Merge pull request #15004 from Budibase/security-updates

dependency upgrades for security scanners
2024-11-20 16:14:14 +00:00 · 2024-11-20 16:14:14 +00:00 · 739457ca42
parent 0a3000e3ac e5e0563546
commit 739457ca42
11 changed files with 2183 additions and 1655 deletions
--- a/package.json
+++ b/package.json
@ -109,7 +109,7 @@
    "semver": "7.5.3",
    "http-cache-semantics": "4.1.1",
    "msgpackr": "1.10.1",
-    "axios": "1.6.3",
+    "axios": "1.7.7",
    "xml2js": "0.6.2",
    "unset-value": "2.0.1",
    "passport": "0.6.0",
@ -119,6 +119,5 @@
  },
  "engines": {
    "node": ">=20.0.0 <21.0.0"
-  },
+  }
  "dependencies": {}
 }
--- a/packages/backend-core/package.json
+++ b/packages/backend-core/package.json
@ -33,14 +33,17 @@
    "@budibase/pouchdb-replication-stream": "1.2.11",
    "@budibase/shared-core": "0.0.0",
    "@budibase/types": "0.0.0",
    "@techpass/passport-openidconnect": "0.3.3",
    "aws-cloudfront-sign": "3.0.2",
-    "aws-sdk": "2.1030.0",
+    "aws-sdk": "2.1692.0",
    "bcrypt": "5.1.0",
    "bcryptjs": "2.4.3",
    "bull": "4.10.1",
    "correlation-id": "4.0.0",
-    "dd-trace": "5.2.0",
+    "dd-trace": "5.23.0",
    "dotenv": "16.0.1",
    "google-auth-library": "^8.0.1",
    "google-spreadsheet": "npm:@budibase/google-spreadsheet@4.1.5",
    "ioredis": "5.3.2",
    "joi": "17.6.0",
    "jsonwebtoken": "9.0.2",
@ -55,17 +58,14 @@
    "pino": "8.11.0",
    "pino-http": "8.3.3",
    "posthog-node": "4.0.1",
-    "pouchdb": "7.3.0",
+    "pouchdb": "9.0.0",
-    "pouchdb-find": "7.2.2",
+    "pouchdb-find": "9.0.0",
    "redlock": "4.2.0",
    "rotating-file-stream": "3.1.0",
    "sanitize-s3-objectkey": "0.0.1",
    "semver": "^7.5.4",
    "tar-fs": "2.1.1",
-    "uuid": "^8.3.2",
+    "uuid": "^8.3.2"
    "@techpass/passport-openidconnect": "0.3.3",
    "google-auth-library": "^8.0.1",
    "google-spreadsheet": "npm:@budibase/google-spreadsheet@4.1.5"
  },
  "devDependencies": {
    "@jest/types": "^29.6.3",
@ -78,7 +78,7 @@
    "@types/lodash": "4.14.200",
    "@types/node": "^22.9.0",
    "@types/node-fetch": "2.6.4",
-    "@types/pouchdb": "6.4.0",
+    "@types/pouchdb": "6.4.2",
    "@types/redlock": "4.0.7",
    "@types/semver": "7.3.7",
    "@types/tar-fs": "2.0.1",
--- a/packages/pro
+++ b/packages/pro
@ -1 +1 @@
-Subproject commit bfeece324a03a3a5f25137bf3f8c66d5ed6103d8
+Subproject commit 4facf6a44ee52a405794845f71584168b9db652c
--- a/packages/server/package.json
+++ b/packages/server/package.json
@ -63,13 +63,13 @@
    "@bull-board/koa": "5.10.2",
    "@elastic/elasticsearch": "7.10.0",
    "@google-cloud/firestore": "7.8.0",
-    "@koa/router": "8.0.8",
+    "@koa/router": "13.1.0",
    "@socket.io/redis-adapter": "^8.2.1",
    "@types/xml2js": "^0.4.14",
    "airtable": "0.12.2",
    "arangojs": "7.2.0",
    "archiver": "7.0.1",
-    "aws-sdk": "2.1030.0",
+    "aws-sdk": "2.1692.0",
    "bcrypt": "5.1.0",
    "bcryptjs": "2.4.3",
    "bson": "^6.9.0",
@ -80,8 +80,8 @@
    "cookies": "0.8.0",
    "csvtojson": "2.0.10",
    "curlconverter": "3.21.0",
    "dd-trace": "5.23.0",
    "dayjs": "^1.10.8",
    "dd-trace": "5.2.0",
    "dotenv": "8.2.0",
    "form-data": "4.0.0",
    "global-agent": "3.0.0",
@ -89,7 +89,7 @@
    "google-spreadsheet": "npm:@budibase/google-spreadsheet@4.1.5",
    "ioredis": "5.3.2",
    "isolated-vm": "^4.7.2",
-    "jimp": "0.22.12",
+    "jimp": "1.1.4",
    "joi": "17.6.0",
    "js-yaml": "4.1.0",
    "jsonschema": "1.4.0",
@ -104,7 +104,7 @@
    "lodash": "4.17.21",
    "memorystream": "0.3.1",
    "mongodb": "6.7.0",
-    "mssql": "10.0.1",
+    "mssql": "11.0.1",
    "mysql2": "3.9.8",
    "node-fetch": "2.6.7",
    "object-sizeof": "2.6.1",
@ -112,15 +112,15 @@
    "openapi-types": "9.3.1",
    "oracledb": "6.5.1",
    "pg": "8.10.0",
-    "pouchdb": "7.3.0",
+    "pouchdb": "9.0.0",
    "pouchdb-all-dbs": "1.1.1",
-    "pouchdb-find": "7.2.2",
+    "pouchdb-find": "9.0.0",
    "redis": "4",
    "semver": "^7.5.4",
    "serialize-error": "^7.0.1",
    "server-destroy": "1.0.1",
-    "snowflake-promise": "^4.5.0",
+    "snowflake-sdk": "^1.15.0",
-    "socket.io": "4.7.5",
+    "socket.io": "4.8.1",
    "svelte": "^4.2.10",
    "tar": "6.2.1",
    "tmp": "0.2.3",
@ -128,7 +128,7 @@
    "uuid": "^8.3.2",
    "validate.js": "0.13.1",
    "worker-farm": "1.7.0",
-    "xml2js": "0.5.0"
+    "xml2js": "0.6.2"
  },
  "devDependencies": {
    "@babel/preset-env": "7.16.11",
@ -140,13 +140,14 @@
    "@types/jest": "29.5.5",
    "@types/koa": "2.13.4",
    "@types/koa-send": "^4.1.6",
-    "@types/koa__router": "8.0.8",
+    "@types/koa__router": "12.0.4",
    "@types/lodash": "4.14.200",
-    "@types/mssql": "9.1.4",
+    "@types/mssql": "9.1.5",
    "@types/node": "^22.9.0",
    "@types/node-fetch": "2.6.4",
    "@types/oracledb": "6.5.1",
    "@types/pg": "8.6.6",
    "@types/pouchdb": "6.4.2",
    "@types/server-destroy": "1.0.1",
    "@types/supertest": "2.0.14",
    "@types/tar": "6.1.5",
--- a/packages/server/src/api/controllers/query/import/sources/curl.ts
+++ b/packages/server/src/api/controllers/query/import/sources/curl.ts
@ -4,7 +4,7 @@ import { URL } from "url"
 const curlconverter = require("curlconverter")
-const parseCurl = (data: string): any => {
+const parseCurl = (data: string): Promise<any> => {
  const curlJson = curlconverter.toJsonString(data)
  return JSON.parse(curlJson)
 }
@ -53,8 +53,7 @@ export class Curl extends ImportSource {
  isSupported = async (data: string): Promise<boolean> => {
    try {
-      const curl = parseCurl(data)
+      this.curl = parseCurl(data)
      this.curl = curl
    } catch (err) {
      return false
    }
--- a/packages/server/src/integrations/microsoftSqlServer.ts
+++ b/packages/server/src/integrations/microsoftSqlServer.ts
@ -281,8 +281,14 @@ class SqlServerIntegration extends Sql implements DatasourcePlus {
        case MSSQLConfigAuthType.NTLM: {
          const { domain, trustServerCertificate } =
            this.config.ntlmConfig || {}
          if (!domain) {
            throw Error("Domain must be provided for NTLM config")
          }
          clientCfg.authentication = {
            type: "ntlm",
            // @ts-expect-error - username and password not required for NTLM
            options: {
              domain,
            },
--- a/packages/server/src/integrations/snowflake.ts
+++ b/packages/server/src/integrations/snowflake.ts
@ -6,7 +6,8 @@ import {
  QueryType,
  SqlQuery,
 } from "@budibase/types"
-import { Snowflake } from "snowflake-promise"
+import snowflakeSdk, { SnowflakeError } from "snowflake-sdk"
 import { promisify } from "util"
 interface SnowflakeConfig {
  account: string
@ -71,11 +72,52 @@ const SCHEMA: Integration = {
  },
 }
-class SnowflakeIntegration {
+class SnowflakePromise {
-  private client: Snowflake
+  config: SnowflakeConfig
  client?: snowflakeSdk.Connection
  constructor(config: SnowflakeConfig) {
-    this.client = new Snowflake(config)
+    this.config = config
  }
  async connect() {
    if (this.client?.isUp()) return
    this.client = snowflakeSdk.createConnection(this.config)
    const connectAsync = promisify(this.client.connect.bind(this.client))
    return connectAsync()
  }
  async execute(sql: string) {
    return new Promise((resolve, reject) => {
      if (!this.client) {
        throw Error(
          "No snowflake client present to execute query. Run connect() first to initialise."
        )
      }
      this.client.execute({
        sqlText: sql,
        complete: function (
          err: SnowflakeError | undefined,
          statementExecuted: any,
          rows: any
        ) {
          if (err) {
            return reject(err)
          }
          resolve(rows)
        },
      })
    })
  }
 }
 class SnowflakeIntegration {
  private client: SnowflakePromise
  constructor(config: SnowflakeConfig) {
    this.client = new SnowflakePromise(config)
  }
  async testConnection(): Promise<ConnectionInfo> {
--- a/packages/server/src/utilities/fileSystem/processor.ts
+++ b/packages/server/src/utilities/fileSystem/processor.ts
@ -1,4 +1,4 @@
-import jimp from "jimp"
+import { Jimp } from "jimp"
 const FORMATS = {
  IMAGES: ["png", "jpg", "jpeg", "gif", "bmp", "tiff"],
@ -6,8 +6,8 @@ const FORMATS = {
 function processImage(file: { path: string }) {
  // this will overwrite the temp file
-  return jimp.read(file.path).then(img => {
+  return Jimp.read(file.path).then(img => {
-    return img.resize(300, jimp.AUTO).write(file.path)
+    return img.resize({ w: 256 }).write(file.path as `${string}.${string}`)
  })
 }
--- a/packages/worker/package.json
+++ b/packages/worker/package.json
@ -40,17 +40,17 @@
  "dependencies": {
    "@budibase/backend-core": "0.0.0",
    "@budibase/pro": "0.0.0",
    "@budibase/shared-core": "0.0.0",
    "@budibase/string-templates": "0.0.0",
    "@budibase/types": "0.0.0",
-    "@budibase/shared-core": "0.0.0",
+    "@koa/router": "13.1.0",
    "@koa/router": "8.0.8",
    "@techpass/passport-openidconnect": "0.3.3",
    "@types/global-agent": "2.1.1",
-    "aws-sdk": "2.1030.0",
+    "aws-sdk": "2.1692.0",
    "bcrypt": "5.1.0",
    "bcryptjs": "2.4.3",
    "bull": "4.10.1",
-    "dd-trace": "5.2.0",
+    "dd-trace": "5.23.0",
    "dotenv": "8.6.0",
    "global-agent": "3.0.0",
    "ical-generator": "4.1.0",
@ -82,7 +82,7 @@
    "@types/jest": "29.5.5",
    "@types/jsonwebtoken": "9.0.3",
    "@types/koa": "2.13.4",
-    "@types/koa__router": "8.0.8",
+    "@types/koa__router": "12.0.4",
    "@types/lodash": "4.14.200",
    "@types/node": "^22.9.0",
    "@types/node-fetch": "2.6.4",
--- a/packages/worker/src/api/controllers/global/users.ts
+++ b/packages/worker/src/api/controllers/global/users.ts
@ -40,6 +40,7 @@ import {
 import { checkAnyUserExists } from "../../../utilities/users"
 import { isEmailConfigured } from "../../../utilities/email"
 import { BpmStatusKey, BpmStatusValue, utils } from "@budibase/shared-core"
 import crypto from "crypto"
 const MAX_USERS_UPLOAD_LIMIT = 1000
--- a/yarn.lock
+++ b/yarn.lock
		`@ -1 +1 @@`
			`Subproject commit bfeece324a03a3a5f25137bf3f8c66d5ed6103d8`				`Subproject commit 4facf6a44ee52a405794845f71584168b9db652c`