
[Snyk] Security upgrade eta from 1.12.3 to 2.0.0 #2707

Open
wants to merge 287 commits into
base: main

Conversation

bot-linagora

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • twake/backend/node/package.json
    • twake/backend/node/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| high severity | 798/1000 (Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.1) | Remote Code Execution (RCE), SNYK-JS-ETA-2936803 | Yes | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.
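One way to verify that the lockfile really no longer carries a copy of eta below the fixed version, including transitive copies nested under another package (an added example, not Snyk's or Twake's code; the sample lockfile and the package name `some-template-plugin` are constructed):

```python
"""Flag copies of a dependency in package-lock.json that are below the fixed version.

Constructed check for this PR (eta 1.12.3 -> 2.0.0, SNYK-JS-ETA-2936803);
not part of the Twake code base or of Snyk's tooling.
"""
import json

FIXED_VERSION = "2.0.0"  # first eta version listed as fixed in the PR


def parse_semver(version: str) -> tuple:
    """'2.0.0' -> (2, 0, 0). Pre-release/build suffixes are ignored (simplification)."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def installed_versions(lock: dict, name: str) -> dict:
    """Return {path: version} for every copy of `name`, for lockfileVersion 1, 2 and 3."""
    found = {}
    # lockfileVersion 2/3: flat "packages" map keyed by path, e.g. node_modules/a/node_modules/eta
    for path, meta in lock.get("packages", {}).items():
        if path.split("/")[-1] == name and "version" in meta:
            found[path] = meta["version"]

    # lockfileVersion 1 (also present in v2 for compatibility): nested "dependencies" trees
    def walk(deps: dict, prefix: str) -> None:
        for dep, meta in deps.items():
            path = f"{prefix}node_modules/{dep}"
            if dep == name and "version" in meta:
                found[path] = meta["version"]
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def vulnerable_copies(lock: dict, name: str = "eta", fixed: str = FIXED_VERSION) -> dict:
    """Only the copies whose version is below the fixed version."""
    return {p: v for p, v in installed_versions(lock, name).items()
            if parse_semver(v) < parse_semver(fixed)}


# Constructed lockfile: the direct dependency was upgraded, but a transitive copy
# under the hypothetical package "some-template-plugin" is still on 1.12.3.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 2,
  "packages": {
    "node_modules/eta": {"version": "2.0.0"},
    "node_modules/some-template-plugin": {"version": "1.0.0"},
    "node_modules/some-template-plugin/node_modules/eta": {"version": "1.12.3"}
  }
}""")

if __name__ == "__main__":
    for path, version in vulnerable_copies(SAMPLE_LOCK).items():
        print(f"{path}: {version} < {FIXED_VERSION} (still vulnerable)")
```

Run it against the real `twake/backend/node/package-lock.json` by loading that file with `json.load` in place of `SAMPLE_LOCK`.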


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.


stephanevieira75 and others added 30 commits February 16, 2022 11:37
* Add esperanto

* Add new language to all possible languages
* Fix #1818

* Fix #1963

* Fix #1861

* Fix #1964

* Fix #1790

* Keep company total member up to date #1901

* Fix frontend loop

* Version update and changelogs

* Fix tests

* No parameters

* Just one

* Remove unused and broken decorator

* Improve mentions logging

* Fix events for mentions

* Add spellcheck to editor

* Update changelog

* Using right pubsub service

* Add more logs

* More logs

* Fix typo

* Fix recent_workspaces camelcase

* Update default notification in mentions

* Fixing tests

* Fix mention specs

* Add timeout

* Set notification level on creation

* Should be good

* Fix member update event
* #1934 Move channel members types in features/channel-members/types

* #1934 Update channel-members-api-client.ts

* #1934 Add channel members state in features/channel-members

* #1934 Add use channel members hook in features/channel-members

* #1934 Implement channel members and pending emails state

* #1934 Add use channel guests hook

* #1927 Upgrade antd from 4.16.13 to 4.18.3

* #1928 Upgrade react-i18next from 11.12.0 to 11.15.3

* #1934 Implement Channel Members real time

Co-authored-by: Romaric Mourgues <[email protected]>
* Fix translation and limit value

* Fix how we manage active features

* Fix join error 500

* Fix set request_url

* Add link to go to the console see all the company members

* Disable elasticsearch source
* Fix err 500 on join

* Fix useless call to backend

* Improve mentions test
add more verbose messages to start.sh
* Finally, do not change all the versions

* Get back to master versions

* Types are magically ok now

* Update amqplib

* Update lock

* Add redis to the list

* Retry new versions

* Add logs

* Correctly init fastify and socket.io

* Fix duplicated io

* Try to see readiness issue

* Put back code

* Put back code

* Fastify init before

* Test 2

* Add a onReady function

* Add binding

* Not undefined

* Add allowEIO3: true

* Add some logs

* Fix auth process

* Execute all the tests
* Send mobile configuration from backend

* Fix #1985

* Implements #1929

* Fix #1997

* Fix removing users

* Fix #1969

* Fix #1999

* Remove console log
* Update dependencies

* Update sass

* Fix new types in Antd
* Set consistency level to quorum

* Fix test configuration

* Create utilities to fix db broken repair

* Add fix thread tool

* Prepare cluster migrator

* Soon it will work

* Fix import

* Select only the dest columns

* Add more fixes

* Fix and add emojis

* Add forceUpdateAll parameter

* WIP

* Add counters table ignored

* Remove logs forgotten in #1987

* Add special fields handlers

* Fixes from server tests

* Add a script to copy messages specifically
* Channel + search changes

* Add logs when es index is dropped

* Add option to reindex messages, also add options to the search endpoint

* Add files in message searchable content

* Fix addUsersToChannel in tests

* Fix other stuff

* Is this stuff used in tests ?

* Fix search messages

* Fix search prefixes

* Fix tests for mongo too
* Avoid sending "members" in api response for non direct channels

* Fix mobile redirection again

* Fix css

* Fix bug

* Fix snake case / camel case

* Fix tests for applications
* search improve

* fix tests for cassandra

* fixed cache stuff

* sender and has_files impl

* some small last fixes

* some small last fixes
* #1960 Implement users list search in frontend

* #1960 Implement workspace list in user object

* #1960 Add missing translations in workspace members table

* #1960 Filter results in channel participants popup

* #1960 Add guests in user list state

* #1960 Allow mentions to use user list state

* #1960 Add ellipsis in member channel row

* #1960 Resolve threads
* Fix is writing css

* Re-implement mentions highlighting

* Typo + prepare large version of files

* Update popup page view

* Finish large view of files

* Fix typo

* Fix css for isWriting

* Back to previous yarn.lock

* Fix download route using findOne

* Fix sending message before upload finishes

* Update changelog.md
* 🌍Translated using Weblate (French)

Currently translated at 100.0% (872 of 872 strings)

🌍Translated using Weblate (German)

Currently translated at 97.3% (849 of 872 strings)

Merge remote-tracking branch 'origin/develop' into develop

Merge remote-tracking branch 'origin/develop' into develop

Merge remote-tracking branch 'origin/develop' into develop

🌍Translated using Weblate (German)

Currently translated at 97.3% (849 of 872 strings)

🌍Translated using Weblate (French)

Currently translated at 100.0% (872 of 872 strings)

🌍Translated using Weblate (Esperanto)

Currently translated at 0.0% (0 of 872 strings)

🌍Translated using Weblate (Italian)

Currently translated at 99.1% (865 of 872 strings)

🌍Translated using Weblate (Sinhala)

Currently translated at 95.8% (836 of 872 strings)

🌍Translated using Weblate (Chinese (Simplified))

Currently translated at 95.9% (837 of 872 strings)

🌍Translated using Weblate (Norwegian Bokmål)

Currently translated at 95.9% (837 of 872 strings)

🌍Translated using Weblate (Turkish)

Currently translated at 95.9% (837 of 872 strings)

🌍Translated using Weblate (Finnish)

Currently translated at 95.9% (837 of 872 strings)

🌍Translated using Weblate (Basque)

Currently translated at 96.4% (841 of 872 strings)

🌍Translated using Weblate (Vietnamese)

Currently translated at 99.0% (864 of 872 strings)

🌍Translated using Weblate (Russian)

Currently translated at 99.8% (871 of 872 strings)

🌍Translated using Weblate (Japanese)

Currently translated at 95.9% (837 of 872 strings)

🌍Translated using Weblate (Spanish)

Currently translated at 97.3% (849 of 872 strings)

Co-authored-by: Anonymous <[email protected]>
Co-authored-by: Hosted Weblate <[email protected]>
Co-authored-by: J. Lavoie <[email protected]>
Translate-URL: https://hosted.weblate.org/projects/linagora/twake-chat-web/de/
Translate-URL: https://hosted.weblate.org/projects/linagora/twake-chat-web/eo/
Translate-URL: https://hosted.weblate.org/projects/linagora/twake-chat-web/es/
Translate-URL: https://hosted.weblate.org/projects/linagora/twake-chat-web/eu/
Translate-URL: https://hosted.weblate.org/projects/linagora/twake-chat-web/fi/
Translate-URL: https://hosted.weblate.org/projects/linagora/twake-chat-web/fr/
Translate-URL: https://hosted.weblate.org/projects/linagora/twake-chat-web/it/
Translate-URL: https://hosted.weblate.org/projects/linagora/twake-chat-web/ja/
Translate-URL: https://hosted.weblate.org/projects/linagora/twake-chat-web/nb_NO/
Translate-URL: https://hosted.weblate.org/projects/linagora/twake-chat-web/ru/
Translate-URL: https://hosted.weblate.org/projects/linagora/twake-chat-web/si/
Translate-URL: https://hosted.weblate.org/projects/linagora/twake-chat-web/tr/
Translate-URL: https://hosted.weblate.org/projects/linagora/twake-chat-web/vi/
Translate-URL: https://hosted.weblate.org/projects/linagora/twake-chat-web/zh_Hans/
Translation: Linagora/Twake Chat Web

* Fix missing pinned messages

* Update version

Co-authored-by: Hosted Weblate <[email protected]>
Co-authored-by: Anonymous <[email protected]>
Co-authored-by: J. Lavoie <[email protected]>
* Start cleanup

* Fix width for not large pictures

* Improve preview generation, jwt cleaning, apps command

* Make channels menus async loaded to have faster channels

* Fixing state management bugs

* Fix openDiscussion

* Fix direct channels list not everywhere

* Remove channels.js deprecated service

* Put back auto select channel

* Fix preview file before send + load bar

* Add ascii folding

* Update pinned view API and add flat option

* Update dockers

* Fix the dockers

* Fix package.json and backend build

* Fix docker

* Add logs

* Fix mongo search test

* Fix typo in elasticsearch

* Add logs for ES

* Try to show the log

* Fix #2031

* Fix #2031

* Fix direct chat not reordered automatically

* Fix "Bar" channel is empty and won't load

* Show the logs in es tests

* Fix to locale lower case

* Remove useless logs

* Make sure users are deleted from where they should be deleted

* Update comment + rm console.log
* Fix 500 error on ensureBadgesAreReachable

* Fix error

* Fix indexing command error
* app management

* #2001 Refacto application management in frontend part 1

* #2001 Refacto application management in frontend part 2

* #2001 Fix backend applications schema

* #2001 Add translations part 1

* Add options to run-all.js

* Fix create application schema

* Fix request auth on apps

* Fix response code for tests

* #2001 Add missing translations

Co-authored-by: romka <[email protected]>
Co-authored-by: Romaric Mourgues <[email protected]>
* Put back minimal stuff for search

* Fix mention search with accents

* Fix mention search with accents
* Fix include_users for flat=1 api

* Debug

* Fix tests
Oubchid and others added 28 commits September 23, 2022 13:47
* 🌟 Add notifications preferences

* 🌟 Add notif page + change email notif delay

* 🌟 Add translations
* Fix notifications preferences, add realtime update of channel counter

* Fix participants not loading

* Improving #2488
🌟 added migration command to set every old messages as seen by everyone in public channels
* Update knowledge graph

* Fix #2546

* Fix #2527
* 🌟 Add sound type notification

* 🌟 Add sound in push desktop notification

* Try to find test error origin

* Fixing frontend tests

Co-authored-by: Romaric Mourgues <[email protected]>
* Fix potential not set cache

* Fix minor frontend bug

* Fix old mention stuff
* 🛠 Fix online service typo

* Remove code
* Do not return files that don't exist anymore

* Fix filter
* 🛠 Fix scrollbar on documents

* Fix helpbar
* Refactored Dockerfiles to reduce excessive RUNs

This will make docker builds use less layers for building images.
Build time will also be increased (due to caching for fewer layers)
Moved nginx images to multi-stage build and restructured the build steps

* Re-added missing slash

* Modified the compose for local development

* Changed to latest LTS and force legacy peer deps
* Fix https://huntr.dev/bounties/bfd935f4-2d1d-4d3f-8b59-522abe7dd065/

* Fix access control over posting messages to channels / threads

* Fix typo

* Fix some tests

* Fix one of the tests

* Fix test

* Fix another test

* Still fixing the search one

* Fix 2 tests cases

* Fixed some stuff

* Fixed some stuff

* Finished fixing tests
🎉 Yesterday we decided to change our software licenses to AGPL v3.

We will adopt the AGPL v3 (without any modification) for Twake. It concerns 100% of the source code of the software.
This approach is part of our plan to clarify LINAGORA's positioning and also to facilitate stronger links with our ecosystem.
…k.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ETA-2936803
@RomaricMourgues RomaricMourgues force-pushed the main branch 2 times, most recently from d9b9f0a to 224f83d Compare March 24, 2023 09:34