From 8076182bb40c37898cba66e673f11b56790df3eb Mon Sep 17 00:00:00 2001 From: David Deal Date: Thu, 26 Jan 2023 14:08:30 -0800 Subject: [PATCH] Edge Library Updates (#308) * Edge Library Updates - updated cookiejar to 2.1.4 - updated json5 to 2.2.3 Signed-off-by: David Deal * CI/CD - Added Edge Folder Scanning Signed-off-by: David Deal Signed-off-by: David Deal --- .github/workflows/snyk-scan-edge-npm-pr.yml | 44 +++++++++++++++++++++ .github/workflows/yarn-scan-edge-pr.yml | 28 +++++++++++++ edge/package.json | 2 + edge/yarn.lock | 22 +++++------ 4 files changed, 84 insertions(+), 12 deletions(-) create mode 100644 .github/workflows/snyk-scan-edge-npm-pr.yml create mode 100644 .github/workflows/yarn-scan-edge-pr.yml diff --git a/.github/workflows/snyk-scan-edge-npm-pr.yml b/.github/workflows/snyk-scan-edge-npm-pr.yml new file mode 100644 index 00000000..7cf0bb5e --- /dev/null +++ b/.github/workflows/snyk-scan-edge-npm-pr.yml 
@@ -0,0 +1,44 @@ +--- +# Copyright The Linux Foundation and each contributor to CommunityBridge. +# SPDX-License-Identifier: MI + +name: Snyk Scan Edge NPM Dependencies + +on: + # https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions + pull_request: + branches: + - main + +jobs: + snyk-scan-edge-npm-pr: + runs-on: ubuntu-latest + environment: dev + steps: + - uses: actions/checkout@v3 + - uses: snyk/actions/setup@master + id: snyk + - name: Setup Node + uses: actions/setup-node@v3 + with: + node-version: '14' + - name: Yarn Version + run: yarn --version + - name: Yarn Install + working-directory: src + run: yarn install + - name: Snyk version + run: echo "${{ steps.snyk.outputs.version }}" + - name: Scan for NPM Vulnerabilities + working-directory: src + run: | + snyk test --org=${{ secrets.SNYK_ORG }} --file=package.json + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + continue-on-error: true + - name: Monitor for NPM Vulnerabilities + working-directory: src + run: snyk monitor --org=${{ secrets.SNYK_ORG }} --file=package.json + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + continue-on-error: true diff --git a/.github/workflows/yarn-scan-edge-pr.yml b/.github/workflows/yarn-scan-edge-pr.yml new file mode 100644 index 00000000..2f54c81a --- /dev/null +++ b/.github/workflows/yarn-scan-edge-pr.yml @@ -0,0 +1,28 @@ +--- +# Copyright The Linux Foundation and each contributor to CommunityBridge. +# SPDX-License-Identifier: MI + +name: Yarn Edge Dependency Audit + +on: + # https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions + pull_request: + branches: + - main + +jobs: + yarn-scan-edge-pr: + runs-on: ubuntu-latest + environment: dev + steps: + - uses: actions/checkout@v3 + - name: Setup Node + uses: actions/setup-node@v3 + with: + node-version: '14' + - name: Setup + run: yarn install + - name: Yarn Audit + working-directory: src + run: | + yarn audit 
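Review bot: The Yarn Install, Scan and Monitor steps all run with `working-directory: src`, yet the workflow is named an Edge scan and the commit title and the `edge/package.json` change point to the `edge` folder, so the new workflow appears to scan the wrong package; `working-directory: edge` on those three steps looks like the intent. `snyk/actions/setup@master` is a floating branch reference, which lets the action's contents change underneath a job that holds `SNYK_TOKEN`; pin it to a full commit SHA with the tag in a trailing comment. With `continue-on-error: true` on the `snyk test` step no finding can ever fail the pull-request check, so either drop it or add `--severity-threshold=high` and let the step fail. Running `snyk monitor` on every pull request also pushes each unmerged branch's dependency snapshot into the Snyk org; monitoring is normally done on push to `main`, with only `snyk test` on PRs. The header `SPDX-License-Identifier: MI` is not a valid SPDX identifier and is presumably a truncated `MIT`.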
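Review bot: The `Setup` step runs `yarn install` in the repository root while `Yarn Audit` runs with `working-directory: src`, and neither is the `edge` folder this workflow's name and the commit title describe; both steps presumably need `working-directory: edge` so the audit covers the `edge/yarn.lock` that this same commit updates. `yarn install` without `--frozen-lockfile` may rewrite the lockfile in CI, so the audited tree is not guaranteed to match what is checked in; `yarn install --frozen-lockfile` keeps them identical (note that `yarn audit` itself reads `package.json`/`yarn.lock` and does not require the install at all). Unlike the Snyk workflow in this commit, this job has no `continue-on-error`, so `yarn audit`'s non-zero exit on any advisory will fail every PR to `main` that touches this path; if that is the intended policy it is worth a comment above the step, and if not the two workflows should at least agree on whether findings block merges. As in the sibling workflow, the `SPDX-License-Identifier: MI` header looks like a truncated `MIT`.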
diff --git a/edge/package.json b/edge/package.json index fc66e9cf..234e645c 100644 --- a/edge/package.json +++ b/edge/package.json @@ -25,10 +25,12 @@ "resolutions": { "ansi-regex": "^5.0.1", "browserslist": "^4.16.5", + "cookiejar": "^2.1.4", "dns-packet": "^5.2.2", "hosted-git-info": "^3.0.8", "ini": "^1.3.7", "glob-parent": "^5.1.2", + "json5": "^2.2.3", "jszip": "^3.7.0", "netmask": "^2.0.1", "minimatch": "^3.0.5", diff --git a/edge/yarn.lock b/edge/yarn.lock index 1cbb3dd2..b638872a 100644 --- a/edge/yarn.lock +++ b/edge/yarn.lock @@ -922,6 +922,11 @@ convert-source-map@^1.5.1: dependencies: safe-buffer "~5.1.1" +cookiejar@^2.1.4: + version "2.1.4" + resolved "https://registry.yarnpkg.com/cookiejar/-/cookiejar-2.1.4.tgz#ee669c1fea2cf42dc31585469d193fef0d65771b" + integrity sha512-LDx6oHrK+PhzLKJU9j5S7/Y3jM/mUHvD/DeI1WQmJn652iPC5Y4TBzC9l+5OMOXlyTTA+SmVUPm0HQUwpD5Jqw== + copy-concurrently@^1.0.0: version "1.0.5" resolved "https://registry.yarnpkg.com/copy-concurrently/-/copy-concurrently-1.0.5.tgz#92297398cae34937fcafd6ec8139c18051f0b5e0" 
@@ -2055,17 +2060,10 @@ json-stable-stringify-without-jsonify@^1.0.1: resolved "https://registry.yarnpkg.com/json-stable-stringify-without-jsonify/-/json-stable-stringify-without-jsonify-1.0.1.tgz#9db7b59496ad3f3cfef30a75142d2d930ad72651" integrity sha1-nbe1lJatPzz+8wp1FC0tkwrXJlE= -json5@^0.5.1: - version "0.5.1" - resolved "https://registry.yarnpkg.com/json5/-/json5-0.5.1.tgz#1eade7acc012034ad84e2396767ead9fa5495821" - integrity sha1-Hq3nrMASA0rYTiOWdn6tn6VJWCE= - -json5@^1.0.1: - version "1.0.1" - resolved "https://registry.yarnpkg.com/json5/-/json5-1.0.1.tgz#779fb0018604fa854eacbf6252180d83543e3dbe" - integrity sha512-aKS4WQjPenRxiQsC93MNfjx+nbF4PAdYzmd/1JIj8HYzqfbu86beTuNgXDzPknWk0n0uARlyewZo4s++ES36Ow== - dependencies: - minimist "^1.2.0" +json5@^0.5.1, json5@^1.0.1, json5@^2.2.3: + version "2.2.3" + resolved "https://registry.yarnpkg.com/json5/-/json5-2.2.3.tgz#78cd6f1a19bdc12b73db5ad0c61efd66c1e29283" + integrity sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg== jszip@^3.7.0: version "3.7.1" @@ -2276,7 +2274,7 @@ minimatch@^3.0.4, minimatch@^3.0.5: dependencies: brace-expansion "^1.1.7" -minimist@^1.2.0, minimist@^1.2.5: +minimist@^1.2.5: version "1.2.7" resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.7.tgz#daa1c4d91f507390437c6a8bc01078e7000c4d18" integrity sha512-bzfL1YUZsP41gmu/qjrEk0Q6i2ix/cVeAhbCbqH9u3zYutS1cLg00qhrD0M2MVdCcx4Sc0UpP2eBWo9rotpq6g==