Snyk July Review (#7895)

* updated packages for frontend and backend

* ran yarn add babel-jest to fix error Jest encountered an unexpected token

* fixed syntax error

* updated the dependency axios for smartystreets-javascript-sdk package update

* added transformIgnorePattern for axios, there is a known issue with the axios upgrade axios/axios#5101

* downgraded smartystreets and its dependencies down to original versions

* removed axios ignore and moved axios and babel-jest under devDependencies

backend/build.gradle

@@ -37,7 +37,7 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-actuator-autoconfigure'
 
     // graphql
-    implementation 'org.springframework.boot:spring-boot-starter-graphql'
+    implementation 'org.springframework.boot:spring-boot-starter-graphql:3.1.10'
     testImplementation 'org.springframework:spring-webflux'
     testImplementation 'org.springframework.graphql:spring-graphql-test'
     // graphql-java-extended-validation schema directives
@@ -56,12 +56,15 @@ dependencies {
      * Please do NOT scatter packages elsewhere around the file. Scattered packages make it easy for pins to become
      * stale.
      *
-     * DevSecOps verifies these packages at least once per month. LAST VERIFIED: 15 Feb 2024.
+     * DevSecOps verifies these packages at least once per month. LAST VERIFIED: 10 July 2024.
      */
     implementation 'com.squareup.okio:okio:3.9.0'
     implementation 'org.springframework:spring-core:6.0.16'
     implementation 'org.springframework.security:spring-security-core:6.1.8'
     implementation 'org.springframework.security:spring-security-oauth2-client:6.3.1'
+    implementation 'org.apache.tomcat.embed:tomcat-embed-core:10.1.25'
+    implementation 'org.apache.tomcat.embed:tomcat-embed-websocket:10.1.19'
+    implementation 'org.springframework.security:spring-security-web:6.1.7'
 
     // non-pinned security dependencies
     implementation 'org.owasp.encoder:encoder:1.2'

backend/gradle.lockfile

@@ -144,9 +144,10 @@ org.apache.httpcomponents:httpclient:4.5.13=compileClasspath,runtimeClasspath
 org.apache.httpcomponents:httpcore:4.4.16=compileClasspath,runtimeClasspath
 org.apache.logging.log4j:log4j-api:2.20.0=compileClasspath,runtimeClasspath
 org.apache.logging.log4j:log4j-to-slf4j:2.20.0=compileClasspath,runtimeClasspath
-org.apache.tomcat.embed:tomcat-embed-core:10.1.17=compileClasspath,runtimeClasspath
+org.apache.tomcat.embed:tomcat-embed-core:10.1.25=compileClasspath,runtimeClasspath
 org.apache.tomcat.embed:tomcat-embed-el:10.1.17=compileClasspath,runtimeClasspath
-org.apache.tomcat.embed:tomcat-embed-websocket:10.1.17=compileClasspath,runtimeClasspath
+org.apache.tomcat.embed:tomcat-embed-websocket:10.1.19=compileClasspath,runtimeClasspath
+org.apache.tomcat:tomcat-annotations-api:10.1.17=compileClasspath,runtimeClasspath
 org.aspectj:aspectjweaver:1.9.21=compileClasspath,runtimeClasspath
 org.attoparser:attoparser:2.0.7.RELEASE=compileClasspath,runtimeClasspath
 org.bouncycastle:bcpkix-jdk18on:1.73=compileClasspath
@@ -188,7 +189,7 @@ org.springframework.boot:spring-boot-devtools:3.1.7=runtimeClasspath
 org.springframework.boot:spring-boot-starter-aop:3.1.7=compileClasspath,runtimeClasspath
 org.springframework.boot:spring-boot-starter-cache:3.1.7=compileClasspath,runtimeClasspath
 org.springframework.boot:spring-boot-starter-data-jpa:3.1.7=compileClasspath,runtimeClasspath
-org.springframework.boot:spring-boot-starter-graphql:3.1.7=compileClasspath,runtimeClasspath
+org.springframework.boot:spring-boot-starter-graphql:3.1.10=compileClasspath,runtimeClasspath
 org.springframework.boot:spring-boot-starter-jdbc:3.1.7=compileClasspath,runtimeClasspath
 org.springframework.boot:spring-boot-starter-json:3.1.7=compileClasspath,runtimeClasspath
 org.springframework.boot:spring-boot-starter-logging:3.1.7=compileClasspath,runtimeClasspath
@@ -218,7 +219,7 @@ org.springframework.security:spring-security-oauth2-core:6.1.6=compileClasspath,
 org.springframework.security:spring-security-oauth2-jose:6.1.6=compileClasspath,runtimeClasspath
 org.springframework.security:spring-security-oauth2-resource-server:6.1.6=compileClasspath,runtimeClasspath
 org.springframework.security:spring-security-rsa:1.0.12.RELEASE=compileClasspath,runtimeClasspath
-org.springframework.security:spring-security-web:6.1.6=compileClasspath,runtimeClasspath
+org.springframework.security:spring-security-web:6.1.7=compileClasspath,runtimeClasspath
 org.springframework.session:spring-session-core:3.1.4=runtimeClasspath
 org.springframework.session:spring-session-jdbc:3.1.4=runtimeClasspath
 org.springframework:spring-aop:6.0.15=compileClasspath,runtimeClasspath

frontend/package.json

@@ -229,7 +229,9 @@
     "stylelint": "^13.13.1",
     "stylelint-config-standard": "^22.0.0",
     "typescript": "^5.3.2",
-    "webpack": "^5.76.0"
+    "webpack": "^5.76.0",
+    "axios": "^1.7.2",
+    "babel-jest": "^29.7.0"
   },
   "resolutions": {
     "http-cache-semantics": "4.1.1",

frontend/yarn.lock

@@ -5494,9 +5494,9 @@
     "@types/node" "*"
 
 "@types/smartystreets-javascript-sdk@^1.6.4":
-  version "1.6.6"
-  resolved "https://registry.yarnpkg.com/@types/smartystreets-javascript-sdk/-/smartystreets-javascript-sdk-1.6.6.tgz#89cec045f1dc30a91f096eaa263d7f56d56e1bbf"
-  integrity sha512-/+2rUeAcy8zy4tOPd+IfD2XKv8lLGHebxoo5skClW1NUYoIfcttbTF1yYitaGxMTXMDzUlzGw3i6PzxiEv7jVg==
+  version "1.6.10"
+  resolved "https://registry.yarnpkg.com/@types/smartystreets-javascript-sdk/-/smartystreets-javascript-sdk-1.6.10.tgz#d22d037d582091c28caf549424ee582636311773"
+  integrity sha512-WFbVCaojrbtyD81Pr7jM+R5lPQOhr2SjnF1jIDBw+FiRnYelYE3TXuRXF51KA7eOwnLT+kZsQ/ywdQHLp0ZcPA==
   dependencies:
     "@types/express" "*"
 
@@ -6781,6 +6781,15 @@ axios@^0.26.1:
   dependencies:
     follow-redirects "^1.14.8"
 
+axios@^1.7.2:
+  version "1.7.2"
+  resolved "https://registry.yarnpkg.com/axios/-/axios-1.7.2.tgz#b625db8a7051fbea61c35a3cbb3a1daa7b9c7621"
+  integrity sha512-2A8QhOMrbomlDuiLeK9XibIBzuHeRcqqNOHp0Cyp5EoJ1IFDh+XZH3A6BkXtv0K4gFGCI0Y4BM7B1wOEi0Rmgw==
+  dependencies:
+    follow-redirects "^1.15.6"
+    form-data "^4.0.0"
+    proxy-from-env "^1.1.0"
+
 axobject-query@^2.2.0:
   version "2.2.0"
   resolved "https://registry.yarnpkg.com/axobject-query/-/axobject-query-2.2.0.tgz#943d47e10c0b704aa42275e20edf3722648989be"
@@ -9722,7 +9731,7 @@ focus-trap@^7.5.4:
   dependencies:
     tabbable "^6.2.0"
 
-follow-redirects@^1.0.0, follow-redirects@^1.14.8:
+follow-redirects@^1.0.0, follow-redirects@^1.14.8, follow-redirects@^1.15.6:
   version "1.15.6"
   resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.6.tgz#7f815c0cda4249c74ff09e95ef97c23b5fd0399b"
   integrity sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==
@@ -9771,7 +9780,7 @@ fork-ts-checker-webpack-plugin@^8.0.0:
     semver "^7.3.5"
     tapable "^2.2.1"
 
-[email protected]:
+[email protected], form-data@^4.0.0:
   version "4.0.0"
   resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.0.tgz#93919daeaf361ee529584b9b31664dc12c9fa452"
   integrity sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww==
@@ -14405,6 +14414,11 @@ proxy-addr@~2.0.7:
     forwarded "0.2.0"
     ipaddr.js "1.9.1"
 
+proxy-from-env@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/proxy-from-env/-/proxy-from-env-1.1.0.tgz#e102f16ca355424865755d2c9e8ea4f24d58c3e2"
+  integrity sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==
+
 psl@^1.1.33:
   version "1.9.0"
   resolved "https://registry.yarnpkg.com/psl/-/psl-1.9.0.tgz#d0df2a137f00794565fcaf3b2c00cd09f8d5a5a7"
@@ -15678,9 +15692,9 @@ slice-ansi@^4.0.0:
     is-fullwidth-code-point "^3.0.0"
 
 smartystreets-javascript-sdk@^3.2.0:
-  version "3.2.0"
-  resolved "https://registry.yarnpkg.com/smartystreets-javascript-sdk/-/smartystreets-javascript-sdk-3.2.0.tgz#1f6f0e9353298a5f87755cb3fe1dd523fd033257"
-  integrity sha512-+67s2ISG9vivWMwduOl9d4Vba72ooqxw3TPf5KMXY4GUU4YbLF2/XMSBSM62Aou0GMrwjEHGAjC21k1F54lkQg==
+  version "3.3.0"
+  resolved "https://registry.yarnpkg.com/smartystreets-javascript-sdk/-/smartystreets-javascript-sdk-3.3.0.tgz#759d2e2af5dc785cbe683185826c597f02d24fce"
+  integrity sha512-GnQsELshuVTmDIsnptU+1ubluXHcvxICIIOO2jFHso06PQvB6Ql9iQnJxptpx46kyCSH/zoeCcUsKeHjrdj0ZA==
   dependencies:
     axios "^0.26.1"
     axios-retry "3.2.0"