Merge branch 'develop' into dependabot/npm_and_yarn/semver-5.7.2

.github/workflows/build-and-test-prs.yml

@@ -9,20 +9,20 @@ jobs:
     name: Build & test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Get yarn cache directory path
         id: yarn-cache-dir-path
         run: echo "::set-output name=dir::$(yarn cache dir)"
       - name: Cache node_modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
         with:
           path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
           key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
             ${{ runner.os }}-yarn-
       - name: Use NodeJs
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v3
         with:
           node-version: '16.x'
 

.github/workflows/codeql-analysis.yml

@@ -9,14 +9,14 @@
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
-name: "CodeQL"
+name: 'CodeQL'
 
 on:
   push:
-    branches: [ ]
+    branches: []
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ develop ]
+    branches: [develop]
   schedule:
     - cron: '42 12 * * 1'
 
@@ -32,39 +32,39 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'javascript' ]
+        language: ['javascript']
         # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
         # Learn more about CodeQL language support at https://git.io/codeql-language-support
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+          # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
 
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 https://git.io/JvXDl
 
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
+      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+      #    and modify them (or add more) to build your code if your project
+      #    uses a compiled language
 
-    #- run: |
-    #   make bootstrap
-    #   make release
+      #- run: |
+      #   make bootstrap
+      #   make release
 
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2

.github/workflows/cypress-test.yml

@@ -14,20 +14,20 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Get yarn cache directory path
         id: yarn-cache-dir-path
         run: echo "::set-output name=dir::$(yarn cache dir)"
       - name: Cache node_modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
         with:
           path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
           key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
             ${{ runner.os }}-yarn-
       - name: Use NodeJs
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v3
         with:
           node-version: '16.x'
 
@@ -60,7 +60,7 @@ jobs:
         containers: [1, 2, 3]
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Run cypress
         uses: cypress-io/[email protected]
         with:

.github/workflows/deploy-to-prod.yml

@@ -6,47 +6,10 @@ on:
       - main
 
 jobs:
-  build-and-test:
-    name: Build & test
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: Get yarn cache directory path
-        id: yarn-cache-dir-path
-        run: echo "::set-output name=dir::$(yarn cache dir)"
-      - name: Cache node_modules
-        uses: actions/cache@v2
-        id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
-        with:
-          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
-          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-yarn-
-      - name: Use NodeJs
-        uses: actions/setup-node@v1
-        with:
-          node-version: '16.x'
-
-      - name: Install dependencies
-        run: yarn install --frozen-lockfile --non-interactive
-
-      - name: Run linting
-        run: yarn lint
-
-      - name: Build app
-        run: yarn build
-        env:
-          NEXT_PUBLIC_ROLLBAR_ENV: CI
-          NEXT_PUBLIC_FIREBASE_API_KEY: ${{ secrets.NEXT_PUBLIC_FIREBASE_API_KEY }}
-          NEXT_PUBLIC_ROLLBAR_CLIENT_TOKEN: ${{ secrets.NEXT_PUBLIC_ROLLBAR_CLIENT_TOKEN }}
-          NEXT_PUBLIC_STORYBLOK_TOKEN: ${{ secrets.NEXT_PUBLIC_STORYBLOK_TOKEN }}
-      - name: Test app
-        run: yarn test
   deploy-to-prod:
-    needs: build-and-test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - uses: akhileshns/[email protected] # This is the action
         with:
           heroku_api_key: ${{secrets.HEROKU_API_KEY}}

.github/workflows/deploy-to-staging.yml

@@ -6,48 +6,11 @@ on:
       - develop
 
 jobs:
-  build-and-test:
-    name: Build & test
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: Get yarn cache directory path
-        id: yarn-cache-dir-path
-        run: echo "::set-output name=dir::$(yarn cache dir)"
-      - name: Cache node_modules
-        uses: actions/cache@v2
-        id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
-        with:
-          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
-          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-yarn-
-      - name: Use NodeJs
-        uses: actions/setup-node@v1
-        with:
-          node-version: '16.x'
-
-      - name: Install dependencies
-        run: yarn install --frozen-lockfile --non-interactive
-
-      - name: Run linting
-        run: yarn lint
-
-      - name: Build app
-        run: yarn build
-        env:
-          NEXT_PUBLIC_ROLLBAR_ENV: CI
-          NEXT_PUBLIC_FIREBASE_API_KEY: ${{ secrets.NEXT_PUBLIC_FIREBASE_API_KEY }}
-          NEXT_PUBLIC_ROLLBAR_CLIENT_TOKEN: ${{ secrets.NEXT_PUBLIC_ROLLBAR_CLIENT_TOKEN }}
-          NEXT_PUBLIC_STORYBLOK_TOKEN: ${{ secrets.NEXT_PUBLIC_STORYBLOK_TOKEN }}
-      - name: Test app
-        run: yarn test
   deploy-to-staging:
     name: Deploy to staging
-    needs: build-and-test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - uses: akhileshns/[email protected] # This is the action
         with:
           heroku_api_key: ${{secrets.HEROKU_API_KEY}}
@@ -70,9 +33,9 @@ jobs:
         containers: [1, 2, 3]
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Run cypress
-        uses: cypress-io/github-action@v5.0.9
+        uses: cypress-io/github-action@v6
         with:
           browser: chrome
           spec: cypress/**/*.cy.tsx

SECURITY.md

@@ -0,0 +1,26 @@
+# Chayn Security Policy
+
+## Report a Vulnerability
+
+To report a security issue, please email [email protected] with the following information:
+
+1. **The Chayn product** with the vulnerability.
+2. **A short summary of the problem.** Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.
+3. Complete instructions, including specific configuration details, to **reproduce the vulnerability.**
+
+  Optional information to include if applicable:
+- Propose a remediation suggestion if you have one. Make it clear that this is just a suggestion, as the maintainer might have a better idea to fix the issue.
+- Credit: List all researchers who contributed to this disclosure. If you found the vulnerability with a specific tool, you can also credit this tool.
+- Contact information for further collaboration. If the vulernerability is accepted, we will be happy to collaborate with you, and review your fix to make sure that all corner cases are covered. 
+
+You will receive an email from us confirming we have received your bug report.
+
+## Disclosure Policy
+
+Chayn is dedicated to working closely with the open source community and with projects that are affected by a vulnerability, in order to protect users and ensure a coordinated disclosure.
+
+If the project team responds and agrees the issue poses a security risk, we will work with the project security team or maintainers to communicate the vulnerability in detail, and agree on the process for public disclosure. Responsibility for developing and releasing a patch lies firmly with the project team, though we aim to facilitate this by providing detailed information about the vulnerability.
+
+Our disclosure deadline for publicly disclosing a vulnerability is: 90 days after the first report to the project team.
+
+We **appreciate the hard work** contributors and maintainers put into fixing vulnerabilities and understand that sometimes more time is required to properly address an issue. We want project maintainers and contributors to succeed and because of that we are always open to discuss our disclosure policy to fit your specific requirements, when warranted.

components/storyblok/StoryblokAudio.tsx

@@ -1,5 +1,5 @@
 import { Box } from '@mui/system';
-import ReactPlayer from 'react-player';
+import ReactPlayer from 'react-player/lazy';
 import { richtextContentStyle } from '../../styles/common';
 
 const audioContainerStyle = {

components/storyblok/StoryblokVideo.tsx

@@ -1,5 +1,5 @@
 import { Box } from '@mui/system';
-import ReactPlayer from 'react-player';
+import ReactPlayer from 'react-player/lazy';
 import { richtextContentStyle } from '../../styles/common';
 
 const videoContainerStyle = {
@@ -70,6 +70,7 @@ const StoryblokVideo = (props: StoryblokVideoProps) => {
           style={videoStyle}
           width="100%"
           height="100%"
+          light={true}
           url={video.url}
           controls
           modestbranding={1}

components/video/Video.tsx

@@ -1,9 +1,8 @@
 import { Theme } from '@mui/material';
 import Box from '@mui/material/Box';
 import { SxProps } from '@mui/system';
-import * as React from 'react';
 import { Dispatch, SetStateAction, useRef, useState } from 'react';
-import ReactPlayer from 'react-player/youtube';
+import ReactPlayer from 'react-player/lazy';
 import logEvent from '../../utils/logEvent';
 
 const videoContainerStyle = {
@@ -77,6 +76,7 @@ const Video = (props: VideoProps) => {
       <Box sx={videoContainerStyle}>
         <ReactPlayer
           ref={player}
+          light={true}
           onDuration={(duration) => setVideoDuration(duration)}
           onStart={videoStarted}
           onPause={() => videoPausedOrPlayed(false)}

cypress/integration/activities.cy.tsx

@@ -5,7 +5,7 @@ describe('A logged in user should be able to navigate to activities and do an ex
   });
 
   it('Should go to the activities page and click on an exercise', () => {
-    cy.get(`[qa-id=secondary-nav-activities-button]`).should('exist').click(); //navigate to activities
+    cy.get(`[qa-id=secondary-nav-activities-button]`).should('exist').click().click(); //navigate to activities - double clicking just in case
     // Default timeout is 4 seconds so extended to 8 to avoid racy tests
     cy.get('h3', { timeout: 8000 }).contains('Thought diaries').should('exist').click(); //check click first  exercise exists and open it
 

cypress/integration/user-course-session-behaviour.cy.tsx

@@ -1,4 +1,4 @@
-describe('A logged in user should be able to navigate to a course session and complete it', () => {
+describe.only('A logged in user should be able to navigate to a course session and complete it', () => {
   const newUserEmail = `cypresstestemail+${Date.now()}@chayn.co`;
   const password = 'testpassword';
 
@@ -18,25 +18,24 @@ describe('A logged in user should be able to navigate to a course session and co
     cy.get(`[qa-id=secondary-nav-courses-button]`).should('exist').click(); //navigate to courses
 
     cy.get('a[href*="healing-from-sexual-trauma"]', {
-      timeout: 4000,
+      timeout: 8000,
     })
       .first()
       .click(); //click on a course when link load
 
     // cy.getIframeBody().find('button').click(); Attempting to watch the session video. iframe isnt working at the moment
 
     cy.get('a[href*="what-is-sexual-trauma"]', {
-      timeout: 4000,
+      timeout: 8000,
     })
       .first()
       .click(); //click on a session when link loads
   });
 
   it('Should read activity & bonus content and complete session', () => {
     cy.visit('/courses/healing-from-sexual-trauma/what-is-sexual-trauma');
-    cy.wait(5000);
 
-    cy.get('h3').contains('Activity').click(); //open activities
+    cy.get('h3', { timeout: 10000 }).contains('Activity').click(); //open activities
 
     cy.get('h3').contains('Bonus content').click(); //open bonus content