"high","github_advisory_id":"GHSA-wgrm-67xf-hhpq","cves":["CVE-2024-4367"],"access":"public","patched_versions":">=4.2.67","cvss":{"score":0,"vectorString":null},"updated":"2024-06-10T20:18:19.000Z","recommendation":"Upgrade to version 4.2.67 or later","cwe":[],"found_by":null,"deleted":null,"id":1097504,"references":"- https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq\n- https://github.com/mozilla/pdf.js/pull/18015\n- https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6\n- https://bugzilla.mozilla.org/show_bug.cgi?id=1893645\n- https://nvd.nist.gov/vuln/detail/CVE-2024-4367\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html\n- https://www.mozilla.org/security/advisories/mfsa2024-21\n- https://www.mozilla.org/security/advisories/mfsa2024-22\n- https://www.mozilla.org/security/advisories/mfsa2024-23\n- https://github.com/advisories/GHSA-wgrm-67xf-hhpq","created":"2024-05-07T10:25:08.000Z","reported_by":null,"title":"PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF","npm_advisory_id":null,"overview":"### Impact\nIf pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.\n\n### Patches\nThe patch removes the use of `eval`:\nhttps://github.com/mozilla/pdf.js/pull/18015\n\n### Workarounds\nSet the option `isEvalSupported` to `false`. 
\n\n### References\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1893645","url":"https://github.com/advisories/GHSA-wgrm-67xf-hhpq"},"1097679":{"findings":[{"version":"0.26.1","paths":["axios","@hmcts/rpx-xui-node-lib>axios"]}],"metadata":null,"vulnerable_versions":">=0.8.1 <0.28.0","module_name":"axios","severity":"moderate","github_advisory_id":"GHSA-wf5p-g6vw-rhxx","cves":["CVE-2023-45857"],"access":"public","patched_versions":">=0.28.0","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},"updated":"2024-06-21T21:33:58.000Z","recommendation":"Upgrade to version 0.28.0 or later","cwe":["CWE-352"],"found_by":null,"deleted":null,"id":1097679,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-45857\n- https://github.com/axios/axios/issues/6006\n- https://github.com/axios/axios/issues/6022\n- https://github.com/axios/axios/pull/6028\n- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0\n- https://github.com/axios/axios/releases/tag/v1.6.0\n- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459\n- https://github.com/axios/axios/pull/6091\n- https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967\n- https://github.com/axios/axios/releases/tag/v0.28.0\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-wf5p-g6vw-rhxx","created":"2023-11-08T21:30:37.000Z","reported_by":null,"title":"Axios Cross-Site Request Forgery Vulnerability","npm_advisory_id":null,"overview":"An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive 
information.","url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"},"1097682":{"findings":[{"version":"2.5.0","paths":["rx-polling-hmcts>jest-environment-jsdom>jsdom>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2024-06-21T21:33:53.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097682,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1097684":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<9.0.0","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-qwph-4952-7xr6","cves":["CVE-2022-23540"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":6.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L"},"updated":"2024-06-21T21:34:57.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-287","CWE-327","CWE-347"],"found_by":null,"deleted":null,"id":1097684,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23540\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-qwph-4952-7xr6","created":"2022-12-22T03:32:59.000Z","reported_by":null,"title":"jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()","npm_advisory_id":null,"overview":"# Overview\n\nIn versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification.\n\n# Am I affected?\nYou will be affected if all the following are true in the `jwt.verify()` function:\n- a token with no signature is received\n- no algorithms are specified \n- a falsy (e.g. null, false, undefined) secret or key is passed \n\n# How do I fix it?\n \nUpdate to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. 
\n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n","url":"https://github.com/advisories/GHSA-qwph-4952-7xr6"},"1097690":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<=8.5.1","module_name":"jsonwebtoken","severity":"high","github_advisory_id":"GHSA-8cf7-32gw-wr33","cves":["CVE-2022-23539"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},"updated":"2024-06-24T21:23:39.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-327"],"found_by":null,"deleted":null,"id":1097690,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23539\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-8cf7-32gw-wr33","created":"2022-12-22T03:32:22.000Z","reported_by":null,"title":"jsonwebtoken unrestricted key type could lead to legacy keys usage ","npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. 
\n\n# Am I affected?\n\nYou are affected if you are using an algorithm and a key type other than the combinations mentioned below\n\n| Key type | algorithm |\n|----------|------------------------------------------|\n| ec | ES256, ES384, ES512 |\n| rsa | RS256, RS384, RS512, PS256, PS384, PS512 |\n| rsa-pss | PS256, PS384, PS512 |\n\nAnd for Elliptic Curve algorithms:\n\n| `alg` | Curve |\n|-------|------------|\n| ES256 | prime256v1 |\n| ES384 | secp384r1 |\n| ES512 | secp521r1 |\n\n# How do I fix it?\n\nUpdate to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, If you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.\n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you already use a valid secure combination of key type and algorithm. Otherwise, use the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and `verify()` functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility. 
\n\n","url":"https://github.com/advisories/GHSA-8cf7-32gw-wr33"},"1097694":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<=8.5.1","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-hjrf-2m68-5959","cves":["CVE-2022-23541"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},"updated":"2024-06-24T21:24:07.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-287","CWE-1259"],"found_by":null,"deleted":null,"id":1097694,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23541\n- https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-hjrf-2m68-5959","created":"2022-12-22T03:33:19.000Z","reported_by":null,"title":"jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC","npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the `secretOrPublicKey` argument from the [readme link](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback)) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. 
\n\n# Am I affected?\n\nYou will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. \n\n# How do I fix it?\n \nUpdate to version 9.0.0.\n\n# Will the fix impact my users?\n\nThere is no impact for end users","url":"https://github.com/advisories/GHSA-hjrf-2m68-5959"},"1098366":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.10","module_name":"ejs","severity":"moderate","github_advisory_id":"GHSA-ghr5-ch3p-vcr6","cves":["CVE-2024-33883"],"access":"public","patched_versions":">=3.1.10","cvss":{"score":4,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-02T15:45:54.000Z","recommendation":"Upgrade to version 3.1.10 or later","cwe":["CWE-693","CWE-1321"],"found_by":null,"deleted":null,"id":1098366,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-33883\n- https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5\n- https://github.com/mde/ejs/compare/v3.1.9...v3.1.10\n- https://security.netapp.com/advisory/ntap-20240605-0003\n- https://github.com/advisories/GHSA-ghr5-ch3p-vcr6","created":"2024-04-28T18:30:31.000Z","reported_by":null,"title":"ejs lacks certain pollution protection","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.","url":"https://github.com/advisories/GHSA-ghr5-ch3p-vcr6"},"1098393":{"findings":[{"version":"7.4.6","paths":["puppeteer>ws","@hmcts/media-viewer>socket.io-client>engine.io-client>ws"]}],"metadata":null,"vulnerable_versions":">=7.0.0 <7.5.10","module_name":"ws","severity":"high","github_advisory_id":"GHSA-3h5v-q93c-6h6q","cves":["CVE-2024-37890"],"access":"public","patched_versions":">=7.5.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-08-05T05:02:34.000Z","recommendation":"Upgrade 
to version 7.5.10 or later","cwe":["CWE-476"],"found_by":null,"deleted":null,"id":1098393,"references":"- https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n- https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f\n- https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e\n- https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c\n- https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63\n- https://github.com/advisories/GHSA-3h5v-q93c-6h6q","created":"2024-06-17T19:09:10.000Z","reported_by":null,"title":"ws affected by a DoS when handling a request with many HTTP headers","npm_advisory_id":null,"overview":"### Impact\n\nA request with a number of headers exceeding the[`server.maxHeadersCount`][] threshold could be used to crash a ws server.\n\n### Proof of concept\n\n```js\nconst http = require('http');\nconst WebSocket = require('ws');\n\nconst wss = new WebSocket.Server({ port: 0 }, function () {\n const chars = \"!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~\".split('');\n const headers = {};\n let count = 0;\n\n for (let i = 0; i < chars.length; i++) {\n if (count === 2000) break;\n\n for (let j = 0; j < chars.length; j++) {\n const key = chars[i] + chars[j];\n headers[key] = 'x';\n\n if (++count === 2000) break;\n }\n }\n\n headers.Connection = 'Upgrade';\n headers.Upgrade = 'websocket';\n headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';\n headers['Sec-WebSocket-Version'] = '13';\n\n const request = http.request({\n headers: headers,\n host: '127.0.0.1',\n port: wss.address().port\n });\n\n request.end();\n});\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 
(https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated in the following ways:\n\n1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options so that no more headers than the `server.maxHeadersCount` limit can be sent.\n2. Set `server.maxHeadersCount` to `0` so that no limit is applied.\n\n### Credits\n\nThe vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in https://github.com/websockets/ws/issues/2230.\n\n### References\n\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n\n[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize\n[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener\n[`server.maxHeadersCount`]: 
https://nodejs.org/api/http.html#servermaxheaderscount\n","url":"https://github.com/advisories/GHSA-3h5v-q93c-6h6q"},"1098681":{"findings":[{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch","rx-polling-hmcts>jest-environment-jsdom>@jest/fake-timers>jest-message-util>micromatch","rx-polling-hmcts>jest-environment-jsdom>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:
N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":29,"high":10,"critical":1},"dependencies":1001,"devDependencies":5,"optionalDependencies":0,"totalDependencies":1006}} +{"actions":[],"advisories":{"1085685":{"findings":[{"version":"1.1.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>os-locale>mem"]}],"metadata":null,"vulnerable_versions":"<4.0.0","module_name":"mem","severity":"moderate","github_advisory_id":"GHSA-4xcv-9jjx-gfj3","cves":[],"access":"public","patched_versions":">=4.0.0","cvss":{"score":5.1,"vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},"updated":"2023-01-09T05:01:45.000Z","recommendation":"Upgrade to version 4.0.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085685,"references":"- https://github.com/sindresorhus/mem/commit/da4e4398cb27b602de3bd55f746efa9b4a31702b\n- https://bugzilla.redhat.com/show_bug.cgi?id=1623744\n- https://www.npmjs.com/advisories/1084\n- https://snyk.io/vuln/npm:mem:20180117\n- https://github.com/advisories/GHSA-4xcv-9jjx-gfj3","created":"2019-07-05T21:07:58.000Z","reported_by":null,"title":"Denial of Service in mem","npm_advisory_id":null,"overview":"Versions of `mem` prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its `maxAge` property. 
This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.\n\n\n## Recommendation\n\nUpgrade to version 4.0.0 or later.","url":"https://github.com/advisories/GHSA-4xcv-9jjx-gfj3"},"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"moderate","github_advisory_id":"GHSA-64g7-mvw6-v9qj","cves":[],"access":"public","patched_versions":">=0.8.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-11T05:03:39.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1088208,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. 
You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088811":{"findings":[{"version":"8.1.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>yargs-parser"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <13.1.2","module_name":"yargs-parser","severity":"moderate","github_advisory_id":"GHSA-p9pc-299p-vxgp","cves":["CVE-2020-7608"],"access":"public","patched_versions":">=13.1.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-01-27T05:00:51.000Z","recommendation":"Upgrade to version 13.1.2 or later","cwe":["CWE-915","CWE-1321"],"found_by":null,"deleted":null,"id":1088811,"references":"- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381\n- https://www.npmjs.com/advisories/1500\n- https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2\n- https://nvd.nist.gov/vuln/detail/CVE-2020-7608\n- https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36\n- https://github.com/advisories/GHSA-p9pc-299p-vxgp","created":"2020-09-04T18:00:54.000Z","reported_by":null,"title":"yargs-parser Vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"Affected versions of `yargs-parser` are vulnerable to prototype pollution. 
Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.\n\n\n\n## Recommendation\n\nUpgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.","url":"https://github.com/advisories/GHSA-p9pc-299p-vxgp"},"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX 
socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"access":"public","patched_versions":">=3.1.7","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-30T05:02:57.000Z","recommendation":"Upgrade to version 3.1.7 or later","cwe":["CWE-74"],"found_by":null,"deleted":null,"id":1089270,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","reported_by":null,"title":"ejs template injection vulnerability","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. 
This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-g973-978j-2c3p","cves":["CVE-2021-32014"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:54.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-345","CWE-400"],"found_by":null,"deleted":null,"id":1089698,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.","url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-3x9f-74h4-2fqr","cves":["CVE-2021-32012"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:10.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089699,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- 
https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-8vcr-vxm8-293m","cves":["CVE-2021-32013"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:00.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089700,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","reported_by":null,"title":"Denial of Service in SheetsJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 
2).","url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-09-11T16:22:18.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1093639,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. 
When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094599":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.19.3","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","cves":["CVE-2023-30533"],"access":"public","patched_versions":">=0.19.3","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-11-06T05:04:13.000Z","recommendation":"Upgrade to version 0.19.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1094599,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2986\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","reported_by":null,"title":"Prototype Pollution in sheetJS","npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. 
Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1095051":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","cves":["CVE-2022-21680"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-11-29T20:51:52.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1095051,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade 
to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"},"1095052":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","cves":["CVE-2022-21681"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-11-29T20:51:17.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1095052,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular 
expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1095126":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"high","github_advisory_id":"GHSA-4rq4-32rv-6wp6","cves":["CVE-2022-0144"],"access":"public","patched_versions":">=0.8.5","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"updated":"2023-11-29T22:21:11.000Z","recommendation":"Upgrade to version 0.8.5 or 
later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1095126,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege Management","url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1095531":{"findings":[{"version":"6.2.1","paths":["log4js"]}],"metadata":null,"vulnerable_versions":"<6.4.0","module_name":"log4js","severity":"moderate","github_advisory_id":"GHSA-82v2-mx6x-wq7q","cves":["CVE-2022-21704"],"access":"public","patched_versions":">=6.4.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},"updated":"2024-01-24T08:54:14.000Z","recommendation":"Upgrade to version 6.4.0 or later","cwe":["CWE-276"],"found_by":null,"deleted":null,"id":1095531,"references":"- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q\n- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76\n- https://github.com/log4js-node/streamroller/pull/87\n- https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21704\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00014.html\n- https://github.com/advisories/GHSA-82v2-mx6x-wq7q","created":"2022-01-21T18:53:27.000Z","reported_by":null,"title":"Incorrect Default Permissions in log4js","npm_advisory_id":null,"overview":"### Impact\r\nDefault file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. 
This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.\r\n\r\n### Patches\r\nFixed by:\r\n* https://github.com/log4js-node/log4js-node/pull/1141\r\n* https://github.com/log4js-node/streamroller/pull/87\r\n\r\nReleased to NPM in log4js@6.4.0\r\n\r\n### Workarounds\r\nEvery version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.\r\n\r\n### References\r\n\r\nThanks to [ranjit-git](https://www.huntr.dev/users/ranjit-git) for raising the issue, and to @lamweili for fixing the problem.\r\n\r\n### For more information\r\nIf you have any questions or comments about this advisory:\r\n* Open an issue in [logj4s-node](https://github.com/log4js-node/log4js-node)\r\n* Ask a question in the [slack channel](https://join.slack.com/t/log4js-node/shared_invite/enQtODkzMDQ3MzExMDczLWUzZmY0MmI0YWI1ZjFhODY0YjI0YmU1N2U5ZTRkOTYyYzg3MjY5NWI4M2FjZThjYjdiOGM0NjU2NzBmYTJjOGI)\r\n* Email us at [gareth.nomiddlename@gmail.com](mailto:gareth.nomiddlename@gmail.com)\r\n","url":"https://github.com/advisories/GHSA-82v2-mx6x-wq7q"},"1096832":{"findings":[{"version":"1.28.2","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":"<2.0.7","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-hhhv-q57g-882q","cves":["CVE-2024-28176"],"access":"public","patched_versions":">=2.0.7","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-03-30T06:30:42.000Z","recommendation":"Upgrade to version 2.0.7 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1096832,"references":"- https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q\n- https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314\n- https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b\n- 
https://nvd.nist.gov/vuln/detail/CVE-2024-28176\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG\n- https://github.com/advisories/GHSA-hhhv-q57g-882q","created":"2024-03-07T17:40:57.000Z","reported_by":null,"title":"jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext","npm_advisory_id":null,"overview":"A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the [support for decompressing plaintext after its decryption](https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.3). This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective.\n\nNote that as per [RFC 8725](https://www.rfc-editor.org/rfc/rfc8725.html#name-avoid-compression-of-encryp) compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. 
For this reason the v5.x major version of `jose` removed support for compressed payloads entirely and is therefore NOT affected by this advisory.\n\n### Impact\n\nUnder certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations.\n\n### Affected users\n\nThe impact is limited only to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.\n\nYou are NOT affected if any of the following applies to you\n\n- Your code uses jose version v5.x where JWE Compression is not supported anymore\n- Your code runs in an environment other than Node.js (e.g. Deno, CF Workers), which is the only runtime where JWE Compression is implemented out of the box\n- Your code does not use the JWE decryption APIs\n- Your code only accepts JWEs produced by trusted sources\n\n### Patches\n\n`v2.0.7` and `v4.15.5` releases limit the decompression routine to only allow decompressing up to 250 kB of plaintext. In v4.x it is possible to further adjust this limit via the `inflateRaw` decryption option implementation. 
In v2.x it is possible to further adjust this limit via the `inflateRawSyncLimit` decryption option.\n\n### Workarounds\n\nIf you cannot upgrade and do not want to support compressed JWEs you may detect and reject these tokens early by checking the token's protected header\n\n```js\nconst { zip } = jose.decodeProtectedHeader(token)\nif (zip !== undefined) {\n throw new Error('JWE Compression is not supported')\n}\n```\n\nIf you wish to continue supporting JWEs with compressed payloads in these legacy release lines you must upgrade (v1.x and v2.x to version v2.0.7, v3.x and v4.x to version v4.15.5) and review the limits put forth by the patched releases.\n\n### For more information\nIf you have any questions or comments about this advisory please open a discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-hhhv-q57g-882q%20advisory%20question)","url":"https://github.com/advisories/GHSA-hhhv-q57g-882q"},"1096911":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.20.2","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-5pgg-2g8v-p4x9","cves":["CVE-2024-22363"],"access":"public","patched_versions":">=0.20.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-04-08T13:47:06.000Z","recommendation":"Upgrade to version 0.20.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1096911,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-22363\n- https://cdn.sheetjs.com/advisories/CVE-2024-22363\n- https://cwe.mitre.org/data/definitions/1333.html\n- https://git.sheetjs.com/sheetjs/sheetjs/src/tag/v0.20.2\n- https://github.com/advisories/GHSA-5pgg-2g8v-p4x9","created":"2024-04-05T06:30:46.000Z","reported_by":null,"title":"SheetJS Regular Expression Denial of Service (ReDoS)","npm_advisory_id":null,"overview":"SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of 
Service (ReDoS).","url":"https://github.com/advisories/GHSA-5pgg-2g8v-p4x9"},"1097504":{"findings":[{"version":"2.5.207","paths":["pdfjs-dist","@hmcts/media-viewer>pdfjs-dist"]}],"metadata":null,"vulnerable_versions":"<=4.1.392","module_name":"pdfjs-dist","severity":"high","github_advisory_id":"GHSA-wgrm-67xf-hhpq","cves":["CVE-2024-4367"],"access":"public","patched_versions":">=4.2.67","cvss":{"score":0,"vectorString":null},"updated":"2024-06-10T20:18:19.000Z","recommendation":"Upgrade to version 4.2.67 or later","cwe":[],"found_by":null,"deleted":null,"id":1097504,"references":"- https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq\n- https://github.com/mozilla/pdf.js/pull/18015\n- https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6\n- https://bugzilla.mozilla.org/show_bug.cgi?id=1893645\n- https://nvd.nist.gov/vuln/detail/CVE-2024-4367\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html\n- https://www.mozilla.org/security/advisories/mfsa2024-21\n- https://www.mozilla.org/security/advisories/mfsa2024-22\n- https://www.mozilla.org/security/advisories/mfsa2024-23\n- https://github.com/advisories/GHSA-wgrm-67xf-hhpq","created":"2024-05-07T10:25:08.000Z","reported_by":null,"title":"PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF","npm_advisory_id":null,"overview":"### Impact\nIf pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.\n\n### Patches\nThe patch removes the use of `eval`:\nhttps://github.com/mozilla/pdf.js/pull/18015\n\n### Workarounds\nSet the option `isEvalSupported` to `false`. 
\n\n### References\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1893645","url":"https://github.com/advisories/GHSA-wgrm-67xf-hhpq"},"1097679":{"findings":[{"version":"0.26.1","paths":["axios","@hmcts/rpx-xui-node-lib>axios"]}],"metadata":null,"vulnerable_versions":">=0.8.1 <0.28.0","module_name":"axios","severity":"moderate","github_advisory_id":"GHSA-wf5p-g6vw-rhxx","cves":["CVE-2023-45857"],"access":"public","patched_versions":">=0.28.0","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},"updated":"2024-06-21T21:33:58.000Z","recommendation":"Upgrade to version 0.28.0 or later","cwe":["CWE-352"],"found_by":null,"deleted":null,"id":1097679,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-45857\n- https://github.com/axios/axios/issues/6006\n- https://github.com/axios/axios/issues/6022\n- https://github.com/axios/axios/pull/6028\n- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0\n- https://github.com/axios/axios/releases/tag/v1.6.0\n- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459\n- https://github.com/axios/axios/pull/6091\n- https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967\n- https://github.com/axios/axios/releases/tag/v0.28.0\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-wf5p-g6vw-rhxx","created":"2023-11-08T21:30:37.000Z","reported_by":null,"title":"Axios Cross-Site Request Forgery Vulnerability","npm_advisory_id":null,"overview":"An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive 
information.","url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"},"1097682":{"findings":[{"version":"2.5.0","paths":["rx-polling-hmcts>jest-environment-jsdom>jsdom>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2024-06-21T21:33:53.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097682,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1097684":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<9.0.0","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-qwph-4952-7xr6","cves":["CVE-2022-23540"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":6.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L"},"updated":"2024-06-21T21:34:57.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-287","CWE-327","CWE-347"],"found_by":null,"deleted":null,"id":1097684,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23540\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-qwph-4952-7xr6","created":"2022-12-22T03:32:59.000Z","reported_by":null,"title":"jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()","npm_advisory_id":null,"overview":"# Overview\n\nIn versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification.\n\n# Am I affected?\nYou will be affected if all the following are true in the `jwt.verify()` function:\n- a token with no signature is received\n- no algorithms are specified \n- a falsy (e.g. null, false, undefined) secret or key is passed \n\n# How do I fix it?\n \nUpdate to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. 
\n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n","url":"https://github.com/advisories/GHSA-qwph-4952-7xr6"},"1097690":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<=8.5.1","module_name":"jsonwebtoken","severity":"high","github_advisory_id":"GHSA-8cf7-32gw-wr33","cves":["CVE-2022-23539"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},"updated":"2024-06-24T21:23:39.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-327"],"found_by":null,"deleted":null,"id":1097690,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23539\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-8cf7-32gw-wr33","created":"2022-12-22T03:32:22.000Z","reported_by":null,"title":"jsonwebtoken unrestricted key type could lead to legacy keys usage ","npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. 
\n\n# Am I affected?\n\nYou are affected if you are using an algorithm and a key type other than the combinations mentioned below\n\n| Key type | algorithm |\n|----------|------------------------------------------|\n| ec | ES256, ES384, ES512 |\n| rsa | RS256, RS384, RS512, PS256, PS384, PS512 |\n| rsa-pss | PS256, PS384, PS512 |\n\nAnd for Elliptic Curve algorithms:\n\n| `alg` | Curve |\n|-------|------------|\n| ES256 | prime256v1 |\n| ES384 | secp384r1 |\n| ES512 | secp521r1 |\n\n# How do I fix it?\n\nUpdate to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, If you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.\n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you already use a valid secure combination of key type and algorithm. Otherwise, use the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and `verify()` functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility. 
\n\n","url":"https://github.com/advisories/GHSA-8cf7-32gw-wr33"},"1097694":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<=8.5.1","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-hjrf-2m68-5959","cves":["CVE-2022-23541"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},"updated":"2024-06-24T21:24:07.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-287","CWE-1259"],"found_by":null,"deleted":null,"id":1097694,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23541\n- https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-hjrf-2m68-5959","created":"2022-12-22T03:33:19.000Z","reported_by":null,"title":"jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC","npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the `secretOrPublicKey` argument from the [readme link](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback)) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. 
\n\n# Am I affected?\n\nYou will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. \n\n# How do I fix it?\n \nUpdate to version 9.0.0.\n\n# Will the fix impact my users?\n\nThere is no impact for end users","url":"https://github.com/advisories/GHSA-hjrf-2m68-5959"},"1098366":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.10","module_name":"ejs","severity":"moderate","github_advisory_id":"GHSA-ghr5-ch3p-vcr6","cves":["CVE-2024-33883"],"access":"public","patched_versions":">=3.1.10","cvss":{"score":4,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-02T15:45:54.000Z","recommendation":"Upgrade to version 3.1.10 or later","cwe":["CWE-693","CWE-1321"],"found_by":null,"deleted":null,"id":1098366,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-33883\n- https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5\n- https://github.com/mde/ejs/compare/v3.1.9...v3.1.10\n- https://security.netapp.com/advisory/ntap-20240605-0003\n- https://github.com/advisories/GHSA-ghr5-ch3p-vcr6","created":"2024-04-28T18:30:31.000Z","reported_by":null,"title":"ejs lacks certain pollution protection","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.","url":"https://github.com/advisories/GHSA-ghr5-ch3p-vcr6"},"1098393":{"findings":[{"version":"7.4.6","paths":["puppeteer>ws","@hmcts/media-viewer>socket.io-client>engine.io-client>ws"]}],"metadata":null,"vulnerable_versions":">=7.0.0 <7.5.10","module_name":"ws","severity":"high","github_advisory_id":"GHSA-3h5v-q93c-6h6q","cves":["CVE-2024-37890"],"access":"public","patched_versions":">=7.5.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-08-05T05:02:34.000Z","recommendation":"Upgrade 
to version 7.5.10 or later","cwe":["CWE-476"],"found_by":null,"deleted":null,"id":1098393,"references":"- https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n- https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f\n- https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e\n- https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c\n- https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63\n- https://github.com/advisories/GHSA-3h5v-q93c-6h6q","created":"2024-06-17T19:09:10.000Z","reported_by":null,"title":"ws affected by a DoS when handling a request with many HTTP headers","npm_advisory_id":null,"overview":"### Impact\n\nA request with a number of headers exceeding the[`server.maxHeadersCount`][] threshold could be used to crash a ws server.\n\n### Proof of concept\n\n```js\nconst http = require('http');\nconst WebSocket = require('ws');\n\nconst wss = new WebSocket.Server({ port: 0 }, function () {\n const chars = \"!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~\".split('');\n const headers = {};\n let count = 0;\n\n for (let i = 0; i < chars.length; i++) {\n if (count === 2000) break;\n\n for (let j = 0; j < chars.length; j++) {\n const key = chars[i] + chars[j];\n headers[key] = 'x';\n\n if (++count === 2000) break;\n }\n }\n\n headers.Connection = 'Upgrade';\n headers.Upgrade = 'websocket';\n headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';\n headers['Sec-WebSocket-Version'] = '13';\n\n const request = http.request({\n headers: headers,\n host: '127.0.0.1',\n port: wss.address().port\n });\n\n request.end();\n});\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 
(https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated in the following ways:\n\n1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options so that no more headers than the `server.maxHeadersCount` limit can be sent.\n2. Set `server.maxHeadersCount` to `0` so that no limit is applied.\n\n### Credits\n\nThe vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in https://github.com/websockets/ws/issues/2230.\n\n### References\n\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n\n[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize\n[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener\n[`server.maxHeadersCount`]: 
https://nodejs.org/api/http.html#servermaxheaderscount\n","url":"https://github.com/advisories/GHSA-3h5v-q93c-6h6q"},"1098681":{"findings":[{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch","rx-polling-hmcts>jest-environment-jsdom>@jest/fake-timers>jest-message-util>micromatch","rx-polling-hmcts>jest-environment-jsdom>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:
N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"},"1099500":{"findings":[{"version":"0.1.7","paths":["express>path-to-regexp","@hmcts/rpx-xui-node-lib>express>path-to-regexp"]}],"metadata":null,"vulnerable_versions":"<0.1.10","module_name":"path-to-regexp","severity":"high","github_advisory_id":"GHSA-9wv6-86v2-598j","cves":["CVE-2024-45296"],"access":"public","patched_versions":">=0.1.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-09-09T21:45:59.000Z","recommendation":"Upgrade to version 0.1.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1099500,"references":"- https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j\n- https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f\n- https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45296\n- https://github.com/advisories/GHSA-9wv6-86v2-598j","created":"2024-09-09T20:19:15.000Z","reported_by":null,"title":"path-to-regexp outputs backtracking regular expressions","npm_advisory_id":null,"overview":"### Impact\n\nIn certain cases, `path-to-regexp` will output a regular expression that can be exploited to cause poor performance.\n\n### Patches\n\nFor users of 0.1, upgrade to `0.1.10`. All other users should upgrade to `8.0.0`. 
\n\nVersion 0.1.10 adds backtracking protection when a custom regular expression is not provided, so it's still possible to manually create a ReDoS vulnerability if you are providing custom regular expressions.\n\nVersion 8.0.0 removes all features that can cause a ReDoS and stops exposing the regular expression directly.\n\n### Workarounds\n\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change `/:a-:b` to `/:a-:b([^-/]+)`.\n\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.\n\n### Details\n\nBecause JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.\n\nThe bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b` will produce the regular expression `/^\\/([^\\/]+?)-([^\\/]+?)\\/?$/`. This can be exploited by a path such as `/a${'-a'.repeat(8_000)}/a`. 
[OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) has a good example of why this occurs, but the TL;DR is the `/a` at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the `:a-:b` on the repeated 8,000 `-a`.\n\n### References\n\n* [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n* [Detailed blog post](https://blakeembrey.com/posts/2024-09-web-redos/)","url":"https://github.com/advisories/GHSA-9wv6-86v2-598j"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":29,"high":12,"critical":1},"dependencies":1064,"devDependencies":4,"optionalDependencies":0,"totalDependencies":1068}} From f0bd334b2b64209dfd67793f9a4357ac6cf92bec Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 10 Sep 2024 10:55:06 +0100 Subject: [PATCH 19/37] update conf --- test/e2e/config/crossbrowser.conf.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/e2e/config/crossbrowser.conf.js b/test/e2e/config/crossbrowser.conf.js index b181a7e5e..f81d2a725 100644 --- a/test/e2e/config/crossbrowser.conf.js +++ b/test/e2e/config/crossbrowser.conf.js @@ -115,9 +115,9 @@ const config = { cucumberOpts: { strict: true, - format: ['@cucumber/pretty-formatter', 'json:cb_reports/saucelab_results.json'], + format: ['json:cb_reports/saucelab_results.json'], require: ['../support/world.js', '../support/*.js', '../features/step_definitions/**/*.steps.js'], - tags: ['@crossbrowser', 'not @Flaky'] + tags: ['@crossbrowser'] }, plugins: [ From 1dba9ec9dca60718ac44914a2fbecd75b6248cf0 Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 10 Sep 2024 11:07:20 +0100 Subject: [PATCH 20/37] update css selector --- test/e2e/features/pageObjects/loginLogoutObjects.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
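Review bot: Removing `'not @Flaky'` from `tags` in this `cucumberOpts` hunk widens the cross-browser selection to scenarios tagged `@Flaky`, which is a separate change from dropping the pretty formatter and is not mentioned in the "update conf" subject. A later patch in this same series shows `viewOrganisation.feature` carrying `@Flaky` on a scenario in a feature that was `@crossbrowser` at the time, so the nightly cross-browser run would start picking it up. If the intent was only to quieten output, keep `tags: ['@crossbrowser', 'not @Flaky']` and change `format` alone. The enclosing `config` object starts and ends outside the hunk.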
diff --git a/test/e2e/features/pageObjects/loginLogoutObjects.js b/test/e2e/features/pageObjects/loginLogoutObjects.js index 16c004a75..2fbd356c2 100644 --- a/test/e2e/features/pageObjects/loginLogoutObjects.js +++ b/test/e2e/features/pageObjects/loginLogoutObjects.js @@ -3,7 +3,7 @@ const { SHORT_DELAY, MID_DELAY, LONG_DELAY } = require('../../support/constants'); function loginLogoutObjects() { - this.emailAddress = element(by.css('input#username')); + this.emailAddress = element(by.css('[id=\'username\']')); this.password = element(by.css('[id=\'password\']')); this.signinTitle= element(by.xpath('//h1[@class=\'heading-large\']')); //this.signinTitle = element(by.css("h1")); From 12392078f0d7eae89a90655d242fb30c7b276b4b Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 10 Sep 2024 11:23:23 +0100 Subject: [PATCH 21/37] update reqs --- test/e2e/config/crossbrowser.conf.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/config/crossbrowser.conf.js b/test/e2e/config/crossbrowser.conf.js index f81d2a725..fa34d3103 100644 --- a/test/e2e/config/crossbrowser.conf.js +++ b/test/e2e/config/crossbrowser.conf.js @@ -116,7 +116,7 @@ const config = { cucumberOpts: { strict: true, format: ['json:cb_reports/saucelab_results.json'], - require: ['../support/world.js', '../support/*.js', '../features/step_definitions/**/*.steps.js'], + require: ['../support/timeout.js', '../features/step_definitions/**/*.steps.js'], tags: ['@crossbrowser'] }, From 0767ab72786739a2304dff0bab0d483ed9de8c87 Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 10 Sep 2024 11:47:59 +0100 Subject: [PATCH 22/37] add log --- test/e2e/features/step_definitions/loginLogout.steps.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/test/e2e/features/step_definitions/loginLogout.steps.js b/test/e2e/features/step_definitions/loginLogout.steps.js index 98bd568b5..0a0d2d16d 100644 --- a/test/e2e/features/step_definitions/loginLogout.steps.js 
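Review bot: The new `require` list in the `crossbrowser.conf.js` hunk drops `'../support/world.js'` and `'../support/*.js'`, keeping only `timeout.js`, so any custom World or hooks those files register are no longer loaded for the cross-browser run. The step definitions touched later in this series call `world.attach(...)` inside `loginWithCredentials`, which presumably depends on the World set up in `world.js`; if `timeout.js` does not load it, the retry path will throw instead of attaching a screenshot. Confirm which support files the steps rely on, or keep `'../support/world.js'` alongside `'../support/timeout.js'`. The enclosing `cucumberOpts` object extends beyond the hunk.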
+++ b/test/e2e/features/step_definitions/loginLogout.steps.js @@ -234,6 +234,10 @@ Then('I see login to MC with invited user is {string}', { timeout: 120 * 1000 }, }); async function loginWithCredentials(username, password, world){ + console.log('loginWithCredentials'); + console.log(username); + console.log(password); + console.log('loginWithCredentials'); await browserWaits.retryForPageLoad(loginPage.emailAddress, async function (message) { world.attach('Retrying Login page load : ' + message); const stream = await browser.takeScreenshot(); From 1c1f7a6574c78ed314ab6ca7a81a0788bdc4afc3 Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 10 Sep 2024 11:57:15 +0100 Subject: [PATCH 23/37] match features across test files --- test/e2e/features/app/loginLogout.feature | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/features/app/loginLogout.feature b/test/e2e/features/app/loginLogout.feature index d482b5d35..9e07e136e 100644 --- a/test/e2e/features/app/loginLogout.feature +++ b/test/e2e/features/app/loginLogout.feature @@ -27,7 +27,7 @@ Feature: Login Scenario: login and log out from manage organisation as ManageOrg user - Given I am logged into manage organisation with ManageOrg user details + Given I am logged into Townley Services Org Then I should be redirected to manage organisation dashboard page When I select the sign out link Then I should be redirected to the Idam login page From 5cacafe72cdd958c991013f73155835b82458ef5 Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 10 Sep 2024 12:16:05 +0100 Subject: [PATCH 24/37] update feature file --- test/e2e/features/app/viewOrganisation.feature | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/features/app/viewOrganisation.feature b/test/e2e/features/app/viewOrganisation.feature index 2009a3dcb..78e395a20 100644 --- a/test/e2e/features/app/viewOrganisation.feature +++ b/test/e2e/features/app/viewOrganisation.feature 
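Review bot: `console.log(password)` in this hunk writes the plaintext login password to stdout, which for the nightly job means the Jenkins console log and anything archived from it; a later `Jenkinsfile_nightly` hunk in this series sources these values from vault (`secret('test-townley-password', 'TEST_TOWNLEY_PASSWORD')`), so printing them undoes that protection. `console.log(username)` exposes the account email as well. If a trace is wanted, log only a non-secret marker such as `console.log('loginWithCredentials: attempting login');` and drop the two value logs before this reaches a shared branch. `loginWithCredentials` continues beyond the end of the hunk.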
@@ -3,6 +3,6 @@ Feature: view organisation workflow @Flaky Scenario: view organisation workflow When I navigate to manage organisation Url - Given I am logged into manage organisation with ManageOrg user details + Given I am logged into Townley Services Org Then I should be redirected to manage organisation dashboard page Then I should be on display the name and address details of organisation From c097684b563d15c32cfc5b9193138f466a8fdb02 Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 10 Sep 2024 12:21:38 +0100 Subject: [PATCH 25/37] change test --- test/e2e/features/app/loginLogout.feature | 2 +- test/e2e/features/app/viewOrganisation.feature | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/test/e2e/features/app/loginLogout.feature b/test/e2e/features/app/loginLogout.feature index 9e07e136e..a20ba4be1 100644 --- a/test/e2e/features/app/loginLogout.feature +++ b/test/e2e/features/app/loginLogout.feature @@ -25,7 +25,7 @@ Feature: Login Then I should be redirected to the Idam login page Then I should see failure error summary - + @crossbrowser Scenario: login and log out from manage organisation as ManageOrg user Given I am logged into Townley Services Org Then I should be redirected to manage organisation dashboard page diff --git a/test/e2e/features/app/viewOrganisation.feature b/test/e2e/features/app/viewOrganisation.feature index 78e395a20..33eed18b1 100644 --- a/test/e2e/features/app/viewOrganisation.feature +++ b/test/e2e/features/app/viewOrganisation.feature @@ -1,4 +1,3 @@ -@crossbrowser Feature: view organisation workflow @Flaky Scenario: view organisation workflow From 808f8cc970f273febe027476599394b17b7e4185 Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 10 Sep 2024 13:17:13 +0100 Subject: [PATCH 26/37] add config user creds --- test/e2e/config/common.conf.js | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/test/e2e/config/common.conf.js b/test/e2e/config/common.conf.js index 97ee9655f..439217b13 100644 
--- a/test/e2e/config/common.conf.js +++ b/test/e2e/config/common.conf.js @@ -27,7 +27,13 @@ const localConfig = [ const config = { config: { - baseUrl: process.env.TEST_URL || 'http://localhost:3000/' + baseUrl: process.env.TEST_URL || 'http://localhost:3000/', + username: process.env.TEST_USER1_EMAIL, + password: process.env.TEST_USER1_PASSWORD, + username_rw: process.env.TEST_USER2_EMAIL, + password_rw: process.env.TEST_USER2_PASSWORD, + townleyUser: process.env.TEST_TOWNLEY_EMAIL, + townleyPassword: process.env.TEST_TOWNLEY_PASSWORD }, twoFactorAuthEnabled: false, termsAndConditionsEnabled: true From 262a0045aecdb9c4327663ea805684f22b3a5783 Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 10 Sep 2024 13:31:57 +0100 Subject: [PATCH 27/37] update conf --- test/e2e/config/crossbrowser.conf.js | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/test/e2e/config/crossbrowser.conf.js b/test/e2e/config/crossbrowser.conf.js index fa34d3103..6e5ac67ba 100644 --- a/test/e2e/config/crossbrowser.conf.js +++ b/test/e2e/config/crossbrowser.conf.js @@ -17,12 +17,16 @@ const config = { specs: ['../features/**/*.feature'], baseUrl: (process.env.TEST_URL || 'http://localhost:3000/').replace('https', 'http'), - + params: { serverUrls: process.env.TEST_URL || 'http://localhost:3000/', - targetEnv: argv.env || 'local' - //username: process.env.TEST_EMAIL, - //password: process.env.TEST_PASSWORD, + targetEnv: argv.env || 'local', + username: process.env.TEST_USER1_EMAIL, + password: process.env.TEST_USER1_PASSWORD, + username_rw: process.env.TEST_USER2_EMAIL, + password_rw: process.env.TEST_USER2_PASSWORD, + townleyUser: process.env.TEST_TOWNLEY_EMAIL, + townleyPassword: process.env.TEST_TOWNLEY_PASSWORD, }, // sauceProxy: 'http://proxyout.reform.hmcts.net:8080', // Proxy for the REST API From dff65d36ab3f236fde2b8cea90126d72c4c1d8ae Mon Sep 17 00:00:00 2001 
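Review bot: The same six credential keys (`username`, `password`, `username_rw`, `password_rw`, `townleyUser`, `townleyPassword`) are declared twice with no shared definition: under `config.config` in the `common.conf.js` hunk here and again under `params` in the `crossbrowser.conf.js` hunk of PATCH 27 on this same line, so the two copies will drift. The naming mixes `snake_case` (`username_rw`) with `camelCase` (`townleyUser`) in one object; settle on one form before more files read these keys. Both hunks read `process.env` with no fallback, so an unset variable silently becomes `undefined` and only fails later inside `sendKeys`; a small helper that throws naming the missing variable would fail fast with a clear message. PATCH 27 also leaves a trailing comma on `townleyPassword` that PATCH 28 immediately removes. Both enclosing objects extend beyond their hunks.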
From: Josh Date: Tue, 10 Sep 2024 13:37:40 +0100 Subject: [PATCH 28/37] use env in test --- test/e2e/config/crossbrowser.conf.js | 2 +- test/e2e/features/step_definitions/loginLogout.steps.js | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/test/e2e/config/crossbrowser.conf.js b/test/e2e/config/crossbrowser.conf.js index 6e5ac67ba..034e900fa 100644 --- a/test/e2e/config/crossbrowser.conf.js +++ b/test/e2e/config/crossbrowser.conf.js @@ -26,7 +26,7 @@ const config = { username_rw: process.env.TEST_USER2_EMAIL, password_rw: process.env.TEST_USER2_PASSWORD, townleyUser: process.env.TEST_TOWNLEY_EMAIL, - townleyPassword: process.env.TEST_TOWNLEY_PASSWORD, + townleyPassword: process.env.TEST_TOWNLEY_PASSWORD }, // sauceProxy: 'http://proxyout.reform.hmcts.net:8080', // Proxy for the REST API diff --git a/test/e2e/features/step_definitions/loginLogout.steps.js b/test/e2e/features/step_definitions/loginLogout.steps.js index 0a0d2d16d..c2a3e9f74 100644 --- a/test/e2e/features/step_definitions/loginLogout.steps.js +++ b/test/e2e/features/step_definitions/loginLogout.steps.js @@ -140,8 +140,8 @@ Given(/^I am logged into manage organisation to invite users$/, async function ( }); Given(/^I am logged into Townley Services Org$/, async function () { - await loginPage.emailAddress.sendKeys(config.config.townleyUser); //replace username and password - await loginPage.password.sendKeys(config.config.townleyPassword); + await loginPage.emailAddress.sendKeys(process.env.TEST_TOWNLEY_EMAIL); //replace username and password + await loginPage.password.sendKeys(process.env.TEST_TOWNLEY_PASSWORD); // browser.sleep(SHORT_DELAY); await loginPage.signinBtn.click(); browser.sleep(SHORT_DELAY); From 81090ae2814305f8e7288095ae721e7b282c8529 Mon Sep 17 00:00:00 2001 
From: Josh Date: Tue, 10 Sep 2024 13:43:07 +0100 Subject: [PATCH 29/37] update secret vals in nightly jenkins file --- Jenkinsfile_nightly | 10 +++++++--- .../e2e/features/step_definitions/loginLogout.steps.js | 5 +++-- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/Jenkinsfile_nightly b/Jenkinsfile_nightly index 5262fe28b..626f60354 100644 --- a/Jenkinsfile_nightly +++ b/Jenkinsfile_nightly @@ -20,10 +20,14 @@ def channel = '#xui-pipeline' def secrets = [ 'rpx-${env}': [ - secret('test-email', 'TEST_EMAIL'), - secret('test-password', 'TEST_PASSWORD'), + secret('test-user1-email', 'TEST_USER1_EMAIL'), + secret('test-user1-password', 'TEST_USER1_PASSWORD'), + secret('test-user2-email', 'TEST_USER2_EMAIL'), + secret('test-user2-password', 'TEST_USER2_PASSWORD'), + secret('test-townley-email', 'TEST_TOWNLEY_EMAIL'), + secret('test-townley-password', 'TEST_TOWNLEY_PASSWORD'), secret('test-api-email', 'TEST_API_EMAIL'), - secret('test-api-password', 'TEST_API_PASSWORD'), + secret('test-api-password', 'TEST_API_PASSWORD') ], ] diff --git a/test/e2e/features/step_definitions/loginLogout.steps.js b/test/e2e/features/step_definitions/loginLogout.steps.js index c2a3e9f74..eca8ecdbe 100644 --- a/test/e2e/features/step_definitions/loginLogout.steps.js +++ b/test/e2e/features/step_definitions/loginLogout.steps.js @@ -140,8 +140,9 @@ Given(/^I am logged into manage organisation to invite users$/, async function ( }); Given(/^I am logged into Townley Services Org$/, async function () { - await loginPage.emailAddress.sendKeys(process.env.TEST_TOWNLEY_EMAIL); //replace username and password - await loginPage.password.sendKeys(process.env.TEST_TOWNLEY_PASSWORD); + console.log(config.config.townleyUser) + await loginPage.emailAddress.sendKeys(config.config.townleyUser); //replace username and password + await loginPage.password.sendKeys(config.config.townleyPassword); // browser.sleep(SHORT_DELAY); await loginPage.signinBtn.click(); browser.sleep(SHORT_DELAY); 
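Review bot: `console.log(config.config.townleyUser)` added in the `loginLogout.steps.js` hunk prints the Townley test account email to the job console on every login (and is the only line in the block without a terminating semicolon); together with the `console.log(password)` left in `loginWithCredentials` by PATCH 22, the nightly log can contain a complete credential pair for an account whose password this same patch moves into vault via `secret('test-townley-password', 'TEST_TOWNLEY_PASSWORD')`. Drop the log line or replace it with a marker that carries no account data. This hunk also reverts PATCH 28's switch to `process.env.TEST_TOWNLEY_EMAIL` back to `config.config.townleyUser`; choosing one source for credentials avoids the round trip. The `//replace username and password` comment is stale now that the values come from config and should be removed.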
From 423e4b69522d9385e00bf2d4eb166f262fbbb849 Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 10 Sep 2024 14:02:50 +0100 Subject: [PATCH 30/37] add formatter --- test/e2e/config/crossbrowser.conf.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/config/crossbrowser.conf.js b/test/e2e/config/crossbrowser.conf.js index 034e900fa..c22167c85 100644 --- a/test/e2e/config/crossbrowser.conf.js +++ b/test/e2e/config/crossbrowser.conf.js @@ -119,7 +119,7 @@ const config = { cucumberOpts: { strict: true, - format: ['json:cb_reports/saucelab_results.json'], + format: ['@cucumber/pretty-formatter', 'json:cb_reports/saucelab_results.json'], require: ['../support/timeout.js', '../features/step_definitions/**/*.steps.js'], tags: ['@crossbrowser'] }, From 435d647344d12f761651e0feac6a974414c5c4eb Mon Sep 17 00:00:00 2001 From: Josh Date: Wed, 11 Sep 2024 11:18:01 +0100 Subject: [PATCH 31/37] Add archive to step --- Jenkinsfile_nightly | 1 + 1 file changed, 1 insertion(+) diff --git a/Jenkinsfile_nightly b/Jenkinsfile_nightly index 626f60354..fd3e8501e 100644 --- a/Jenkinsfile_nightly +++ b/Jenkinsfile_nightly @@ -128,5 +128,6 @@ withNightlyPipeline(type, product, component) { reportFiles : 'index.html', reportName : 'XUI Manage Organisation Cross Browser Tests' ]) + steps.archiveArtifacts allowEmptyArchive: true, artifacts: 'build/reports/tests/crossbrowser/**/*' } } From a2ebd0c90c5cb524473a44689fabb8c57342a8d2 Mon Sep 17 00:00:00 2001 From: Josh Date: Thu, 12 Sep 2024 12:32:00 +0100 Subject: [PATCH 32/37] add functional test step --- Jenkinsfile_nightly | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile_nightly b/Jenkinsfile_nightly index fd3e8501e..e42fe2f91 100644 --- a/Jenkinsfile_nightly +++ b/Jenkinsfile_nightly 
@@ -44,7 +44,7 @@ withNightlyPipeline(type, product, component) { enableSlackNotifications(channel) loadVaultSecrets(secrets) // enableFortifyScan('rpx-aat') - // enableFullFunctionalTest(60) + enableFullFunctionalTest(120) // enableSecurityScan() enableMutationTest() enableCrossBrowserTest() From 00096aeb98bc8c176b754d8da124d2965c3545ae Mon Sep 17 00:00:00 2001 From: Josh Date: Thu, 12 Sep 2024 12:45:28 +0100 Subject: [PATCH 33/37] add missing secrets for functional tests --- Jenkinsfile_nightly | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Jenkinsfile_nightly b/Jenkinsfile_nightly index e42fe2f91..a28c1bb04 100644 --- a/Jenkinsfile_nightly +++ b/Jenkinsfile_nightly @@ -20,6 +20,13 @@ def channel = '#xui-pipeline' def secrets = [ 'rpx-${env}': [ + secret('mo-s2s-client-secret', 'S2S_SECRET'), + secret('xui-oauth2-token', 'IDAM_SECRET'), + secret('appinsights-instrumentationkey-mo', 'APPINSIGHTS_INSTRUMENTATIONKEY'), + secret('google-analytics-key', 'GOOGLE_ANALYTICS_KEY'), + secret('launch-darkly-client-id', 'LAUNCH_DARKLY_CLIENT_ID'), + secret('system-user-name', 'SYSTEM_USER_NAME'), + secret('system-user-password', 'SYSTEM_USER_PASSWORD') secret('test-user1-email', 'TEST_USER1_EMAIL'), secret('test-user1-password', 'TEST_USER1_PASSWORD'), secret('test-user2-email', 'TEST_USER2_EMAIL'), From cdd82fdae5824a682db46488ab726db953d1e538 Mon Sep 17 00:00:00 2001 From: Josh Date: Mon, 16 Sep 2024 09:16:06 +0100 Subject: [PATCH 34/37] add comma --- Jenkinsfile_nightly | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile_nightly b/Jenkinsfile_nightly index a28c1bb04..a70dc900a 100644 --- a/Jenkinsfile_nightly +++ b/Jenkinsfile_nightly 
@@ -26,7 +26,7 @@ def secrets = [ secret('google-analytics-key', 'GOOGLE_ANALYTICS_KEY'), secret('launch-darkly-client-id', 'LAUNCH_DARKLY_CLIENT_ID'), secret('system-user-name', 'SYSTEM_USER_NAME'), - secret('system-user-password', 'SYSTEM_USER_PASSWORD') + secret('system-user-password', 'SYSTEM_USER_PASSWORD'), secret('test-user1-email', 'TEST_USER1_EMAIL'), secret('test-user1-password', 'TEST_USER1_PASSWORD'), secret('test-user2-email', 'TEST_USER2_EMAIL'), From 212e77fdb4ec6a09b4040522da56d336ebd1bacf Mon Sep 17 00:00:00 2001 From: Josh Date: Mon, 16 Sep 2024 13:30:47 +0100 Subject: [PATCH 35/37] update audit --- Jenkinsfile_nightly | 9 +-------- yarn-audit-known-issues | 2 +- 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/Jenkinsfile_nightly b/Jenkinsfile_nightly index a70dc900a..7a9f65dba 100644 --- a/Jenkinsfile_nightly +++ b/Jenkinsfile_nightly @@ -20,13 +20,6 @@ def channel = '#xui-pipeline' def secrets = [ 'rpx-${env}': [ - secret('mo-s2s-client-secret', 'S2S_SECRET'), - secret('xui-oauth2-token', 'IDAM_SECRET'), - secret('appinsights-instrumentationkey-mo', 'APPINSIGHTS_INSTRUMENTATIONKEY'), - secret('google-analytics-key', 'GOOGLE_ANALYTICS_KEY'), - secret('launch-darkly-client-id', 'LAUNCH_DARKLY_CLIENT_ID'), - secret('system-user-name', 'SYSTEM_USER_NAME'), - secret('system-user-password', 'SYSTEM_USER_PASSWORD'), secret('test-user1-email', 'TEST_USER1_EMAIL'), secret('test-user1-password', 'TEST_USER1_PASSWORD'), secret('test-user2-email', 'TEST_USER2_EMAIL'), @@ -54,7 +47,7 @@ withNightlyPipeline(type, product, component) { enableFullFunctionalTest(120) // enableSecurityScan() enableMutationTest() - enableCrossBrowserTest() + //enableCrossBrowserTest() env.TEST_URL = 'https://manage-org.aat.platform.hmcts.net/' afterSuccess('checkout') {sh 'yarn cache clean'} diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues index 221637847..91ff314dd 100644 --- a/yarn-audit-known-issues +++ b/yarn-audit-known-issues 
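Review bot: The first `Jenkinsfile_nightly` hunk of PATCH 35 removes the seven secrets (`S2S_SECRET`, `IDAM_SECRET`, `APPINSIGHTS_INSTRUMENTATIONKEY`, `GOOGLE_ANALYTICS_KEY`, `LAUNCH_DARKLY_CLIENT_ID`, `SYSTEM_USER_NAME`, `SYSTEM_USER_PASSWORD`) that PATCH 33 added as "missing secrets for functional tests", while the second hunk keeps `enableFullFunctionalTest(120)` enabled, so the functional stage now runs without the values it was said to need. Neither change relates to the "update audit" subject; if the removal is deliberate, say so in the message and split it from the yarn-audit update, otherwise restore the block. `//enableCrossBrowserTest()` is commented out with no reason given; a short comment such as `// cross-browser stage disabled pending <reason>; re-enable when <condition>` would tell the next reader whether it is expected back. The `secrets` map and the `withNightlyPipeline` closure both extend beyond the hunks.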
@@ -1 +1 @@ -{"actions":[],"advisories":{"1085685":{"findings":[{"version":"1.1.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>os-locale>mem"]}],"metadata":null,"vulnerable_versions":"<4.0.0","module_name":"mem","severity":"moderate","github_advisory_id":"GHSA-4xcv-9jjx-gfj3","cves":[],"access":"public","patched_versions":">=4.0.0","cvss":{"score":5.1,"vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},"updated":"2023-01-09T05:01:45.000Z","recommendation":"Upgrade to version 4.0.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085685,"references":"- https://github.com/sindresorhus/mem/commit/da4e4398cb27b602de3bd55f746efa9b4a31702b\n- https://bugzilla.redhat.com/show_bug.cgi?id=1623744\n- https://www.npmjs.com/advisories/1084\n- https://snyk.io/vuln/npm:mem:20180117\n- https://github.com/advisories/GHSA-4xcv-9jjx-gfj3","created":"2019-07-05T21:07:58.000Z","reported_by":null,"title":"Denial of Service in mem","npm_advisory_id":null,"overview":"Versions of `mem` prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its `maxAge` property. 
This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.\n\n\n## Recommendation\n\nUpgrade to version 4.0.0 or later.","url":"https://github.com/advisories/GHSA-4xcv-9jjx-gfj3"},"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"moderate","github_advisory_id":"GHSA-64g7-mvw6-v9qj","cves":[],"access":"public","patched_versions":">=0.8.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-11T05:03:39.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1088208,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. 
You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088811":{"findings":[{"version":"8.1.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>yargs-parser"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <13.1.2","module_name":"yargs-parser","severity":"moderate","github_advisory_id":"GHSA-p9pc-299p-vxgp","cves":["CVE-2020-7608"],"access":"public","patched_versions":">=13.1.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-01-27T05:00:51.000Z","recommendation":"Upgrade to version 13.1.2 or later","cwe":["CWE-915","CWE-1321"],"found_by":null,"deleted":null,"id":1088811,"references":"- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381\n- https://www.npmjs.com/advisories/1500\n- https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2\n- https://nvd.nist.gov/vuln/detail/CVE-2020-7608\n- https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36\n- https://github.com/advisories/GHSA-p9pc-299p-vxgp","created":"2020-09-04T18:00:54.000Z","reported_by":null,"title":"yargs-parser Vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"Affected versions of `yargs-parser` are vulnerable to prototype pollution. 
Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.\n\n\n\n## Recommendation\n\nUpgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.","url":"https://github.com/advisories/GHSA-p9pc-299p-vxgp"},"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX 
socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"access":"public","patched_versions":">=3.1.7","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-30T05:02:57.000Z","recommendation":"Upgrade to version 3.1.7 or later","cwe":["CWE-74"],"found_by":null,"deleted":null,"id":1089270,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","reported_by":null,"title":"ejs template injection vulnerability","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. 
This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-g973-978j-2c3p","cves":["CVE-2021-32014"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:54.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-345","CWE-400"],"found_by":null,"deleted":null,"id":1089698,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.","url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-3x9f-74h4-2fqr","cves":["CVE-2021-32012"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:10.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089699,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- 
https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-8vcr-vxm8-293m","cves":["CVE-2021-32013"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:00.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089700,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","reported_by":null,"title":"Denial of Service in SheetsJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 
2).","url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-09-11T16:22:18.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1093639,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. 
When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094599":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.19.3","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","cves":["CVE-2023-30533"],"access":"public","patched_versions":">=0.19.3","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-11-06T05:04:13.000Z","recommendation":"Upgrade to version 0.19.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1094599,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2986\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","reported_by":null,"title":"Prototype Pollution in sheetJS","npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. 
Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1095051":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","cves":["CVE-2022-21680"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-11-29T20:51:52.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1095051,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade 
to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"},"1095052":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","cves":["CVE-2022-21681"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-11-29T20:51:17.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1095052,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular 
expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1095126":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"high","github_advisory_id":"GHSA-4rq4-32rv-6wp6","cves":["CVE-2022-0144"],"access":"public","patched_versions":">=0.8.5","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"updated":"2023-11-29T22:21:11.000Z","recommendation":"Upgrade to version 0.8.5 or 
later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1095126,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege Management","url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1095531":{"findings":[{"version":"6.2.1","paths":["log4js"]}],"metadata":null,"vulnerable_versions":"<6.4.0","module_name":"log4js","severity":"moderate","github_advisory_id":"GHSA-82v2-mx6x-wq7q","cves":["CVE-2022-21704"],"access":"public","patched_versions":">=6.4.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},"updated":"2024-01-24T08:54:14.000Z","recommendation":"Upgrade to version 6.4.0 or later","cwe":["CWE-276"],"found_by":null,"deleted":null,"id":1095531,"references":"- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q\n- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76\n- https://github.com/log4js-node/streamroller/pull/87\n- https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21704\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00014.html\n- https://github.com/advisories/GHSA-82v2-mx6x-wq7q","created":"2022-01-21T18:53:27.000Z","reported_by":null,"title":"Incorrect Default Permissions in log4js","npm_advisory_id":null,"overview":"### Impact\r\nDefault file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. 
This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.\r\n\r\n### Patches\r\nFixed by:\r\n* https://github.com/log4js-node/log4js-node/pull/1141\r\n* https://github.com/log4js-node/streamroller/pull/87\r\n\r\nReleased to NPM in log4js@6.4.0\r\n\r\n### Workarounds\r\nEvery version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.\r\n\r\n### References\r\n\r\nThanks to [ranjit-git](https://www.huntr.dev/users/ranjit-git) for raising the issue, and to @lamweili for fixing the problem.\r\n\r\n### For more information\r\nIf you have any questions or comments about this advisory:\r\n* Open an issue in [logj4s-node](https://github.com/log4js-node/log4js-node)\r\n* Ask a question in the [slack channel](https://join.slack.com/t/log4js-node/shared_invite/enQtODkzMDQ3MzExMDczLWUzZmY0MmI0YWI1ZjFhODY0YjI0YmU1N2U5ZTRkOTYyYzg3MjY5NWI4M2FjZThjYjdiOGM0NjU2NzBmYTJjOGI)\r\n* Email us at [gareth.nomiddlename@gmail.com](mailto:gareth.nomiddlename@gmail.com)\r\n","url":"https://github.com/advisories/GHSA-82v2-mx6x-wq7q"},"1096832":{"findings":[{"version":"1.28.2","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":"<2.0.7","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-hhhv-q57g-882q","cves":["CVE-2024-28176"],"access":"public","patched_versions":">=2.0.7","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-03-30T06:30:42.000Z","recommendation":"Upgrade to version 2.0.7 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1096832,"references":"- https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q\n- https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314\n- https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b\n- 
https://nvd.nist.gov/vuln/detail/CVE-2024-28176\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG\n- https://github.com/advisories/GHSA-hhhv-q57g-882q","created":"2024-03-07T17:40:57.000Z","reported_by":null,"title":"jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext","npm_advisory_id":null,"overview":"A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the [support for decompressing plaintext after its decryption](https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.3). This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective.\n\nNote that as per [RFC 8725](https://www.rfc-editor.org/rfc/rfc8725.html#name-avoid-compression-of-encryp) compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. 
For this reason the v5.x major version of `jose` removed support for compressed payloads entirely and is therefore NOT affected by this advisory.\n\n### Impact\n\nUnder certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations.\n\n### Affected users\n\nThe impact is limited only to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.\n\nYou are NOT affected if any of the following applies to you\n\n- Your code uses jose version v5.x where JWE Compression is not supported anymore\n- Your code runs in an environment other than Node.js (e.g. Deno, CF Workers), which is the only runtime where JWE Compression is implemented out of the box\n- Your code does not use the JWE decryption APIs\n- Your code only accepts JWEs produced by trusted sources\n\n### Patches\n\n`v2.0.7` and `v4.15.5` releases limit the decompression routine to only allow decompressing up to 250 kB of plaintext. In v4.x it is possible to further adjust this limit via the `inflateRaw` decryption option implementation. 
In v2.x it is possible to further adjust this limit via the `inflateRawSyncLimit` decryption option.\n\n### Workarounds\n\nIf you cannot upgrade and do not want to support compressed JWEs you may detect and reject these tokens early by checking the token's protected header\n\n```js\nconst { zip } = jose.decodeProtectedHeader(token)\nif (zip !== undefined) {\n throw new Error('JWE Compression is not supported')\n}\n```\n\nIf you wish to continue supporting JWEs with compressed payloads in these legacy release lines you must upgrade (v1.x and v2.x to version v2.0.7, v3.x and v4.x to version v4.15.5) and review the limits put forth by the patched releases.\n\n### For more information\nIf you have any questions or comments about this advisory please open a discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-hhhv-q57g-882q%20advisory%20question)","url":"https://github.com/advisories/GHSA-hhhv-q57g-882q"},"1096911":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.20.2","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-5pgg-2g8v-p4x9","cves":["CVE-2024-22363"],"access":"public","patched_versions":">=0.20.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-04-08T13:47:06.000Z","recommendation":"Upgrade to version 0.20.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1096911,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-22363\n- https://cdn.sheetjs.com/advisories/CVE-2024-22363\n- https://cwe.mitre.org/data/definitions/1333.html\n- https://git.sheetjs.com/sheetjs/sheetjs/src/tag/v0.20.2\n- https://github.com/advisories/GHSA-5pgg-2g8v-p4x9","created":"2024-04-05T06:30:46.000Z","reported_by":null,"title":"SheetJS Regular Expression Denial of Service (ReDoS)","npm_advisory_id":null,"overview":"SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of 
Service (ReDoS).","url":"https://github.com/advisories/GHSA-5pgg-2g8v-p4x9"},"1097504":{"findings":[{"version":"2.5.207","paths":["pdfjs-dist","@hmcts/media-viewer>pdfjs-dist"]}],"metadata":null,"vulnerable_versions":"<=4.1.392","module_name":"pdfjs-dist","severity":"high","github_advisory_id":"GHSA-wgrm-67xf-hhpq","cves":["CVE-2024-4367"],"access":"public","patched_versions":">=4.2.67","cvss":{"score":0,"vectorString":null},"updated":"2024-06-10T20:18:19.000Z","recommendation":"Upgrade to version 4.2.67 or later","cwe":[],"found_by":null,"deleted":null,"id":1097504,"references":"- https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq\n- https://github.com/mozilla/pdf.js/pull/18015\n- https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6\n- https://bugzilla.mozilla.org/show_bug.cgi?id=1893645\n- https://nvd.nist.gov/vuln/detail/CVE-2024-4367\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html\n- https://www.mozilla.org/security/advisories/mfsa2024-21\n- https://www.mozilla.org/security/advisories/mfsa2024-22\n- https://www.mozilla.org/security/advisories/mfsa2024-23\n- https://github.com/advisories/GHSA-wgrm-67xf-hhpq","created":"2024-05-07T10:25:08.000Z","reported_by":null,"title":"PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF","npm_advisory_id":null,"overview":"### Impact\nIf pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.\n\n### Patches\nThe patch removes the use of `eval`:\nhttps://github.com/mozilla/pdf.js/pull/18015\n\n### Workarounds\nSet the option `isEvalSupported` to `false`. 
\n\n### References\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1893645","url":"https://github.com/advisories/GHSA-wgrm-67xf-hhpq"},"1097679":{"findings":[{"version":"0.26.1","paths":["axios","@hmcts/rpx-xui-node-lib>axios"]}],"metadata":null,"vulnerable_versions":">=0.8.1 <0.28.0","module_name":"axios","severity":"moderate","github_advisory_id":"GHSA-wf5p-g6vw-rhxx","cves":["CVE-2023-45857"],"access":"public","patched_versions":">=0.28.0","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},"updated":"2024-06-21T21:33:58.000Z","recommendation":"Upgrade to version 0.28.0 or later","cwe":["CWE-352"],"found_by":null,"deleted":null,"id":1097679,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-45857\n- https://github.com/axios/axios/issues/6006\n- https://github.com/axios/axios/issues/6022\n- https://github.com/axios/axios/pull/6028\n- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0\n- https://github.com/axios/axios/releases/tag/v1.6.0\n- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459\n- https://github.com/axios/axios/pull/6091\n- https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967\n- https://github.com/axios/axios/releases/tag/v0.28.0\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-wf5p-g6vw-rhxx","created":"2023-11-08T21:30:37.000Z","reported_by":null,"title":"Axios Cross-Site Request Forgery Vulnerability","npm_advisory_id":null,"overview":"An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive 
information.","url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"},"1097682":{"findings":[{"version":"2.5.0","paths":["rx-polling-hmcts>jest-environment-jsdom>jsdom>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2024-06-21T21:33:53.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097682,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1097684":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<9.0.0","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-qwph-4952-7xr6","cves":["CVE-2022-23540"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":6.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L"},"updated":"2024-06-21T21:34:57.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-287","CWE-327","CWE-347"],"found_by":null,"deleted":null,"id":1097684,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23540\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-qwph-4952-7xr6","created":"2022-12-22T03:32:59.000Z","reported_by":null,"title":"jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()","npm_advisory_id":null,"overview":"# Overview\n\nIn versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification.\n\n# Am I affected?\nYou will be affected if all the following are true in the `jwt.verify()` function:\n- a token with no signature is received\n- no algorithms are specified \n- a falsy (e.g. null, false, undefined) secret or key is passed \n\n# How do I fix it?\n \nUpdate to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. 
\n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n","url":"https://github.com/advisories/GHSA-qwph-4952-7xr6"},"1097690":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<=8.5.1","module_name":"jsonwebtoken","severity":"high","github_advisory_id":"GHSA-8cf7-32gw-wr33","cves":["CVE-2022-23539"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},"updated":"2024-06-24T21:23:39.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-327"],"found_by":null,"deleted":null,"id":1097690,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23539\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-8cf7-32gw-wr33","created":"2022-12-22T03:32:22.000Z","reported_by":null,"title":"jsonwebtoken unrestricted key type could lead to legacy keys usage ","npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. 
\n\n# Am I affected?\n\nYou are affected if you are using an algorithm and a key type other than the combinations mentioned below\n\n| Key type | algorithm |\n|----------|------------------------------------------|\n| ec | ES256, ES384, ES512 |\n| rsa | RS256, RS384, RS512, PS256, PS384, PS512 |\n| rsa-pss | PS256, PS384, PS512 |\n\nAnd for Elliptic Curve algorithms:\n\n| `alg` | Curve |\n|-------|------------|\n| ES256 | prime256v1 |\n| ES384 | secp384r1 |\n| ES512 | secp521r1 |\n\n# How do I fix it?\n\nUpdate to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, If you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.\n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you already use a valid secure combination of key type and algorithm. Otherwise, use the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and `verify()` functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility. 
\n\n","url":"https://github.com/advisories/GHSA-8cf7-32gw-wr33"},"1097694":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<=8.5.1","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-hjrf-2m68-5959","cves":["CVE-2022-23541"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},"updated":"2024-06-24T21:24:07.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-287","CWE-1259"],"found_by":null,"deleted":null,"id":1097694,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23541\n- https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-hjrf-2m68-5959","created":"2022-12-22T03:33:19.000Z","reported_by":null,"title":"jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC","npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the `secretOrPublicKey` argument from the [readme link](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback)) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. 
\n\n# Am I affected?\n\nYou will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. \n\n# How do I fix it?\n \nUpdate to version 9.0.0.\n\n# Will the fix impact my users?\n\nThere is no impact for end users","url":"https://github.com/advisories/GHSA-hjrf-2m68-5959"},"1098366":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.10","module_name":"ejs","severity":"moderate","github_advisory_id":"GHSA-ghr5-ch3p-vcr6","cves":["CVE-2024-33883"],"access":"public","patched_versions":">=3.1.10","cvss":{"score":4,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-02T15:45:54.000Z","recommendation":"Upgrade to version 3.1.10 or later","cwe":["CWE-693","CWE-1321"],"found_by":null,"deleted":null,"id":1098366,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-33883\n- https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5\n- https://github.com/mde/ejs/compare/v3.1.9...v3.1.10\n- https://security.netapp.com/advisory/ntap-20240605-0003\n- https://github.com/advisories/GHSA-ghr5-ch3p-vcr6","created":"2024-04-28T18:30:31.000Z","reported_by":null,"title":"ejs lacks certain pollution protection","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.","url":"https://github.com/advisories/GHSA-ghr5-ch3p-vcr6"},"1098393":{"findings":[{"version":"7.4.6","paths":["puppeteer>ws","@hmcts/media-viewer>socket.io-client>engine.io-client>ws"]}],"metadata":null,"vulnerable_versions":">=7.0.0 <7.5.10","module_name":"ws","severity":"high","github_advisory_id":"GHSA-3h5v-q93c-6h6q","cves":["CVE-2024-37890"],"access":"public","patched_versions":">=7.5.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-08-05T05:02:34.000Z","recommendation":"Upgrade 
to version 7.5.10 or later","cwe":["CWE-476"],"found_by":null,"deleted":null,"id":1098393,"references":"- https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n- https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f\n- https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e\n- https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c\n- https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63\n- https://github.com/advisories/GHSA-3h5v-q93c-6h6q","created":"2024-06-17T19:09:10.000Z","reported_by":null,"title":"ws affected by a DoS when handling a request with many HTTP headers","npm_advisory_id":null,"overview":"### Impact\n\nA request with a number of headers exceeding the[`server.maxHeadersCount`][] threshold could be used to crash a ws server.\n\n### Proof of concept\n\n```js\nconst http = require('http');\nconst WebSocket = require('ws');\n\nconst wss = new WebSocket.Server({ port: 0 }, function () {\n const chars = \"!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~\".split('');\n const headers = {};\n let count = 0;\n\n for (let i = 0; i < chars.length; i++) {\n if (count === 2000) break;\n\n for (let j = 0; j < chars.length; j++) {\n const key = chars[i] + chars[j];\n headers[key] = 'x';\n\n if (++count === 2000) break;\n }\n }\n\n headers.Connection = 'Upgrade';\n headers.Upgrade = 'websocket';\n headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';\n headers['Sec-WebSocket-Version'] = '13';\n\n const request = http.request({\n headers: headers,\n host: '127.0.0.1',\n port: wss.address().port\n });\n\n request.end();\n});\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 
(https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated in the following ways:\n\n1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options so that no more headers than the `server.maxHeadersCount` limit can be sent.\n2. Set `server.maxHeadersCount` to `0` so that no limit is applied.\n\n### Credits\n\nThe vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in https://github.com/websockets/ws/issues/2230.\n\n### References\n\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n\n[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize\n[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener\n[`server.maxHeadersCount`]: 
https://nodejs.org/api/http.html#servermaxheaderscount\n","url":"https://github.com/advisories/GHSA-3h5v-q93c-6h6q"},"1098681":{"findings":[{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch","rx-polling-hmcts>jest-environment-jsdom>@jest/fake-timers>jest-message-util>micromatch","rx-polling-hmcts>jest-environment-jsdom>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:
N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"},"1099500":{"findings":[{"version":"0.1.7","paths":["express>path-to-regexp","@hmcts/rpx-xui-node-lib>express>path-to-regexp"]}],"metadata":null,"vulnerable_versions":"<0.1.10","module_name":"path-to-regexp","severity":"high","github_advisory_id":"GHSA-9wv6-86v2-598j","cves":["CVE-2024-45296"],"access":"public","patched_versions":">=0.1.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-09-09T21:45:59.000Z","recommendation":"Upgrade to version 0.1.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1099500,"references":"- https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j\n- https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f\n- https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45296\n- https://github.com/advisories/GHSA-9wv6-86v2-598j","created":"2024-09-09T20:19:15.000Z","reported_by":null,"title":"path-to-regexp outputs backtracking regular expressions","npm_advisory_id":null,"overview":"### Impact\n\nIn certain cases, `path-to-regexp` will output a regular expression that can be exploited to cause poor performance.\n\n### Patches\n\nFor users of 0.1, upgrade to `0.1.10`. All other users should upgrade to `8.0.0`. 
\n\nVersion 0.1.10 adds backtracking protection when a custom regular expression is not provided, so it's still possible to manually create a ReDoS vulnerability if you are providing custom regular expressions.\n\nVersion 8.0.0 removes all features that can cause a ReDoS and stops exposing the regular expression directly.\n\n### Workarounds\n\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change `/:a-:b` to `/:a-:b([^-/]+)`.\n\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.\n\n### Details\n\nBecause JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.\n\nThe bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b` will produce the regular expression `/^\\/([^\\/]+?)-([^\\/]+?)\\/?$/`. This can be exploited by a path such as `/a${'-a'.repeat(8_000)}/a`. 
[OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) has a good example of why this occurs, but the TL;DR is the `/a` at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the `:a-:b` on the repeated 8,000 `-a`.\n\n### References\n\n* [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n* [Detailed blog post](https://blakeembrey.com/posts/2024-09-web-redos/)","url":"https://github.com/advisories/GHSA-9wv6-86v2-598j"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":29,"high":12,"critical":1},"dependencies":1064,"devDependencies":4,"optionalDependencies":0,"totalDependencies":1068}} +{"actions":[],"advisories":{"1085685":{"findings":[{"version":"1.1.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>os-locale>mem"]}],"metadata":null,"vulnerable_versions":"<4.0.0","module_name":"mem","severity":"moderate","github_advisory_id":"GHSA-4xcv-9jjx-gfj3","cves":[],"access":"public","patched_versions":">=4.0.0","cvss":{"score":5.1,"vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},"updated":"2023-01-09T05:01:45.000Z","recommendation":"Upgrade to version 4.0.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085685,"references":"- https://github.com/sindresorhus/mem/commit/da4e4398cb27b602de3bd55f746efa9b4a31702b\n- https://bugzilla.redhat.com/show_bug.cgi?id=1623744\n- https://www.npmjs.com/advisories/1084\n- https://snyk.io/vuln/npm:mem:20180117\n- https://github.com/advisories/GHSA-4xcv-9jjx-gfj3","created":"2019-07-05T21:07:58.000Z","reported_by":null,"title":"Denial of Service in mem","npm_advisory_id":null,"overview":"Versions of `mem` prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its `maxAge` property. 
This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.\n\n\n## Recommendation\n\nUpgrade to version 4.0.0 or later.","url":"https://github.com/advisories/GHSA-4xcv-9jjx-gfj3"},"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"moderate","github_advisory_id":"GHSA-64g7-mvw6-v9qj","cves":[],"access":"public","patched_versions":">=0.8.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-11T05:03:39.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1088208,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. 
You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088811":{"findings":[{"version":"8.1.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>yargs-parser"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <13.1.2","module_name":"yargs-parser","severity":"moderate","github_advisory_id":"GHSA-p9pc-299p-vxgp","cves":["CVE-2020-7608"],"access":"public","patched_versions":">=13.1.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-01-27T05:00:51.000Z","recommendation":"Upgrade to version 13.1.2 or later","cwe":["CWE-915","CWE-1321"],"found_by":null,"deleted":null,"id":1088811,"references":"- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381\n- https://www.npmjs.com/advisories/1500\n- https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2\n- https://nvd.nist.gov/vuln/detail/CVE-2020-7608\n- https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36\n- https://github.com/advisories/GHSA-p9pc-299p-vxgp","created":"2020-09-04T18:00:54.000Z","reported_by":null,"title":"yargs-parser Vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"Affected versions of `yargs-parser` are vulnerable to prototype pollution. 
Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.\n\n\n\n## Recommendation\n\nUpgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.","url":"https://github.com/advisories/GHSA-p9pc-299p-vxgp"},"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX 
socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"access":"public","patched_versions":">=3.1.7","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-30T05:02:57.000Z","recommendation":"Upgrade to version 3.1.7 or later","cwe":["CWE-74"],"found_by":null,"deleted":null,"id":1089270,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","reported_by":null,"title":"ejs template injection vulnerability","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. 
This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-g973-978j-2c3p","cves":["CVE-2021-32014"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:54.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-345","CWE-400"],"found_by":null,"deleted":null,"id":1089698,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.","url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-3x9f-74h4-2fqr","cves":["CVE-2021-32012"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:10.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089699,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- 
https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-8vcr-vxm8-293m","cves":["CVE-2021-32013"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:00.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089700,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","reported_by":null,"title":"Denial of Service in SheetsJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 
2).","url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-09-11T16:22:18.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1093639,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. 
When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094599":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.19.3","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","cves":["CVE-2023-30533"],"access":"public","patched_versions":">=0.19.3","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-11-06T05:04:13.000Z","recommendation":"Upgrade to version 0.19.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1094599,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2986\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","reported_by":null,"title":"Prototype Pollution in sheetJS","npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. 
Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1095051":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","cves":["CVE-2022-21680"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-11-29T20:51:52.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1095051,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade 
to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"},"1095052":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","cves":["CVE-2022-21681"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-11-29T20:51:17.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1095052,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular 
expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1095126":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"high","github_advisory_id":"GHSA-4rq4-32rv-6wp6","cves":["CVE-2022-0144"],"access":"public","patched_versions":">=0.8.5","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"updated":"2023-11-29T22:21:11.000Z","recommendation":"Upgrade to version 0.8.5 or 
later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1095126,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege Management","url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1095531":{"findings":[{"version":"6.2.1","paths":["log4js"]}],"metadata":null,"vulnerable_versions":"<6.4.0","module_name":"log4js","severity":"moderate","github_advisory_id":"GHSA-82v2-mx6x-wq7q","cves":["CVE-2022-21704"],"access":"public","patched_versions":">=6.4.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},"updated":"2024-01-24T08:54:14.000Z","recommendation":"Upgrade to version 6.4.0 or later","cwe":["CWE-276"],"found_by":null,"deleted":null,"id":1095531,"references":"- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q\n- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76\n- https://github.com/log4js-node/streamroller/pull/87\n- https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21704\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00014.html\n- https://github.com/advisories/GHSA-82v2-mx6x-wq7q","created":"2022-01-21T18:53:27.000Z","reported_by":null,"title":"Incorrect Default Permissions in log4js","npm_advisory_id":null,"overview":"### Impact\r\nDefault file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. 
This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.\r\n\r\n### Patches\r\nFixed by:\r\n* https://github.com/log4js-node/log4js-node/pull/1141\r\n* https://github.com/log4js-node/streamroller/pull/87\r\n\r\nReleased to NPM in log4js@6.4.0\r\n\r\n### Workarounds\r\nEvery version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.\r\n\r\n### References\r\n\r\nThanks to [ranjit-git](https://www.huntr.dev/users/ranjit-git) for raising the issue, and to @lamweili for fixing the problem.\r\n\r\n### For more information\r\nIf you have any questions or comments about this advisory:\r\n* Open an issue in [logj4s-node](https://github.com/log4js-node/log4js-node)\r\n* Ask a question in the [slack channel](https://join.slack.com/t/log4js-node/shared_invite/enQtODkzMDQ3MzExMDczLWUzZmY0MmI0YWI1ZjFhODY0YjI0YmU1N2U5ZTRkOTYyYzg3MjY5NWI4M2FjZThjYjdiOGM0NjU2NzBmYTJjOGI)\r\n* Email us at [gareth.nomiddlename@gmail.com](mailto:gareth.nomiddlename@gmail.com)\r\n","url":"https://github.com/advisories/GHSA-82v2-mx6x-wq7q"},"1096832":{"findings":[{"version":"1.28.2","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":"<2.0.7","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-hhhv-q57g-882q","cves":["CVE-2024-28176"],"access":"public","patched_versions":">=2.0.7","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-03-30T06:30:42.000Z","recommendation":"Upgrade to version 2.0.7 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1096832,"references":"- https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q\n- https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314\n- https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b\n- 
https://nvd.nist.gov/vuln/detail/CVE-2024-28176\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG\n- https://github.com/advisories/GHSA-hhhv-q57g-882q","created":"2024-03-07T17:40:57.000Z","reported_by":null,"title":"jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext","npm_advisory_id":null,"overview":"A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the [support for decompressing plaintext after its decryption](https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.3). This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective.\n\nNote that as per [RFC 8725](https://www.rfc-editor.org/rfc/rfc8725.html#name-avoid-compression-of-encryp) compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. 
For this reason the v5.x major version of `jose` removed support for compressed payloads entirely and is therefore NOT affected by this advisory.\n\n### Impact\n\nUnder certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations.\n\n### Affected users\n\nThe impact is limited only to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.\n\nYou are NOT affected if any of the following applies to you\n\n- Your code uses jose version v5.x where JWE Compression is not supported anymore\n- Your code runs in an environment other than Node.js (e.g. Deno, CF Workers), which is the only runtime where JWE Compression is implemented out of the box\n- Your code does not use the JWE decryption APIs\n- Your code only accepts JWEs produced by trusted sources\n\n### Patches\n\n`v2.0.7` and `v4.15.5` releases limit the decompression routine to only allow decompressing up to 250 kB of plaintext. In v4.x it is possible to further adjust this limit via the `inflateRaw` decryption option implementation. 
In v2.x it is possible to further adjust this limit via the `inflateRawSyncLimit` decryption option.\n\n### Workarounds\n\nIf you cannot upgrade and do not want to support compressed JWEs you may detect and reject these tokens early by checking the token's protected header\n\n```js\nconst { zip } = jose.decodeProtectedHeader(token)\nif (zip !== undefined) {\n throw new Error('JWE Compression is not supported')\n}\n```\n\nIf you wish to continue supporting JWEs with compressed payloads in these legacy release lines you must upgrade (v1.x and v2.x to version v2.0.7, v3.x and v4.x to version v4.15.5) and review the limits put forth by the patched releases.\n\n### For more information\nIf you have any questions or comments about this advisory please open a discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-hhhv-q57g-882q%20advisory%20question)","url":"https://github.com/advisories/GHSA-hhhv-q57g-882q"},"1096911":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.20.2","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-5pgg-2g8v-p4x9","cves":["CVE-2024-22363"],"access":"public","patched_versions":">=0.20.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-04-08T13:47:06.000Z","recommendation":"Upgrade to version 0.20.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1096911,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-22363\n- https://cdn.sheetjs.com/advisories/CVE-2024-22363\n- https://cwe.mitre.org/data/definitions/1333.html\n- https://git.sheetjs.com/sheetjs/sheetjs/src/tag/v0.20.2\n- https://github.com/advisories/GHSA-5pgg-2g8v-p4x9","created":"2024-04-05T06:30:46.000Z","reported_by":null,"title":"SheetJS Regular Expression Denial of Service (ReDoS)","npm_advisory_id":null,"overview":"SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of 
Service (ReDoS).","url":"https://github.com/advisories/GHSA-5pgg-2g8v-p4x9"},"1097504":{"findings":[{"version":"2.5.207","paths":["pdfjs-dist","@hmcts/media-viewer>pdfjs-dist"]}],"metadata":null,"vulnerable_versions":"<=4.1.392","module_name":"pdfjs-dist","severity":"high","github_advisory_id":"GHSA-wgrm-67xf-hhpq","cves":["CVE-2024-4367"],"access":"public","patched_versions":">=4.2.67","cvss":{"score":0,"vectorString":null},"updated":"2024-06-10T20:18:19.000Z","recommendation":"Upgrade to version 4.2.67 or later","cwe":[],"found_by":null,"deleted":null,"id":1097504,"references":"- https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq\n- https://github.com/mozilla/pdf.js/pull/18015\n- https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6\n- https://bugzilla.mozilla.org/show_bug.cgi?id=1893645\n- https://nvd.nist.gov/vuln/detail/CVE-2024-4367\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html\n- https://www.mozilla.org/security/advisories/mfsa2024-21\n- https://www.mozilla.org/security/advisories/mfsa2024-22\n- https://www.mozilla.org/security/advisories/mfsa2024-23\n- https://github.com/advisories/GHSA-wgrm-67xf-hhpq","created":"2024-05-07T10:25:08.000Z","reported_by":null,"title":"PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF","npm_advisory_id":null,"overview":"### Impact\nIf pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.\n\n### Patches\nThe patch removes the use of `eval`:\nhttps://github.com/mozilla/pdf.js/pull/18015\n\n### Workarounds\nSet the option `isEvalSupported` to `false`. 
\n\n### References\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1893645","url":"https://github.com/advisories/GHSA-wgrm-67xf-hhpq"},"1097679":{"findings":[{"version":"0.26.1","paths":["axios","@hmcts/rpx-xui-node-lib>axios"]}],"metadata":null,"vulnerable_versions":">=0.8.1 <0.28.0","module_name":"axios","severity":"moderate","github_advisory_id":"GHSA-wf5p-g6vw-rhxx","cves":["CVE-2023-45857"],"access":"public","patched_versions":">=0.28.0","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},"updated":"2024-06-21T21:33:58.000Z","recommendation":"Upgrade to version 0.28.0 or later","cwe":["CWE-352"],"found_by":null,"deleted":null,"id":1097679,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-45857\n- https://github.com/axios/axios/issues/6006\n- https://github.com/axios/axios/issues/6022\n- https://github.com/axios/axios/pull/6028\n- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0\n- https://github.com/axios/axios/releases/tag/v1.6.0\n- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459\n- https://github.com/axios/axios/pull/6091\n- https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967\n- https://github.com/axios/axios/releases/tag/v0.28.0\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-wf5p-g6vw-rhxx","created":"2023-11-08T21:30:37.000Z","reported_by":null,"title":"Axios Cross-Site Request Forgery Vulnerability","npm_advisory_id":null,"overview":"An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive 
information.","url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"},"1097682":{"findings":[{"version":"2.5.0","paths":["rx-polling-hmcts>jest-environment-jsdom>jsdom>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2024-06-21T21:33:53.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097682,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1097684":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<9.0.0","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-qwph-4952-7xr6","cves":["CVE-2022-23540"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":6.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L"},"updated":"2024-06-21T21:34:57.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-287","CWE-327","CWE-347"],"found_by":null,"deleted":null,"id":1097684,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23540\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-qwph-4952-7xr6","created":"2022-12-22T03:32:59.000Z","reported_by":null,"title":"jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()","npm_advisory_id":null,"overview":"# Overview\n\nIn versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification.\n\n# Am I affected?\nYou will be affected if all the following are true in the `jwt.verify()` function:\n- a token with no signature is received\n- no algorithms are specified \n- a falsy (e.g. null, false, undefined) secret or key is passed \n\n# How do I fix it?\n \nUpdate to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. 
\n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n","url":"https://github.com/advisories/GHSA-qwph-4952-7xr6"},"1097690":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<=8.5.1","module_name":"jsonwebtoken","severity":"high","github_advisory_id":"GHSA-8cf7-32gw-wr33","cves":["CVE-2022-23539"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},"updated":"2024-06-24T21:23:39.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-327"],"found_by":null,"deleted":null,"id":1097690,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23539\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-8cf7-32gw-wr33","created":"2022-12-22T03:32:22.000Z","reported_by":null,"title":"jsonwebtoken unrestricted key type could lead to legacy keys usage ","npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. 
\n\n# Am I affected?\n\nYou are affected if you are using an algorithm and a key type other than the combinations mentioned below\n\n| Key type | algorithm |\n|----------|------------------------------------------|\n| ec | ES256, ES384, ES512 |\n| rsa | RS256, RS384, RS512, PS256, PS384, PS512 |\n| rsa-pss | PS256, PS384, PS512 |\n\nAnd for Elliptic Curve algorithms:\n\n| `alg` | Curve |\n|-------|------------|\n| ES256 | prime256v1 |\n| ES384 | secp384r1 |\n| ES512 | secp521r1 |\n\n# How do I fix it?\n\nUpdate to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, If you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.\n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you already use a valid secure combination of key type and algorithm. Otherwise, use the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and `verify()` functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility. 
\n\n","url":"https://github.com/advisories/GHSA-8cf7-32gw-wr33"},"1097694":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"metadata":null,"vulnerable_versions":"<=8.5.1","module_name":"jsonwebtoken","severity":"moderate","github_advisory_id":"GHSA-hjrf-2m68-5959","cves":["CVE-2022-23541"],"access":"public","patched_versions":">=9.0.0","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},"updated":"2024-06-24T21:24:07.000Z","recommendation":"Upgrade to version 9.0.0 or later","cwe":["CWE-287","CWE-1259"],"found_by":null,"deleted":null,"id":1097694,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23541\n- https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-hjrf-2m68-5959","created":"2022-12-22T03:33:19.000Z","reported_by":null,"title":"jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC","npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the `secretOrPublicKey` argument from the [readme link](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback)) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. 
\n\n# Am I affected?\n\nYou will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. \n\n# How do I fix it?\n \nUpdate to version 9.0.0.\n\n# Will the fix impact my users?\n\nThere is no impact for end users","url":"https://github.com/advisories/GHSA-hjrf-2m68-5959"},"1098366":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.10","module_name":"ejs","severity":"moderate","github_advisory_id":"GHSA-ghr5-ch3p-vcr6","cves":["CVE-2024-33883"],"access":"public","patched_versions":">=3.1.10","cvss":{"score":4,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-02T15:45:54.000Z","recommendation":"Upgrade to version 3.1.10 or later","cwe":["CWE-693","CWE-1321"],"found_by":null,"deleted":null,"id":1098366,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-33883\n- https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5\n- https://github.com/mde/ejs/compare/v3.1.9...v3.1.10\n- https://security.netapp.com/advisory/ntap-20240605-0003\n- https://github.com/advisories/GHSA-ghr5-ch3p-vcr6","created":"2024-04-28T18:30:31.000Z","reported_by":null,"title":"ejs lacks certain pollution protection","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.","url":"https://github.com/advisories/GHSA-ghr5-ch3p-vcr6"},"1098393":{"findings":[{"version":"7.4.6","paths":["puppeteer>ws","@hmcts/media-viewer>socket.io-client>engine.io-client>ws"]}],"metadata":null,"vulnerable_versions":">=7.0.0 <7.5.10","module_name":"ws","severity":"high","github_advisory_id":"GHSA-3h5v-q93c-6h6q","cves":["CVE-2024-37890"],"access":"public","patched_versions":">=7.5.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-08-05T05:02:34.000Z","recommendation":"Upgrade 
to version 7.5.10 or later","cwe":["CWE-476"],"found_by":null,"deleted":null,"id":1098393,"references":"- https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n- https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f\n- https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e\n- https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c\n- https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63\n- https://github.com/advisories/GHSA-3h5v-q93c-6h6q","created":"2024-06-17T19:09:10.000Z","reported_by":null,"title":"ws affected by a DoS when handling a request with many HTTP headers","npm_advisory_id":null,"overview":"### Impact\n\nA request with a number of headers exceeding the[`server.maxHeadersCount`][] threshold could be used to crash a ws server.\n\n### Proof of concept\n\n```js\nconst http = require('http');\nconst WebSocket = require('ws');\n\nconst wss = new WebSocket.Server({ port: 0 }, function () {\n const chars = \"!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~\".split('');\n const headers = {};\n let count = 0;\n\n for (let i = 0; i < chars.length; i++) {\n if (count === 2000) break;\n\n for (let j = 0; j < chars.length; j++) {\n const key = chars[i] + chars[j];\n headers[key] = 'x';\n\n if (++count === 2000) break;\n }\n }\n\n headers.Connection = 'Upgrade';\n headers.Upgrade = 'websocket';\n headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';\n headers['Sec-WebSocket-Version'] = '13';\n\n const request = http.request({\n headers: headers,\n host: '127.0.0.1',\n port: wss.address().port\n });\n\n request.end();\n});\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 
(https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated in the following ways:\n\n1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options so that no more headers than the `server.maxHeadersCount` limit can be sent.\n2. Set `server.maxHeadersCount` to `0` so that no limit is applied.\n\n### Credits\n\nThe vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in https://github.com/websockets/ws/issues/2230.\n\n### References\n\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n\n[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize\n[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener\n[`server.maxHeadersCount`]: 
https://nodejs.org/api/http.html#servermaxheaderscount\n","url":"https://github.com/advisories/GHSA-3h5v-q93c-6h6q"},"1098681":{"findings":[{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch","rx-polling-hmcts>jest-environment-jsdom>@jest/fake-timers>jest-message-util>micromatch","rx-polling-hmcts>jest-environment-jsdom>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:
N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"},"1099520":{"findings":[{"version":"1.20.2","paths":["body-parser","express>body-parser","@hmcts/rpx-xui-node-lib>express>body-parser"]}],"metadata":null,"vulnerable_versions":"<1.20.3","module_name":"body-parser","severity":"high","github_advisory_id":"GHSA-qwcr-r2fm-qrc7","cves":["CVE-2024-45590"],"access":"public","patched_versions":">=1.20.3","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-09-10T19:01:11.000Z","recommendation":"Upgrade to version 1.20.3 or later","cwe":["CWE-405"],"found_by":null,"deleted":null,"id":1099520,"references":"- https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7\n- https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45590\n- https://github.com/advisories/GHSA-qwcr-r2fm-qrc7","created":"2024-09-10T15:52:39.000Z","reported_by":null,"title":"body-parser vulnerable to denial of service when url encoding is enabled","npm_advisory_id":null,"overview":"### Impact\n\nbody-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. 
A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.\n\n### Patches\n\nthis issue is patched in 1.20.3\n\n### References\n","url":"https://github.com/advisories/GHSA-qwcr-r2fm-qrc7"},"1099525":{"findings":[{"version":"0.18.0","paths":["express>send","@hmcts/rpx-xui-node-lib>express>send","@hmcts/rpx-xui-node-lib>express>serve-static>send"]}],"metadata":null,"vulnerable_versions":"<0.19.0","module_name":"send","severity":"moderate","github_advisory_id":"GHSA-m6fv-jmcg-4jfg","cves":["CVE-2024-43799"],"access":"public","patched_versions":">=0.19.0","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"updated":"2024-09-10T19:42:42.000Z","recommendation":"Upgrade to version 0.19.0 or later","cwe":["CWE-79"],"found_by":null,"deleted":null,"id":1099525,"references":"- https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43799\n- https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35\n- https://github.com/advisories/GHSA-m6fv-jmcg-4jfg","created":"2024-09-10T19:42:41.000Z","reported_by":null,"title":"send vulnerable to template injection that can lead to XSS","npm_advisory_id":null,"overview":"### Impact\n\npassing untrusted user input - even after sanitizing it - to `SendStream.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in send 0.19.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. 
the user MUST click on the link in the template\n","url":"https://github.com/advisories/GHSA-m6fv-jmcg-4jfg"},"1099527":{"findings":[{"version":"1.15.0","paths":["express>serve-static","@hmcts/rpx-xui-node-lib>express>serve-static"]}],"metadata":null,"vulnerable_versions":"<1.16.0","module_name":"serve-static","severity":"moderate","github_advisory_id":"GHSA-cm22-4g7w-348p","cves":["CVE-2024-43800"],"access":"public","patched_versions":">=1.16.0","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"updated":"2024-09-10T19:42:34.000Z","recommendation":"Upgrade to version 1.16.0 or later","cwe":["CWE-79"],"found_by":null,"deleted":null,"id":1099527,"references":"- https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43800\n- https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b\n- https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa\n- https://github.com/advisories/GHSA-cm22-4g7w-348p","created":"2024-09-10T19:42:33.000Z","reported_by":null,"title":"serve-static vulnerable to template injection that can lead to XSS","npm_advisory_id":null,"overview":"### Impact\n\npassing untrusted user input - even after sanitizing it - to `redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in serve-static 1.16.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. 
the user MUST click on the link in the template\n","url":"https://github.com/advisories/GHSA-cm22-4g7w-348p"},"1099529":{"findings":[{"version":"4.19.2","paths":["express","@hmcts/rpx-xui-node-lib>express"]}],"metadata":null,"vulnerable_versions":"<4.20.0","module_name":"express","severity":"moderate","github_advisory_id":"GHSA-qw6h-vgh9-j6wx","cves":["CVE-2024-43796"],"access":"public","patched_versions":">=4.20.0","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"updated":"2024-09-10T19:41:07.000Z","recommendation":"Upgrade to version 4.20.0 or later","cwe":["CWE-79"],"found_by":null,"deleted":null,"id":1099529,"references":"- https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43796\n- https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553\n- https://github.com/advisories/GHSA-qw6h-vgh9-j6wx","created":"2024-09-10T19:41:04.000Z","reported_by":null,"title":"express vulnerable to XSS via response.redirect()","npm_advisory_id":null,"overview":"### Impact\n\nIn express <4.20.0, passing untrusted user input - even after sanitizing it - to `response.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in express 4.20.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. 
the user MUST click on the link in the template\n","url":"https://github.com/advisories/GHSA-qw6h-vgh9-j6wx"},"1099562":{"findings":[{"version":"0.1.7","paths":["express>path-to-regexp","@hmcts/rpx-xui-node-lib>express>path-to-regexp"]}],"metadata":null,"vulnerable_versions":"<0.1.10","module_name":"path-to-regexp","severity":"high","github_advisory_id":"GHSA-9wv6-86v2-598j","cves":["CVE-2024-45296"],"access":"public","patched_versions":">=0.1.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-09-12T17:09:43.000Z","recommendation":"Upgrade to version 0.1.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1099562,"references":"- https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j\n- https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f\n- https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45296\n- https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485\n- https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef\n- https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894\n- https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0\n- https://github.com/advisories/GHSA-9wv6-86v2-598j","created":"2024-09-09T20:19:15.000Z","reported_by":null,"title":"path-to-regexp outputs backtracking regular expressions","npm_advisory_id":null,"overview":"### Impact\n\nA bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b`.\n\n### Patches\n\nFor users of 0.1, upgrade to `0.1.10`. 
All other users should upgrade to `8.0.0`.\n\nThese versions add backtrack protection when a custom regex pattern is not provided:\n\n- [0.1.10](https://github.com/pillarjs/path-to-regexp/releases/tag/v0.1.10)\n- [1.9.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v1.9.0)\n- [3.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v3.3.0)\n- [6.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0)\n\nThey do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.\n\nVersion [7.1.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0) can enable `strict: true` and get an error when the regular expression might be bad.\n\nVersion [8.0.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0) removes the features that can cause a ReDoS.\n\n### Workarounds\n\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change `/:a-:b` to `/:a-:b([^-/]+)`.\n\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.\n\n### Details\n\nUsing `/:a-:b` will produce the regular expression `/^\\/([^\\/]+?)-([^\\/]+?)\\/?$/`. This can be exploited by a path such as `/a${'-a'.repeat(8_000)}/a`. 
[OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) has a good example of why this occurs, but the TL;DR is the `/a` at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the `:a-:b` on the repeated 8,000 `-a`.\n\nBecause JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.\n\n### References\n\n* [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n* [Detailed blog post](https://blakeembrey.com/posts/2024-09-web-redos/)","url":"https://github.com/advisories/GHSA-9wv6-86v2-598j"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":36,"high":15,"critical":1},"dependencies":1064,"devDependencies":4,"optionalDependencies":0,"totalDependencies":1068}} From fc24474c58b5dcb2948fb068de85b4363147d21f Mon Sep 17 00:00:00 2001 From: Josh Date: Mon, 16 Sep 2024 13:36:14 +0100 Subject: [PATCH 36/37] fix step --- Jenkinsfile_nightly | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile_nightly b/Jenkinsfile_nightly index 7a9f65dba..2dff591a0 100644 --- a/Jenkinsfile_nightly +++ b/Jenkinsfile_nightly @@ -44,10 +44,10 @@ withNightlyPipeline(type, product, component) { enableSlackNotifications(channel) loadVaultSecrets(secrets) // enableFortifyScan('rpx-aat') - enableFullFunctionalTest(120) + //enableFullFunctionalTest(120) // enableSecurityScan() enableMutationTest() - //enableCrossBrowserTest() + enableCrossBrowserTest() env.TEST_URL = 'https://manage-org.aat.platform.hmcts.net/' afterSuccess('checkout') {sh 'yarn cache clean'} 
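Review bot: `enableFullFunctionalTest(120)` is commented out without a note saying why or when it comes back, so it now sits next to the already-disabled `// enableFortifyScan('rpx-aat')` and `// enableSecurityScan()` and a reader of this nightly pipeline cannot tell whether skipping the functional and security-scan steps is deliberate or was simply forgotten. The commit title "fix step" does not record the reason either. Suggest a trailing comment on the disabled line, e.g. `//enableFullFunctionalTest(120) // disabled <DATE>: <reason or ticket>, re-enable once resolved`, and a matching note on the two scan lines if they are meant to stay off. The enclosing withNightlyPipeline block starts before and continues after this hunk.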
From 308e9c7c0ac42200c4b45e55fe92ce92407042d4 Mon Sep 17 00:00:00 2001
From: Josh
Date: Fri, 11 Oct 2024 10:19:24 +0100
Subject: [PATCH 37/37] update yarn audit

---
 yarn-audit-known-issues | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
index 16e53db00..9f87c29da 100644
--- a/yarn-audit-known-issues
+++ b/yarn-audit-known-issues
@@ -1 +1 @@ -{"actions":[],"advisories":{"1085685":{"findings":[{"version":"1.1.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>os-locale>mem"]}],"found_by":null,"deleted":null,"references":"- https://github.com/sindresorhus/mem/commit/da4e4398cb27b602de3bd55f746efa9b4a31702b\n- https://bugzilla.redhat.com/show_bug.cgi?id=1623744\n- https://www.npmjs.com/advisories/1084\n- https://snyk.io/vuln/npm:mem:20180117\n- https://github.com/advisories/GHSA-4xcv-9jjx-gfj3","created":"2019-07-05T21:07:58.000Z","id":1085685,"npm_advisory_id":null,"overview":"Versions of `mem` prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its `maxAge` property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.\n\n\n## Recommendation\n\nUpgrade to version 4.0.0 or later.","reported_by":null,"title":"Denial of Service in mem","metadata":null,"cves":[],"access":"public","severity":"moderate","module_name":"mem","vulnerable_versions":"<4.0.0","github_advisory_id":"GHSA-4xcv-9jjx-gfj3","recommendation":"Upgrade to version 4.0.0 or later","patched_versions":">=4.0.0","updated":"2023-01-09T05:01:45.000Z","cvss":{"score":5.1,"vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},"cwe":["CWE-400"],"url":"https://github.com/advisories/GHSA-4xcv-9jjx-gfj3"},"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"found_by":null,"deleted":null,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","id":1088208,"npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. 
You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","reported_by":null,"title":"Improper Privilege Management in shelljs","metadata":null,"cves":[],"access":"public","severity":"moderate","module_name":"shelljs","vulnerable_versions":"<0.8.5","github_advisory_id":"GHSA-64g7-mvw6-v9qj","recommendation":"Upgrade to version 0.8.5 or later","patched_versions":">=0.8.5","updated":"2023-01-11T05:03:39.000Z","cvss":{"score":0,"vectorString":null},"cwe":["CWE-269"],"url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088811":{"findings":[{"version":"8.1.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>yargs-parser"]}],"found_by":null,"deleted":null,"references":"- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381\n- https://www.npmjs.com/advisories/1500\n- https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2\n- https://nvd.nist.gov/vuln/detail/CVE-2020-7608\n- https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36\n- https://github.com/advisories/GHSA-p9pc-299p-vxgp","created":"2020-09-04T18:00:54.000Z","id":1088811,"npm_advisory_id":null,"overview":"Affected versions of `yargs-parser` are vulnerable to prototype pollution. 
Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.\n\n\n\n## Recommendation\n\nUpgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.","reported_by":null,"title":"yargs-parser Vulnerable to Prototype Pollution","metadata":null,"cves":["CVE-2020-7608"],"access":"public","severity":"moderate","module_name":"yargs-parser","vulnerable_versions":">=6.0.0 <13.1.2","github_advisory_id":"GHSA-p9pc-299p-vxgp","recommendation":"Upgrade to version 13.1.2 or later","patched_versions":">=13.1.2","updated":"2023-01-27T05:00:51.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},"cwe":["CWE-915","CWE-1321"],"url":"https://github.com/advisories/GHSA-p9pc-299p-vxgp"},"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","id":1088948,"npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","reported_by":null,"title":"Got allows a redirect to a UNIX 
socket","metadata":null,"cves":["CVE-2022-33987"],"access":"public","severity":"moderate","module_name":"got","vulnerable_versions":"<11.8.5","github_advisory_id":"GHSA-pfrx-2q88-qq97","recommendation":"Upgrade to version 11.8.5 or later","patched_versions":">=11.8.5","updated":"2023-01-27T05:05:01.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"cwe":[],"url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","id":1089270,"npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. 
This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","reported_by":null,"title":"ejs template injection vulnerability","metadata":null,"cves":["CVE-2022-29078"],"access":"public","severity":"critical","module_name":"ejs","vulnerable_versions":"<3.1.7","github_advisory_id":"GHSA-phwq-j96m-2c2q","recommendation":"Upgrade to version 3.1.7 or later","patched_versions":">=3.1.7","updated":"2023-01-30T05:02:57.000Z","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"cwe":["CWE-74"],"url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","id":1089698,"npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.","reported_by":null,"title":"Denial of Service in SheetJS Pro","metadata":null,"cves":["CVE-2021-32014"],"access":"public","severity":"moderate","module_name":"xlsx","vulnerable_versions":"<0.17.0","github_advisory_id":"GHSA-g973-978j-2c3p","recommendation":"Upgrade to version 0.17.0 or later","patched_versions":">=0.17.0","updated":"2023-02-01T05:05:54.000Z","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"cwe":["CWE-345","CWE-400"],"url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"found_by":null,"deleted":null,"references":"- 
https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","id":1089699,"npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","reported_by":null,"title":"Denial of Service in SheetJS Pro","metadata":null,"cves":["CVE-2021-32012"],"access":"public","severity":"moderate","module_name":"xlsx","vulnerable_versions":"<0.17.0","github_advisory_id":"GHSA-3x9f-74h4-2fqr","recommendation":"Upgrade to version 0.17.0 or later","patched_versions":">=0.17.0","updated":"2023-02-01T05:06:10.000Z","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"cwe":["CWE-400"],"url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","id":1089700,"npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2).","reported_by":null,"title":"Denial of Service in SheetsJS 
Pro","metadata":null,"cves":["CVE-2021-32013"],"access":"public","severity":"moderate","module_name":"xlsx","vulnerable_versions":"<0.17.0","github_advisory_id":"GHSA-8vcr-vxm8-293m","recommendation":"Upgrade to version 0.17.0 or later","patched_versions":">=0.17.0","updated":"2023-02-01T05:06:00.000Z","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"cwe":["CWE-400"],"url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","id":1093639,"npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. 
When a user logs in or logs out, the session is regenerated instead of being closed.","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","metadata":null,"cves":["CVE-2022-25896"],"access":"public","severity":"moderate","module_name":"passport","vulnerable_versions":"<0.6.0","github_advisory_id":"GHSA-v923-w3x8-wh69","recommendation":"Upgrade to version 0.6.0 or later","patched_versions":">=0.6.0","updated":"2023-09-11T16:22:18.000Z","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"cwe":["CWE-384"],"url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094599":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2986\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","id":1094599,"npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. 
Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","reported_by":null,"title":"Prototype Pollution in sheetJS","metadata":null,"cves":["CVE-2023-30533"],"access":"public","severity":"high","module_name":"xlsx","vulnerable_versions":"<0.19.3","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","recommendation":"Upgrade to version 0.19.3 or later","patched_versions":">=0.19.3","updated":"2023-11-06T05:04:13.000Z","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1095051":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"found_by":null,"deleted":null,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","id":1095051,"npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### 
Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","metadata":null,"cves":["CVE-2022-21680"],"access":"public","severity":"high","module_name":"marked","vulnerable_versions":"<4.0.10","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","recommendation":"Upgrade to version 4.0.10 or later","patched_versions":">=4.0.10","updated":"2023-11-29T20:51:52.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-400","CWE-1333"],"url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"},"1095052":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"found_by":null,"deleted":null,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","id":1095052,"npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression 
`inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","metadata":null,"cves":["CVE-2022-21681"],"access":"public","severity":"high","module_name":"marked","vulnerable_versions":"<4.0.10","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","recommendation":"Upgrade to version 4.0.10 or 
later","patched_versions":">=4.0.10","updated":"2023-11-29T20:51:17.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1095126":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","id":1095126,"npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege Management","reported_by":null,"title":"Improper Privilege Management in shelljs","metadata":null,"cves":["CVE-2022-0144"],"access":"public","severity":"high","module_name":"shelljs","vulnerable_versions":"<0.8.5","github_advisory_id":"GHSA-4rq4-32rv-6wp6","recommendation":"Upgrade to version 0.8.5 or later","patched_versions":">=0.8.5","updated":"2023-11-29T22:21:11.000Z","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"cwe":["CWE-269"],"url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1095531":{"findings":[{"version":"6.2.1","paths":["log4js"]}],"found_by":null,"deleted":null,"references":"- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q\n- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76\n- https://github.com/log4js-node/streamroller/pull/87\n- https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21704\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00014.html\n- https://github.com/advisories/GHSA-82v2-mx6x-wq7q","created":"2022-01-21T18:53:27.000Z","id":1095531,"npm_advisory_id":null,"overview":"### Impact\r\nDefault file 
permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.\r\n\r\n### Patches\r\nFixed by:\r\n* https://github.com/log4js-node/log4js-node/pull/1141\r\n* https://github.com/log4js-node/streamroller/pull/87\r\n\r\nReleased to NPM in log4js@6.4.0\r\n\r\n### Workarounds\r\nEvery version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.\r\n\r\n### References\r\n\r\nThanks to [ranjit-git](https://www.huntr.dev/users/ranjit-git) for raising the issue, and to @lamweili for fixing the problem.\r\n\r\n### For more information\r\nIf you have any questions or comments about this advisory:\r\n* Open an issue in [logj4s-node](https://github.com/log4js-node/log4js-node)\r\n* Ask a question in the [slack channel](https://join.slack.com/t/log4js-node/shared_invite/enQtODkzMDQ3MzExMDczLWUzZmY0MmI0YWI1ZjFhODY0YjI0YmU1N2U5ZTRkOTYyYzg3MjY5NWI4M2FjZThjYjdiOGM0NjU2NzBmYTJjOGI)\r\n* Email us at [gareth.nomiddlename@gmail.com](mailto:gareth.nomiddlename@gmail.com)\r\n","reported_by":null,"title":"Incorrect Default Permissions in log4js","metadata":null,"cves":["CVE-2022-21704"],"access":"public","severity":"moderate","module_name":"log4js","vulnerable_versions":"<6.4.0","github_advisory_id":"GHSA-82v2-mx6x-wq7q","recommendation":"Upgrade to version 6.4.0 or later","patched_versions":">=6.4.0","updated":"2024-01-24T08:54:14.000Z","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},"cwe":["CWE-276"],"url":"https://github.com/advisories/GHSA-82v2-mx6x-wq7q"},"1096832":{"findings":[{"version":"1.28.2","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"found_by":null,"deleted":null,"references":"- 
https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q\n- https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314\n- https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28176\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG\n- https://github.com/advisories/GHSA-hhhv-q57g-882q","created":"2024-03-07T17:40:57.000Z","id":1096832,"npm_advisory_id":null,"overview":"A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the [support for decompressing plaintext after its decryption](https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.3). This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective.\n\nNote that as per [RFC 8725](https://www.rfc-editor.org/rfc/rfc8725.html#name-avoid-compression-of-encryp) compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. 
For this reason the v5.x major version of `jose` removed support for compressed payloads entirely and is therefore NOT affected by this advisory.\n\n### Impact\n\nUnder certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations.\n\n### Affected users\n\nThe impact is limited only to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.\n\nYou are NOT affected if any of the following applies to you\n\n- Your code uses jose version v5.x where JWE Compression is not supported anymore\n- Your code runs in an environment other than Node.js (e.g. Deno, CF Workers), which is the only runtime where JWE Compression is implemented out of the box\n- Your code does not use the JWE decryption APIs\n- Your code only accepts JWEs produced by trusted sources\n\n### Patches\n\n`v2.0.7` and `v4.15.5` releases limit the decompression routine to only allow decompressing up to 250 kB of plaintext. In v4.x it is possible to further adjust this limit via the `inflateRaw` decryption option implementation. 
In v2.x it is possible to further adjust this limit via the `inflateRawSyncLimit` decryption option.\n\n### Workarounds\n\nIf you cannot upgrade and do not want to support compressed JWEs you may detect and reject these tokens early by checking the token's protected header\n\n```js\nconst { zip } = jose.decodeProtectedHeader(token)\nif (zip !== undefined) {\n throw new Error('JWE Compression is not supported')\n}\n```\n\nIf you wish to continue supporting JWEs with compressed payloads in these legacy release lines you must upgrade (v1.x and v2.x to version v2.0.7, v3.x and v4.x to version v4.15.5) and review the limits put forth by the patched releases.\n\n### For more information\nIf you have any questions or comments about this advisory please open a discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-hhhv-q57g-882q%20advisory%20question)","reported_by":null,"title":"jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext","metadata":null,"cves":["CVE-2024-28176"],"access":"public","severity":"moderate","module_name":"jose","vulnerable_versions":"<2.0.7","github_advisory_id":"GHSA-hhhv-q57g-882q","recommendation":"Upgrade to version 2.0.7 or later","patched_versions":">=2.0.7","updated":"2024-03-30T06:30:42.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"cwe":["CWE-400"],"url":"https://github.com/advisories/GHSA-hhhv-q57g-882q"},"1096911":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-22363\n- https://cdn.sheetjs.com/advisories/CVE-2024-22363\n- https://cwe.mitre.org/data/definitions/1333.html\n- https://git.sheetjs.com/sheetjs/sheetjs/src/tag/v0.20.2\n- https://github.com/advisories/GHSA-5pgg-2g8v-p4x9","created":"2024-04-05T06:30:46.000Z","id":1096911,"npm_advisory_id":null,"overview":"SheetJS Community Edition before 0.20.2 is 
vulnerable.to Regular Expression Denial of Service (ReDoS).","reported_by":null,"title":"SheetJS Regular Expression Denial of Service (ReDoS)","metadata":null,"cves":["CVE-2024-22363"],"access":"public","severity":"high","module_name":"xlsx","vulnerable_versions":"<0.20.2","github_advisory_id":"GHSA-5pgg-2g8v-p4x9","recommendation":"Upgrade to version 0.20.2 or later","patched_versions":">=0.20.2","updated":"2024-04-08T13:47:06.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-5pgg-2g8v-p4x9"},"1097504":{"findings":[{"version":"2.5.207","paths":["pdfjs-dist","@hmcts/media-viewer>pdfjs-dist"]}],"found_by":null,"deleted":null,"references":"- https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq\n- https://github.com/mozilla/pdf.js/pull/18015\n- https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6\n- https://bugzilla.mozilla.org/show_bug.cgi?id=1893645\n- https://nvd.nist.gov/vuln/detail/CVE-2024-4367\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html\n- https://www.mozilla.org/security/advisories/mfsa2024-21\n- https://www.mozilla.org/security/advisories/mfsa2024-22\n- https://www.mozilla.org/security/advisories/mfsa2024-23\n- https://github.com/advisories/GHSA-wgrm-67xf-hhpq","created":"2024-05-07T10:25:08.000Z","id":1097504,"npm_advisory_id":null,"overview":"### Impact\nIf pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.\n\n### Patches\nThe patch removes the use of `eval`:\nhttps://github.com/mozilla/pdf.js/pull/18015\n\n### Workarounds\nSet the option `isEvalSupported` to `false`. 
\n\n### References\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1893645","reported_by":null,"title":"PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF","metadata":null,"cves":["CVE-2024-4367"],"access":"public","severity":"high","module_name":"pdfjs-dist","vulnerable_versions":"<=4.1.392","github_advisory_id":"GHSA-wgrm-67xf-hhpq","recommendation":"Upgrade to version 4.2.67 or later","patched_versions":">=4.2.67","updated":"2024-06-10T20:18:19.000Z","cvss":{"score":0,"vectorString":null},"cwe":[],"url":"https://github.com/advisories/GHSA-wgrm-67xf-hhpq"},"1097679":{"findings":[{"version":"0.26.1","paths":["axios","@hmcts/rpx-xui-node-lib>axios"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-45857\n- https://github.com/axios/axios/issues/6006\n- https://github.com/axios/axios/issues/6022\n- https://github.com/axios/axios/pull/6028\n- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0\n- https://github.com/axios/axios/releases/tag/v1.6.0\n- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459\n- https://github.com/axios/axios/pull/6091\n- https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967\n- https://github.com/axios/axios/releases/tag/v0.28.0\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-wf5p-g6vw-rhxx","created":"2023-11-08T21:30:37.000Z","id":1097679,"npm_advisory_id":null,"overview":"An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.","reported_by":null,"title":"Axios Cross-Site Request Forgery Vulnerability","metadata":null,"cves":["CVE-2023-45857"],"access":"public","severity":"moderate","module_name":"axios","vulnerable_versions":">=0.8.1 
<0.28.0","github_advisory_id":"GHSA-wf5p-g6vw-rhxx","recommendation":"Upgrade to version 0.28.0 or later","patched_versions":">=0.28.0","updated":"2024-06-21T21:33:58.000Z","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},"cwe":["CWE-352"],"url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"},"1097682":{"findings":[{"version":"2.5.0","paths":["rx-polling-hmcts>jest-environment-jsdom>jsdom>tough-cookie"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","id":1097682,"npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","metadata":null,"cves":["CVE-2023-26136"],"access":"public","severity":"moderate","module_name":"tough-cookie","vulnerable_versions":"<4.1.3","github_advisory_id":"GHSA-72xf-g2v4-qvf3","recommendation":"Upgrade to version 4.1.3 or later","patched_versions":">=4.1.3","updated":"2024-06-21T21:33:53.000Z","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1097684":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"found_by":null,"deleted":null,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23540\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-qwph-4952-7xr6","created":"2022-12-22T03:32:59.000Z","id":1097684,"npm_advisory_id":null,"overview":"# Overview\n\nIn versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification.\n\n# Am I affected?\nYou will be affected if all the following are true in the `jwt.verify()` function:\n- a token with no signature is received\n- no algorithms are specified \n- a falsy (e.g. null, false, undefined) secret or key is passed \n\n# How do I fix it?\n \nUpdate to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. \n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. 
If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n","reported_by":null,"title":"jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()","metadata":null,"cves":["CVE-2022-23540"],"access":"public","severity":"moderate","module_name":"jsonwebtoken","vulnerable_versions":"<9.0.0","github_advisory_id":"GHSA-qwph-4952-7xr6","recommendation":"Upgrade to version 9.0.0 or later","patched_versions":">=9.0.0","updated":"2024-06-21T21:34:57.000Z","cvss":{"score":6.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L"},"cwe":["CWE-287","CWE-327","CWE-347"],"url":"https://github.com/advisories/GHSA-qwph-4952-7xr6"},"1097690":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"found_by":null,"deleted":null,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23539\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-8cf7-32gw-wr33","created":"2022-12-22T03:32:22.000Z","id":1097690,"npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. 
\n\n# Am I affected?\n\nYou are affected if you are using an algorithm and a key type other than the combinations mentioned below\n\n| Key type | algorithm |\n|----------|------------------------------------------|\n| ec | ES256, ES384, ES512 |\n| rsa | RS256, RS384, RS512, PS256, PS384, PS512 |\n| rsa-pss | PS256, PS384, PS512 |\n\nAnd for Elliptic Curve algorithms:\n\n| `alg` | Curve |\n|-------|------------|\n| ES256 | prime256v1 |\n| ES384 | secp384r1 |\n| ES512 | secp521r1 |\n\n# How do I fix it?\n\nUpdate to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, If you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.\n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you already use a valid secure combination of key type and algorithm. Otherwise, use the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and `verify()` functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility. 
\n\n","reported_by":null,"title":"jsonwebtoken unrestricted key type could lead to legacy keys usage ","metadata":null,"cves":["CVE-2022-23539"],"access":"public","severity":"high","module_name":"jsonwebtoken","vulnerable_versions":"<=8.5.1","github_advisory_id":"GHSA-8cf7-32gw-wr33","recommendation":"Upgrade to version 9.0.0 or later","patched_versions":">=9.0.0","updated":"2024-06-24T21:23:39.000Z","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},"cwe":["CWE-327"],"url":"https://github.com/advisories/GHSA-8cf7-32gw-wr33"},"1097694":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"found_by":null,"deleted":null,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23541\n- https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-hjrf-2m68-5959","created":"2022-12-22T03:33:19.000Z","id":1097694,"npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the `secretOrPublicKey` argument from the [readme link](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback)) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. 
\n\n# Am I affected?\n\nYou will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. \n\n# How do I fix it?\n \nUpdate to version 9.0.0.\n\n# Will the fix impact my users?\n\nThere is no impact for end users","reported_by":null,"title":"jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC","metadata":null,"cves":["CVE-2022-23541"],"access":"public","severity":"moderate","module_name":"jsonwebtoken","vulnerable_versions":"<=8.5.1","github_advisory_id":"GHSA-hjrf-2m68-5959","recommendation":"Upgrade to version 9.0.0 or later","patched_versions":">=9.0.0","updated":"2024-06-24T21:24:07.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},"cwe":["CWE-287","CWE-1259"],"url":"https://github.com/advisories/GHSA-hjrf-2m68-5959"},"1098366":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-33883\n- https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5\n- https://github.com/mde/ejs/compare/v3.1.9...v3.1.10\n- https://security.netapp.com/advisory/ntap-20240605-0003\n- https://github.com/advisories/GHSA-ghr5-ch3p-vcr6","created":"2024-04-28T18:30:31.000Z","id":1098366,"npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.","reported_by":null,"title":"ejs lacks certain pollution protection","metadata":null,"cves":["CVE-2024-33883"],"access":"public","severity":"moderate","module_name":"ejs","vulnerable_versions":"<3.1.10","github_advisory_id":"GHSA-ghr5-ch3p-vcr6","recommendation":"Upgrade to version 3.1.10 or 
later","patched_versions":">=3.1.10","updated":"2024-08-02T15:45:54.000Z","cvss":{"score":4,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"cwe":["CWE-693","CWE-1321"],"url":"https://github.com/advisories/GHSA-ghr5-ch3p-vcr6"},"1098393":{"findings":[{"version":"7.4.6","paths":["puppeteer>ws","@hmcts/media-viewer>socket.io-client>engine.io-client>ws"]}],"found_by":null,"deleted":null,"references":"- https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n- https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f\n- https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e\n- https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c\n- https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63\n- https://github.com/advisories/GHSA-3h5v-q93c-6h6q","created":"2024-06-17T19:09:10.000Z","id":1098393,"npm_advisory_id":null,"overview":"### Impact\n\nA request with a number of headers exceeding the[`server.maxHeadersCount`][] threshold could be used to crash a ws server.\n\n### Proof of concept\n\n```js\nconst http = require('http');\nconst WebSocket = require('ws');\n\nconst wss = new WebSocket.Server({ port: 0 }, function () {\n const chars = \"!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~\".split('');\n const headers = {};\n let count = 0;\n\n for (let i = 0; i < chars.length; i++) {\n if (count === 2000) break;\n\n for (let j = 0; j < chars.length; j++) {\n const key = chars[i] + chars[j];\n headers[key] = 'x';\n\n if (++count === 2000) break;\n }\n }\n\n headers.Connection = 'Upgrade';\n headers.Upgrade = 'websocket';\n headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';\n headers['Sec-WebSocket-Version'] = '13';\n\n const request = http.request({\n headers: headers,\n host: '127.0.0.1',\n port: wss.address().port\n });\n\n 
request.end();\n});\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated in the following ways:\n\n1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options so that no more headers than the `server.maxHeadersCount` limit can be sent.\n2. Set `server.maxHeadersCount` to `0` so that no limit is applied.\n\n### Credits\n\nThe vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in https://github.com/websockets/ws/issues/2230.\n\n### References\n\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n\n[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize\n[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener\n[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount\n","reported_by":null,"title":"ws affected by a DoS when handling a request with many HTTP headers","metadata":null,"cves":["CVE-2024-37890"],"access":"public","severity":"high","module_name":"ws","vulnerable_versions":">=7.0.0 <7.5.10","github_advisory_id":"GHSA-3h5v-q93c-6h6q","recommendation":"Upgrade to version 7.5.10 or 
later","patched_versions":">=7.5.10","updated":"2024-08-05T05:02:34.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-476"],"url":"https://github.com/advisories/GHSA-3h5v-q93c-6h6q"},"1098681":{"findings":[{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch","rx-polling-hmcts>jest-environment-jsdom>@jest/fake-timers>jest-message-util>micromatch","rx-polling-hmcts>jest-environment-jsdom>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- 
https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","id":1098681,"npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","metadata":null,"cves":["CVE-2024-4067"],"access":"public","severity":"moderate","module_name":"micromatch","vulnerable_versions":"<4.0.8","github_advisory_id":"GHSA-952p-6rrq-rcjv","recommendation":"Upgrade to version 4.0.8 or later","patched_versions":">=4.0.8","updated":"2024-08-28T13:12:27.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"},"1099520":{"findings":[{"version":"1.20.2","paths":["body-parser","express>body-parser","@hmcts/rpx-xui-node-lib>express>body-parser"]}],"found_by":null,"deleted":null,"references":"- https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7\n- https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45590\n- https://github.com/advisories/GHSA-qwcr-r2fm-qrc7","created":"2024-09-10T15:52:39.000Z","id":1099520,"npm_advisory_id":null,"overview":"### Impact\n\nbody-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. 
A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.\n\n### Patches\n\nthis issue is patched in 1.20.3\n\n### References\n","reported_by":null,"title":"body-parser vulnerable to denial of service when url encoding is enabled","metadata":null,"cves":["CVE-2024-45590"],"access":"public","severity":"high","module_name":"body-parser","vulnerable_versions":"<1.20.3","github_advisory_id":"GHSA-qwcr-r2fm-qrc7","recommendation":"Upgrade to version 1.20.3 or later","patched_versions":">=1.20.3","updated":"2024-09-10T19:01:11.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-405"],"url":"https://github.com/advisories/GHSA-qwcr-r2fm-qrc7"},"1099525":{"findings":[{"version":"0.18.0","paths":["express>send","@hmcts/rpx-xui-node-lib>express>send","@hmcts/rpx-xui-node-lib>express>serve-static>send"]}],"found_by":null,"deleted":null,"references":"- https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43799\n- https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35\n- https://github.com/advisories/GHSA-m6fv-jmcg-4jfg","created":"2024-09-10T19:42:41.000Z","id":1099525,"npm_advisory_id":null,"overview":"### Impact\n\npassing untrusted user input - even after sanitizing it - to `SendStream.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in send 0.19.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. 
the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template\n","reported_by":null,"title":"send vulnerable to template injection that can lead to XSS","metadata":null,"cves":["CVE-2024-43799"],"access":"public","severity":"moderate","module_name":"send","vulnerable_versions":"<0.19.0","github_advisory_id":"GHSA-m6fv-jmcg-4jfg","recommendation":"Upgrade to version 0.19.0 or later","patched_versions":">=0.19.0","updated":"2024-09-10T19:42:42.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"cwe":["CWE-79"],"url":"https://github.com/advisories/GHSA-m6fv-jmcg-4jfg"},"1099527":{"findings":[{"version":"1.15.0","paths":["express>serve-static","@hmcts/rpx-xui-node-lib>express>serve-static"]}],"found_by":null,"deleted":null,"references":"- https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43800\n- https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b\n- https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa\n- https://github.com/advisories/GHSA-cm22-4g7w-348p","created":"2024-09-10T19:42:33.000Z","id":1099527,"npm_advisory_id":null,"overview":"### Impact\n\npassing untrusted user input - even after sanitizing it - to `redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in serve-static 1.16.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. 
the user MUST click on the link in the template\n","reported_by":null,"title":"serve-static vulnerable to template injection that can lead to XSS","metadata":null,"cves":["CVE-2024-43800"],"access":"public","severity":"moderate","module_name":"serve-static","vulnerable_versions":"<1.16.0","github_advisory_id":"GHSA-cm22-4g7w-348p","recommendation":"Upgrade to version 1.16.0 or later","patched_versions":">=1.16.0","updated":"2024-09-10T19:42:34.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"cwe":["CWE-79"],"url":"https://github.com/advisories/GHSA-cm22-4g7w-348p"},"1099529":{"findings":[{"version":"4.19.2","paths":["express","@hmcts/rpx-xui-node-lib>express"]}],"found_by":null,"deleted":null,"references":"- https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43796\n- https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553\n- https://github.com/advisories/GHSA-qw6h-vgh9-j6wx","created":"2024-09-10T19:41:04.000Z","id":1099529,"npm_advisory_id":null,"overview":"### Impact\n\nIn express <4.20.0, passing untrusted user input - even after sanitizing it - to `response.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in express 4.20.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. 
the user MUST click on the link in the template\n","reported_by":null,"title":"express vulnerable to XSS via response.redirect()","metadata":null,"cves":["CVE-2024-43796"],"access":"public","severity":"moderate","module_name":"express","vulnerable_versions":"<4.20.0","github_advisory_id":"GHSA-qw6h-vgh9-j6wx","recommendation":"Upgrade to version 4.20.0 or later","patched_versions":">=4.20.0","updated":"2024-09-10T19:41:07.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"cwe":["CWE-79"],"url":"https://github.com/advisories/GHSA-qw6h-vgh9-j6wx"},"1099562":{"findings":[{"version":"0.1.7","paths":["express>path-to-regexp","@hmcts/rpx-xui-node-lib>express>path-to-regexp"]}],"found_by":null,"deleted":null,"references":"- https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j\n- https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f\n- https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45296\n- https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485\n- https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef\n- https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894\n- https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0\n- https://github.com/advisories/GHSA-9wv6-86v2-598j","created":"2024-09-09T20:19:15.000Z","id":1099562,"npm_advisory_id":null,"overview":"### Impact\n\nA bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b`.\n\n### Patches\n\nFor users of 0.1, upgrade to `0.1.10`. 
All other users should upgrade to `8.0.0`.\n\nThese versions add backtrack protection when a custom regex pattern is not provided:\n\n- [0.1.10](https://github.com/pillarjs/path-to-regexp/releases/tag/v0.1.10)\n- [1.9.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v1.9.0)\n- [3.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v3.3.0)\n- [6.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0)\n\nThey do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.\n\nVersion [7.1.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0) can enable `strict: true` and get an error when the regular expression might be bad.\n\nVersion [8.0.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0) removes the features that can cause a ReDoS.\n\n### Workarounds\n\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change `/:a-:b` to `/:a-:b([^-/]+)`.\n\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.\n\n### Details\n\nUsing `/:a-:b` will produce the regular expression `/^\\/([^\\/]+?)-([^\\/]+?)\\/?$/`. This can be exploited by a path such as `/a${'-a'.repeat(8_000)}/a`. 
[OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) has a good example of why this occurs, but the TL;DR is the `/a` at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the `:a-:b` on the repeated 8,000 `-a`.\n\nBecause JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.\n\n### References\n\n* [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n* [Detailed blog post](https://blakeembrey.com/posts/2024-09-web-redos/)","reported_by":null,"title":"path-to-regexp outputs backtracking regular expressions","metadata":null,"cves":["CVE-2024-45296"],"access":"public","severity":"high","module_name":"path-to-regexp","vulnerable_versions":"<0.1.10","github_advisory_id":"GHSA-9wv6-86v2-598j","recommendation":"Upgrade to version 0.1.10 or later","patched_versions":">=0.1.10","updated":"2024-09-12T17:09:43.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-9wv6-86v2-598j"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":36,"high":15,"critical":1},"dependencies":1001,"devDependencies":5,"optionalDependencies":0,"totalDependencies":1006}} +{"actions":[],"advisories":{"1085685":{"findings":[{"version":"1.1.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>os-locale>mem"]}],"found_by":null,"deleted":null,"references":"- https://github.com/sindresorhus/mem/commit/da4e4398cb27b602de3bd55f746efa9b4a31702b\n- 
https://bugzilla.redhat.com/show_bug.cgi?id=1623744\n- https://www.npmjs.com/advisories/1084\n- https://snyk.io/vuln/npm:mem:20180117\n- https://github.com/advisories/GHSA-4xcv-9jjx-gfj3","created":"2019-07-05T21:07:58.000Z","id":1085685,"npm_advisory_id":null,"overview":"Versions of `mem` prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its `maxAge` property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.\n\n\n## Recommendation\n\nUpgrade to version 4.0.0 or later.","reported_by":null,"title":"Denial of Service in mem","metadata":null,"cves":[],"access":"public","severity":"moderate","module_name":"mem","vulnerable_versions":"<4.0.0","github_advisory_id":"GHSA-4xcv-9jjx-gfj3","recommendation":"Upgrade to version 4.0.0 or later","patched_versions":">=4.0.0","updated":"2023-01-09T05:01:45.000Z","cvss":{"score":5.1,"vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},"cwe":["CWE-400"],"url":"https://github.com/advisories/GHSA-4xcv-9jjx-gfj3"},"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"found_by":null,"deleted":null,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","id":1088208,"npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. 
You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","reported_by":null,"title":"Improper Privilege Management in shelljs","metadata":null,"cves":[],"access":"public","severity":"moderate","module_name":"shelljs","vulnerable_versions":"<0.8.5","github_advisory_id":"GHSA-64g7-mvw6-v9qj","recommendation":"Upgrade to version 0.8.5 or later","patched_versions":">=0.8.5","updated":"2023-01-11T05:03:39.000Z","cvss":{"score":0,"vectorString":null},"cwe":["CWE-269"],"url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088811":{"findings":[{"version":"8.1.0","paths":["@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>yargs>yargs-parser"]}],"found_by":null,"deleted":null,"references":"- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381\n- https://www.npmjs.com/advisories/1500\n- https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2\n- https://nvd.nist.gov/vuln/detail/CVE-2020-7608\n- https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36\n- https://github.com/advisories/GHSA-p9pc-299p-vxgp","created":"2020-09-04T18:00:54.000Z","id":1088811,"npm_advisory_id":null,"overview":"Affected versions of `yargs-parser` are vulnerable to prototype pollution. 
Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.\n\n\n\n## Recommendation\n\nUpgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.","reported_by":null,"title":"yargs-parser Vulnerable to Prototype Pollution","metadata":null,"cves":["CVE-2020-7608"],"access":"public","severity":"moderate","module_name":"yargs-parser","vulnerable_versions":">=6.0.0 <13.1.2","github_advisory_id":"GHSA-p9pc-299p-vxgp","recommendation":"Upgrade to version 13.1.2 or later","patched_versions":">=13.1.2","updated":"2023-01-27T05:00:51.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},"cwe":["CWE-915","CWE-1321"],"url":"https://github.com/advisories/GHSA-p9pc-299p-vxgp"},"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","id":1088948,"npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","reported_by":null,"title":"Got allows a redirect to a UNIX 
socket","metadata":null,"cves":["CVE-2022-33987"],"access":"public","severity":"moderate","module_name":"got","vulnerable_versions":"<11.8.5","github_advisory_id":"GHSA-pfrx-2q88-qq97","recommendation":"Upgrade to version 11.8.5 or later","patched_versions":">=11.8.5","updated":"2023-01-27T05:05:01.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"cwe":[],"url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","id":1089270,"npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. 
This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","reported_by":null,"title":"ejs template injection vulnerability","metadata":null,"cves":["CVE-2022-29078"],"access":"public","severity":"critical","module_name":"ejs","vulnerable_versions":"<3.1.7","github_advisory_id":"GHSA-phwq-j96m-2c2q","recommendation":"Upgrade to version 3.1.7 or later","patched_versions":">=3.1.7","updated":"2023-01-30T05:02:57.000Z","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"cwe":["CWE-74"],"url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","id":1089698,"npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.","reported_by":null,"title":"Denial of Service in SheetJS Pro","metadata":null,"cves":["CVE-2021-32014"],"access":"public","severity":"moderate","module_name":"xlsx","vulnerable_versions":"<0.17.0","github_advisory_id":"GHSA-g973-978j-2c3p","recommendation":"Upgrade to version 0.17.0 or later","patched_versions":">=0.17.0","updated":"2023-02-01T05:05:54.000Z","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"cwe":["CWE-345","CWE-400"],"url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"found_by":null,"deleted":null,"references":"- 
https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","id":1089699,"npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","reported_by":null,"title":"Denial of Service in SheetJS Pro","metadata":null,"cves":["CVE-2021-32012"],"access":"public","severity":"moderate","module_name":"xlsx","vulnerable_versions":"<0.17.0","github_advisory_id":"GHSA-3x9f-74h4-2fqr","recommendation":"Upgrade to version 0.17.0 or later","patched_versions":">=0.17.0","updated":"2023-02-01T05:06:10.000Z","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"cwe":["CWE-400"],"url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","id":1089700,"npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2).","reported_by":null,"title":"Denial of Service in SheetsJS 
Pro","metadata":null,"cves":["CVE-2021-32013"],"access":"public","severity":"moderate","module_name":"xlsx","vulnerable_versions":"<0.17.0","github_advisory_id":"GHSA-8vcr-vxm8-293m","recommendation":"Upgrade to version 0.17.0 or later","patched_versions":">=0.17.0","updated":"2023-02-01T05:06:00.000Z","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"cwe":["CWE-400"],"url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","id":1093639,"npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. 
When a user logs in or logs out, the session is regenerated instead of being closed.","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","metadata":null,"cves":["CVE-2022-25896"],"access":"public","severity":"moderate","module_name":"passport","vulnerable_versions":"<0.6.0","github_advisory_id":"GHSA-v923-w3x8-wh69","recommendation":"Upgrade to version 0.6.0 or later","patched_versions":">=0.6.0","updated":"2023-09-11T16:22:18.000Z","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"cwe":["CWE-384"],"url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094599":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2986\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","id":1094599,"npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. 
Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","reported_by":null,"title":"Prototype Pollution in sheetJS","metadata":null,"cves":["CVE-2023-30533"],"access":"public","severity":"high","module_name":"xlsx","vulnerable_versions":"<0.19.3","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","recommendation":"Upgrade to version 0.19.3 or later","patched_versions":">=0.19.3","updated":"2023-11-06T05:04:13.000Z","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1095051":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"found_by":null,"deleted":null,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","id":1095051,"npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### 
Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","metadata":null,"cves":["CVE-2022-21680"],"access":"public","severity":"high","module_name":"marked","vulnerable_versions":"<4.0.10","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","recommendation":"Upgrade to version 4.0.10 or later","patched_versions":">=4.0.10","updated":"2023-11-29T20:51:52.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-400","CWE-1333"],"url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"},"1095052":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"found_by":null,"deleted":null,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","id":1095052,"npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression 
`inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","metadata":null,"cves":["CVE-2022-21681"],"access":"public","severity":"high","module_name":"marked","vulnerable_versions":"<4.0.10","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","recommendation":"Upgrade to version 4.0.10 or 
later","patched_versions":">=4.0.10","updated":"2023-11-29T20:51:17.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1095126":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","id":1095126,"npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege Management","reported_by":null,"title":"Improper Privilege Management in shelljs","metadata":null,"cves":["CVE-2022-0144"],"access":"public","severity":"high","module_name":"shelljs","vulnerable_versions":"<0.8.5","github_advisory_id":"GHSA-4rq4-32rv-6wp6","recommendation":"Upgrade to version 0.8.5 or later","patched_versions":">=0.8.5","updated":"2023-11-29T22:21:11.000Z","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"cwe":["CWE-269"],"url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1095531":{"findings":[{"version":"6.2.1","paths":["log4js"]}],"found_by":null,"deleted":null,"references":"- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q\n- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76\n- https://github.com/log4js-node/streamroller/pull/87\n- https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21704\n- https://lists.debian.org/debian-lts-announce/2022/12/msg00014.html\n- https://github.com/advisories/GHSA-82v2-mx6x-wq7q","created":"2022-01-21T18:53:27.000Z","id":1095531,"npm_advisory_id":null,"overview":"### Impact\r\nDefault file 
permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.\r\n\r\n### Patches\r\nFixed by:\r\n* https://github.com/log4js-node/log4js-node/pull/1141\r\n* https://github.com/log4js-node/streamroller/pull/87\r\n\r\nReleased to NPM in log4js@6.4.0\r\n\r\n### Workarounds\r\nEvery version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.\r\n\r\n### References\r\n\r\nThanks to [ranjit-git](https://www.huntr.dev/users/ranjit-git) for raising the issue, and to @lamweili for fixing the problem.\r\n\r\n### For more information\r\nIf you have any questions or comments about this advisory:\r\n* Open an issue in [logj4s-node](https://github.com/log4js-node/log4js-node)\r\n* Ask a question in the [slack channel](https://join.slack.com/t/log4js-node/shared_invite/enQtODkzMDQ3MzExMDczLWUzZmY0MmI0YWI1ZjFhODY0YjI0YmU1N2U5ZTRkOTYyYzg3MjY5NWI4M2FjZThjYjdiOGM0NjU2NzBmYTJjOGI)\r\n* Email us at [gareth.nomiddlename@gmail.com](mailto:gareth.nomiddlename@gmail.com)\r\n","reported_by":null,"title":"Incorrect Default Permissions in log4js","metadata":null,"cves":["CVE-2022-21704"],"access":"public","severity":"moderate","module_name":"log4js","vulnerable_versions":"<6.4.0","github_advisory_id":"GHSA-82v2-mx6x-wq7q","recommendation":"Upgrade to version 6.4.0 or later","patched_versions":">=6.4.0","updated":"2024-01-24T08:54:14.000Z","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},"cwe":["CWE-276"],"url":"https://github.com/advisories/GHSA-82v2-mx6x-wq7q"},"1096832":{"findings":[{"version":"1.28.2","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"found_by":null,"deleted":null,"references":"- 
https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q\n- https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314\n- https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28176\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG\n- https://github.com/advisories/GHSA-hhhv-q57g-882q","created":"2024-03-07T17:40:57.000Z","id":1096832,"npm_advisory_id":null,"overview":"A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the [support for decompressing plaintext after its decryption](https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.3). This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective.\n\nNote that as per [RFC 8725](https://www.rfc-editor.org/rfc/rfc8725.html#name-avoid-compression-of-encryp) compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. 
For this reason the v5.x major version of `jose` removed support for compressed payloads entirely and is therefore NOT affected by this advisory.\n\n### Impact\n\nUnder certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations.\n\n### Affected users\n\nThe impact is limited only to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.\n\nYou are NOT affected if any of the following applies to you\n\n- Your code uses jose version v5.x where JWE Compression is not supported anymore\n- Your code runs in an environment other than Node.js (e.g. Deno, CF Workers), which is the only runtime where JWE Compression is implemented out of the box\n- Your code does not use the JWE decryption APIs\n- Your code only accepts JWEs produced by trusted sources\n\n### Patches\n\n`v2.0.7` and `v4.15.5` releases limit the decompression routine to only allow decompressing up to 250 kB of plaintext. In v4.x it is possible to further adjust this limit via the `inflateRaw` decryption option implementation. 
In v2.x it is possible to further adjust this limit via the `inflateRawSyncLimit` decryption option.\n\n### Workarounds\n\nIf you cannot upgrade and do not want to support compressed JWEs you may detect and reject these tokens early by checking the token's protected header\n\n```js\nconst { zip } = jose.decodeProtectedHeader(token)\nif (zip !== undefined) {\n throw new Error('JWE Compression is not supported')\n}\n```\n\nIf you wish to continue supporting JWEs with compressed payloads in these legacy release lines you must upgrade (v1.x and v2.x to version v2.0.7, v3.x and v4.x to version v4.15.5) and review the limits put forth by the patched releases.\n\n### For more information\nIf you have any questions or comments about this advisory please open a discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-hhhv-q57g-882q%20advisory%20question)","reported_by":null,"title":"jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext","metadata":null,"cves":["CVE-2024-28176"],"access":"public","severity":"moderate","module_name":"jose","vulnerable_versions":"<2.0.7","github_advisory_id":"GHSA-hhhv-q57g-882q","recommendation":"Upgrade to version 2.0.7 or later","patched_versions":">=2.0.7","updated":"2024-03-30T06:30:42.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"cwe":["CWE-400"],"url":"https://github.com/advisories/GHSA-hhhv-q57g-882q"},"1096911":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-22363\n- https://cdn.sheetjs.com/advisories/CVE-2024-22363\n- https://cwe.mitre.org/data/definitions/1333.html\n- https://git.sheetjs.com/sheetjs/sheetjs/src/tag/v0.20.2\n- https://github.com/advisories/GHSA-5pgg-2g8v-p4x9","created":"2024-04-05T06:30:46.000Z","id":1096911,"npm_advisory_id":null,"overview":"SheetJS Community Edition before 0.20.2 is 
vulnerable.to Regular Expression Denial of Service (ReDoS).","reported_by":null,"title":"SheetJS Regular Expression Denial of Service (ReDoS)","metadata":null,"cves":["CVE-2024-22363"],"access":"public","severity":"high","module_name":"xlsx","vulnerable_versions":"<0.20.2","github_advisory_id":"GHSA-5pgg-2g8v-p4x9","recommendation":"Upgrade to version 0.20.2 or later","patched_versions":">=0.20.2","updated":"2024-04-08T13:47:06.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-5pgg-2g8v-p4x9"},"1097504":{"findings":[{"version":"2.5.207","paths":["pdfjs-dist","@hmcts/media-viewer>pdfjs-dist"]}],"found_by":null,"deleted":null,"references":"- https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq\n- https://github.com/mozilla/pdf.js/pull/18015\n- https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6\n- https://bugzilla.mozilla.org/show_bug.cgi?id=1893645\n- https://nvd.nist.gov/vuln/detail/CVE-2024-4367\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html\n- https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html\n- https://www.mozilla.org/security/advisories/mfsa2024-21\n- https://www.mozilla.org/security/advisories/mfsa2024-22\n- https://www.mozilla.org/security/advisories/mfsa2024-23\n- https://github.com/advisories/GHSA-wgrm-67xf-hhpq","created":"2024-05-07T10:25:08.000Z","id":1097504,"npm_advisory_id":null,"overview":"### Impact\nIf pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.\n\n### Patches\nThe patch removes the use of `eval`:\nhttps://github.com/mozilla/pdf.js/pull/18015\n\n### Workarounds\nSet the option `isEvalSupported` to `false`. 
\n\n### References\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1893645","reported_by":null,"title":"PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF","metadata":null,"cves":["CVE-2024-4367"],"access":"public","severity":"high","module_name":"pdfjs-dist","vulnerable_versions":"<=4.1.392","github_advisory_id":"GHSA-wgrm-67xf-hhpq","recommendation":"Upgrade to version 4.2.67 or later","patched_versions":">=4.2.67","updated":"2024-06-10T20:18:19.000Z","cvss":{"score":0,"vectorString":null},"cwe":[],"url":"https://github.com/advisories/GHSA-wgrm-67xf-hhpq"},"1097679":{"findings":[{"version":"0.26.1","paths":["axios","@hmcts/rpx-xui-node-lib>axios"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-45857\n- https://github.com/axios/axios/issues/6006\n- https://github.com/axios/axios/issues/6022\n- https://github.com/axios/axios/pull/6028\n- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0\n- https://github.com/axios/axios/releases/tag/v1.6.0\n- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459\n- https://github.com/axios/axios/pull/6091\n- https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967\n- https://github.com/axios/axios/releases/tag/v0.28.0\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-wf5p-g6vw-rhxx","created":"2023-11-08T21:30:37.000Z","id":1097679,"npm_advisory_id":null,"overview":"An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.","reported_by":null,"title":"Axios Cross-Site Request Forgery Vulnerability","metadata":null,"cves":["CVE-2023-45857"],"access":"public","severity":"moderate","module_name":"axios","vulnerable_versions":">=0.8.1 
<0.28.0","github_advisory_id":"GHSA-wf5p-g6vw-rhxx","recommendation":"Upgrade to version 0.28.0 or later","patched_versions":">=0.28.0","updated":"2024-06-21T21:33:58.000Z","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},"cwe":["CWE-352"],"url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"},"1097682":{"findings":[{"version":"2.5.0","paths":["rx-polling-hmcts>jest-environment-jsdom>jsdom>tough-cookie"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","id":1097682,"npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","metadata":null,"cves":["CVE-2023-26136"],"access":"public","severity":"moderate","module_name":"tough-cookie","vulnerable_versions":"<4.1.3","github_advisory_id":"GHSA-72xf-g2v4-qvf3","recommendation":"Upgrade to version 4.1.3 or later","patched_versions":">=4.1.3","updated":"2024-06-21T21:33:53.000Z","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1097684":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"found_by":null,"deleted":null,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23540\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-qwph-4952-7xr6","created":"2022-12-22T03:32:59.000Z","id":1097684,"npm_advisory_id":null,"overview":"# Overview\n\nIn versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification.\n\n# Am I affected?\nYou will be affected if all the following are true in the `jwt.verify()` function:\n- a token with no signature is received\n- no algorithms are specified \n- a falsy (e.g. null, false, undefined) secret or key is passed \n\n# How do I fix it?\n \nUpdate to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. \n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. 
If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n","reported_by":null,"title":"jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()","metadata":null,"cves":["CVE-2022-23540"],"access":"public","severity":"moderate","module_name":"jsonwebtoken","vulnerable_versions":"<9.0.0","github_advisory_id":"GHSA-qwph-4952-7xr6","recommendation":"Upgrade to version 9.0.0 or later","patched_versions":">=9.0.0","updated":"2024-06-21T21:34:57.000Z","cvss":{"score":6.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L"},"cwe":["CWE-287","CWE-327","CWE-347"],"url":"https://github.com/advisories/GHSA-qwph-4952-7xr6"},"1097690":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"found_by":null,"deleted":null,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23539\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-8cf7-32gw-wr33","created":"2022-12-22T03:32:22.000Z","id":1097690,"npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. 
\n\n# Am I affected?\n\nYou are affected if you are using an algorithm and a key type other than the combinations mentioned below\n\n| Key type | algorithm |\n|----------|------------------------------------------|\n| ec | ES256, ES384, ES512 |\n| rsa | RS256, RS384, RS512, PS256, PS384, PS512 |\n| rsa-pss | PS256, PS384, PS512 |\n\nAnd for Elliptic Curve algorithms:\n\n| `alg` | Curve |\n|-------|------------|\n| ES256 | prime256v1 |\n| ES384 | secp384r1 |\n| ES512 | secp521r1 |\n\n# How do I fix it?\n\nUpdate to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, If you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.\n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you already use a valid secure combination of key type and algorithm. Otherwise, use the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and `verify()` functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility. 
\n\n","reported_by":null,"title":"jsonwebtoken unrestricted key type could lead to legacy keys usage ","metadata":null,"cves":["CVE-2022-23539"],"access":"public","severity":"high","module_name":"jsonwebtoken","vulnerable_versions":"<=8.5.1","github_advisory_id":"GHSA-8cf7-32gw-wr33","recommendation":"Upgrade to version 9.0.0 or later","patched_versions":">=9.0.0","updated":"2024-06-24T21:23:39.000Z","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},"cwe":["CWE-327"],"url":"https://github.com/advisories/GHSA-8cf7-32gw-wr33"},"1097694":{"findings":[{"version":"8.5.1","paths":["jsonwebtoken"]}],"found_by":null,"deleted":null,"references":"- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959\n- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-23541\n- https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0\n- https://security.netapp.com/advisory/ntap-20240621-0007\n- https://github.com/advisories/GHSA-hjrf-2m68-5959","created":"2022-12-22T03:33:19.000Z","id":1097694,"npm_advisory_id":null,"overview":"# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the `secretOrPublicKey` argument from the [readme link](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback)) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. 
\n\n# Am I affected?\n\nYou will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. \n\n# How do I fix it?\n \nUpdate to version 9.0.0.\n\n# Will the fix impact my users?\n\nThere is no impact for end users","reported_by":null,"title":"jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC","metadata":null,"cves":["CVE-2022-23541"],"access":"public","severity":"moderate","module_name":"jsonwebtoken","vulnerable_versions":"<=8.5.1","github_advisory_id":"GHSA-hjrf-2m68-5959","recommendation":"Upgrade to version 9.0.0 or later","patched_versions":">=9.0.0","updated":"2024-06-24T21:24:07.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},"cwe":["CWE-287","CWE-1259"],"url":"https://github.com/advisories/GHSA-hjrf-2m68-5959"},"1098366":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-33883\n- https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5\n- https://github.com/mde/ejs/compare/v3.1.9...v3.1.10\n- https://security.netapp.com/advisory/ntap-20240605-0003\n- https://github.com/advisories/GHSA-ghr5-ch3p-vcr6","created":"2024-04-28T18:30:31.000Z","id":1098366,"npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.","reported_by":null,"title":"ejs lacks certain pollution protection","metadata":null,"cves":["CVE-2024-33883"],"access":"public","severity":"moderate","module_name":"ejs","vulnerable_versions":"<3.1.10","github_advisory_id":"GHSA-ghr5-ch3p-vcr6","recommendation":"Upgrade to version 3.1.10 or 
later","patched_versions":">=3.1.10","updated":"2024-08-02T15:45:54.000Z","cvss":{"score":4,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"cwe":["CWE-693","CWE-1321"],"url":"https://github.com/advisories/GHSA-ghr5-ch3p-vcr6"},"1098393":{"findings":[{"version":"7.4.6","paths":["puppeteer>ws","@hmcts/media-viewer>socket.io-client>engine.io-client>ws"]}],"found_by":null,"deleted":null,"references":"- https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n- https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f\n- https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e\n- https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c\n- https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63\n- https://github.com/advisories/GHSA-3h5v-q93c-6h6q","created":"2024-06-17T19:09:10.000Z","id":1098393,"npm_advisory_id":null,"overview":"### Impact\n\nA request with a number of headers exceeding the[`server.maxHeadersCount`][] threshold could be used to crash a ws server.\n\n### Proof of concept\n\n```js\nconst http = require('http');\nconst WebSocket = require('ws');\n\nconst wss = new WebSocket.Server({ port: 0 }, function () {\n const chars = \"!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~\".split('');\n const headers = {};\n let count = 0;\n\n for (let i = 0; i < chars.length; i++) {\n if (count === 2000) break;\n\n for (let j = 0; j < chars.length; j++) {\n const key = chars[i] + chars[j];\n headers[key] = 'x';\n\n if (++count === 2000) break;\n }\n }\n\n headers.Connection = 'Upgrade';\n headers.Upgrade = 'websocket';\n headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';\n headers['Sec-WebSocket-Version'] = '13';\n\n const request = http.request({\n headers: headers,\n host: '127.0.0.1',\n port: wss.address().port\n });\n\n 
request.end();\n});\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated in the following ways:\n\n1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options so that no more headers than the `server.maxHeadersCount` limit can be sent.\n2. Set `server.maxHeadersCount` to `0` so that no limit is applied.\n\n### Credits\n\nThe vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in https://github.com/websockets/ws/issues/2230.\n\n### References\n\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n\n[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize\n[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener\n[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount\n","reported_by":null,"title":"ws affected by a DoS when handling a request with many HTTP headers","metadata":null,"cves":["CVE-2024-37890"],"access":"public","severity":"high","module_name":"ws","vulnerable_versions":">=7.0.0 <7.5.10","github_advisory_id":"GHSA-3h5v-q93c-6h6q","recommendation":"Upgrade to version 7.5.10 or 
later","patched_versions":">=7.5.10","updated":"2024-08-05T05:02:34.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-476"],"url":"https://github.com/advisories/GHSA-3h5v-q93c-6h6q"},"1098681":{"findings":[{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch","rx-polling-hmcts>jest-environment-jsdom>@jest/fake-timers>jest-message-util>micromatch","rx-polling-hmcts>jest-environment-jsdom>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- 
https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","id":1098681,"npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","metadata":null,"cves":["CVE-2024-4067"],"access":"public","severity":"moderate","module_name":"micromatch","vulnerable_versions":"<4.0.8","github_advisory_id":"GHSA-952p-6rrq-rcjv","recommendation":"Upgrade to version 4.0.8 or later","patched_versions":">=4.0.8","updated":"2024-08-28T13:12:27.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"},"1099520":{"findings":[{"version":"1.20.2","paths":["body-parser","express>body-parser","@hmcts/rpx-xui-node-lib>express>body-parser"]}],"found_by":null,"deleted":null,"references":"- https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7\n- https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45590\n- https://github.com/advisories/GHSA-qwcr-r2fm-qrc7","created":"2024-09-10T15:52:39.000Z","id":1099520,"npm_advisory_id":null,"overview":"### Impact\n\nbody-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. 
A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.\n\n### Patches\n\nthis issue is patched in 1.20.3\n\n### References\n","reported_by":null,"title":"body-parser vulnerable to denial of service when url encoding is enabled","metadata":null,"cves":["CVE-2024-45590"],"access":"public","severity":"high","module_name":"body-parser","vulnerable_versions":"<1.20.3","github_advisory_id":"GHSA-qwcr-r2fm-qrc7","recommendation":"Upgrade to version 1.20.3 or later","patched_versions":">=1.20.3","updated":"2024-09-10T19:01:11.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-405"],"url":"https://github.com/advisories/GHSA-qwcr-r2fm-qrc7"},"1099525":{"findings":[{"version":"0.18.0","paths":["express>send","@hmcts/rpx-xui-node-lib>express>send","@hmcts/rpx-xui-node-lib>express>serve-static>send"]}],"found_by":null,"deleted":null,"references":"- https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43799\n- https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35\n- https://github.com/advisories/GHSA-m6fv-jmcg-4jfg","created":"2024-09-10T19:42:41.000Z","id":1099525,"npm_advisory_id":null,"overview":"### Impact\n\npassing untrusted user input - even after sanitizing it - to `SendStream.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in send 0.19.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. 
the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template\n","reported_by":null,"title":"send vulnerable to template injection that can lead to XSS","metadata":null,"cves":["CVE-2024-43799"],"access":"public","severity":"moderate","module_name":"send","vulnerable_versions":"<0.19.0","github_advisory_id":"GHSA-m6fv-jmcg-4jfg","recommendation":"Upgrade to version 0.19.0 or later","patched_versions":">=0.19.0","updated":"2024-09-10T19:42:42.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"cwe":["CWE-79"],"url":"https://github.com/advisories/GHSA-m6fv-jmcg-4jfg"},"1099527":{"findings":[{"version":"1.15.0","paths":["express>serve-static","@hmcts/rpx-xui-node-lib>express>serve-static"]}],"found_by":null,"deleted":null,"references":"- https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43800\n- https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b\n- https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa\n- https://github.com/advisories/GHSA-cm22-4g7w-348p","created":"2024-09-10T19:42:33.000Z","id":1099527,"npm_advisory_id":null,"overview":"### Impact\n\npassing untrusted user input - even after sanitizing it - to `redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in serve-static 1.16.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. 
the user MUST click on the link in the template\n","reported_by":null,"title":"serve-static vulnerable to template injection that can lead to XSS","metadata":null,"cves":["CVE-2024-43800"],"access":"public","severity":"moderate","module_name":"serve-static","vulnerable_versions":"<1.16.0","github_advisory_id":"GHSA-cm22-4g7w-348p","recommendation":"Upgrade to version 1.16.0 or later","patched_versions":">=1.16.0","updated":"2024-09-10T19:42:34.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"cwe":["CWE-79"],"url":"https://github.com/advisories/GHSA-cm22-4g7w-348p"},"1099529":{"findings":[{"version":"4.19.2","paths":["express","@hmcts/rpx-xui-node-lib>express"]}],"found_by":null,"deleted":null,"references":"- https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43796\n- https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553\n- https://github.com/advisories/GHSA-qw6h-vgh9-j6wx","created":"2024-09-10T19:41:04.000Z","id":1099529,"npm_advisory_id":null,"overview":"### Impact\n\nIn express <4.20.0, passing untrusted user input - even after sanitizing it - to `response.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in express 4.20.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. 
the user MUST click on the link in the template\n","reported_by":null,"title":"express vulnerable to XSS via response.redirect()","metadata":null,"cves":["CVE-2024-43796"],"access":"public","severity":"moderate","module_name":"express","vulnerable_versions":"<4.20.0","github_advisory_id":"GHSA-qw6h-vgh9-j6wx","recommendation":"Upgrade to version 4.20.0 or later","patched_versions":">=4.20.0","updated":"2024-09-10T19:41:07.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"cwe":["CWE-79"],"url":"https://github.com/advisories/GHSA-qw6h-vgh9-j6wx"},"1099562":{"findings":[{"version":"0.1.7","paths":["express>path-to-regexp","@hmcts/rpx-xui-node-lib>express>path-to-regexp"]}],"found_by":null,"deleted":null,"references":"- https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j\n- https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f\n- https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45296\n- https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485\n- https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef\n- https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894\n- https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0\n- https://github.com/advisories/GHSA-9wv6-86v2-598j","created":"2024-09-09T20:19:15.000Z","id":1099562,"npm_advisory_id":null,"overview":"### Impact\n\nA bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b`.\n\n### Patches\n\nFor users of 0.1, upgrade to `0.1.10`. 
All other users should upgrade to `8.0.0`.\n\nThese versions add backtrack protection when a custom regex pattern is not provided:\n\n- [0.1.10](https://github.com/pillarjs/path-to-regexp/releases/tag/v0.1.10)\n- [1.9.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v1.9.0)\n- [3.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v3.3.0)\n- [6.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0)\n\nThey do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.\n\nVersion [7.1.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0) can enable `strict: true` and get an error when the regular expression might be bad.\n\nVersion [8.0.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0) removes the features that can cause a ReDoS.\n\n### Workarounds\n\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change `/:a-:b` to `/:a-:b([^-/]+)`.\n\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.\n\n### Details\n\nUsing `/:a-:b` will produce the regular expression `/^\\/([^\\/]+?)-([^\\/]+?)\\/?$/`. This can be exploited by a path such as `/a${'-a'.repeat(8_000)}/a`. 
[OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) has a good example of why this occurs, but the TL;DR is the `/a` at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the `:a-:b` on the repeated 8,000 `-a`.\n\nBecause JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.\n\n### References\n\n* [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n* [Detailed blog post](https://blakeembrey.com/posts/2024-09-web-redos/)","reported_by":null,"title":"path-to-regexp outputs backtracking regular expressions","metadata":null,"cves":["CVE-2024-45296"],"access":"public","severity":"high","module_name":"path-to-regexp","vulnerable_versions":"<0.1.10","github_advisory_id":"GHSA-9wv6-86v2-598j","recommendation":"Upgrade to version 0.1.10 or later","patched_versions":">=0.1.10","updated":"2024-09-12T17:09:43.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-9wv6-86v2-598j"},"1099846":{"findings":[{"version":"0.4.2","paths":["express-session>cookie","@hmcts/rpx-xui-node-lib>csurf>cookie"]}],"found_by":null,"deleted":null,"references":"- https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x\n- https://github.com/jshttp/cookie/pull/167\n- https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c\n- https://github.com/advisories/GHSA-pxg6-pf52-xh8x","created":"2024-10-04T20:31:00.000Z","id":1099846,"npm_advisory_id":null,"overview":"### Impact\n\nThe cookie 
name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize(\"userName=; Max-Age=2592000; a\", value)` would result in `\"userName=; Max-Age=2592000; a=test\"`, setting `userName` cookie to `