Validate App Id input vs NPM Spec and normalize DB user/name to SQL s…

…pec. (#219)

* Validate AppId against NPM Specs and normalize DB Name/User to SQL specs

* Added changeset

* fix: CVEs

* fix(ui): type errors

---------

Co-authored-by: Ben Stickley <bestickley@gmail.com>
Co-authored-by: Ben Stickley <35735118+bestickley@users.noreply.github.com>

.changeset/silver-taxis-count.md

@@ -0,0 +1,5 @@
+---
+"gboost": patch
+---
+
+Validate AppId input against NPM Spec, and normalize DB user, name against SQL Spec

docs/docs/contributing.md

@@ -2,7 +2,7 @@
 
 First clone the repository: `git clone https://github.com/awslabs/green-boost.git` and install dependencies: `pnpm i`.
 
-## Developing Libraries
+## Developing and Testing Libraries
 
 To develop `gboost-ui` or `gboost-infra` or `gboost-common` in your Green Boost application repository (created with `gboost create`), run `pnpm add ../path/to/gboost/packages/gboost-*` replacing the path with the path to wherever the package is locally. This will change your package.json.
 
@@ -44,4 +44,16 @@ Note: you'll need to run `pnpm build` within green-boost/packages/gboost-infra i
 1. Create changeset with: `pnpm changeset` in root of repo. Answer prompts, typically you'll be creating a minor change
 1. Stage changes _including_ changeset file (i.e. `git add -A`)
 1. Commit changes. Husky git commits should trigger lint-staged to run validating your staged files
-1. Push branch and create a PR into main ensuring status checks run successfully
+1. Push branch and create a PR into main ensuring status checks run successfully
+
+## Update Dependencies
+GB dependencies should be updated regularly. To update all patch and minor NPM versions, run `pnpm -r up -i`. This will launch an interactive CLI UI that allows you to pick which dependencies you want to updated. You can type `a` to update them all. For patch and minor version updated, you *should* be safe to do this.
+
+You'll also want to check for major package upgrades but tread cautiously as these new versions contain breaking changes that may or may not break GB. For major version upgrades run `pnpm -r up -i --latest`. For any major upgrades, make sure to check out the realease notes or changelog for the package on GitHub.
+
+## Fix Audit Issues
+On each PR, `pnpm audit` is used to detect [CVEs](https://www.redhat.com/en/topics/security/what-is-cve). The GitHub Actions Workflow will fail if any CVEs >= moderate severity are found by running the command `pnpm audit --audit-level moderate`. If the dependency is a direct dependency of your project, you should try to [update dependencies](#update-dependencies). You can learn why a dependency is in your project (dependency hierarchy) with `pnpm why <package-name>`. If the dependency is a transitive dependency (dependency of dependency), you'll need to use PNPM's [pnpm.overrides feature](https://pnpm.io/package_json#pnpmoverrides) by adding to the `package.json#pnpm.overrides` object a key/value pair like: `"<package-name>@<vulnerable-version>": "<patched-version>"`. Then run `pnpm i` to update your dependencies.
+
+Periodically, `pnpm.overrides` should be cleaned up as libraries overtime will update to patched version of packages.
+
+If there is no patched version of the library and you can safely ignore the CVE, you can add it to `pnpm.auditConfig.ignoreCves`.

docs/package.json

@@ -18,7 +18,7 @@
   "dependencies": {
     "@docusaurus/core": "2.3.1",
     "@docusaurus/preset-classic": "2.3.1",
-    "@docusaurus/theme-common": "^2.4.0",
+    "@docusaurus/theme-common": "^2.4.1",
     "@easyops-cn/docusaurus-search-local": "^0.34.0",
     "@mdx-js/react": "^2.3.0",
     "clsx": "^1.2.1",
@@ -34,14 +34,14 @@
     "@docusaurus/plugin-content-docs": "2.3.1",
     "@docusaurus/theme-classic": "2.3.1",
     "@tsconfig/docusaurus": "^1.0.7",
-    "@types/react": "^18.0.32",
-    "eslint": "^8.37.0",
+    "@types/react": "^18.2.14",
+    "eslint": "^8.44.0",
     "eslint-config-prettier": "^8.8.0",
     "eslint-config-react-app": "^7.0.1",
-    "eslint-define-config": "^1.17.0",
-    "eslint-plugin-jest": "^27.2.1",
+    "eslint-define-config": "^1.21.0",
+    "eslint-plugin-jest": "^27.2.2",
     "eslint-plugin-prettier": "^4.2.1",
-    "prettier": "^2.8.7",
+    "prettier": "^2.8.8",
     "typescript": "~4.9.5"
   },
   "browserslist": {

package.json

@@ -14,28 +14,24 @@
   },
   "devDependencies": {
     "@changesets/changelog-github": "^0.4.8",
-    "@changesets/cli": "^2.26.1",
+    "@changesets/cli": "^2.26.2",
     "@types/license-checker": "^25.0.3",
-    "@types/node": "^18.15.11",
+    "@types/node": "^18.16.19",
     "husky": "^8.0.3",
-    "lint-staged": "^13.2.0",
+    "lint-staged": "^13.2.3",
     "ts-node": "^10.9.1",
     "typescript": "^4.9.5"
   },
   "license": "Apache-2.0",
   "pnpm": {
     "auditConfig": {
-      "ignoreCvs": []
+      "ignoreCves": []
     },
     "overrides": {
       "trim@<0.0.3": ">=0.0.3",
       "got@<11.8.5": ">=11.8.5",
-      "minimatch@<3.0.5": ">=3.1.2",
-      "loader-utils": ">=3.2.1",
-      "terser": ">=5.14.2",
-      "eta@<2.0.0": ">=2.0.0",
-      "webpack@5": ">=5.76.0",
-      "yaml@2": ">=2.2.2"
+      "fast-xml-parser@<4.2.4": ">=4.2.4",
+      "semver@<7.2.1": ">=7.2.1"
     },
     "peerDependencyRules": {
       "ignoreMissing": [

packages/gboost-common/package.json

@@ -27,18 +27,18 @@
   },
   "devDependencies": {
     "@tsconfig/node18-strictest-esm": "^1.0.1",
-    "@types/node": "^18.15.11",
-    "@typescript-eslint/eslint-plugin": "^5.57.0",
-    "@typescript-eslint/parser": "^5.57.0",
-    "eslint": "^8.37.0",
+    "@types/node": "^18.16.19",
+    "@typescript-eslint/eslint-plugin": "^5.61.0",
+    "@typescript-eslint/parser": "^5.61.0",
+    "eslint": "^8.44.0",
     "eslint-config-prettier": "^8.8.0",
-    "eslint-define-config": "^1.17.0",
+    "eslint-define-config": "^1.21.0",
     "eslint-plugin-prettier": "^4.2.1",
-    "prettier": "^2.8.7",
+    "prettier": "^2.8.8",
     "rimraf": "^4.4.1",
     "ts-node": "^10.9.1",
     "typescript": "^4.9.5",
-    "vite": "^4.2.1",
+    "vite": "^4.4.2",
     "vitest": "^0.29.8"
   },
   "repository": {

packages/gboost-infra/package.json

@@ -40,38 +40,38 @@
   },
   "dependencies": {
     "@aws-cdk/aws-appsync-alpha": "2.54.0-alpha.0",
-    "@aws-sdk/client-cloudfront": "^3.303.0",
-    "@aws-sdk/client-cognito-identity-provider": "^3.303.0",
+    "@aws-sdk/client-cloudfront": "^3.363.0",
+    "@aws-sdk/client-cognito-identity-provider": "^3.363.0",
     "adm-zip": "^0.5.10",
     "gboost-common": "workspace:^",
     "mime-types": "^2.1.35"
   },
   "peerDependencies": {
-    "aws-cdk-lib": "^2.72.1",
-    "constructs": "^10.1.300",
-    "cdk-nag": "^2.25.2"
+    "aws-cdk-lib": "^2.87.0",
+    "cdk-nag": "^2.25.2",
+    "constructs": "^10.1.300"
   },
   "devDependencies": {
-    "@aws-lambda-powertools/logger": "^1.7.0",
-    "@aws-sdk/client-s3": "^3.304.0",
-    "@aws-sdk/s3-request-presigner": "^3.304.0",
+    "@aws-lambda-powertools/logger": "^1.11.0",
+    "@aws-sdk/client-s3": "^3.367.0",
+    "@aws-sdk/s3-request-presigner": "^3.367.0",
     "@tsconfig/node18-strictest-esm": "^1.0.1",
     "@types/adm-zip": "^0.5.0",
-    "@types/aws-lambda": "^8.10.114",
+    "@types/aws-lambda": "^8.10.119",
     "@types/mime-types": "^2.1.1",
-    "@types/node": "^18.15.11",
-    "@typescript-eslint/eslint-plugin": "^5.57.0",
-    "@typescript-eslint/parser": "^5.57.0",
-    "esbuild": "^0.17.15",
-    "eslint": "^8.37.0",
+    "@types/node": "^18.16.19",
+    "@typescript-eslint/eslint-plugin": "^5.61.0",
+    "@typescript-eslint/parser": "^5.61.0",
+    "esbuild": "^0.17.19",
+    "eslint": "^8.44.0",
     "eslint-config-prettier": "^8.8.0",
-    "eslint-define-config": "^1.17.0",
+    "eslint-define-config": "^1.21.0",
     "eslint-plugin-prettier": "^4.2.1",
-    "joi": "^17.9.1",
-    "prettier": "^2.8.7",
+    "joi": "^17.9.2",
+    "prettier": "^2.8.8",
     "ts-node": "^10.9.1",
     "typescript": "^4.9.5",
-    "vite": "^4.2.1",
+    "vite": "^4.4.2",
     "vitest": "^0.29.8"
   },
   "repository": {

packages/gboost-node/package.json

@@ -21,16 +21,16 @@
   },
   "devDependencies": {
     "@tsconfig/node18-strictest-esm": "^1.0.1",
-    "@typescript-eslint/eslint-plugin": "^5.57.0",
-    "@typescript-eslint/parser": "^5.57.0",
-    "eslint": "^8.37.0",
+    "@typescript-eslint/eslint-plugin": "^5.61.0",
+    "@typescript-eslint/parser": "^5.61.0",
+    "eslint": "^8.44.0",
     "eslint-config-prettier": "^8.8.0",
-    "eslint-define-config": "^1.17.0",
+    "eslint-define-config": "^1.21.0",
     "eslint-plugin-prettier": "^4.2.1",
-    "prettier": "^2.8.7",
+    "prettier": "^2.8.8",
     "rimraf": "^4.4.1",
     "typescript": "^4.9.5",
-    "vite": "^4.2.1",
+    "vite": "^4.4.2",
     "vitest": "^0.29.8"
   },
   "repository": {

packages/gboost-ui/package.json

@@ -45,14 +45,14 @@
   },
   "dependencies": {
     "@mantine/hooks": "^5.10.4",
-    "@radix-ui/colors": "^0.1.8",
-    "@radix-ui/react-dialog": "^1.0.3",
-    "@radix-ui/react-hover-card": "^1.0.5",
-    "@radix-ui/react-portal": "^1.0.2",
+    "@radix-ui/colors": "^0.1.9",
+    "@radix-ui/react-dialog": "^1.0.4",
+    "@radix-ui/react-hover-card": "^1.0.6",
+    "@radix-ui/react-portal": "^1.0.3",
     "@stitches/react": "^1.2.8",
     "clsx": "^1.2.1",
     "gboost-common": "workspace:^",
-    "react-icons": "^4.8.0",
+    "react-icons": "^4.10.1",
     "react-transition-group": "^4.4.5"
   },
   "peerDependencies": {
@@ -89,30 +89,30 @@
     }
   },
   "devDependencies": {
-    "@aws-sdk/client-s3": "^3.304.0",
-    "@hookform/resolvers": "^3.0.0",
-    "@tanstack/react-query": "^4.28.0",
-    "@trpc/server": "^10.18.0",
+    "@aws-sdk/client-s3": "^3.367.0",
+    "@hookform/resolvers": "^3.1.1",
+    "@tanstack/react-query": "^4.29.19",
+    "@trpc/server": "^10.34.0",
     "@tsconfig/vite-react": "^1.0.1",
-    "@types/react": "^18.0.32",
-    "@types/react-dom": "^18.0.11",
-    "@types/react-transition-group": "^4.4.5",
-    "@typescript-eslint/eslint-plugin": "^5.57.0",
-    "@typescript-eslint/parser": "^5.57.0",
-    "aws-amplify": "^5.0.23",
-    "eslint": "^8.37.0",
+    "@types/react": "^18.2.14",
+    "@types/react-dom": "^18.2.6",
+    "@types/react-transition-group": "^4.4.6",
+    "@typescript-eslint/eslint-plugin": "^5.61.0",
+    "@typescript-eslint/parser": "^5.61.0",
+    "aws-amplify": "^5.3.3",
+    "eslint": "^8.44.0",
     "eslint-config-prettier": "^8.8.0",
     "eslint-config-react-app": "^7.0.1",
-    "eslint-define-config": "^1.17.0",
+    "eslint-define-config": "^1.21.0",
     "eslint-plugin-prettier": "^4.2.1",
-    "graphql": "^16.6.0",
+    "graphql": "^16.7.1",
     "graphql-tag": "^2.12.6",
-    "prettier": "^2.8.7",
-    "react-hook-form": "^7.43.9",
-    "react-router-dom": "^6.10.0",
+    "prettier": "^2.8.8",
+    "react-hook-form": "^7.45.1",
+    "react-router-dom": "^6.14.1",
     "rimraf": "^4.4.1",
     "typescript": "^4.9.5",
-    "vite": "^4.2.1",
+    "vite": "^4.4.2",
     "vitest": "^0.29.8",
     "zod": "^3.21.4"
   },

packages/gboost-ui/src/SmartFields/SmartMultiCheckboxField.tsx

@@ -40,7 +40,7 @@ export function SmartMultiCheckboxField<T extends FieldValues>(
         hasError={hasError || invalid}
         labelHidden
         name={name}
-        onChange={onChange}
+        onChange={onChange as any}
         value={value}
       />
     </BaseSmartField>

packages/gboost-ui/src/SmartFields/SmartMultiSelectField.tsx

@@ -41,7 +41,7 @@ export function SmartMultiSelectField<T extends FieldValues>(
         hasError={hasError || invalid}
         name={name}
         labelHidden
-        onChange={onChange}
+        onChange={onChange as any}
         value={value}
       />
     </BaseSmartField>

packages/gboost-ui/src/SmartFields/SmartSliderField.tsx

@@ -58,7 +58,7 @@ export function SmartSliderField<T extends FieldValues>(
         name={name}
         label={label}
         labelHidden
-        onChange={onChange}
+        onChange={onChange as any}
         value={value}
       />
     );

packages/gboost-ui/src/SmartFields/SmartTextField.tsx

@@ -25,10 +25,10 @@ export function SmartTextField<T extends FieldValues>(
     field: { ref, onChange, value },
     fieldState: { error, invalid },
   } = useController({ name, control });
-  let newOnChange = onChange;
+  let newOnChange = onChange as any;
   if (props.type === "number") {
     newOnChange = (e: ChangeEvent<HTMLInputElement>) => {
-      onChange(e.target.valueAsNumber);
+      onChange(e.target.valueAsNumber as any);
     };
   }
 

packages/gboost-ui/src/SmartFields/SmartTransferList.tsx

@@ -56,7 +56,7 @@ export function SmartTransferList<T extends FieldValues, U>(
         ref={ref}
         errorMessage={errorMessage || error?.message}
         hasError={hasError || invalid}
-        onChange={onChange}
+        onChange={onChange as any}
         labelHidden
         value={value}
         render={render}

packages/gboost/package.json

@@ -25,30 +25,30 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@aws-sdk/client-lambda": "^3.303.0",
+    "@aws-sdk/client-lambda": "^3.363.0",
     "@commander-js/extra-typings": "^10.0.3",
-    "commander": "^10.0.0",
+    "commander": "^10.0.1",
     "gboost-common": "workspace:^",
     "kleur": "^4.1.5",
     "minimist": "^1.2.8",
     "prompts": "^2.4.2",
-    "vite": "^4.2.1",
+    "vite": "^4.4.2",
     "vitest": "^0.29.8"
   },
   "devDependencies": {
-    "@swc/core": "^1.3.44",
+    "@swc/core": "^1.3.68",
     "@tsconfig/node18-strictest-esm": "^1.0.1",
     "@types/minimist": "^1.2.2",
-    "@types/node": "^18.15.11",
+    "@types/node": "^18.16.19",
     "@types/prompts": "^2.4.4",
-    "@typescript-eslint/eslint-plugin": "^5.57.0",
-    "@typescript-eslint/parser": "^5.57.0",
-    "eslint": "^8.37.0",
+    "@typescript-eslint/eslint-plugin": "^5.61.0",
+    "@typescript-eslint/parser": "^5.61.0",
+    "eslint": "^8.44.0",
     "eslint-config-prettier": "^8.8.0",
-    "eslint-define-config": "^1.17.0",
+    "eslint-define-config": "^1.21.0",
     "eslint-plugin-prettier": "^4.2.1",
-    "npm-check-updates": "^16.10.0",
-    "prettier": "^2.8.7",
+    "npm-check-updates": "^16.10.15",
+    "prettier": "^2.8.8",
     "rimraf": "^4.4.1",
     "ts-node": "^10.9.1",
     "typescript": "^4.9.5"

packages/gboost/src/create/ask.ts

@@ -41,13 +41,14 @@ const questions: PromptObject<keyof Answers>[] = [
     name: "appId",
     type: "text",
     // Part of CDK Stack name and used as scope to prefix all PNPM workspaces within monorepo
-    message: "App ID (lowercase alphanumeric and hyphens):",
+    // Also cloud formation stacks name restrictions only allow alphanumeric and hyphens
+    message: "App ID (lowercase alphanumeric and hyphens only):",
     initial: "myapp",
     validate(v) {
-      if (/[a-z0-9-_]+/g.test(v)) {
+      if (/^[a-z][a-z0-9-]*$/g.test(v)) {
         return true;
       } else {
-        return "App ID must be lowercase alphanumeric and can include hyphens.";
+        return "App ID must begin with a lowercase character and contain only alphanumeric characters with hyphens";
       }
     },
     onState: handleAborted,