fix: Vulnerable Dependencies (#433)

* chore(frontend): Auto-update dependencies * fix(frontend): Add resolutions for vulnerably dependencies * fix(frontend): Update other dependencies * fix(services): Add resolutions for vulnerably dependencies * chore(services): Auto-update dependencies * chore(backend): Update dependencies * fix(backend): Override backend jetty versions to fix vulnerabilities
fujaba · Oct 8, 2024 · eb68406 · eb68406
1 parent 9fa884c
commit eb68406
Show file tree

Hide file tree

Showing 6 changed files with 1,495 additions and 1,450 deletions.
diff --git a/backend/build.gradle b/backend/build.gradle
@@ -30,6 +30,8 @@ repositories {
 }
 
 ext {
+	// IMPORTANT: When changing these versions, also update the constants in ProjectZipControllerTest.java
+
 	// https://mvnrepository.com/artifact/org.fulib/fulib
 	fulibDependency = [ group: 'org.fulib', name: 'fulib', version: '1.6.2' ]
 
@@ -49,15 +51,15 @@ ext {
 	junitDependency = [ group: 'junit', name: 'junit', version: '4.13.2' ]
 
 	// https://mvnrepository.com/artifact/org.slf4j/slf4j-simple
-	slf4jDependency = [ group: 'org.slf4j', name: 'slf4j-simple', version: '2.0.13' ]
+	slf4jDependency = [ group: 'org.slf4j', name: 'slf4j-simple', version: '2.0.16' ]
 }
 
 dependencies {
 	// --------------- Dagger (Dependency Injection) ---------------
 
 	// https://mvnrepository.com/artifact/com.google.dagger/dagger
-	implementation 'com.google.dagger:dagger:2.51.1'
-	annotationProcessor 'com.google.dagger:dagger-compiler:2.51.1'
+	implementation 'com.google.dagger:dagger:2.52'
+	annotationProcessor 'com.google.dagger:dagger-compiler:2.52'
 
 	// --------------- Fulib Libraries ---------------
 
@@ -77,7 +79,17 @@ dependencies {
 	implementation group: 'commons-io', name: 'commons-io', version: '2.17.0'
 
 	// https://mvnrepository.com/artifact/com.sparkjava/spark-core
-	implementation group: 'com.sparkjava', name: 'spark-core', version: '2.9.4'
+	implementation group: 'com.sparkjava', name: 'spark-core', version: '2.9.4', {
+		// Older Jetty versions required by Spark are vulnerable
+		// See https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server/9.4.48.v20220622
+		exclude group: 'org.eclipse.jetty', module: 'jetty-server'
+		exclude group: 'org.eclipse.jetty', module: 'jetty-webapp'
+	}
+
+	// https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server
+	implementation group: 'org.eclipse.jetty', name: 'jetty-server', version: '9.4.56.v20240826'
+	// https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-webapp
+	implementation group: 'org.eclipse.jetty', name: 'jetty-webapp', version: '9.4.56.v20240826'
 
 	// https://mvnrepository.com/artifact/org.json/json
 	implementation group: 'org.json', name: 'json', version: '20240303'
@@ -91,7 +103,7 @@ dependencies {
 	testImplementation slf4jDependency
 
 	// https://mvnrepository.com/artifact/org.mockito/mockito-core
-	testImplementation group: 'org.mockito', name: 'mockito-core', version: '5.12.0'
+	testImplementation group: 'org.mockito', name: 'mockito-core', version: '5.14.1'
 }
 
 // --------------- Version Injection ---------------

diff --git a/backend/src/test/java/org/fulib/webapp/projectzip/ProjectZipControllerTest.java b/backend/src/test/java/org/fulib/webapp/projectzip/ProjectZipControllerTest.java
@@ -57,7 +57,7 @@ public class ProjectZipControllerTest
 			\tfulibScenarios group: 'org.fulib', name: 'fulibScenarios', version: '1.7.1'
 
 			\t// https://mvnrepository.com/artifact/org.slf4j/slf4j-simple
-			\tfulibScenarios group: 'org.slf4j', name: 'slf4j-simple', version: '2.0.13'
+			\tfulibScenarios group: 'org.slf4j', name: 'slf4j-simple', version: '2.0.16'
 
 			\t// https://mvnrepository.com/artifact/org.fulib/fulibTools
 			\ttestImplementation group: 'org.fulib', name: 'fulibTools', version: '1.6.0'
@@ -69,7 +69,7 @@ public class ProjectZipControllerTest
 			\ttestImplementation group: 'junit', name: 'junit', version: '4.13.2'
 
 			\t// https://mvnrepository.com/artifact/org.slf4j/slf4j-simple
-			\ttestImplementation group: 'org.slf4j', name: 'slf4j-simple', version: '2.0.13'
+			\ttestImplementation group: 'org.slf4j', name: 'slf4j-simple', version: '2.0.16'
 			}
 
 			generateScenarioSource {

diff --git a/frontend/package.json b/frontend/package.json
@@ -11,59 +11,59 @@
   },
   "private": true,
   "dependencies": {
-    "@angular/animations": "^18.2.6",
-    "@angular/cdk": "^18.2.6",
-    "@angular/common": "^18.2.6",
-    "@angular/compiler": "^18.2.6",
-    "@angular/core": "^18.2.6",
-    "@angular/forms": "^18.2.6",
-    "@angular/localize": "^18.2.6",
-    "@angular/platform-browser": "^18.2.6",
-    "@angular/platform-browser-dynamic": "^18.2.6",
-    "@angular/router": "^18.2.6",
-    "@angular/service-worker": "^18.2.6",
+    "@angular/animations": "^18.2.7",
+    "@angular/cdk": "^18.2.7",
+    "@angular/common": "^18.2.7",
+    "@angular/compiler": "^18.2.7",
+    "@angular/core": "^18.2.7",
+    "@angular/forms": "^18.2.7",
+    "@angular/localize": "^18.2.7",
+    "@angular/platform-browser": "^18.2.7",
+    "@angular/platform-browser-dynamic": "^18.2.7",
+    "@angular/router": "^18.2.7",
+    "@angular/service-worker": "^18.2.7",
     "@ctrl/ngx-codemirror": "^7.0.0",
     "@mean-stream/ngbx": "^0.13.0",
-    "@ng-bootstrap/ng-bootstrap": "^16.0.0",
+    "@ng-bootstrap/ng-bootstrap": "^17.0.1",
     "@popperjs/core": "^2.11.8",
     "@sentry/angular-ivy": "^7.114.0",
-    "angular-gridster2": "^17.0.0",
+    "angular-gridster2": "^18.0.1",
     "angular-split": "^17.2.0",
     "bootstrap": "~5.3.3",
     "bootstrap-icons": "^1.11.3",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.1",
     "codemirror": "^5.65.18",
-    "diff": "^5.2.0",
+    "diff": "^7.0.0",
     "file-saver": "^2.0.5",
     "highlight.js": "^11.10.0",
-    "keycloak-angular": "^15.3.0",
+    "keycloak-angular": "^16.0.1",
     "keycloak-js": "21.1.2",
     "markdown-it": "^14.1.0",
     "ngx-clipboard": "^16.0.0",
-    "ngx-drag-drop": "^17.0.0",
+    "ngx-drag-drop": "^18.0.2",
     "rxjs": "~7.8.1",
     "tslib": "^2.7.0",
     "turndown": "^7.2.0",
     "zone.js": "^0.14.10"
   },
   "devDependencies": {
-    "@angular-devkit/build-angular": "^18.2.6",
+    "@angular-devkit/build-angular": "^18.2.7",
     "@angular-eslint/builder": "^18.3.1",
     "@angular-eslint/eslint-plugin": "^18.3.1",
     "@angular-eslint/eslint-plugin-template": "^18.3.1",
     "@angular-eslint/schematics": "^18.3.1",
     "@angular-eslint/template-parser": "^18.3.1",
-    "@angular/cli": "^18.2.6",
-    "@angular/compiler-cli": "^18.2.6",
-    "@angular/language-service": "^18.2.6",
+    "@angular/cli": "^18.2.7",
+    "@angular/compiler-cli": "^18.2.7",
+    "@angular/language-service": "^18.2.7",
     "@types/codemirror": "^5.60.15",
-    "@types/diff": "^5.2.2",
+    "@types/diff": "^5.2.3",
     "@types/file-saver": "^2.0.7",
     "@types/jasmine": "~4.3.6",
     "@types/jasminewd2": "~2.0.13",
-    "@types/markdown-it": "^13.0.9",
-    "@types/node": "^20.16.10",
+    "@types/markdown-it": "^14.1.2",
+    "@types/node": "^22.7.5",
     "@types/turndown": "^5.0.5",
     "@typescript-eslint/eslint-plugin": "^6.21.0",
     "@typescript-eslint/parser": "^6.21.0",
@@ -80,7 +80,9 @@
   },
   "resolutions": {
     "axios": "^1.6.0",
-    "webpack-dev-middleware": "^6.1.2"
+    "webpack-dev-middleware": "^6.1.2",
+    "cookie@<0.7.0": ">=0.7.0",
+    "@sentry/browser@<7.119.1": "^7.119.1"
   },
   "packageManager": "[email protected]+sha512.0a203ffaed5a3f63242cd064c8fb5892366c103e328079318f78062f24ea8c9d50bc6a47aa3567cabefd824d170e78fa2745ed1f16b132e16436146b7688f19b"
 }