From debc003d5eb30781b5f2dd1eb75a1c3c09493f4c Mon Sep 17 00:00:00 2001 From: Ben Polinsky Date: Mon, 8 Jul 2024 09:44:27 -0400 Subject: [PATCH] mitigate ws and braces vulnerabilities --- common/config/rush/pnpm-config.json | 7 ++ common/config/rush/pnpm-lock.yaml | 105 +++++------------- .../apps/desktop-viewer-test/package.json | 3 +- packages/apps/web-viewer-test/package.json | 3 +- rush.json | 3 - 5 files changed, 38 insertions(+), 83 deletions(-) create mode 100644 common/config/rush/pnpm-config.json diff --git a/common/config/rush/pnpm-config.json b/common/config/rush/pnpm-config.json new file mode 100644 index 00000000..d342f8a4 --- /dev/null +++ b/common/config/rush/pnpm-config.json @@ -0,0 +1,7 @@ +{ + "$schema": "https://developer.microsoft.com/json-schemas/rush/v5/pnpm-config.schema.json", + "useWorkspaces": true, + "globalOverrides": { + "braces": "^3.0.3" + } +} \ No newline at end of file diff --git a/common/config/rush/pnpm-lock.yaml b/common/config/rush/pnpm-lock.yaml index c7d5d954..68df5d5c 100644 --- a/common/config/rush/pnpm-lock.yaml +++ b/common/config/rush/pnpm-lock.yaml @@ -1,5 +1,8 @@ lockfileVersion: 5.4 +overrides: + braces: ^3.0.3 + importers: .: @@ -54,6 +57,7 @@ importers: '@types/node': ^18.17.1 '@types/react': ^18.2.18 '@types/react-dom': ^18.2.7 + braces: ^3.0.3 cpx2: 4.2.0 cross-env: ^5.2.1 dotenv-flow: ^3.2.0 @@ -71,6 +75,7 @@ importers: sass: ^1.64.2 typescript: ~5.0.4 webpack: ^5.1.2 + ws: ^7.5.10 dependencies: '@bentley/icons-generic-webfont': 1.0.34 '@itwin/appui-abstract': 4.4.4_@itwin+core-bentley@4.4.4 @@ -129,6 +134,7 @@ importers: '@types/node': 18.19.21 '@types/react': 18.2.62 '@types/react-dom': 18.2.19 + braces: 3.0.3 cpx2: 4.2.0 cross-env: 5.2.1 electron-devtools-installer: 2.2.4 @@ -137,6 +143,7 @@ importers: sass: 1.71.1 typescript: 5.0.4 webpack: 5.90.3 + ws: 7.5.10 ../../packages/apps/web-viewer-test: specifiers: 
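Review bot: The `"braces": "^3.0.3"` entry in the new `globalOverrides` of common/config/rush/pnpm-config.json moves every consumer onto braces 3.x, and the lockfile hunk at `@@ -12694,7 +12672,7 @@` shows at least one dependent jumping from `braces: 2.3.2` to `braces: 3.0.3`, a major-version change its own range presumably did not permit (the dependent's name is outside that hunk). That package should be confirmed to still build and run with the 3.x API before this is merged; if it does not, the override needs narrowing with a version-qualified selector rather than a bare package name. If Rush reads this file as JSON-with-comments like rush.json, a one-line comment above the entry naming the advisory being mitigated, e.g. `// forces a patched braces; remove once no dependency pulls in <3.0.3`, would tell a future maintainer when the override can be dropped. The new file also ends without a trailing newline (`\ No newline at end of file`).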
@@ -184,6 +191,7 @@ importers: react-router-dom: ^6.14.2 redux: ^4.2.1 typescript: ~5.0.4 + ws: ^8.17.1 dependencies: '@bentley/icons-generic': 1.0.34 '@itwin/appui-abstract': 4.4.4_@itwin+core-bentley@4.4.4 @@ -230,6 +238,7 @@ importers: '@types/react': 18.2.62 '@types/react-dom': 18.2.19 typescript: 5.0.4 + ws: 8.18.0 ../../packages/modules/desktop-viewer-react: specifiers: @@ -2967,7 +2976,7 @@ packages: reflect-metadata: 0.1.14 semver: 7.6.0 touch: 3.1.0 - ws: 7.5.9 + ws: 7.5.10 transitivePeerDependencies: - bufferutil - debug @@ -5940,11 +5949,6 @@ packages: engines: {node: '>=0.10.0'} dev: true - /arr-flatten/1.1.0: - resolution: {integrity: sha512-L3hKV5R/p5o81R7O02IGnwpDmkp6E982XhtbuwSe3O4qOtMMMtodicASA1Cny2U+aCXcNpml+m4dPsvsJ3jatg==} - engines: {node: '>=0.10.0'} - dev: true - /arr-union/3.1.0: resolution: {integrity: sha512-sKpyeERZ02v1FeCZT8lrfJq5u6goHCtpTAzPwJYe7c8SPFOboNjNg1vz2L4VTn9T4PQxEx13TbXLmYUcS6Ug7Q==} engines: {node: '>=0.10.0'} @@ -6511,27 +6515,11 @@ packages: balanced-match: 1.0.2 dev: true - /braces/2.3.2: - resolution: {integrity: sha512-aNdbnj9P8PjdXU4ybaWLK2IF3jc/EoDYbC7AazW6to3TRsfXxscC9UXOB5iDiEQrkyIbWp2SLQda4+QAa7nc3w==} - engines: {node: '>=0.10.0'} - dependencies: - arr-flatten: 1.1.0 - array-unique: 0.3.2 - extend-shallow: 2.0.1 - fill-range: 4.0.0 - isobject: 3.0.1 - repeat-element: 1.1.4 - snapdragon: 0.8.2 - snapdragon-node: 2.1.1 - split-string: 3.1.0 - to-regex: 3.0.2 - dev: true - - /braces/3.0.2: - resolution: {integrity: sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==} + /braces/3.0.3: + resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==} engines: {node: '>=8'} dependencies: - fill-range: 7.0.1 + fill-range: 7.1.1 dev: true /browser-process-hrtime/1.0.0: 
@@ -6768,7 +6756,7 @@ packages: engines: {node: '>= 8.10.0'} dependencies: anymatch: 3.1.3 - braces: 3.0.2 + braces: 3.0.3 glob-parent: 5.1.2 is-binary-path: 2.1.0 is-glob: 4.0.3 @@ -6783,7 +6771,7 @@ packages: engines: {node: '>= 8.10.0'} dependencies: anymatch: 3.1.3 - braces: 3.0.2 + braces: 3.0.3 glob-parent: 5.1.2 is-binary-path: 2.1.0 is-glob: 4.0.3 @@ -9214,7 +9202,7 @@ packages: express: ^4.0.0 || ^5.0.0-alpha.1 dependencies: express: 4.19.2 - ws: 7.5.9 + ws: 7.5.10 transitivePeerDependencies: - bufferutil - utf-8-validate @@ -9414,18 +9402,8 @@ packages: engines: {node: '>= 0.4.0'} dev: true - /fill-range/4.0.0: - resolution: {integrity: sha512-VcpLTWqWDiTerugjj8e3+esbg+skS3M9e54UuR3iCeIDMXCLTsAH8hTSzDQU/X6/6t3eYkOKoZSef2PlU6U1XQ==} - engines: {node: '>=0.10.0'} - dependencies: - extend-shallow: 2.0.1 - is-number: 3.0.0 - repeat-string: 1.6.1 - to-regex-range: 2.1.1 - dev: true - - /fill-range/7.0.1: - resolution: {integrity: sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==} + /fill-range/7.1.1: + resolution: {integrity: sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==} engines: {node: '>=8'} dependencies: to-regex-range: 5.0.1 @@ -12021,7 +11999,7 @@ packages: whatwg-encoding: 1.0.5 whatwg-mimetype: 2.3.0 whatwg-url: 8.7.0 - ws: 7.5.9 + ws: 7.5.10 xml-name-validator: 3.0.0 transitivePeerDependencies: - bufferutil @@ -12062,7 +12040,7 @@ packages: whatwg-encoding: 2.0.0 whatwg-mimetype: 3.0.0 whatwg-url: 11.0.0 - ws: 8.16.0 + ws: 8.18.0 xml-name-validator: 4.0.0 transitivePeerDependencies: - bufferutil @@ -12694,7 +12672,7 @@ packages: dependencies: arr-diff: 4.0.0 array-unique: 0.3.2 - braces: 2.3.2 + braces: 3.0.3 define-property: 1.0.0 extend-shallow: 2.0.1 extglob: 2.0.4 
@@ -12711,7 +12689,7 @@ packages: resolution: {integrity: sha512-DMy+ERcEW2q8Z2Po+WNXuw3c5YaUSFjAO5GsJqfEl7UjvtIuFKO6ZrKvcItdy98dwFI2N1tg3zNIdKaQT+aNdA==} engines: {node: '>=8.6'} dependencies: - braces: 3.0.2 + braces: 3.0.3 picomatch: 2.3.1 dev: true @@ -15154,11 +15132,6 @@ packages: strip-ansi: 6.0.1 dev: true - /repeat-element/1.1.4: - resolution: {integrity: sha512-LFiNfRcSu7KK3evMyYOuCzv3L10TW7yC1G2/+StMjK8Y6Vqd2MG7r/Qjw4ghtuCOjFvlnms/iMmLqpvW/ES/WQ==} - engines: {node: '>=0.10.0'} - dev: true - /repeat-string/1.6.1: resolution: {integrity: sha512-PV0dzCYDNfRi1jCDbJzpW7jNNDRuCOG/jI5ctQcGKt/clZD+YcPS3yIlWuTJMmESC8aevCFmWJy5wjAFgNqN6w==} engines: {node: '>=0.10'} @@ -15794,22 +15767,6 @@ packages: is-fullwidth-code-point: 3.0.0 dev: true - /snapdragon-node/2.1.1: - resolution: {integrity: sha512-O27l4xaMYt/RSQ5TR3vpWCAB5Kb/czIcqUFOM/C4fYcLnbZUc1PkjTAMjof2pBWaSTwOUd6qUHcFGVGj7aIwnw==} - engines: {node: '>=0.10.0'} - dependencies: - define-property: 1.0.0 - isobject: 3.0.1 - snapdragon-util: 3.0.1 - dev: true - - /snapdragon-util/3.0.1: - resolution: {integrity: sha512-mbKkMdQKsjX4BAL4bRYTj21edOf8cN7XHdYUJEe+Zn99hVEYcMvKPct1IqNe7+AZPirn8BCDOQBHQZknqmKlZQ==} - engines: {node: '>=0.10.0'} - dependencies: - kind-of: 3.2.2 - dev: true - /snapdragon/0.8.2: resolution: {integrity: sha512-FtyOnWN/wCHTVXOMwvSv26d+ko5vWlIDD6zoUJ7LW8vh+ZBC8QdljveRP+crNrtBwioEUWy/4dMtbBjA4ioNlg==} engines: {node: '>=0.10.0'} @@ -16711,14 +16668,6 @@ packages: kind-of: 3.2.2 dev: true - /to-regex-range/2.1.1: - resolution: {integrity: sha512-ZZWNfCjUokXXDGXFpZehJIkZqq91BcULFq/Pi7M5i4JnxXdhMKAK682z8bCW3o8Hj1wuuzoKcW3DfVzaP6VuNg==} - engines: {node: '>=0.10.0'} - dependencies: - is-number: 3.0.0 - repeat-string: 1.6.1 - dev: true - /to-regex-range/5.0.1: resolution: {integrity: sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==} engines: {node: '>=8.0'} 
@@ -17474,7 +17423,7 @@ packages: spdy: 4.0.2 webpack: 5.90.3 webpack-dev-middleware: 5.3.4_webpack@5.90.3 - ws: 8.16.0 + ws: 8.18.0 transitivePeerDependencies: - bufferutil - debug @@ -17933,8 +17882,8 @@ packages: signal-exit: 3.0.7 dev: true - /ws/7.5.9: - resolution: {integrity: sha512-F+P9Jil7UiSKSkppIiD94dN07AwvFixvLIj1Og1Rl9GGMuNipJnV9JzjD6XuqmAeiswGvUmNLjr5cFuXwNS77Q==} + /ws/7.5.10: + resolution: {integrity: sha512-+dbF1tHwZpXcbOJdVOkzLDxZP1ailvSxM6ZweXTegylPny803bFhA+vqBYw4s31NSAk4S2Qz+AKXK9a4wkdjcQ==} engines: {node: '>=8.3.0'} peerDependencies: bufferutil: ^4.0.1 @@ -17945,8 +17894,8 @@ packages: utf-8-validate: optional: true - /ws/8.16.0: - resolution: {integrity: sha512-HS0c//TP7Ina87TfiPUz1rQzMhHrl/SG2guqRcTOIUYD2q8uhUdNHZYJUaQ8aTGPzCh+c6oawMKW35nFl1dxyQ==} + /ws/8.18.0: + resolution: {integrity: sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw==} engines: {node: '>=10.0.0'} peerDependencies: bufferutil: ^4.0.1 diff --git a/packages/apps/desktop-viewer-test/package.json b/packages/apps/desktop-viewer-test/package.json index e4b521f4..9a060177 100644 --- a/packages/apps/desktop-viewer-test/package.json +++ b/packages/apps/desktop-viewer-test/package.json @@ -96,7 +96,8 @@ "rimraf": "^3.0.2", "sass": "^1.64.2", "typescript": "~5.0.4", - "webpack": "^5.1.2" + "webpack": "^5.1.2", + "ws": "^7.5.10" }, "eslintConfig": { "extends": [ diff --git a/packages/apps/web-viewer-test/package.json b/packages/apps/web-viewer-test/package.json index 1a56141a..8552d81f 100644 --- a/packages/apps/web-viewer-test/package.json +++ b/packages/apps/web-viewer-test/package.json @@ -48,7 +48,8 @@ "@types/node": "^18.17.1", "@types/react": "^18.2.18", "@types/react-dom": "^18.2.7", - "typescript": "~5.0.4" + "typescript": "~5.0.4", + "ws": "^8.17.1" }, "browserslist": [ ">0.2%", diff --git a/rush.json b/rush.json index 6f7645b0..deafe0e4 100644 --- a/rush.json +++ b/rush.json 
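Review bot: `ws` is pinned by adding it as a direct devDependency — `"ws": "^7.5.10"` in packages/apps/desktop-viewer-test/package.json and `"ws": "^8.17.1"` in packages/apps/web-viewer-test/package.json — while the braces fix in the same commit uses `globalOverrides` in pnpm-config.json, so the two mitigations use different mechanisms. A direct dependency only raises the transitive version where pnpm happens to dedupe to it, and it will outlive its reason if neither app imports `ws` directly (not visible from the hunks). Moving both pins into pnpm-config.json, where pnpm overrides accept version-qualified selectors such as `"ws@^7": "^7.5.10"` and `"ws@^8": "^8.17.1"` (constructed example), would apply to every resolution path and keep the security pins in one self-documenting place; the devDependency entries could then be dropped.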
@@ -2,9 +2,6 @@ "$schema": "https://developer.microsoft.com/json-schemas/rush/v5/rush.schema.json", "rushVersion": "5.112.2", "pnpmVersion": "7.32.2", - "pnpmOptions": { - "useWorkspaces": true - }, "nodeSupportedVersionRange": "^18.12.0 || ^20.9.0", "projectFolderMinDepth": 2, "projectFolderMaxDepth": 3,