fix: Remove CVE-2022-23539 vulnerability by updating the jsonwebtoken packages #4706
Addresses #4684

#minor

Description

This PR updates the version of the `jsonwebtoken` package from `8.x` to `9.x` to fix the CVE-2022-23539 (https://github.com/microsoft/botbuilder-js/security/dependabot/243) vulnerability. Along the way, the following vulnerabilities were also fixed in this PR:

This PR also improves the browser-functional project and pipeline to work with the latest Chrome and Firefox drivers, avoiding using npm dependencies for these, and having a clear way to test them locally.

Specific Changes

- `lodash.pick` internal project that acts as a proxy between the vulnerable `lodash.pick` version and `lodash`, so it doesn't reintroduce the CVE-2020-8203 vulnerability.
- `jsonwebtoken` resolution, as it's no longer needed with the new version of `botframework-webchat`.
- `botframework-webchat` inside `browser-echo-bot` from `4.5.0` to `4.16.0` (note: 4.17.0 has a Node 18 limitation).
- `browserify`, `react`, and `react-dom` as devDependencies, since they are required in the webpack server.
- `sanitize-html` resolution to update the version from `2.11` to `2.13`. The rest of the `sanitize-html` vulnerabilities (moderate) have been solved after updating `botframework-webchat`.
- `use browser drivers` step in the `browser-functional` pipeline to copy the Chrome and Firefox drivers from the current running pipeline machine.

Testing

The following images show the `browser-functional` validations, the tests and pipeline passing.