Investigate resolving package vulnerabilities - either by replacing o…

…r upgrading (#178) * Let's see if dependabot complains * Import order linting * updated the Requests package due to a reported vulnerability in 2.32.0 * updated package.json to force usage of the newer braces package that doesn't contain the vulnerability --------- Co-authored-by: jmscherer <jscherer@uab.edu>
uab-cgds-worthey · Jun 27, 2024 · 1ac66dd · 1ac66dd
1 parent 633a067
commit 1ac66dd
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 9 deletions.
diff --git a/backend/requirements.txt b/backend/requirements.txt
@@ -6,13 +6,12 @@ pymongo==4.6.3
 jq==1.6.0
 
 python-multipart==0.0.7
-python-jose[cryptography]==3.3.0
-passlib==1.7.4
-bcrypt==4.0.1
+PyJWT[crypto]==2.8.0
+passlib[bcrypt]==1.7.4
 
 # dev
 pytest-cov==4.0.0
 pytest==7.4.2
 pylint==3.0.0
-requests==2.31.0
+requests==2.32.3
 yapf==0.40.2
diff --git a/backend/src/security/security.py b/backend/src/security/security.py
@@ -1,12 +1,15 @@
 """ Provides necessary functions to handle passwords and determining whether users are a verified user  """
+
 import secrets
 import string
 
+from datetime import datetime, timedelta
 from typing import Optional
 
-from datetime import datetime, timedelta
+import jwt
+
 from pydantic import ValidationError
-from jose import jwt, JWTError
+from jwt.exceptions import InvalidTokenError
 
 from fastapi import Depends, HTTPException, Response, status
 from fastapi.security import SecurityScopes
@@ -93,7 +96,7 @@ def get_current_user(
                 detail="Could not validate credentials",
                 headers={"WWW-Autenticate": authenticate_value, "set-cookie": response.headers["set-cookie"]},
             )
-    except JWTError as jwt_error:
+    except InvalidTokenError as jwt_error:
         response.delete_cookie(key="rosalution_TOKEN")
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
@@ -132,7 +135,7 @@ def get_authorization(
         if client_id is None:
             raise credentials_exception
         user_scopes = payload.get("scopes", str)
-    except (JWTError, ValidationError) as validation_exception:
+    except (InvalidTokenError, ValidationError) as validation_exception:
         raise validation_exception
     # for scope in security_scopes.scopes:
     if "write" in security_scopes.scopes and "write" not in user_scopes:

diff --git a/backend/tests/unit/security/test_security.py b/backend/tests/unit/security/test_security.py
@@ -7,7 +7,7 @@
 
 import pytest
 
-from jose import jwt
+import jwt
 
 from fastapi import HTTPException, Response
 from fastapi.security import SecurityScopes

diff --git a/frontend/package.json b/frontend/package.json
@@ -35,5 +35,8 @@
     "sinon": "16.0.0",
     "vite": "4.5.3",
     "vitest": "0.34.6"
+  },
+  "resolutions": {
+      "braces": "3.0.3"
   }
 }