Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Remove CVE-2022-23539 vulnerability by updating the jsonwebtoken packages #4706

Merged
merged 1 commit into from
Jul 8, 2024

Conversation

sw-joelmut
Copy link
Collaborator

Addresses #4684
#minor

Description

This PR updates the version of the jsonwebtoken package from 8.x to 9.x to fix the CVE-2022-23539 (https://github.com/microsoft/botbuilder-js/security/dependabot/243) vulnerability.
Along the way, the following vulnerabilities were also fixed in this PR:

This PR also improves the browser-functional project and pipeline to work with latest Chrome and Firefox drivers, avoiding using npm dependencies for these, and have a clear way to test them locally.

Specific Changes

  • Added lodash.pick internal project that acts as a proxy between vulnerable lodash.pick version and lodash. So it doesn't reintroduce the CVE-2020-8203 vulnerability.
  • Removed jsonwebtoken resolution, as it's no longer needed with the new version of botframework-webchat.
  • Updated botframework-webchat inside browser-echo-bot from 4.5.0 to 4.16.0 (note: 4.17.0 has node 18 limitation).
  • Added browserify, react, and react-dom as devDependencies, since they are required in the webpack server.
  • Added sanitize-html resolution to update the version from 2.11 to 2.13. The rest of sanitize-html vulnerabilities (moderate) have been solved after updating botframework-webchat.
  • Added use browser drivers step in the browser-functional pipeline to copy the Chrome and Firefox drivers from the current running pipeline machine.
  • Nightwatch tests improvements
    • npm geckodriver has been replaced with using the geckodriver.exe directly.
    • chromedriver.exe has been removed to be provided by the user or pipeline step. Mostly to use the latest version or a specific one.
    • Fixed issues with webchat, since it changed from version 4.5 to 4.16, and required DOM element references to be updated.
    • Added validation steps before all tests run, checking if the requirements like "drivers" and "browser" meet the requirements. Otherwise, it shows a message to install them.

Testing

The following images show the browser-functional validations, the tests and pipeline passing.
image
image
image

@sw-joelmut sw-joelmut requested a review from a team as a code owner July 4, 2024 19:19
@coveralls
Copy link

coveralls commented Jul 4, 2024

Pull Request Test Coverage Report for Build 9799065989

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.4%) to 84.078%

Totals Coverage Status
Change from base Build 9767028772: -0.4%
Covered Lines: 20347
Relevant Lines: 22904

💛 - Coveralls

@coveralls
Copy link

coveralls commented Jul 4, 2024

Pull Request Test Coverage Report for Build 9799065989

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 84.433%

Totals Coverage Status
Change from base Build 9767028772: 0.0%
Covered Lines: 20429
Relevant Lines: 22904

💛 - Coveralls

@tracyboehrer tracyboehrer merged commit 24da6c5 into main Jul 8, 2024
12 checks passed
@tracyboehrer tracyboehrer deleted the southworks/update/browser-functional branch July 8, 2024 19:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants