[Snyk] Upgrade: , , govuk-frontend, , applicationinsights, axios, joi, prom-client, redis #291
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Snyk has created this PR to upgrade:
- @azure/msal-common from 14.13.0 to 14.14.1.
See this package in npm: https://www.npmjs.com/package/@azure/msal-common
- @azure/msal-node from 2.10.0 to 2.13.0.
See this package in npm: https://www.npmjs.com/package/@azure/msal-node
- govuk-frontend from 5.2.0 to 5.5.0.
See this package in npm: https://www.npmjs.com/package/govuk-frontend
- @ministryofjustice/frontend from 2.1.1 to 2.2.0.
See this package in npm: https://www.npmjs.com/package/@ministryofjustice/frontend
- applicationinsights from 2.9.5 to 2.9.6.
See this package in npm: https://www.npmjs.com/package/applicationinsights
- axios from 1.7.4 to 1.7.5.
See this package in npm: https://www.npmjs.com/package/axios
- joi from 17.13.0 to 17.13.3.
See this package in npm: https://www.npmjs.com/package/joi
- prom-client from 15.1.0 to 15.1.3.
See this package in npm: https://www.npmjs.com/package/prom-client
- redis from 4.6.13 to 4.7.0.
See this package in npm: https://www.npmjs.com/package/redis
See this project in Snyk:
https://app.snyk.io/org/tanovellino/project/44a5dd0b-21d5-4c80-81e2-56c897479301?utm_source=github&utm_medium=referral&page=upgrade-pr
muyinatech
commented
Sep 20, 2024
| "@azure/msal-node": "^2.10.0", | ||
| "@ministryofjustice/frontend": "^2.1.1", | ||
| "@azure/msal-common": "^14.14.1", | ||
| "@azure/msal-node": "^2.13.0", |
There was a problem hiding this comment.
Upgrade to msal-node v2.13.0 breaks the application with the following error:-
[Node] TypeError: Cannot read properties of undefined (reading 'LogLevel')
[Node] at Object.<anonymous> (/Users/.../Projects/laa-crime-equinity-historical-data-frontend/dist/server/auth/authConfig.js:27:43)
[Node] at Module._compile (node:internal/modules/cjs/loader:1376:14)
[Node] at Module._extensions..js (node:internal/modules/cjs/loader:1435:10)
[Node] at Module.load (node:internal/modules/cjs/loader:1207:32)
[Node] at Module._load (node:internal/modules/cjs/loader:1023:12)
[Node] at Module.require (node:internal/modules/cjs/loader:1235:19)
[Node] at Module.patchedRequire (/Users/.../Projects/laa-crime-equinity-historical-data-frontend/node_modules/diagnostic-channel/dist/src/patchRequire.js:16:46)
[Node] at Hook._require.Module.require (/Users/.../Projects/laa-crime-equinity-historical-data-frontend/node_modules/require-in-the-middle/index.js:188:39)
[Node] at require (node:internal/modules/helpers:176:18)
[Node] at Object.<anonymous> (/Users/.../Projects/laa-crime-equinity-historical-data-frontend/dist/server/auth/authProvider.js:31:22)
Need to investigate this before upgrading library.
|
Closing as msal-node upgrade requires further investigation. Added comments to JIRA ticket:- https://dsdmoj.atlassian.net/browse/EMP-544 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade multiple dependencies.
👯♂ The following dependencies are linked and will therefore be updated together.ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
@azure/msal-common
from 14.13.0 to 14.14.1 | 3 versions ahead of your current version | a month ago
on 2024-08-13
@azure/msal-node
from 2.10.0 to 2.13.0 | 4 versions ahead of your current version | a month ago
on 2024-08-13
govuk-frontend
from 5.2.0 to 5.5.0 | 5 versions ahead of your current version | a month ago
on 2024-08-09
@ministryofjustice/frontend
from 2.1.1 to 2.2.0 | 3 versions ahead of your current version | 2 months ago
on 2024-07-31
applicationinsights
from 2.9.5 to 2.9.6 | 1 version ahead of your current version | a month ago
on 2024-08-15
axios
from 1.7.4 to 1.7.5 | 1 version ahead of your current version | a month ago
on 2024-08-23
joi
from 17.13.0 to 17.13.3 | 3 versions ahead of your current version | 3 months ago
on 2024-06-19
prom-client
from 15.1.0 to 15.1.3 | 3 versions ahead of your current version | 3 months ago
on 2024-06-27
redis
from 4.6.13 to 4.7.0 | 3 versions ahead of your current version | 2 months ago
on 2024-07-29
Release notes
Package name: @azure/msal-common
-
14.14.1 - 2024-08-13
- Add retryError to PerformanceEvent #7216 (joarroyo@microsoft.com)
- Add PerformanceEvent for PopupTokenHelper #7216 (joarroyo@microsoft.com)
- Bump eslint-config-msal to v0.0.0 (beachball)
- Bump msal-test-utils to v0.0.1 (beachball)
-
14.14.0 - 2024-07-23
- Track MSAL SKU for broker flows #7182 (kshabelko@microsoft.com)
- Track MSAL node SKU for broker flows #7213 (kshabelko@microsoft.com)
- Bump eslint-config-msal to v0.0.0 (beachball)
- Bump msal-test-utils to v0.0.1 (beachball)
-
14.13.1 - 2024-07-16
-
14.13.0 - 2024-07-01
from @azure/msal-common GitHub release notes14.14.1
Tue, 13 Aug 2024 23:25:08 GMT
Patches
14.14.0
Tue, 23 Jul 2024 14:19:34 GMT
Minor changes
Package name: @azure/msal-node
-
2.13.0 - 2024-08-13
- Added file-based detection for Azure Arc (rginsburg@microsoft.com)
- Bump @ azure/msal-common to v14.14.1 (beachball)
- Bump eslint-config-msal to v0.0.0 (beachball)
- Send the error template back when theres an error response (tyleonha@microsoft.com)
- clientSecret can now (once again) be provided as undefined #7209 (rginsburg@microsoft.com)
-
2.12.0 - 2024-07-23
- Track MSAL node SKU for broker flows #7213 (kshabelko@microsoft.com)
- Bump @ azure/msal-common to v14.14.0 (beachball)
- Bump eslint-config-msal to v0.0.0 (beachball)
-
2.11.1 - 2024-07-16
-
2.11.0 - 2024-07-12
-
2.10.0 - 2024-07-01
from @azure/msal-node GitHub release notes2.13.0
Tue, 13 Aug 2024 23:25:05 GMT
Minor changes
Patches
2.12.0
Tue, 23 Jul 2024 14:19:34 GMT
Minor changes
Package name: govuk-frontend
-
5.5.0 - 2024-08-09
- add all current government departments and their brand colours
- add variants of brand colours that meet a 4.5:1 contrast ratio against white, where required
- provide warnings if defunct organisations are still being referenced in your Sass code
- #5046: Skip ‘empty’ tasks in the task list
- #5066: Fix whitespace affecting text alignment in pagination block variant
- #5158: Remove ↑ up and ↓ down arrow key bindings from tabs
- #5191: Fix rendering of Back link's
-
5.4.1 - 2024-07-12
- #5114: Fix divider width for small checkboxes – thanks to @ colinrotherham
- #5043: Refactor the accordion JavaScript
- #5044: Remove session storage checks from accordion JavaScript
- #5060: Reintroduce additional bottom margin to Error Summary content
- #5070: Fix alignment of content in conditional checkboxes and radio buttons
- #5090: Remove redundant tag CSS from phase banner
-
5.4.0 - 2024-05-17
- find all elements in the page with the corresponding
- instantiate a component object for each element
- catch errors and log them in the console
- return an array of all the successfully instantiated component objects.
import { createAll, Button, Checkboxes } from 'govuk-frontend'
- #4942: Remove duplicate
- #4961: Fix tree-shaking when importing
- #4963: Fix input value not being set if the value was '0' – thanks to @ dwp-dmitri-algazin for reporting this issue
- #4971: Fix Error Summary component outputting list HTML when no
- #442: Update content to streamline installation info
- #438: Split up the 'Import CSS, assets and JavaScript' page
-
5.3.1 - 2024-04-19
- #4906: Update the icon in the warning text component to match the defined text colour and background colour, rather than always being white on black
- #4919: Use canvas colour for cookie banner over hardcoded grey
- #4899: Remove indents from conditional reveals in radios and checkboxes
- #4935: Fix password input button unexpectedly stretching
- #4936: Fix skip link underline being removed when global styles are enabled
- #4938: Fix
-
5.3.0 - 2024-03-26
- whether their passwords are visible or not
- to enter their passwords in plain text
- move all classes and attributes from the form group
- remove the opening
- check the count message is now directly after the
- #1573: feat: add preset and plugin options for browserslist in the cssnano repository
- #4829: Bump the postcss group with 2 updates
- #4811: Use
- #4812: Use
- #4813: Remove deprecated
- #4855: Fix mobile product name being misaligned in new type scale
-
5.2.0 - 2024-02-21
- point 16 now returns 16px across all screen sizes
- point 19 now returns 19px across all screen sizes
- point 24 remains as 24px on large screens
- point 24 now returns 21px on small screens instead of 18px and has a line height 25px instead of 20px
- point 27 remains as 27px on large screens
- point 27 now returns 21px on small screens instead of 18px and has a line height 25px instead of 20px
- point 36 remains as 27px on large screens
- point 36 now returns 27px on small screens instead of 24px and has a line height 30px instead of 25px
- #4768: Fix z-index of inputs in Radios and Checkboxes component
- #4784: Fix LibSass
from govuk-frontend GitHub release notesThis release includes an updated list of organisations and brand colours. We’ve also added a new feature to stop long words from ‘breaking out’ of components.
To install this version with npm, run
npm install govuk-frontend@5.5.0. You can also find more information about how to stay up to date in our documentation.New features
We've updated the list of organisations and brand colours included in Frontend
We've overhauled the list of organisations and organisation brand colours that are shipped with GOV.UK Frontend.
The previous list was outdated and had not kept up with changes to the machinery of government. We’ve updated the list to:
To enable these changes, set the feature flag variable
$govuk-new-organisation-colourstotruebefore you import GOV.UK Frontend in your Sass files:You can also silence warnings about defunct organisations by adding
organisation-coloursto the$govuk-suppressed-warningssetting.We introduced this change in pull request #3407: Update organisation colours.
Stop long words breaking out of components with
govuk-!-text-break-wordWe've added a new override class to help display long words with no obvious break points when the space is too narrow to display them on one line. An example of a long word might be an email address entered by a user.
Wrapping the content with the
govuk-!-text-break-wordclass forces words that are too long for the parent element to break onto a new line.Sass users can also use the
govuk-text-break-wordmixin.We introduced this change in pull request #5159: Add break-word typography helper.
Recommended changes
Update the
$websafeparameter on thegovuk-organisation-colourfunctionThe
govuk-organisation-colourSass function's$websafeparameter has been renamed to$contrast-safe.This is to more accurately describe the functionality of the parameter.
The old parameter name will stop working in the next major version of GOV.UK Frontend.
We introduced this change in pull request #3407: Update organisation colours.
Fixes
We've made fixes to GOV.UK Frontend in the following pull requests:
hrefandtextfor falsy valuesTo install this version with npm, run
npm install govuk-frontend@5.4.1. You can also find more information about how to stay up to date in our documentation.Recommended changes
Update Breadcrumbs to use
navandaria-labelWe've made changes to the Breadcrumbs component to improve how it appears to screen readers.
We've changed the wrapping element to use the
navtag to expose it as a navigational landmark, and added anaria-labelattribute to differentiate it as breadcrumb navigation.This change was introduced in pull request #4995: Update Breadcrumb component to improve screen reader accessibility.
Fixes
We've made fixes to GOV.UK Frontend in the following pull requests:
To install this version with npm, run
npm install govuk-frontend@5.4.0. You can also find more information about how to stay up to date in our documentation.This release includes new features to help you include only the components your service uses. Doing this can help reduce the size of the JavaScript and CSS files sent to users, improving their experience.
New features
Create individual components with
createAllWe've added a new
createAllfunction that lets you initialise specific components in the same way thatinitAlldoes.The
createAllfunction will:data-moduleattributecreateAll(Button)
createAll(Checkboxes)
You can also pass a config object and a scope within which to search for elements.
You can find out more about how to use the
createAllfunction in our documentation.This change was introduced in pull request #4975: Add
createAllfunction to initialise individual components.Use tabular numbers easily with
govuk-!-font-tabular-numbersWe've added a new override class for tabular number styling:
govuk-!-font-tabular-numbers.Using tabular numbers can make it easier for users to read numbers intended for comparison to one another, or for numbers that dynamically update.
It was previously only possible to use tabular numbers by using the
govuk-font-tabular-numbersSass mixin.This change was introduced in pull request #4973: Add override class for tabular numbers.
Deprecated features
Importing layers using
allfilesYou'll see a warning when compiling your Sass if you import any of our layers using the
allfile. Importing using theallfiles is deprecated, and we’ll remove them in the next major release.In your import statements, use a trailing
/indexrather than/allto load GOV.UK Frontend's files.For example:
@ import "govuk/index";instead of@ import "govuk/all";;@ import "govuk/<PATH>/index";instead of@ import "govuk/<PATH>/all";;You do not need
/indexat the end of each import path if you’re using Dart Sass, LibSass 3.6.0 or higher, or Ruby Sass 3.6.0 or higher.This change was introduced in pull request #4955: Rename
allfiles toindexfor our Sass entry points.Fixes
We've made fixes to GOV.UK Frontend in the following pull requests:
errorMessageargument for the password input component - thanks to Tim South for contributing this changegovuk-frontenderrorListis providedTo install this version with npm, run
npm install govuk-frontend@5.3.1. You can also find more information about how to stay up to date in our documentation.Fixes
We've made fixes to GOV.UK Frontend in the following pull requests:
attributesoption ignoring values passed from thesafefilterTo install this version with npm, run
npm install govuk-frontend@5.3.0. You can also find more information about how to stay up to date in our documentation.New features
Use the Password input component to help users accessibly enter passwords
The Password input component allows users to choose:
This helps users use longer and more complex passwords without needing to remember what they've already typed.
This change was introduced in pull request #4442: Create password input component. Thanks to @ andysellick for the original contribution.
Recommended changes
Update the HTML for the Character count component
We've updated the HTML for the Character count component. The component wrapper
data-module="govuk-character-count"and its form groupclass="govuk-form-group"are now combined as the same<div>. The hint text used as the count message now appears directly after the<textarea>.If you're not using Nunjucks macros, then you should:
<div>to the component wrapper<div><div>and closing</div>tags used by the form group<textarea>The following example shows some HTML and the difference once it’s updated.
HTML before:
HTML after:
Check your changes against the Character count example in the Design System to make sure you’ve correctly implemented them.
This change was introduced in pull request #4566: Use Character count
formGroupas module wrapper.Remove redundant
roleattributes from elementsWe've made minor changes to the HTML of the page template, as well as the header, footer and pagination components.
You can update your HTML to remove the
roleattribute from some elements. These include the:mainrole on themainelement in the templatebannerrole on theheaderelement in the Header componentcontentinforole on thefooterelement in the Footer componentnavigationrole on thenavelement in the Pagination componentThese roles were present to support legacy browsers, such as older versions of Internet Explorer. GOV.UK Frontend no longer supports these browsers, so you can now remove these roles.
You do not need to change anything if you're using the Nunjucks versions of the page template or these components,
This change was introduced in pull request #4854: Remove redundant
roleattributes.Fixes
We've fixed an upstream issue in the cssnano npm package that caused elements with transparency to render incorrectly in Internet Explorer 11. This affected the pre-compiled CSS files in the GOV.UK Frontend npm package and GitHub releases for versions 5.0, 5.1 and 5.2. This was fixed in:
We've made fixes to GOV.UK Frontend in the following pull requests:
KeyboardEvent.keyover deprecatedKeyboardEvent.keyCodein the Tabs componentKeyboardEvent.keyover deprecatedKeyboardEvent.keyCodein the Button componentKeyboardEventproperties from the Exit this Page componentIn this release, we’ve adjusted our responsive type scale, which is available behind a feature flag. The type scale change is to make text easier to read on smaller screens. We’ve also deprecated the
useTudorCrownparameter.To install this version with npm, run
npm install govuk-frontend@5.2.0. You can also find more information about how to stay up to date in our documentation.New features
We've adjusted our responsive type scale
We've made the following adjustments to our responsive type scale:
To enable these changes, set the feature flag variable
$govuk-new-typography-scaletotruebefore you import GOV.UK Frontend in your Sass files:If your service uses custom elements made using GOV.UK Frontend, test your service against the new typography scale to assess if you need to make any adjustments.
You can read more on upgrading your service to the new type scale in our upgrade guide.
This change was introduced in pull request #2421: Adjust the responsive type scale
Insert custom HTML into component form group wrappers
You can now insert custom HTML into form group wrappers for all components with form fields.
govukInput({ formGroup: { beforeInput: { html: "example" }, afterInput: { html: "example" }, } })This change was introduced in pull request #4567: Add
beforeInput(s)andbeforeInput(s)options to form groups.Deprecated features
Stop using the
useTudorCrownparameter in the Heading componentThe rollout for the revised GOV.UK logo has started and the Tudor crown logo is now shown by default. We’ve deprecated the
useTudorCrownparameter and will remove it in the next major release.You can now remove the
useTudorCrownparameter, along with any other adjustments made to display the Tudor crown logo in your service.This change was introduced in pull request #4740: Make Tudor Crown logo the default
Fixes
We've made fixes to GOV.UK Frontend in the following pull requests:
calc()compatibility in Radios and CheckboxesPackage name: @ministryofjustice/frontend
-
2.2.0 - 2024-07-31
- select a date from the calendar view
- also enter a date using a text input
- identify available dates
-
2.1.3 - 2024-05-07
- package.json & package-lock.json to reduce vulnerabilities (#592) (d815589)
-
2.1.2 - 2024-03-13
- filter toggle button: ensure button appears (#581) (fbe6407)
-
2.1.1 - 2024-02-19
- sortable-table: support mixed content and floating values (e4f9e69), closes #559
from @ministryofjustice/frontend GitHub release notes2.2.0 (2024-07-31)
You can find out how to stay up-to-date with new releases.
New feature: use the date picker component to help users select dates
The date picker component enables users to:
2.1.3 (2024-05-07)
Bug Fixes
2.1.2 (2024-03-13)
Bug Fixes
2.1.1 (2024-02-19)
Bug Fixes
Package name: axios
-
1.7.5 - 2024-08-23
- adapter: fix undefined reference to hasBrowserEnv (#6572) (7004707)
- core: add the missed implementation of AxiosError#status property; (#6573) (6700a8a)
- core: fix
- fetch: fix credentials handling in Cloudflare workers (#6533) (550d885)
Dmitriy Mozgovoy
Antonin Bas
Hans Otto Wirtz
-
1.7.4 - 2024-08-13
- sec: CVE-2024-39338 (#6539) (#6543) (6b6b605)
- sec: disregard protocol-relative URL to remediate SSRF (#6539) (07a661a)
Lev Pachmanov
Đỗ Trọng Hải
from axios GitHub release notesRelease notes:
Bug Fixes
ReferenceError: navigator is not definedfor custom environments; (#6567) (fed1a4b)Contributors to this release
Release notes:
Bug Fixes
Contributors to this release
Package name: joi
-
17.13.3 - 2024-06-19
-
17.13.2 - 2024-06-19
-
17.13.1 - 2024-05-02
-
17.13.0 - 2024-04-23
from joi GitHub release notes17.13.3
17.13.2
17.13.1
17.13.0
Package name: prom-client
-
15.1.3 - 2024-06-27
- Improve error message on labels by @ leftieFriele in #633
- @ leftieFriele made their first contribution in #633
- @ korengal made their first contribution in #636
-
15.1.2 - 2024-04-16
- Enable
- Add
- Correctly read and set
- @ owlcode made their first contribution in #624
-
15.1.1 - 2024-03-26
- perf: improve the memory usage of histogram by @ xsbchen in #606
- fix: avoid updating exemplar values during subsequent metric changes by @ psimk in #620
- @ glensc made their first contribution in #604
- @ xsbchen made their first contribution in #606
- @ psimk made their first contribution in #620
-
15.1.0 - 2023-12-15
- remove unnecessary loop from
- Improve performance of
- Fix type of
- Allow Pushgateway to now require job names for compatibility with Gravel Gateway.
- Allow
- @ Connormiha made their first contribution in #592
- @ yosiat made their first contribution in #596
- @ geofholbrook made their first contribution in #597
- @ Pigrabbit made their first contribution in #593
from prom-client GitHub release notesWhat's Changed
New Contributors
Full Changelog: v15.1.2...v15.1.3
What's Changed
bun.jsby catchingNotImplementederrorby @ owlcode in #624Registry.PROMETHEUS_CONTENT_TYPEandRegistry.OPENMETRICS_CONTENT_TYPEconstants to the TypeScript types by @ SimenB in #626contentTypetop level export by @ SimenB in #625New Contributors
Full Changelog: v15.1.1...v15.1.2
What's Changed
New Contributors
Full Changelog: v15.1.0...v15.1.1
Changed
osMemoryHeapLinuxhashObjectby using pre-sorted array of label namescollectDefaultMetrics.metricsListAdded
histogram.startTime()to be used with exemplars.New Contributors
Full Changelog: v15.0.0...v15.1.0
Package name: redis
-
4.7.0 - 2024-07-29
- Upgrade
- Upgrade
- Upgrade
- Upgrade
-
4.6.15 - 2024-07-02
- Upgrade
-
4.6.14 - 2024-05-16
- Upgrade
-
4.6.13 - 2024-02-05
from redis GitHub release notesEnhancements
@ redis/clientfrom1.5.16to1.6.0@ redis/jsonfrom1.0.6to1.0.7@ redis/searchfrom1.1.6to1.2.0@ redis/time-seriesfrom1.0.5to1.1.0Enhancements
@ redis/clientfrom1.5.16to1.5.17Enhancements
@ redis/clientfrom1.5.14to1.5.16Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information: