Upgrade specific JS/TS dependencies to close vulns

[darrenpmeyer]

Endor Labs in partnership with NetSkope Threat Labs examined this project for possible risks with dependencies for an internal project.

Most issues from prior releases have already been updated in the default branch (kudos! This speaks to amazing community practices), however we did find a few JavaScript/TypeScript dependencies that could be safely upgraded to fix/avoid vulnerabilities. This PR fixes those that we were able to revise without causing new npm test failures.

Note: these fixes were prepared and tested manually, this is not an automated PR. If there are quesstions or concerns, please feel free to reply directly.

Repaired in this PR:

• Upgrade pegjs-loader from 0.5.6 -> 0.5.8 (fix GHSA-76p3-8jx3-jpfq prototype pollution in [email protected], a dep of [email protected])

  npm test
  ...
  Test Suites: 2 skipped, 1063 passed, 1063 of 1065 total
  Tests:       5 skipped, 1 todo, 6595 passed, 6601 total
  Snapshots:   16 passed, 16 total
  Time:        182.893 s
  

• Upgrade react-router from 3.2.0 -> 3.2.6 (fix GHSA-r683-j2x4-v87g and GHSA-w7rc-rwvf-8q5r in [email protected], a dep of [email protected])

  npm test
  ...
  Test Suites: 2 skipped, 1063 passed, 1063 of 1065 total
  Tests:       5 skipped, 1 todo, 6595 passed, 6601 total
  Snapshots:   16 passed, 16 total
  Time:        184.996 s
  

• Upgrade Resolution of postcss from 8.4.27 -> 8.4.33 (fix GHSA-7fh5-64p2-3v2j line return parsing error)

  Test Suites: 2 skipped, 1063 passed, 1063 of 1065 total
  Tests:       5 skipped, 1 todo, 6595 passed, 6601 total
  Snapshots:   16 passed, 16 total
  Time:        193.247 s
  
  
  
  

Recommended future work -- not done in this PR:

• Upgrade marked from 0.7.0 -> 11.1.1 (0.7.0 is very outdated and contains a RegEx inefficiency bug; see GHSA-5v2h-r2cx-5xgj)

  • suggested minimum upgrade >= 9.0.3
  • remove @types/marked dependency as marked now provides its own types with newer versions
  • Why not fixed: make test-js reports many more errors after upgrade attempt; additional dev work is required for update

• Upgrade react-router to 6.21.x (come up to date to make future lifts easier)

  • Why not fixed: introduction of upgraded version caused excessive test failures

    Test Suites: 399 failed, 1 skipped, 665 passed, 1064 of 1065 total
    Tests:       567 failed, 3 skipped, 4451 passed, 5021 total
    Snapshots:   13 passed, 13 total
    Time:        216.466 s
    

• Force Upgrade json5 from 0.5.1 (and other versions) -> 2.2.3 (fix GHSA-9c47-m6qq-7p4h prototype pollution); using resolutions to override

  • Why not fixed: risk of change too high compared to vulnerability risk

  • experimented with using resolutions stanza "json5": "2.2.3" to override; tests do pass, but uncomfortable submitting patch for this change
    alongside other lower-risk changes, as it may require deeper testing to verify

    npm test
    ...
    Test Suites: 2 skipped, 1063 passed, 1063 of 1065 total
    Tests:       5 skipped, 1 todo, 6595 passed, 6601 total
    Snapshots:   16 passed, 16 total
    Time:        221.054 s
    

• Monitor crptyo-browserify for upgrade above 3.12.0 that includes browserify-sign>=4.2.2 (fix GHSA-x9w5-v3q2-3rhw signature forgery attack)

  • Why not fixed: This dependency does not currently have a new version, but has a relevant advisory related to it using an outdated browserify-sign

• Monitor json-refs for upgrade above 3.0.15 that includes cookiejar>=2.1.4 (fix GHSA-h452-7996-h45h ReDOS)

  • Why not fixed: This dependency does not currently have a new version, but has a relevant advisory related to it using an outdated cookiejar

• Monitor po-catalog-loader for upgrade above 2.0.0 to fix advisories related to [email protected]

  • Why not fixed: This dependency does not currently have a new version, but has three relevant advisories related to it using an outdated loader-utils
  • GHSA-76p3-8jx3-jpfq (prototype pollution in webpack)
  • GHSA-3rfm-jhwj-7488 and GHSA-hhq3-ff78-jv3g (ReDOS issues in regex parsing)

Legal Boilerplate

Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.

[getsantry]

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you remove the label Waiting for: Community, I will leave it alone ... forever!

---

"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

[chadwhitacre]

PR fell through the cracks, on my radar through an email thread with Netskope.

@getsentry/security @getsentry/dev-infra can you take a look?

[evanpurkhiser]

Hey @darrenpmeyer thanks for bumping these.

It's looking like the loader utils bump is causing the pegjs grammars to fail to compile

ERROR in ./app/components/searchSyntax/grammar.pegjs
Module build failed (from ../node_modules/pegjs-loader/lib/index.js):
Error: A valid query string passed to parseQuery should begin with '?'
    at Object.parseQuery (/home/runner/work/sentry/sentry/node_modules/pegjs-loader/node_modules/loader-utils/lib/parseQuery.js:13:11)
    at Object.loader (/home/runner/work/sentry/sentry/node_modules/pegjs-loader/lib/index.js:33:40)
 @ ./app/components/searchSyntax/parser.tsx 6:0-38 727:11-24
 @ ./app/components/modals/widgetViewerModal.tsx 23:0-68 304:48-59
 @ ./app/actionCreators/modal.tsx
 @ ./app/bootstrap/exportGlobals.tsx 42:9-[47](https://github.com/getsentry/sentry/actions/runs/7575692162/job/20632861540?pr=63470#step:8:48)
 @ ./app/bootstrap/initializeApp.tsx 2:0-25
 @ ./app/bootstrap/initializeMain.tsx
 @ ./app/index.tsx

Could you take a look at what's going on there? Thank you so much!

[darrenpmeyer]

Hey @darrenpmeyer thanks for bumping these.

It's looking like the loader utils bump is causing the pegjs grammars to fail to compile

I can't seem to get this to replicate on my side, @evanpurkhiser; if you'd like, we could pull that version bump out into a separate PR to not block this one while we figure out what's going on here?

[getsantry]

This pull request has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you add the label WIP, I will leave it alone unless WIP is removed ... forever!

---

"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

[chadwhitacre]

Oof. Sucks we didn't get to this, sorry. 😭 I've filed getsentry/eng-pipes#789 to address the underlying issue with PRs falling through the cracks of our custom GitHub notifications (clearly not optimized for external contributors 🙃).

Ftr, @scttcper upgraded react-router in #68926. He also said he removed all crypto dependencies recently but I don't have links. I guess we're in a position to revisit pegjs-loader separately if desired.