Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Updates April 2024 #140

Merged
merged 5 commits into from
Apr 2, 2024
Merged

Security Updates April 2024 #140

merged 5 commits into from
Apr 2, 2024

Conversation

betsyecastro
Copy link
Contributor

1. Composer dependencies update:

Package operations: 8 installs, 83 updates, 0 removals
  - Upgrading php-http/discovery (1.19.1 => 1.19.2): Extracting archive
  - Upgrading symfony/polyfill-php80 (v1.27.0 => v1.28.0): Extracting archive
  - Upgrading symfony/polyfill-mbstring (v1.27.0 => v1.28.0): Extracting archive
  - Upgrading symfony/polyfill-ctype (v1.27.0 => v1.28.0): Extracting archive
  - Upgrading phpoption/phpoption (1.9.1 => 1.9.2): Extracting archive
  - Upgrading graham-campbell/result-type (v1.1.1 => v1.1.2): Extracting archive
  - Upgrading vlucas/phpdotenv (v5.5.0 => v5.6.0): Extracting archive
  - Upgrading tijsverkoyen/css-to-inline-styles (2.2.6 => v2.2.7): Extracting archive
  - Upgrading symfony/polyfill-uuid (v1.27.0 => v1.28.0): Extracting archive
  - Upgrading symfony/polyfill-php72 (v1.27.0 => v1.28.0): Extracting archive
  - Upgrading symfony/polyfill-intl-normalizer (v1.27.0 => v1.28.0): Extracting archive
  - Upgrading symfony/polyfill-intl-idn (v1.27.0 => v1.28.0): Extracting archive
  - Upgrading doctrine/deprecations (v1.1.1 => 1.1.3): Extracting archive
  - Upgrading symfony/polyfill-intl-grapheme (v1.27.0 => v1.28.0): Extracting archive
  - Upgrading symfony/polyfill-php81 (v1.27.0 => v1.28.0): Extracting archive
  - Upgrading ramsey/uuid (4.7.4 => 4.7.5): Extracting archive
  - Installing psr/clock (1.0.0): Extracting archive
  - Installing carbonphp/carbon-doctrine-types (1.0.0): Extracting archive
  - Upgrading nesbot/carbon (2.68.1 => 2.72.3): Extracting archive
  - Upgrading monolog/monolog (2.9.1 => 2.9.2): Extracting archive
  - Upgrading league/mime-type-detection (1.11.0 => 1.15.0): Extracting archive
  - Upgrading league/flysystem (3.15.1 => 3.23.1): Extracting archive
  - Upgrading league/flysystem-local (3.15.0 => 3.23.1): Extracting archive
  - Upgrading nette/utils (v4.0.0 => v4.0.4): Extracting archive
  - Upgrading nette/schema (v1.2.3 => v1.2.5): Extracting archive
  - Upgrading league/commonmark (2.4.0 => 2.4.1): Extracting archive
  - Upgrading laravel/serializable-closure (v1.3.0 => v1.3.3): Extracting archive
  - Upgrading guzzlehttp/uri-template (v1.0.1 => v1.0.3): Extracting archive
  - Upgrading fruitcake/php-cors (v1.2.0 => v1.3.0): Extracting archive
  - Upgrading dragonmantank/cron-expression (v3.3.2 => v3.3.3): Extracting archive
  - Upgrading doctrine/inflector (2.0.8 => 2.0.9): Extracting archive
  - Upgrading laravel/framework (v9.52.10 => v9.52.16): Extracting archive
  - Upgrading aws/aws-crt-php (v1.2.1 => v1.2.4): Extracting archive
  - Upgrading composer/pcre (3.1.0 => 3.1.1): Extracting archive
  - Upgrading psr/http-client (1.0.2 => 1.0.3): Extracting archive
  - Upgrading guzzlehttp/psr7 (2.5.0 => 2.6.2): Extracting archive
  - Upgrading guzzlehttp/promises (1.5.3 => 2.0.2): Extracting archive
  - Upgrading guzzlehttp/guzzle (7.7.0 => 7.8.1): Extracting archive
  - Upgrading laravel/telescope (v4.15.2 => v4.17.5): Extracting archive
  - Upgrading mtdowling/jmespath.php (2.6.1 => 2.7.0): Extracting archive
  - Upgrading aws/aws-sdk-php (3.276.2 => 3.298.1): Extracting archive
  - Upgrading league/flysystem-aws-s3-v3 (3.15.0 => 3.23.1): Extracting archive
  - Upgrading livewire/livewire (v2.12.3 => v2.12.6): Extracting archive
  - Upgrading mockery/mockery (1.6.4 => 1.6.7): Extracting archive
  - Upgrading filp/whoops (2.15.3 => 2.15.4): Extracting archive
  - Installing orchestra/canvas-core (v7.7.0): Extracting archive
  - Installing symfony/polyfill-php83 (v1.28.0): Extracting archive
  - Upgrading symfony/polyfill-iconv (v1.27.0 => v1.28.0): Extracting archive
  - Upgrading spatie/ray (1.37.2 => 1.41.1): Extracting archive
  - Installing phpstan/phpstan (1.10.57): Extracting archive
  - Installing rector/rector (0.19.5): Extracting archive
  - Upgrading spatie/laravel-ray (1.32.6 => 1.34.0): Extracting archive
  - Upgrading orchestra/testbench-core (v7.25.0 => v7.40.1): Extracting archive
  - Installing orchestra/canvas (v7.11.1): Extracting archive
  - Upgrading nikic/php-parser (v4.16.0 => v4.18.0): Extracting archive
  - Upgrading psy/psysh (v0.11.19 => v0.12.0): Extracting archive
  - Upgrading laravel/tinker (v2.8.1 => v2.9.0): Extracting archive
  - Upgrading fakerphp/faker (v1.23.0 => v1.23.1): Extracting archive
  - Installing orchestra/workbench (v7.2.0): Extracting archive
  - Upgrading owen-it/laravel-auditing (v13.5.1 => v13.6.4): Extracting archive
  - Upgrading clue/stream-filter (v1.6.0 => v1.7.0): Extracting archive
  - Upgrading php-http/promise (1.1.0 => 1.3.0): Extracting archive
  - Upgrading php-http/client-common (2.7.0 => 2.7.1): Extracting archive
  - Upgrading phpstan/phpdoc-parser (1.22.1 => 1.25.0): Extracting archive
  - Upgrading phpdocumentor/type-resolver (1.7.2 => 1.8.0): Extracting archive
  - Upgrading sebastian/global-state (5.0.5 => 5.0.6): Extracting archive
  - Upgrading theseer/tokenizer (1.2.1 => 1.2.2): Extracting archive
  - Upgrading sebastian/lines-of-code (1.0.3 => 1.0.4): Extracting archive
  - Upgrading sebastian/complexity (2.0.2 => 2.0.3): Extracting archive
  - Upgrading phpunit/php-code-coverage (9.2.26 => 9.2.30): Extracting archive
  - Upgrading phpunit/phpunit (9.6.10 => 9.6.16): Extracting archive
  - Upgrading netresearch/jsonmapper (v4.2.0 => v4.4.1): Extracting archive
  - Upgrading composer/semver (3.3.2 => 3.4.0): Extracting archive
  - Upgrading orchestra/testbench (v7.25.0 => v7.40.1): Extracting archive
  - Upgrading symfony/psr-http-message-bridge (v2.2.0 => v2.3.1): Extracting archive
  - Upgrading nyholm/psr7 (1.8.0 => 1.8.1): Extracting archive
  - Upgrading sentry/sentry (3.20.1 => 3.22.1): Extracting archive
  - Upgrading sentry/sdk (3.5.0 => 3.6.0)
  - Upgrading spatie/temporary-directory (2.1.2 => 2.2.1): Extracting archive
  - Upgrading spatie/image-optimizer (1.6.4 => 1.7.2): Extracting archive
  - Upgrading spatie/image (2.2.6 => 2.2.7): Extracting archive
  - Upgrading spatie/browsershot (3.58.1 => 3.61.0): Extracting archive
  - Upgrading spatie/laravel-package-tools (1.15.0 => 1.16.2): Extracting archive
  - Upgrading spatie/db-dumper (3.4.0 => 3.4.2): Extracting archive
  - Upgrading spatie/laravel-backup (8.1.11 => 8.2.0): Extracting archive
  - Upgrading spatie/flare-client-php (1.4.1 => 1.4.4): Extracting archive
  - Upgrading spatie/ignition (1.9.0 => 1.12.0): Extracting archive
  - Upgrading spatie/laravel-medialibrary (10.10.1 => 10.15.0): Extracting archive
  - Upgrading spatie/laravel-translatable (6.5.3 => 6.5.5): Extracting archive
  - Upgrading spatie/laravel-tags (4.5.0 => 4.5.2): Extracting archive
  - Upgrading ezyang/htmlpurifier (v4.16.0 => v4.17.0): Extracting archive
Package adldap2/adldap2 is abandoned, you should avoid using it. No replacement was suggested.
Package adldap2/adldap2-laravel is abandoned, you should avoid using it. No replacement was suggested.
Package laravelcollective/html is abandoned, you should avoid using it. Use spatie/laravel-html instead.
Package php-http/message-factory is abandoned, you should avoid using it. Use psr/http-factory instead.
Package webmozart/path-util is abandoned, you should avoid using it. Use symfony/filesystem instead.

2. Adds database migration to create jobs table

3. npm audit

# npm audit report
@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse

browserify-sign  2.6.0 - 4.2.1
Severity: high
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack - https://github.com/advisories/GHSA-x9w5-v3q2-3rhw
fix available via `npm audit fix`
node_modules/browserify-sign

follow-redirects  <1.15.4
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
fix available via `npm audit fix`
node_modules/follow-redirects

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix`
node_modules/postcss

4 vulnerabilities (2 moderate, 1 high, 1 critical)

4. npm dependencies update:

node_modules/@babel/code-frame: 7.22.5 => 7.23.5
  @babel/highlight: ^7.22.5 =>  ^7.23.4
  chalk: ^2.4.2
node_modules/@babel/code-frame/node_modules/ansi-styles: 3.2.1
  color-convert: ^1.9.0
node_modules/@babel/code-frame/node_modules/chalk: 2.4.2
  ansi-style: ^3.2.1
  escape-strng-regexp: ^1.0.5
node_modules/@babel/code-frame/node_modules/color-convert: 1.9.3
  color-name: 1.1.3
node_modules/@babel/code-frame/node_modules/color-name: 1.1.3
node_modules/@babel/code-frame/node_modules/has-flag: 3.0.0
node_modules/@babel/code-frame/node_modules/supports-color: 5.5.0
  has-flag: ^3.0.0
node_modules/@babel/generator: 7.22.9 => 7.23.6
  @babel/types: ^7.22.5 => ^7.23.6,
node_modules/@babel/helper-environment-visitor: 7.22.5 => 7.22.20
node_modules/@babel/helper-function-name: 7.22.5 => 7.23.0
  @babel/template: ^7.22.5 => ^7.22.15
  @babel/types: ^7.22.5 => ^7.23.0
node_modules/@babel/helper-string-parser: 7.22.5 => 7.23.4
node_modules/@babel/helper-validator-identifier: 77.22.5 => 7.22.20
node_modules/@babel/highlight: 7.22.5 => 7.23.4
  @babel/helper-validator-identifier: 7.22.5 => ^7.22.20
  chalk: ^2.0.0 => ^2.4.2
node_modules/@babel/parser: ^7.22.7 => 7.23.9
node_modules/@babel/template: ^7.22.5 => 7.23.9
  @babel/code-frame: ^7.22.5 => ^7.23.5
  @babel/parser: ^7.22.5 => ^7.23.9
  @babel/types: ^7.22.5 => ^7.23.9
node_modules/@babel/traverse: ^7.22.8 => 7.23.9
  @babel/code-frame: ^7.22.5 => ^7.23.5
  @babel/generator: ^7.22.7 => ^7.23.6
  @babel/helper-environment-visitor: ^7.22.5 => ^7.22.20
  @babel/helper-function-name: ^7.22.5 => ^7.23.0
  @babel/parser: ^7.22.7 => ^7.23.9
  @babel/types: ^7.22.5 => ^7.23.9
  debug: ^4.1.0 => ^4.3.1
 node_modules/@babel/types: ^7.22.5 => 7.23.9
  @babel/helper-string-parser: ^7.22.5 => ^7.23.4
  @babel/helper-validator-identifier: ^7.22.5 => ^7.22.20
node_modules/browserify-signversion: 4.2.1 => 4.2.2
  bn.js: ^5.1.1 => ^5.2.1
  browserify-rsa: ^4.0.1 => ^4.1.0
  elliptic: ^6.5.3 => ^6.5.4
  parse-asn1: ^5.1.5 => ^5.1.6
  readable-stream: ^3.6.0 => ^3.6.2
  safe-buffer: ^5.2.0 => ^5.2.1
node_modules/follow-redirects: 1.15.2 => 1.15.5
node_modules/nanoid: 3.3.6 => 3.3.7
node_modules/postcss: 8.4.27 => 8.4.35
  nanoid: ^3.3.6 => ^3.3.7
@babel/code-frame: 7.22.5 => 7.23.5
  @babel/highlight: ^7.22.5 => ^7.23.4
  chalk: ^2.4.2
  ansi-styles: 3.2.1
    color-convert: ^1.9.0
  chalk: 2.4.2
    ansi-styles: ^3.2.1
  color-convert: 1.9.3
    color-name: 1.1.3
  color-name: 1.1.3
  has-flag: 3.0.0
  supports-color: 5.5.0
    has-flag: ^3.0.0
@babel/generator: 7.22.9 => 7.23.6
  @babel/types: ^7.22.5 => ^7.23.6
@babel/helper-environment-visitor: 7.22.5 => 7.22.20
@babel/helper-function-name: 7.22.5 => 7.23.0
  @babel/template: ^7.22.5 => ^7.22.15
  @babel/types: ^7.22.5 => ^7.23.0
@babel/helper-string-parser: 7.22.5 => 7.23.4
@babel/helper-validator-identifier: 7.22.5 => 7.22.20
@babel/highlight: 7.22.5 => 7.23.4
  @babel/helper-validator-identifier: ^7.22.5 => ^7.22.20
  chalk: ^2.2.0 => ^2.4.2
@babel/parser: 7.22.7 => 7.23.9
@babel/template: 7.22.5 => 7.23.9
  @babel/code-frame: ^7.22.5 => ^7.23.5
  @babel/parser: ^7.22.5 => ^7.23.9
  @babel/types: ^7.22.5 => ^7.23.9
@babel/traverse: 7.22.8 => 7.23.9
  @babel/code-frame: ^7.22.5 => ^7.23.5
  @babel/generator: ^7.22.7 => ^7.23.6
  @babel/helper-environment-visitor: ^7.22.5 => ^7.22.20
  @babel/helper-function-name: ^7.22.5 => ^7.23.0
  @babel/parser: ^7.22.7 => ^7.23.9
  @babel/types: ^7.22.5 => ^7.23.9
  debug: ^4.1.0 => ^4.3.1
@babel/types: 7.22.5 => 7.23.9
  @babel/helper-string-parser: ^7.22.5 => ^7.23.4
  @babel/helper-validator-identifier: ^7.22.5 => ^7.22.20
browserify-sign: 4.2.1 => 4.2.2
  bn.js: ^5.1.1 => ^5.2.1
  browserify-rsa: ^4.0.1 => ^4.1.0
  elliptic: ^6.5.3 => ^6.5.4
  parse-asn1: ^5.1.5 => ^5.1.6
  readable-stream: ^3.6.0 => ^3.6.2
  safe-buffer: ^5.2.0 => ^5.2.1
follow-redirects: 1.15.2 => 1.15.5
nanoid: 3.2.6 => 3.3.7
postcss: 8.4.27 => 8.4.35
  nanoid: ^3.3.6 => ^3.3.7

@betsyecastro betsyecastro added the 🔒 security Security-related label Feb 14, 2024
@betsyecastro betsyecastro self-assigned this Feb 14, 2024
@betsyecastro
Copy link
Contributor Author

Composer and NPM dependencies update completed.
Security check fails due to 5 abandoned packages.
PR ready for review @wunc

@betsyecastro betsyecastro marked this pull request as ready for review February 15, 2024 15:36
@wunc wunc changed the title Security Updates February 2024 Security Updates April 2024 Apr 2, 2024
@wunc wunc merged commit 5311f64 into develop Apr 2, 2024
2 checks passed
@wunc wunc deleted the security-updates-february-2024 branch April 2, 2024 20:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@betsyecastro betsyecastro

Labels
🔒 security Security-related
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@betsyecastro @wunc