From ef9f42a2506507f954b318cae6d8f8a4754be7b5 Mon Sep 17 00:00:00 2001
From: Harold Wanyama
Date: Fri, 9 Aug 2024 20:25:55 +0300
Subject: [PATCH] Bug/Vulnerability Fixes - Addressed fast-xml-parser and ws vulnerability issues - Added AWS credentials
Signed-off-by: Harold Wanyama
---
 .github/workflows/build-pr.yml | 13 ++++++-------
 cla-backend-go/package.json | 5 +++--
 cla-backend-go/yarn.lock | 16 ++++++++--------
 cla-backend/package.json | 5 +++--
 cla-backend/yarn.lock | 16 ++++++++--------
 5 files changed, 28 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
index 8bdf66dbe..9f254f903 100644
--- a/.github/workflows/build-pr.yml
+++ b/.github/workflows/build-pr.yml
@@ -8,11 +8,13 @@ on: branches: - main + env: + AWS_REGION: us-east-1 STAGE: dev jobs: - build-pr: + build-deploy-dev: runs-on: ubuntu-latest environment: dev steps:
@@ -36,7 +38,7 @@ jobs:
 uses: actions/cache@v2
 with:
 path: ${{ github.workspace }}/go/pkg/mod
- key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
+ key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
 restore-keys: |
 ${{ runner.os }}-go-
@@ -78,10 +80,7 @@ jobs: - name: Go Dependencies working-directory: cla-backend-go - run: | go mod tidy go mod download make deps + run: make deps - name: Go Swagger Generate working-directory: cla-backend-go
@@ -100,4 +99,4 @@ jobs: - name: Go Lint working-directory: cla-backend-go - run: make lint + run: make lint \ No newline at end of file
diff --git a/cla-backend-go/package.json b/cla-backend-go/package.json
index ba99feec8..07fd70dae 100644
--- a/cla-backend-go/package.json
+++ b/cla-backend-go/package.json
@@ -45,7 +45,8 @@
 "qs": "^6.11.0",
 "set-value": "^4.0.1",
 "simple-git": "^3.16.0",
- "ws": "^7.4.6",
- "xmlhttprequest-ssl": "^1.6.2"
+ "ws": ">=7.5.10",
+ "xmlhttprequest-ssl": "^1.6.2",
+ "fast-xml-parser": ">=4.4.1"
 }
 }
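Review bot: The first workflow hunk renames the job to `build-deploy-dev` and keeps `environment: dev`, which signals that this job now deploys, yet the only AWS-related addition visible is `AWS_REGION: us-east-1`; the commit description says credentials were added, so confirm the credential step exists elsewhere in the file (it is in none of these hunks) before the job name is taken at face value. The trigger keyword under `on:` sits outside the hunk and the file is named `build-pr.yml`; if it fires on `pull_request`, a deploying job with access to the `dev` environment's secrets would run pull-request code, so the `dev` environment should carry required-reviewer protection or the deploy step should move to a push-to-main workflow. A `# deploys to dev; AWS credentials are expected from the dev environment secrets` comment above the job would make the intent explicit. The last hunk also drops the file's trailing newline (`\ No newline at end of file`); restore it.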
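Review bot: Adding `"fast-xml-parser": ">=4.4.1"` as a direct dependency does not override the transitive exact pin, and the paired `cla-backend-go/yarn.lock` hunk shows why this is fragile: it folds `fast-xml-parser@4.2.5` into an entry resolving to `4.4.1`, and folds `ws@^7.5.3, ws@^7.5.9` into `8.18.0`, which neither of those ranges admits, so the entries look hand-edited and a fresh `yarn install` may re-resolve them back to the vulnerable versions. The supported way to force transitive versions in Yarn is the `resolutions` field, `"resolutions": { "fast-xml-parser": "^4.4.1", "ws": "^7.5.10" }`, after which the lockfile should be regenerated by `yarn install` rather than edited. `">=7.5.10"` is also unbounded and has already pulled in ws 8.18.0, a new major with breaking changes from 7.x, so either bound the range with `^7.5.10` or deliberately adopt `^8.18.0` and check the code that consumes `ws`. The same three points apply to the `cla-backend/package.json` hunk, whose lockfile additionally switches the resolved host from `registry.npmjs.org` to `registry.yarnpkg.com`, another sign of manual editing.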
diff --git a/cla-backend-go/yarn.lock b/cla-backend-go/yarn.lock
index ee29a016f..071fc62e4 100644
--- a/cla-backend-go/yarn.lock
+++ b/cla-backend-go/yarn.lock
@@ -2903,10 +2903,10 @@ fast-safe-stringify@^2.1.1: resolved "https://registry.yarnpkg.com/fast-safe-stringify/-/fast-safe-stringify-2.1.1.tgz#c406a83b6e70d9e35ce3b30a81141df30aeba884" integrity sha512-W+KJc2dmILlPplD/H4K9l9LcAHAfPtP6BY84uVLXQ6Evcz9Lcg33Y2z1IVblT6xdY54PXYVHEv+0Wpq8Io6zkA== -fast-xml-parser@4.2.5: - version "4.2.5" - resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-4.2.5.tgz#a6747a09296a6cb34f2ae634019bf1738f3b421f" - integrity sha512-B9/wizE4WngqQftFPmdaMYlXoJlJOYxGQOanC77fq9k8+Z0v5dDSVh+3glErdIROP//s/jgb7ZuxKfB8nVyo0g== +fast-xml-parser@4.2.5, fast-xml-parser@>=4.4.1: + version "4.4.1" + resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-4.4.1.tgz#86dbf3f18edf8739326447bcaac31b4ae7f6514f" + integrity sha512-xkjOecfnKGkSsOwtZ5Pz7Us/T6mrbPQrq0nh+aCO5V9nk5NLWmasAHumTKjiPJPWANe+kAZ84Jc8ooJkzZ88Sw== dependencies: strnum "^1.0.5"
@@ -5448,10 +5448,10 @@ write-file-atomic@^4.0.2: imurmurhash "^0.1.4" signal-exit "^3.0.7" -ws@^7.4.6, ws@^7.5.3, ws@^7.5.9: - version "7.5.9" - resolved "https://registry.yarnpkg.com/ws/-/ws-7.5.9.tgz#54fa7db29f4c7cec68b1ddd3a89de099942bb591" - integrity sha512-F+P9Jil7UiSKSkppIiD94dN07AwvFixvLIj1Og1Rl9GGMuNipJnV9JzjD6XuqmAeiswGvUmNLjr5cFuXwNS77Q== +ws@>=7.5.10, ws@^7.5.3, ws@^7.5.9: + version "8.18.0" + resolved "https://registry.yarnpkg.com/ws/-/ws-8.18.0.tgz#0d7505a6eafe2b0e712d232b42279f53bc289bbc" + integrity sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw== xml2js@0.6.2: version "0.6.2"
diff --git a/cla-backend/package.json b/cla-backend/package.json
index 46dfa16d9..7737152cb 100644
--- a/cla-backend/package.json
+++ b/cla-backend/package.json
@@ -66,7 +66,8 @@
 "set-value": "^4.0.1",
 "shell-quote": "^1.7.3",
 "simple-git": "^3.16.0",
- "ws": "^7.4.6",
- "xmlhttprequest-ssl": "^1.6.2"
+ "ws": ">=7.5.10",
+ "xmlhttprequest-ssl": "^1.6.2",
+ "fast-xml-parser": ">=4.4.1"
 }
 }
diff --git a/cla-backend/yarn.lock b/cla-backend/yarn.lock
index c3f41ba70..5331fc1f3 100644
--- a/cla-backend/yarn.lock
+++ b/cla-backend/yarn.lock
@@ -2742,10 +2742,10 @@ fast-glob@^3.2.7, fast-glob@^3.2.9, fast-glob@^3.3.1: merge2 "^1.3.0" micromatch "^4.0.4" -fast-xml-parser@4.2.5: - version "4.2.5" - resolved "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.2.5.tgz" - integrity sha512-B9/wizE4WngqQftFPmdaMYlXoJlJOYxGQOanC77fq9k8+Z0v5dDSVh+3glErdIROP//s/jgb7ZuxKfB8nVyo0g== +fast-xml-parser@4.2.5, fast-xml-parser@>=4.4.1: + version "4.4.1" + resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-4.4.1.tgz#86dbf3f18edf8739326447bcaac31b4ae7f6514f" + integrity sha512-xkjOecfnKGkSsOwtZ5Pz7Us/T6mrbPQrq0nh+aCO5V9nk5NLWmasAHumTKjiPJPWANe+kAZ84Jc8ooJkzZ88Sw== dependencies: strnum "^1.0.5"
@@ -5006,10 +5006,10 @@ write-file-atomic@^4.0.2: imurmurhash "^0.1.4" signal-exit "^3.0.7" -ws@^7.4.6, ws@^7.5.3, ws@^7.5.9: - version "7.5.9" - resolved "https://registry.yarnpkg.com/ws/-/ws-7.5.9.tgz#54fa7db29f4c7cec68b1ddd3a89de099942bb591" - integrity sha512-F+P9Jil7UiSKSkppIiD94dN07AwvFixvLIj1Og1Rl9GGMuNipJnV9JzjD6XuqmAeiswGvUmNLjr5cFuXwNS77Q== +ws@>=7.5.10, ws@^7.5.3, ws@^7.5.9: + version "8.18.0" + resolved "https://registry.yarnpkg.com/ws/-/ws-8.18.0.tgz#0d7505a6eafe2b0e712d232b42279f53bc289bbc" + integrity sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw== xml2js@0.6.2: version "0.6.2"