Merge main (v1.6.7) into develop #479

Merged
merged 3 commits into from
Feb 13, 2025

github-actions[bot]
Contributor

Merge main (v1.6.7) into develop

Updating the @babel/preset-env import from 7.14.7 to 7.23.2 to resolve a potential vulnerability.

J=VULN-39417
TEST=manual

Ran `npm run start` in test-site, site functioned as expected.
@github-actions github-actions bot requested a review from a team as a code owner November 20, 2024 19:34
@semgrep-code-yext

Semgrep found 6 ssc-aff5e8de-c638-4356-8a93-120597e35ce9 findings:

Risk: Affected versions of @babel/traverse are vulnerable to Incomplete List Of Disallowed Inputs. An attacker can exploit a vulnerability in the internal Babel methods path.evaluate() or path.evaluateTruthy() by compiling specially crafted code, potentially resulting in arbitrary code execution during compilation.

Manual Review Advice: A vulnerability from this advisory is reachable if you use Babel to compile untrusted JavaScript.

Fix: Upgrade this library to at least version 0.5.3 at search-ui-react/test-site/package-lock.json:22499.

Reference(s): GHSA-67hx-6x53-jw92, CVE-2023-45133

Semgrep found 1 ssc-cee3e6d5-d7c8-4c35-9815-076aa1ebfd49 finding:

Risk: Affected versions of rollup are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

Manual Review Advice: A vulnerability from this advisory is reachable if you use Rollup to bundle JavaScript with import.meta.url and the output format is set to cjs, umd, or iife formats, while allowing users to inject scriptless HTML elements with unsanitized name attributes.

Fix: Upgrade this library to at least version 2.79.2 at search-ui-react/test-site/package-lock.json:30485.

Reference(s): GHSA-gcx4-mw62-g8wm, CVE-2024-47068

Contributor Author

Current unit coverage is 92.01741654571843%
Current visual coverage is 79.24701561065197%
Current combined coverage is 92.50483558994198%

@Fondryext Fondryext merged commit 8803bff into develop Feb 13, 2025
21 of 22 checks passed
@Fondryext Fondryext deleted the dev/merge-v1.6.7-109b443-into-develop branch February 13, 2025 19:53
@coveralls

coveralls commented Feb 13, 2025

Coverage Status

coverage: 85.227%. remained the same when pulling aa55cef on dev/merge-v1.6.7-109b443-into-develop into e206b20 on develop.
