Dependabot Alert: Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS #334
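The issue title names the vulnerability class but the page carries no description of it. The model below is an added example, not Vite's code and not this project's code: it shows, in Node without a browser, how a DOM Clobbering gadget in a bundled script becomes XSS. The pattern it models (a bundle trusting `document.currentScript` to compute the base URL for the chunks it loads later) is an assumption about what the Vite gadget looks like; the page does not state it. The hardened variant shows the kind of check used to close this class of gadget. All names (`makeDocument`, `resolveAssetBaseVulnerable`, `resolveAssetBaseHardened`, `chunkUrl`, the `app.example` and `attacker.example` origins) are invented for the example, and the page and elements are constructed inline.

```javascript
// Added example, not Vite's or this project's code: a Node-only model of the
// class of DOM Clobbering gadget named in the alert title. The gadget actually
// present in Vite's bundled output is not described on this page; the pattern
// modelled here (a bundle trusting `document.currentScript` for its asset base
// URL) is an assumption about that class.

// Stand-in for an HTML element. In a browser these are the HTMLElement objects
// the parser builds from markup.
function el(tagName, attrs = {}) {
  return { tagName: tagName.toUpperCase(), ...attrs };
}

// Stand-in for `document`. It models the one HTML-spec rule that makes the
// gadget possible: named property access on Document is [LegacyOverrideBuiltIns],
// so an element whose `name` or `id` matches a property name shadows that
// property, `document.currentScript` included.
function makeDocument(currentScript, injectedElements) {
  const builtins = { currentScript };
  return new Proxy(builtins, {
    get(target, prop) {
      const named = injectedElements.find((e) => e.name === prop || e.id === prop);
      return named !== undefined ? named : target[prop];
    },
  });
}

// Directory part of a script URL, e.g. "https://h/assets/x.js" -> "https://h/assets/".
function baseFromSrc(src) {
  return src.slice(0, src.lastIndexOf('/') + 1);
}

// Vulnerable pattern: trust whatever `document.currentScript` returns.
function resolveAssetBaseVulnerable(doc, fallback) {
  const s = doc.currentScript;
  return s && typeof s.src === 'string' ? baseFromSrc(s.src) : fallback;
}

// Hardened pattern: use the value only if it really is a <script> element.
// In a browser the equivalent check is `s instanceof HTMLScriptElement`;
// the model has no element classes, so it compares tagName.
function resolveAssetBaseHardened(doc, fallback) {
  const s = doc.currentScript;
  const isScript =
    Boolean(s) && typeof s.tagName === 'string' && s.tagName.toUpperCase() === 'SCRIPT';
  return isScript && typeof s.src === 'string' ? baseFromSrc(s.src) : fallback;
}

// Where the base ends up: the URL of a lazily loaded chunk that the bundle
// injects as <script src="..."> or <link href="...">. If the base is
// attacker-controlled, the attacker's script runs in the page: that is the XSS.
function chunkUrl(base, chunkName) {
  return base + chunkName;
}

// Constructed scenario (not from the page). The legitimate bundle is served
// from the app origin; the attacker can inject only scriptless HTML such as
// <img name="currentScript" src="https://attacker.example/x/">.
const LEGIT_SCRIPT = el('script', { src: 'https://app.example/assets/index-abc123.js' });
const CLOBBER_IMG = el('img', { name: 'currentScript', src: 'https://attacker.example/x/' });
const FALLBACK_BASE = '/assets/';

function demo() {
  const cleanDoc = makeDocument(LEGIT_SCRIPT, []);
  const clobberedDoc = makeDocument(LEGIT_SCRIPT, [CLOBBER_IMG]);
  const vulnBase = resolveAssetBaseVulnerable(clobberedDoc, FALLBACK_BASE);
  const hardBase = resolveAssetBaseHardened(clobberedDoc, FALLBACK_BASE);
  return {
    cleanVulnerable: resolveAssetBaseVulnerable(cleanDoc, FALLBACK_BASE),
    clobberedVulnerable: vulnBase,
    clobberedHardened: hardBase,
    vulnerableChunk: chunkUrl(vulnBase, 'chunk-deadbeef.js'),
    hardenedChunk: chunkUrl(hardBase, 'chunk-deadbeef.js'),
  };
}

console.log(demo());
```

The check in `resolveAssetBaseHardened` lives inside the bundler's runtime, so an application fixes this alert by taking the patched Vite release (the dependency bump this issue tracks), not by editing its own source. The second line of defence is on the HTML side: any sanitizer applied to user-supplied markup must strip or namespace `id` and `name` attributes that could collide with `document` properties, since the injected `<img>` above carries no script at all and passes a script-only filter.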
| 334 Acceptance Criteria | Comments/Additional Notes |
|---|---|
| ADA Compliance (Automated scan via Chrome Lighthouse) | Passed 10/15/2024 - JSD |

Thanks for explaining on the demo, I am moving to Done.
felder101 added a commit that referenced this issue on Oct 18, 2024

felder101 added a commit that referenced this issue on Nov 19, 2024
* Gsa/staging/production release (#148)
  * Bump get-func-name from 2.0.0 to 2.0.2 in /front-end

    Bumps [get-func-name](https://github.com/chaijs/get-func-name) from 2.0.0 to 2.0.2.
    - [Release notes](https://github.com/chaijs/get-func-name/releases)
    - [Commits](https://github.com/chaijs/get-func-name/commits/v2.0.2)

    ---
    updated-dependencies:
    - dependency-name: get-func-name
      dependency-type: indirect
    ...

    Signed-off-by: dependabot[bot] <[email protected]>
  * Bump @vue/eslint-config-prettier from 7.1.0 to 8.0.0 in /front-end

    Bumps [@vue/eslint-config-prettier](https://github.com/vuejs/eslint-config-prettier) from 7.1.0 to 8.0.0.
    - [Release notes](https://github.com/vuejs/eslint-config-prettier/releases)
    - [Changelog](https://github.com/vuejs/eslint-config-prettier/blob/main/CHANGELOG.md)
    - [Commits](vuejs/eslint-config-prettier@v7.1.0...v8.0.0)

    ---
    updated-dependencies:
    - dependency-name: "@vue/eslint-config-prettier"
      dependency-type: direct:development
      update-type: version-update:semver-major
    ...

    Signed-off-by: dependabot[bot] <[email protected]>
  * Bump eslint-plugin-vue from 9.16.1 to 9.17.0 in /front-end

    Bumps [eslint-plugin-vue](https://github.com/vuejs/eslint-plugin-vue) from 9.16.1 to 9.17.0.
    - [Release notes](https://github.com/vuejs/eslint-plugin-vue/releases)
    - [Commits](vuejs/eslint-plugin-vue@v9.16.1...v9.17.0)

    ---
    updated-dependencies:
    - dependency-name: eslint-plugin-vue
      dependency-type: direct:development
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>
  * Bump wheel from 0.41.1 to 0.41.2

    Bumps [wheel](https://github.com/pypa/wheel) from 0.41.1 to 0.41.2.
    - [Changelog](https://github.com/pypa/wheel/blob/main/docs/news.rst)
    - [Commits](pypa/wheel@0.41.1...0.41.2)

    ---
    updated-dependencies:
    - dependency-name: wheel
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <[email protected]>
  * Bump @rushstack/eslint-patch from 1.3.2 to 1.5.1 in /front-end

    Bumps [@rushstack/eslint-patch](https://github.com/microsoft/rushstack/tree/HEAD/eslint/eslint-patch) from 1.3.2 to 1.5.1.
    - [Changelog](https://github.com/microsoft/rushstack/blob/main/eslint/eslint-patch/CHANGELOG.md)
    - [Commits](https://github.com/microsoft/rushstack/commits/@rushstack/eslint-patch_v1.5.1/eslint/eslint-patch)

    ---
    updated-dependencies:
    - dependency-name: "@rushstack/eslint-patch"
      dependency-type: direct:development
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>
  * Bump @cypress/request and cypress in /front-end

    Bumps [@cypress/request](https://github.com/cypress-io/request) to 3.0.1 and updates ancestor dependency [cypress](https://github.com/cypress-io/cypress). These dependencies need to be updated together.

    Updates `@cypress/request` from 2.88.12 to 3.0.1
    - [Release notes](https://github.com/cypress-io/request/releases)
    - [Changelog](https://github.com/cypress-io/request/blob/master/CHANGELOG.md)
    - [Commits](cypress-io/request@v2.88.12...v3.0.1)

    Updates `cypress` from 12.17.3 to 13.2.0
    - [Release notes](https://github.com/cypress-io/cypress/releases)
    - [Changelog](https://github.com/cypress-io/cypress/blob/develop/CHANGELOG.md)
    - [Commits](cypress-io/cypress@v12.17.3...v13.2.0)

    ---
    updated-dependencies:
    - dependency-name: "@cypress/request"
      dependency-type: indirect
    - dependency-name: cypress
      dependency-type: direct:development
    ...

    Signed-off-by: dependabot[bot] <[email protected]>
  * Updating build and run scripts

    In part, the new top-level `npm run dev` command will run both the backend and the frontend together.
  * Updating .nvmrc
  * Further updates to package build, run, and test scripts
  * Updating README python instructions

    Minor errors in fixed
  * Updating lint config

    `npm run lint` should now work correctly, with some initial settings for Vue
  * Undo linting changes
  * Updating eslint config to specify JS files as modules
  * Update README.md
  * Update README.md
  * Bump eslint from 8.47.0 to 8.51.0 in /front-end

    Bumps [eslint](https://github.com/eslint/eslint) from 8.47.0 to 8.51.0.
    - [Release notes](https://github.com/eslint/eslint/releases)
    - [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
    - [Commits](eslint/eslint@v8.47.0...v8.51.0)

    ---
    updated-dependencies:
    - dependency-name: eslint
      dependency-type: direct:development
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>
  * update eslint to fix version conflict with prettier. Fix various linting errors
  * add test coverage check
  * revert prettier formatting from uswds files
  * remove coverage-c8 dependency
  * add workflow for front-end tests
  * make test for date use UTC explicitly
  * make utc explicit in date formatting
  * use recommended eslint settings from Eric - thank you - and fix additional linter warnings
  * merge
  * Combining READMEs
  * Removing flaky test suite
  * Fixing typo
  * Adding top-level links to jump straight to instructions

    Lets devs jump right to what they probably care about most at first
  * Updating SAM key link
  * Adding note about e2e tests
  * Updated uswds version from 3.6.0 to 3.6.1
  * Updated footer based on Issue 123. Added NASA logo to the project to display in the footer.
  * Updated footer css layout for responsiveness
  * Updated footer logo placement on mobile. Fixed footer broken unit test.
  * Updated footer format to support mobile. Override uswds default settings to allow more flex options.

  ---------

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: Mark Meyer <[email protected]>
  Co-authored-by: eric-gade <[email protected]>
  Co-authored-by: Eric Gade <[email protected]>
  Co-authored-by: Tim Hollosy <[email protected]>
* Gsa/issue 166/alert banner (#168)
  * Added alert to home page to notify users of possible issues with the search tool.
  * Updated alert language based on client feedback.
  * Updated the alert message for search issue.
* Gsa/release/staging (#171)
  * Updated uswds version from 3.6.1 to 3.7.1 (#164)

  ---------

  Co-authored-by: Mark Meyer <[email protected]>
  Co-authored-by: eric-gade <[email protected]>
  Co-authored-by: Eric Gade <[email protected]>
  Co-authored-by: Tim Hollosy <[email protected]>
* Addressed various dependency vulnerabilities in front-end and back-end that were flagged by dependabot. (#189)
* Sprint 25 (#201)

  Issue #190 Dependabot Alert: FastAPI Content-Type Header ReDoS
* Production Release (#207)

  Sprint 26 Changes:
  - Issue #200 889 Footer Identifier Update to include Domain
* Production Release (#211)

  Includes the following issue(s):
  - Issue #203 Update USWDS from 3.71 to 3.8 | 889 Tool
* Production Release (#223)

  Includes the following issues:
  - Issue #218 Dependabot Alert: Request smuggling leading to endpoint restriction bypass in Gunicorn
* Production Release (#249)

  Sprint 32 Issues:
  - Update USWDS from 3.8 to 3.8.1 | 889 Tool #237
  - Dependabot Alert: Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain #228
  - Dependabot Alert: follow-redirects' Proxy-Authorization header kept across hosts #208
* Production Release (#259)

  Sprint 33 include(s) the following issues:
  - Improve performance by adding explicit height and width to image elements #146
  - Interactive elements indicate their purpose and state #185
* Production Release (#277)

  Includes Sprint 34 and 35 issues.
  - Implement the Link Checker on the 889 Tool #151
  - Research Issues found with Lighthouse #162
  - Research Issues found with Lighthouse and address if applicable #269
  - Dependabot Alert: WS Affected by a DoS When Handling a Request with many HTTP Headers #261
* Spell out FOUO (#284)
* remove banner. (#285)
* Update to the latest version of USWDS 3.8.2 | 889 Tool #299
* Dependabot Alert: Axios Cross-Site Request Forgery #278
* Production Release (#336)
* Commit includes the following:
  - Add Expiration Date field to the Search Results Information Displayed on the Results Screen #318
  - Dependabot Alert: Regular Expression Denial of Service (ReDoS) in micromatch #319
* Update packages.
* Production Release (#352)
  - Issue #333 Dependabot Alert: path-to-regexp outputs backtracking regular expressions
  - Issue #332 Dependabot Alert: DOMPurify allows tampering by prototype pollution
  - Issue #346 Research SAM.gov to determine why vendors/contractors marked to be shared are not appearing in the 889 Tool
  - Issue #327 Bug: Accessibility Issue; Lists do not contain only `<li>` elements and script supporting elements (`<script>` and `<template>`)
* Production Release (Sprint 41) (#361)
  - Dependabot Alert: Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS #334
  - Dependabot Alert: Vite's server.fs.deny is bypassed when using ?import&raw #335
* Sprint 42 (#372)
* Merged staging into main (#379)

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Mark Meyer <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: eric-gade <[email protected]>
Co-authored-by: Eric Gade <[email protected]>
Co-authored-by: Tim Hollosy <[email protected]>
Co-authored-by: John Labbate <[email protected]>
Co-authored-by: John Labbate <[email protected]>
No description provided.