fix: add npm override for axios (CVE-2025-58754)#17
Open
jignaciopm wants to merge 75 commits into
…#1862) This solves an issue that allowed users to import .gz files. We make the drop zone allow only .tar.gz files. Resolves openedx#1386
Fix translation issue on Files and Videos table view mode on the columns.
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [formidable](https://github.com/node-formidable/formidable) from 3.5.2 to 3.5.4. - [Release notes](https://github.com/node-formidable/formidable/releases) - [Changelog](https://github.com/node-formidable/formidable/blob/master/CHANGELOG.md) - [Commits](https://github.com/node-formidable/formidable/commits) --- updated-dependencies: - dependency-name: formidable dependency-version: 3.5.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…1840) Bumps [http-proxy-middleware](https://github.com/chimurai/http-proxy-middleware) from 2.0.7 to 2.0.9. - [Release notes](https://github.com/chimurai/http-proxy-middleware/releases) - [Changelog](https://github.com/chimurai/http-proxy-middleware/blob/v2.0.9/CHANGELOG.md) - [Commits](chimurai/http-proxy-middleware@v2.0.7...v2.0.9) --- updated-dependencies: - dependency-name: http-proxy-middleware dependency-version: 2.0.9 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [@babel/helpers](https://github.com/babel/babel/tree/HEAD/packages/babel-helpers) from 7.25.0 to 7.27.0. - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.27.0/packages/babel-helpers) --- updated-dependencies: - dependency-name: "@babel/helpers" dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…dx#1769) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* fix: rename "Organize" tab to "Manage"
* fix: duplicate key warnings
* fix: uniform messages while adding to collection
* fix: do not allow units be added to a unit
…penedx#1820)
* fix: use Library search results to populate container card preview
* feat: show published children when showing only published Unit content
* fix: nits
Co-authored-by: abdullahwaheed <42172960+abdullahwaheed@users.noreply.github.com>
This PR fixes some UX bugs related to the unit pages:
* Sort for "recently modified" on unit tab does not update after adding new components to units
* Change component delete warning message
Fixes the following issues:
* Selection behavior
* Component selection is by header click only
* Newly created blocks within a unit should be selected on creation/save, appear selected, and have their sidebar open
* Some long text components seem to display at the default height rather than a longer height
* Within the full-page unit view, the "add to collection" overflow menu item on components does not seem to work/only opens the sidebar.
* Draft status indicator text is not vertically centered with icon
* When reordering, dragging a short component past a long component often causes a strange stutter effect.
* When dragging to reorder a component, moving quickly or scrolling often causes the drag handle to be lost / causes the block to jump somewhere else
* Reordering may not consistently support a keyboard-accessible option to change order, like in course authoring
* Tag button on component header opens the old tag side pane
- Add filter functionality to course optimizer broken links to check different results
- modify design, make use of logo with better tooltip
- change message texts in different area of the page
- add more unit tests for code coverage to cover more use cases
- ignore Modal close in code coverage as our modal does not have close button
Improves the focus and selected styles from the LibraryPage and UnitPage.
Co-authored-by: abdullahwaheed <42172960+abdullahwaheed@users.noreply.github.com>
…nits in library units picker [FC-0083] (openedx#1926) Fixes the issues from openedx#1633 (comment)
* In successfully added units, the "add new component" widget appears sometimes
* In the "add existing unit" modal, the preview shows draft versions of units
Fixes issues related to component libraries' review/sync flow
* Inconsistent sync pane title versions
* Library content shown in preview warning only appears in review changes modal when that modal is opened from the review tab
* Some new changes only appear within library review tab on scroll at top of list
* Vertically misaligned sync icon in review changes message on course outline
* Show available updates whenever content is updated, regardless of number of updates available
The whole page was being refreshed while searching content from course outline page due to fetching of waffle flag on changes in location search field.
* fix: adding messages for i18n issues related to placeholders
* fix: adding messages for i18n issues related to import tag wizard stepper titles
* fix: changing name to duplicated id on i18n message
* fix: replacing hardcoded string with constants to solve i18n issue
* fix: typo on title prop
* fix: adding components prop name correctly
* test: adding ut for select video modal
* chore: adding description to placeholder, changing extension to constant file and adding uts for code coverage
* chore: removing outdated comment lines
…openedx#1930) Improves the focus and selected styles from the LibraryPage and UnitPage.
Fixes issues related to component libraries' review/sync flow
* Inconsistent sync pane title versions
* Library content shown in preview warning only appears in review changes modal when that modal is opened from the review tab
* Some new changes only appear within library review tab on scroll at top of list
* Vertically misaligned sync icon in review changes message on course outline
* Show available updates whenever content is updated, regardless of number of updates available
…nits in library units picker (openedx#1940) Fixes the issues from openedx#1633 (comment)
* In successfully added units, the "add new component" widget appears sometimes
* In the "add existing unit" modal, the preview shows draft versions of units
…2006)
* feat: select component and show sidebar on edit (openedx#1949) Select component that is being edited in library and show its sidebar. Also fixes issue with children component listing in library unit page (cherry picked from commit 08ac1c0)
* fix: search text flickering (openedx#1999) Fix flickering issue in search field. (cherry picked from commit 6f3b7ab)
* feat: open collection or unit page on double click only (openedx#2002) Opens collection or unit page only on double click. (cherry picked from commit 503642b)
…x#1953) (openedx#2014)
* Optimistic update for renaming Components, Collections and Containers
* Change the InplaceTextEditor to show the new text until the onSave promise resolves
* Change the InplaceTextEditor style to: Always show the rename button
* feat: display editors as modals (openedx#1838)
* fix: do open editor of new xblock when duplicating (openedx#1887) Fixes bug where after duplicating an xblock, the editor modal of the old xblock is being open instead of the new copied xblock.
…Remove never published filter from component picker (openedx#2021)
* fix: Inconsistent publish status filter menu placement (openedx#1966)
* fix: Remove never published filter from component picker (openedx#1947) Removes the never-published filter option from the component picker and unit picker.
…enedx#2022) (openedx#2028) Instead of reloading the entire Unit after syncing changes from the library, just reload the xblock that was changed. (cherry picked from commit ac5574d)
…) (openedx#2030) Sets a max_height=500px for the TinyMCE editor when editing a Text/Html component. This prevents the autoresize plugin from expanding the editor textarea beyond the bounds of the editor modal.⚠️ Because the max height can only be a numeric pixel value, we can't use clever settings like vh or %, and so we're forced to limit the height of the editor to a fixed size for all screen sizes in order to address this issue. (cherry picked from commit c5f7d0c)
(cherry picked from commit 3fc0f27)
Make the unit preview on the sidebar read-only and add `Truncate` to the `InplaceTextEditor`
This PR resolves rendering issues with the Markdown editor inside the modal. The problem began after a PR [1] introduced the use of modals for the editor. The EditorPage [2] component expects a `isMarkdownEditorEnabledForCourse` prop, which was missing in that implementation. [1] openedx#1838 [2] https://github.com/openedx/frontend-app-authoring/pull/1838/files#diff-147218ef88726880178ea895988a5d3feaf2c0c4459086a8de7a4080cbe37de7R226 Backports openedx#2074
* fix: enable markdown editor for problems in libraries too. This fix is also achieved on master via 5991fd3 / openedx#2068 but this is a simpler fix, not a direct backport of that refactor.
* fix: remove duplicate markdown_edited save request (openedx#2127) Removes the unnecessary duplicate save request of markdown_edited value to the backend. Part of: openedx#2099 Backports: 62589ae
---------
Co-authored-by: Muhammad Anas <88967643+Anas12091101@users.noreply.github.com>
…es on Inplace Editor (openedx#2140)
Backport of fix: show unit published name in sidebar on content picker [FC-0090] openedx#2100
Backport of fix: Issue on the Inplace editor [FC-0090] openedx#2101
…rt) (openedx#2087)
* fix: advanced-settings api should not camel-case return value (openedx#1581)
* fix: update advanced module list not working (openedx#2189) Backend was still expecting `{'advanced_modules', {'value': ['poll', 'problem-builder', 'h5pxblock']}}` but without this change, it was receiving `{'advancedModules', ['poll', 'problem-builder', 'h5pxblock']}` Follow up to openedx#1581
---------
Co-authored-by: Muhammad Faraz Maqsood <fmaqsood@2u.com>
* refactor: remove custom order function from course libraries list (openedx#1865) (openedx#1888) (cherry picked from commit bc18fff)
* perf: use Library search results to populate container card preview [FC-0083] [TEAK] (openedx#1889)
  * fix: several library unit page UX bugs (openedx#1868)
    * fix: rename "Organize" tab to "Manage"
    * fix: duplicate key warnings
    * fix: uniform messages while adding to collection
    * fix: do not allow units be added to a unit (cherry picked from commit 0fdc460)
  * perf: use Library search results to populate container card preview (openedx#1820)
    * fix: use Library search results to populate container card preview
    * feat: show published children when showing only published Unit content
    * fix: nits (cherry picked from commit 24e4695)
  ---------
  Co-authored-by: Rômulo Penido <romulo.penido@gmail.com>
* fix: manage access modal on duplicated xblock (openedx#1874)
* fix: unit pages ux bugs [FC-0083] (openedx#1884) (openedx#1916) This PR fixes some UX bugs related to the unit pages:
  * Sort for "recently modified" on unit tab does not update after adding new components to units
  * Change component delete warning message
  It's a backport of openedx#1884
* fix: UX issues in unit page (openedx#1913) (openedx#1923) Fixes the following issues:
  * Selection behavior
  * Component selection is by header click only
  * Newly created blocks within a unit should be selected on creation/save, appear selected, and have their sidebar open
  * Some long text components seem to display at the default height rather than a longer height
  * Within the full-page unit view, the "add to collection" overflow menu item on components does not seem to work/only opens the sidebar.
  * Draft status indicator text is not vertically centered with icon
  * When reordering, dragging a short component past a long component often causes a strange stutter effect.
  * When dragging to reorder a component, moving quickly or scrolling often causes the drag handle to be lost / causes the block to jump somewhere else
  * Reordering may not consistently support a keyboard-accessible option to change order, like in course authoring
  * Tag button on component header opens the old tag side pane
  (cherry picked from commit 8c3fab3)
* fix: invalidate search results when publishing all changes in library (openedx#1925) (openedx#1927) (cherry picked from commit cdb8016) Co-authored-by: Braden MacDonald <braden@opencraft.com>
* fix: improve focus/selected style on library authoring (openedx#1918) (openedx#1930) Improves the focus and selected styles from the LibraryPage and UnitPage.
* fix: review/sync bugs [FC-0083] (openedx#1905) (openedx#1941) Fixes issues related to component libraries' review/sync flow
  * Inconsistent sync pane title versions
  * Library content shown in preview warning only appears in review changes modal when that modal is opened from the review tab
  * Some new changes only appear within library review tab on scroll at top of list
  * Vertically misaligned sync icon in review changes message on course outline
  * Show available updates whenever content is updated, regardless of number of updates available
* fix: Issue with read-only units in libraries & published version of units in library units picker (openedx#1940) Fixes the issues from openedx#1633 (comment)
  * In successfully added units, the "add new component" widget appears sometimes
  * In the "add existing unit" modal, the preview shows draft versions of units
* fix: search modal refresh on typing (openedx#1938) (openedx#1948)
* [Teak] backport openedx#1949, openedx#1999 and openedx#2002 (openedx#2006)
  * feat: select component and show sidebar on edit (openedx#1949) Select component that is being edited in library and show its sidebar. Also fixes issue with children component listing in library unit page (cherry picked from commit 08ac1c0)
  * fix: search text flickering (openedx#1999) Fix flickering issue in search field. (cherry picked from commit 6f3b7ab)
  * feat: open collection or unit page on double click only (openedx#2002) Opens collection or unit page only on double click. (cherry picked from commit 503642b)
* fix: change InplaceTextEditor style and add optimistic update (openedx#1953) (openedx#2014)
  * Optimistic update for renaming Components, Collections and Containers
  * Change the InplaceTextEditor to show the new text until the onSave promise resolves
  * Change the InplaceTextEditor style to: Always show the rename button
* fix: rename library publish button (openedx#2015)
* fix: do open editor of new xblock when duplicating (openedx#2017)
  * feat: display editors as modals (openedx#1838)
  * fix: do open editor of new xblock when duplicating (openedx#1887) Fixes bug where after duplicating an xblock, the editor modal of the old xblock is being open instead of the new copied xblock.
* [Teak] fix: Inconsistent publish status filter menu placement & fix: Remove never published filter from component picker (openedx#2021)
  * fix: Inconsistent publish status filter menu placement (openedx#1966)
  * fix: Remove never published filter from component picker (openedx#1947) Removes the never-published filter option from the component picker and unit picker.
* fix: refresh xblock inline after accepting/rejecting library sync (openedx#2022) (openedx#2028) Instead of reloading the entire Unit after syncing changes from the library, just reload the xblock that was changed. (cherry picked from commit ac5574d)
* fix: set maxHeight on TextEditor TinyMce widget [FC-0090] (openedx#2024) (openedx#2030) Sets a max_height=500px for the TinyMCE editor when editing a Text/Html component. This prevents the autoresize plugin from expanding the editor textarea beyond the bounds of the editor modal. ⚠️ Because the max height can only be a numeric pixel value, we can't use clever settings like vh or %, and so we're forced to limit the height of the editor to a fixed size for all screen sizes in order to address this issue. (cherry picked from commit c5f7d0c)
* fix: upstreamInfo is not always provided (openedx#2041) (openedx#2042) (cherry picked from commit 3fc0f27)
* fix: selection card wiggle (openedx#2047)
* fix: set unit preview readonly on sidebar (openedx#2008) (openedx#2059) Make the unit preview on the sidebar read-only and add `Truncate` to the `InplaceTextEditor`
* fix: backport changes for html button in text component markdown editor (openedx#2065)
* fix: markdown editor issues in modal (openedx#2076) This PR resolves rendering issues with the Markdown editor inside the modal. The problem began after a PR [1] introduced the use of modals for the editor. The EditorPage [2] component expects a `isMarkdownEditorEnabledForCourse` prop, which was missing in that implementation. [1] openedx#1838 [2] https://github.com/openedx/frontend-app-authoring/pull/1838/files#diff-147218ef88726880178ea895988a5d3feaf2c0c4459086a8de7a4080cbe37de7R226 Backports openedx#2074
* fix: Expand all now expands subsections (openedx#2085)
* fix: files & uploads menu was truncated due to overflow-x (openedx#2071) (openedx#2077)
* fix: (backport) remove an extra editing xblock modal on unit page (openedx#2111) (openedx#2130)
* fix: (backport) enable markdown editor in libraries (openedx#2098)
  * fix: enable markdown editor for problems in libraries too. This fix is also achieved on master via 5991fd3 / openedx#2068 but this is a simpler fix, not a direct backport of that refactor.
  * fix: remove duplicate markdown_edited save request (openedx#2127) Removes the unnecessary duplicate save request of markdown_edited value to the backend. Part of: openedx#2099 Backports: 62589ae
  ---------
  Co-authored-by: Muhammad Anas <88967643+Anas12091101@users.noreply.github.com>
* fix: remove icon and empty breadcrumb from libraries (openedx#2129) (openedx#2133)
* fix: (backport) text truncate issue in the search modal (openedx#2151)
* [Teak] fix: published name in unit sidebar in container picker & Issues on Inplace Editor (openedx#2140) Backport of fix: show unit published name in sidebar on content picker [FC-0090] openedx#2100. Backport of fix: Issue on the Inplace editor [FC-0090] openedx#2101
* feat: add `v2` `CourseAuthoringUnitSidebarSlot` (openedx#2000)
* fix: advanced-settings api should not camel-case return value (backport) (openedx#2087)
  * fix: advanced-settings api should not camel-case return value (openedx#1581)
  * fix: update advanced module list not working (openedx#2189) Backend was still expecting `{'advanced_modules', {'value': ['poll', 'problem-builder', 'h5pxblock']}}` but without this change, it was receiving `{'advancedModules', ['poll', 'problem-builder', 'h5pxblock']}` Follow up to openedx#1581
  ---------
  Co-authored-by: Muhammad Faraz Maqsood <fmaqsood@2u.com>
* fix: clear selection on files & uploads page after deleting (backport) (openedx#2228)
  * refactor: remove selected rows when deleting or adding elements
  * refactor: ensure unique asset IDs when adding new ones
  * refactor: remove unnecessary loading checks in mockStore function
  * test: add unit tests for TableActions component
* fix: loading unit page directly from link after logging in in Teak (openedx#2246) This is a simple version of the fix for Teak; on master it was fixed with openedx#1867
* fix: pages and resources plugins not rendered (openedx#1885)
* docs: (backport) adding comprehensive readme documentation for plugin slots (openedx#2340)
* fix: publish btn doesn't show after component edit. When we edit & save the component, publish button doesn't show up until we refresh the page manually or open this unit by opening previous unit and coming back to this unit again. In this commit, we are dispatching a storage event whenever we edit the component, it'll refresh the page & show the publish button as expected.
---------
Co-authored-by: Navin Karkera <navin@opencraft.com>
Co-authored-by: Jillian <jill@opencraft.com>
Co-authored-by: Rômulo Penido <romulo.penido@gmail.com>
Co-authored-by: Ihor Romaniuk <ihor.romaniuk@raccoongang.com>
Co-authored-by: Braden MacDonald <braden@opencraft.com>
Co-authored-by: Chris Chávez <xnpiochv@gmail.com>
Co-authored-by: Daniel Valenzuela <dsvalenzuela@uc.cl>
Co-authored-by: Tony Busa <70979397+tonybusa@users.noreply.github.com>
Co-authored-by: Muhammad Anas <88967643+Anas12091101@users.noreply.github.com>
Co-authored-by: Victor Navarro <vm.navarro94@gmail.com>
Co-authored-by: diana-villalvazo-wgu <diana.villalvazo@wgu.edu>
Co-authored-by: bydawen <oleksandr.buhaienko@raccoongang.com>
Co-authored-by: Arunmozhi <tecoholic@users.noreply.github.com>
Co-authored-by: José Ignacio Palma <jignaciopm13@gmail.com>
Co-authored-by: Muhammad Faraz Maqsood <fmaqsood@2u.com>
Co-authored-by: Brayan Cerón <86393372+bra-i-am@users.noreply.github.com>
Co-authored-by: Jansen Kantor <jkantor@edx.org>
Co-authored-by: Jacobo Dominguez <jacobo.dominguez@wgu.edu>
Co-authored-by: Muhammad Faraz Maqsood <faraz.maqsood@A006-01130.local>
Axios versions 1.9.0-1.13.4 are vulnerable to DoS via large data schemes. Force resolution to ^1.15.0 (resolves to 1.18.0) via npm overrides. Regenerated package-lock.json for npm ci compatibility. Refs: CVE-2025-58754
e7d9504 to c825692
CI failure is pre-existing — not caused by this PR
The Codecov failure is a configuration issue unrelated to this PR's changes: Codecov requires an upload token (
What this PR changes
Only |
Summary
Add npm `overrides` for axios to address CVE-2025-58754 (Denial of Service via massive data schemas in Node.js).
CVSS: 7.5 (High)
Vulnerability ID: HELICOPTER-W1162-7
Why npm overrides instead of bumping frontend-platform?
The vulnerable axios version (1.9.0) is a transitive dependency of `@edx/frontend-platform`. The fix was shipped in `frontend-platform` v8.5.5+ (axios 1.13.5+), but this MFE's release branch uses `frontend-platform ^8.3.1`.
Bumping `frontend-platform` from 8.3.x to 8.5.x on a release branch carries risk of breaking changes. The npm overrides mechanism is the standard approach to force a transitive dependency to a safe version without changing the parent package.
Note: `release/verawood` already ships with `frontend-platform ^8.7.0` (axios 1.15.0) and is not affected.
frontend-platform axios timeline
Change
Test plan
References