From d2826872fe487a027b677aeb43704f761a6b4e80 Mon Sep 17 00:00:00 2001
From: Pevey <7490308+pevey@users.noreply.github.com>
Date: Sun, 16 Apr 2023 03:37:43 -0500
Subject: [PATCH] chore: Bump package versions to address security vulnerabilities (#3845)

---
 .changeset/nasty-pears-unite.md | 5 +
 .../api/__tests__/admin/currency.js | 33 ----
 .../api/__tests__/admin/discount.js | 2 +-
 .../api/__tests__/admin/order/order.js | 4 +-
 packages/medusa/package.json | 12 +-
 .../discounts/__tests__/create-discount.js | 1 +
 .../admin/orders/__tests__/create-claim.js | 6 +-
 .../__tests__/create-price-list.ts | 2 +-
 yarn.lock | 156 +++++++++++++++---
 9 files changed, 156 insertions(+), 65 deletions(-)
 create mode 100644 .changeset/nasty-pears-unite.md

diff --git a/.changeset/nasty-pears-unite.md b/.changeset/nasty-pears-unite.md
new file mode 100644
index 0000000000..bee4e12281
--- /dev/null
+++ b/.changeset/nasty-pears-unite.md
@@ -0,0 +1,5 @@
+---
+"@medusajs/medusa": patch
+---
+
+Bump package versions to address security vulnerabilities
diff --git a/integration-tests/api/__tests__/admin/currency.js b/integration-tests/api/__tests__/admin/currency.js
index a3080ccac2..1f045671c4 100644
--- a/integration-tests/api/__tests__/admin/currency.js
+++ b/integration-tests/api/__tests__/admin/currency.js
@@ -54,39 +54,6 @@ describe("/admin/currencies", () => {
 expect(response.data).toMatchSnapshot()
 })
 })
-
- describe("POST /admin/currencies/:code", function () {
- beforeEach(async () => {
- try {
- await adminSeeder(dbConnection)
- } catch (e) {
- console.error(e)
- }
- })
-
- afterEach(async () => {
- const db = useDb()
- await db.teardown()
- })
-
- it("should fail when attempting to update includes_tax", async () => {
- const api = useApi()
-
- try {
- await api.post(
- `/admin/currencies/aed`,
- {
- includes_tax: true,
- },
- adminReqConfig
- )
- } catch (error) {
- expect(error.response.data.message).toBe(
- "property includes_tax should not exist"
- )
- }
- })
- })
 })
 describe("[MEDUSA_FF_TAX_INCLUSIVE_PRICING] /admin/currencies", () => {
 let medusaProcess
diff --git a/integration-tests/api/__tests__/admin/discount.js b/integration-tests/api/__tests__/admin/discount.js
index b6a6d6aa31..d73a44b3d2 100644
--- a/integration-tests/api/__tests__/admin/discount.js
+++ b/integration-tests/api/__tests__/admin/discount.js
@@ -324,7 +324,7 @@ describe("/admin/discounts", () => {
 expect(err.response.status).toEqual(400)
 expect(err.response.data.type).toEqual("invalid_data")
 expect(err.response.data.message).toEqual(
- "type must be a valid enum value"
+ "type must be one of the following values: fixed, percentage, free_shipping"
 )
 })
 })
diff --git a/integration-tests/api/__tests__/admin/order/order.js b/integration-tests/api/__tests__/admin/order/order.js
index f1506068cd..fd6bb21b67 100644
--- a/integration-tests/api/__tests__/admin/order/order.js
+++ b/integration-tests/api/__tests__/admin/order/order.js
@@ -1654,7 +1654,7 @@ describe("/admin/orders", () => {
 )
 })
- it("fails to lists all orders with an invalid status", async () => {
+ it.only("fails to lists all orders with an invalid status", async () => {
 expect.assertions(3)
 const api = useApi()
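Review bot: The deleted `POST /admin/currencies/:code` block was the only test here asserting that an unknown body property (`includes_tax`) is rejected with "property includes_tax should not exist", and the hunk removes it outright instead of updating its expected string the way the other test hunks in this commit do, so that request-whitelisting behaviour is now uncovered. If the class-validator bump only changed the wording, keep the test and adjust the `toBe(...)` literal; if the route no longer rejects the field, that is a behaviour change the changeset text should mention. A restored test should also start with `expect.assertions(1)`, because the `try`/`catch` shape shown passes vacuously when the request succeeds. The enclosing `describe("/admin/currencies")` starts before this hunk.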
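Review bot: The new line in the `order.js` hunk at `@@ -1654,7 +1654,7 @@` turns `it(` into `it.only(`, which makes Jest skip every other test in this file, so the rest of the `/admin/orders` suite silently stops running once this is merged. This looks like a leftover from local debugging of the message change in the following hunk; the line should read `it("fails to lists all orders with an invalid status", async () => {` with the `.only` removed. The test body continues past the end of this hunk.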
@@ -1664,7 +1664,7 @@ describe("/admin/orders", () => {
 expect(err.response.status).toEqual(400)
 expect(err.response.data.type).toEqual("invalid_data")
 expect(err.response.data.message).toEqual(
- "each value in status must be a valid enum value"
+ "each value in status must be one of the following values: pending, completed, archived, canceled, requires_action"
 )
 })
 })
diff --git a/packages/medusa/package.json b/packages/medusa/package.json
index bb1b9ff7b1..8b8b7c8a57 100644
--- a/packages/medusa/package.json
+++ b/packages/medusa/package.json
@@ -54,7 +54,7 @@
 "bullmq": "^3.5.6",
 "chokidar": "^3.4.2",
 "class-transformer": "^0.5.1",
- "class-validator": "^0.13.2",
+ "class-validator": "^0.14.0",
 "compression": "^1.7.4",
 "connect-redis": "^5.0.0",
 "cookie-parser": "^1.4.6",
@@ -62,23 +62,23 @@
 "cors": "^2.8.5",
 "cross-spawn": "^7.0.3",
 "dotenv": "^16.0.3",
- "express": "^4.17.1",
+ "express": "^4.18.2",
 "express-session": "^1.17.3",
 "fs-exists-cached": "^1.0.0",
 "glob": "^7.1.6",
 "ioredis": "^5.2.5",
 "ioredis-mock": "8.4.0",
 "iso8601-duration": "^1.3.0",
- "jsonwebtoken": "^8.5.1",
+ "jsonwebtoken": "^9.0.0",
 "lodash": "^4.17.21",
 "medusa-core-utils": "^1.2.0",
 "medusa-telemetry": "^0.0.16",
 "medusa-test-utils": "^1.1.40",
 "morgan": "^1.9.1",
- "multer": "^1.4.4",
+ "multer": "^1.4.5-lts.1",
 "node-schedule": "^2.1.1",
 "papaparse": "^5.3.2",
- "passport": "^0.4.1",
+ "passport": "^0.6.0",
 "passport-http-bearer": "^1.0.1",
 "passport-jwt": "^4.0.1",
 "passport-local": "^1.0.0",
@@ -89,7 +89,7 @@
 "request-ip": "^2.1.3",
 "scrypt-kdf": "^2.0.1",
 "ulid": "^2.3.0",
- "uuid": "^8.3.2",
+ "uuid": "^9.0.0",
 "winston": "^3.8.2"
 },
 "gitHead": "cd1f5afa5aa8c0b15ea957008ee19f1d695cbd2e"
diff --git a/packages/medusa/src/api/routes/admin/discounts/__tests__/create-discount.js b/packages/medusa/src/api/routes/admin/discounts/__tests__/create-discount.js
index cea0999562..70a02bec9f 100644
--- a/packages/medusa/src/api/routes/admin/discounts/__tests__/create-discount.js
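Review bot: The `package.json` hunk at `@@ -62,23 +62,23 @@` moves `passport` from `^0.4.1` to `^0.6.0` and `jsonwebtoken` from `^8.5.1` to `^9.0.0`, both of which are major behaviour changes for authentication code, yet no source file under `src/` is touched in this commit. passport 0.6 regenerates the session inside `req.login()`/`req.logout()` (the session-fixation fix), so any state written to the session before login is lost unless the call passes `keepSessionInfo: true`; jsonwebtoken 9 rejects RSA keys shorter than 2048 bits and refuses HMAC algorithms with asymmetric keys, so `jwt.sign`/`jwt.verify` calls that relied on the old permissive defaults will start throwing. Likewise `class-validator` `^0.14.0` in the first hunk defaults `forbidUnknownValues` to true, which the rewritten error messages in the test hunks already reflect; the changeset should name these three as breaking-for-callers rather than only "security vulnerabilities". Because `"multer": "^1.4.5-lts.1"` is a caret on a prerelease tag, confirm the resolver picks the `lts` line and not a future `1.4.5` without the tag (the lockfile shows it resolved to `1.4.5-lts.1`).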
+++ b/packages/medusa/src/api/routes/admin/discounts/__tests__/create-discount.js
@@ -4,6 +4,7 @@ import { DiscountServiceMock } from "../../../../../services/__mocks__/discount"
 const validRegionId = IdMap.getId("region-france")
+jest.setTimeout(30000)
 describe("POST /admin/discounts", () => {
 const adminSession = {
 jwt: {
diff --git a/packages/medusa/src/api/routes/admin/orders/__tests__/create-claim.js b/packages/medusa/src/api/routes/admin/orders/__tests__/create-claim.js
index b2c0662abb..206ee51b0c 100644
--- a/packages/medusa/src/api/routes/admin/orders/__tests__/create-claim.js
+++ b/packages/medusa/src/api/routes/admin/orders/__tests__/create-claim.js
@@ -81,7 +81,9 @@ describe("POST /admin/orders/:id/claims", () => {
 it("throws an error", () => {
 expect(subject.status).toEqual(400)
- expect(subject.body.message).toEqual("type must be a valid enum value")
+ expect(subject.body.message).toEqual(
+ "type must be one of the following values: refund, replace"
+ )
 })
 })
@@ -166,7 +168,7 @@ describe("POST /admin/orders/:id/claims", () => {
 it("throws an error", () => {
 expect(subject.status).toEqual(400)
 expect(subject.body.message).toEqual(
- "reason must be a valid enum value"
+ "reason must be one of the following values: missing_item, wrong_item, production_failure, other"
 )
 })
 })
diff --git a/packages/medusa/src/api/routes/admin/price-lists/__tests__/create-price-list.ts b/packages/medusa/src/api/routes/admin/price-lists/__tests__/create-price-list.ts
index 87c07b7703..0b2c4a8a92 100644
--- a/packages/medusa/src/api/routes/admin/price-lists/__tests__/create-price-list.ts
+++ b/packages/medusa/src/api/routes/admin/price-lists/__tests__/create-price-list.ts
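Review bot: `jest.setTimeout(30000)` is added at module scope in `create-discount.js` with no comment saying why a route unit test now needs a 30-second budget, and it is the only test file in the commit that gets one, so the next reader cannot tell whether it papers over a real slowdown introduced by the upgrades or a flaky mock. Add a why-comment on the line, e.g. `jest.setTimeout(30000) // TODO(owner): first import became slow after the dependency bumps — confirm cause and drop once fixed`, and keep a blank line between it and `describe(...)` to match the file's layout. If only one `describe` is slow, scoping the timeout to that block or to the specific `it(..., timeout)` is preferable to a file-wide raise.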
@@ -112,7 +112,7 @@ describe("POST /price-lists", () => { it("returns descriptive error that several fields are missing", () => { expect(subject.body.type).toEqual("invalid_data") expect(subject.body.message).toEqual( - "name must be a string, type must be a valid enum value, prices must be an array" + "name must be a string, type must be one of the following values: sale, override, prices must be an array" ) }) }) diff --git a/yarn.lock b/yarn.lock index 87a6e0f96e..0977f07eb1 100644 --- a/yarn.lock +++ b/yarn.lock @@ -6123,7 +6123,7 @@ __metadata: bullmq: ^3.5.6 chokidar: ^3.4.2 class-transformer: ^0.5.1 - class-validator: ^0.13.2 + class-validator: ^0.14.0 compression: ^1.7.4 connect-redis: ^5.0.0 cookie-parser: ^1.4.6 @@ -6132,7 +6132,7 @@ __metadata: cross-env: ^5.2.1 cross-spawn: ^7.0.3 dotenv: ^16.0.3 - express: ^4.17.1 + express: ^4.18.2 express-session: ^1.17.3 fs-exists-cached: ^1.0.0 glob: ^7.1.6 @@ -6140,17 +6140,17 @@ __metadata: ioredis-mock: 8.4.0 iso8601-duration: ^1.3.0 jest: ^25.5.4 - jsonwebtoken: ^8.5.1 + jsonwebtoken: ^9.0.0 lodash: ^4.17.21 medusa-core-utils: ^1.2.0 medusa-interfaces: ^1.3.7 medusa-telemetry: ^0.0.16 medusa-test-utils: ^1.1.40 morgan: ^1.9.1 - multer: ^1.4.4 + multer: ^1.4.5-lts.1 node-schedule: ^2.1.1 papaparse: ^5.3.2 - passport: ^0.4.1 + passport: ^0.6.0 passport-http-bearer: ^1.0.1 passport-jwt: ^4.0.1 passport-local: ^1.0.0 @@ -6164,7 +6164,7 @@ __metadata: ts-jest: ^25.5.1 typescript: ^4.4.4 ulid: ^2.3.0 - uuid: ^8.3.2 + uuid: ^9.0.0 winston: ^3.8.2 peerDependencies: "@medusajs/types": 1.8.2 
@@ -12024,6 +12024,13 @@ __metadata: languageName: node linkType: hard +"@types/validator@npm:^13.7.10": + version: 13.7.15 + resolution: "@types/validator@npm:13.7.15" + checksum: 982d20d3d30a2079f9c9aa2edd8887e722b921593096651b8ece228bf52887532efb8bbc4fb18881beb0889aa0d37974e382080e5e3f86b4f69df5b54378b650 + languageName: node + linkType: hard + "@types/webpack-env@npm:^1.16.0": version: 1.17.0 resolution: "@types/webpack-env@npm:1.17.0" @@ -14962,6 +14969,26 @@ __metadata: languageName: node linkType: hard +"body-parser@npm:1.20.1": + version: 1.20.1 + resolution: "body-parser@npm:1.20.1" + dependencies: + bytes: 3.1.2 + content-type: ~1.0.4 + debug: 2.6.9 + depd: 2.0.0 + destroy: 1.2.0 + http-errors: 2.0.0 + iconv-lite: 0.4.24 + on-finished: 2.4.1 + qs: 6.11.0 + raw-body: 2.5.1 + type-is: ~1.6.18 + unpipe: 1.0.0 + checksum: a202d493e2c10a33fb7413dac7d2f713be579c4b88343cd814b6df7a38e5af1901fc31044e04de176db56b16d9772aa25a7723f64478c20f4d91b1ac223bf3b8 + languageName: node + linkType: hard + "boolbase@npm:^1.0.0": version: 1.0.0 resolution: "boolbase@npm:1.0.0" @@ -15356,6 +15383,15 @@ __metadata: languageName: node linkType: hard +"busboy@npm:^1.0.0": + version: 1.6.0 + resolution: "busboy@npm:1.6.0" + dependencies: + streamsearch: ^1.1.0 + checksum: fa7e836a2b82699b6e074393428b91ae579d4f9e21f5ac468e1b459a244341d722d2d22d10920cdd849743dbece6dca11d72de939fb75a7448825cf2babfba1f + languageName: node + linkType: hard + "bytes@npm:3.0.0": version: 3.0.0 resolution: "bytes@npm:3.0.0" 
@@ -16005,6 +16041,17 @@ __metadata: languageName: node linkType: hard +"class-validator@npm:^0.14.0": + version: 0.14.0 + resolution: "class-validator@npm:0.14.0" + dependencies: + "@types/validator": ^13.7.10 + libphonenumber-js: ^1.10.14 + validator: ^13.7.0 + checksum: 1f7c34052f0c342b1d27c5aec7c42b646bb77a56874acc0d8003e2ad8f0294e7da18b43e9caaac8e8817cbb309cf9f14bcebe4611994390ca4818f3b393783dc + languageName: node + linkType: hard + "classnames@npm:^2.2.6, classnames@npm:^2.3.1": version: 2.3.2 resolution: "classnames@npm:2.3.2" @@ -20369,6 +20416,45 @@ __metadata: languageName: node linkType: hard +"express@npm:^4.18.2": + version: 4.18.2 + resolution: "express@npm:4.18.2" + dependencies: + accepts: ~1.3.8 + array-flatten: 1.1.1 + body-parser: 1.20.1 + content-disposition: 0.5.4 + content-type: ~1.0.4 + cookie: 0.5.0 + cookie-signature: 1.0.6 + debug: 2.6.9 + depd: 2.0.0 + encodeurl: ~1.0.2 + escape-html: ~1.0.3 + etag: ~1.8.1 + finalhandler: 1.2.0 + fresh: 0.5.2 + http-errors: 2.0.0 + merge-descriptors: 1.0.1 + methods: ~1.1.2 + on-finished: 2.4.1 + parseurl: ~1.3.3 + path-to-regexp: 0.1.7 + proxy-addr: ~2.0.7 + qs: 6.11.0 + range-parser: ~1.2.1 + safe-buffer: 5.2.1 + send: 0.18.0 + serve-static: 1.15.0 + setprototypeof: 1.2.0 + statuses: 2.0.1 + type-is: ~1.6.18 + utils-merge: 1.0.1 + vary: ~1.1.2 + checksum: 75af556306b9241bc1d7bdd40c9744b516c38ce50ae3210658efcbf96e3aed4ab83b3432f06215eae5610c123bc4136957dc06e50dfc50b7d4d775af56c4c59c + languageName: node + linkType: hard + "ext@npm:^1.1.2": version: 1.6.0 resolution: "ext@npm:1.6.0" 
@@ -27856,6 +27942,13 @@ __metadata: languageName: node linkType: hard +"libphonenumber-js@npm:^1.10.14": + version: 1.10.26 + resolution: "libphonenumber-js@npm:1.10.26" + checksum: 4a534112c2a182e95e96c13e4f969ebc2969421a6a06be65f20ff6de4625ae8f9ec0dba115c4d7485bc547f091b7acb8985332e1b4b6dc02390485ac33f4c8ea + languageName: node + linkType: hard + "libphonenumber-js@npm:^1.9.43": version: 1.10.8 resolution: "libphonenumber-js@npm:1.10.8" @@ -30664,7 +30757,7 @@ __metadata: languageName: node linkType: hard -"multer@npm:^1.4.3, multer@npm:^1.4.4": +"multer@npm:^1.4.3": version: 1.4.4 resolution: "multer@npm:1.4.4" dependencies: @@ -30680,6 +30773,21 @@ __metadata: languageName: node linkType: hard +"multer@npm:^1.4.5-lts.1": + version: 1.4.5-lts.1 + resolution: "multer@npm:1.4.5-lts.1" + dependencies: + append-field: ^1.0.0 + busboy: ^1.0.0 + concat-stream: ^1.5.2 + mkdirp: ^0.5.4 + object-assign: ^4.1.1 + type-is: ^1.6.4 + xtend: ^4.0.0 + checksum: 4c6c91e93e510c99e791b6520e3e2f4a227a57f4f509427ff7f3a6f4cc0b4b09ad77c475f629c12f7ae01dba11645b2bd6568877cab775de8bf853b0a67259b4 + languageName: node + linkType: hard + "multilang-extract-comments@npm:^0.4.0": version: 0.4.0 resolution: "multilang-extract-comments@npm:0.4.0" @@ -32387,13 +32495,14 @@ __metadata: languageName: node linkType: hard -"passport@npm:^0.4.1": - version: 0.4.1 - resolution: "passport@npm:0.4.1" +"passport@npm:^0.6.0": + version: 0.6.0 + resolution: "passport@npm:0.6.0" dependencies: passport-strategy: 1.x.x pause: 0.0.1 - checksum: aa1a8eb2e991368734ae1e33d354c94a02c5fcd27c4ef25c3c303b4f3df1e05512ac0159e608cedbfc8c544c166735a153124cfa3bd8d48fb01f5ded500f0c5f + utils-merge: ^1.0.1 + checksum: 1d8651a4a1a72b84ea08c498cff9cfc209aebfe18baed4cf93292ded3f8e30a04e30b404fdfce39dfb6aa7247e205f1df43fbfd7bc7c1a67a600884359d46ee6 languageName: node linkType: hard 
@@ -34086,14 +34195,7 @@ __metadata: languageName: node linkType: hard -"qs@npm:6.7.0": - version: 6.7.0 - resolution: "qs@npm:6.7.0" - checksum: 04e6934d8cfa4f352e5bf5fe16eeed75dccad16d1e03b53ece849839b7439940f0df8bf0bc4750306d65baf95ebe165315f61122067e33bfee7b7ef4e3945813 - languageName: node - linkType: hard - -"qs@npm:^6.10.0, qs@npm:^6.10.3, qs@npm:^6.11.0, qs@npm:^6.5.1, qs@npm:^6.9.4": +"qs@npm:6.11.0, qs@npm:^6.10.0, qs@npm:^6.10.3, qs@npm:^6.11.0, qs@npm:^6.5.1, qs@npm:^6.9.4": version: 6.11.0 resolution: "qs@npm:6.11.0" dependencies: @@ -34102,6 +34204,13 @@ __metadata: languageName: node linkType: hard +"qs@npm:6.7.0": + version: 6.7.0 + resolution: "qs@npm:6.7.0" + checksum: 04e6934d8cfa4f352e5bf5fe16eeed75dccad16d1e03b53ece849839b7439940f0df8bf0bc4750306d65baf95ebe165315f61122067e33bfee7b7ef4e3945813 + languageName: node + linkType: hard + "qs@npm:~6.5.2": version: 6.5.3 resolution: "qs@npm:6.5.3" @@ -37629,6 +37738,13 @@ __metadata: languageName: node linkType: hard +"streamsearch@npm:^1.1.0": + version: 1.1.0 + resolution: "streamsearch@npm:1.1.0" + checksum: fbd9aecc2621364384d157f7e59426f4bfd385e8b424b5aaa79c83a6f5a1c8fd2e4e3289e95de1eb3511cb96bb333d6281a9919fafce760e4edb35b2cd2facab + languageName: node + linkType: hard + "strict-event-emitter@npm:^0.2.0": version: 0.2.4 resolution: "strict-event-emitter@npm:0.2.4" @@ -40474,7 +40590,7 @@ __metadata: languageName: node linkType: hard -"utils-merge@npm:1.0.1": +"utils-merge@npm:1.0.1, utils-merge@npm:^1.0.1": version: 1.0.1 resolution: "utils-merge@npm:1.0.1" checksum: 02ba649de1b7ca8854bfe20a82f1dfbdda3fb57a22ab4a8972a63a34553cf7aa51bc9081cf7e001b035b88186d23689d69e71b510e610a09a4c66f68aa95b672