Skip to content

Fix various dependabot alerts #2063

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
May 19, 2025
Merged

Fix various dependabot alerts #2063

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
aa29555
Upgrade posthog-node to clear axios vulns
ericallam May 15, 2025
9ca8e18
Upgrade @slack/web-api to use a secure version of axios
ericallam May 15, 2025
7c02423
Update parse-duration to fix security vulns
ericallam May 15, 2025
cbc52ba
Mitigate against the ws DoS vuln
ericallam May 15, 2025
cc351a8
Upgrade body-parser to 1.20.3 in the webapp
ericallam May 15, 2025
99da059
Upgrade react-use to 17.5.1 to remove the fast-loops transitive dep
ericallam May 15, 2025
dada30f
Remove unused babel dev deps and config file that's no longer used
ericallam May 15, 2025
75105ba
Upgrade prismjs to 1.30.0 and bundle parse-duration now
ericallam May 15, 2025
9aa42d5
upgrade express to 4.20.0 to fix issue with XSS when redirecting
ericallam May 15, 2025
a874299
Upgrade @conform/zod to 0.9.2
ericallam May 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 0 additions & 16 deletions apps/webapp/.babelrc.json
View file
Open in desktop

This file was deleted.

4 changes: 2 additions & 2 deletions ...tes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.alerts.new/route.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -186,7 +186,7 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
const project = await findProjectBySlug(organizationSlug, projectParam, userId);

if (!project) {
submission.error.key = "Project not found";
submission.error.key = ["Project not found"];
return json(submission);
}

Expand All @@ -198,7 +198,7 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
);

if (!alertChannel) {
submission.error.key = "Failed to create alert channel";
submission.error.key = ["Failed to create alert channel"];
return json(submission);
}

Expand Down
2 changes: 1 addition & 1 deletion .../routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.alerts/route.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -122,7 +122,7 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
const project = await findProjectBySlug(organizationSlug, projectParam, userId);

if (!project) {
submission.error.key = "Project not found";
submission.error.key = ["Project not found"];
return json(submission);
}

Expand Down
6 changes: 3 additions & 3 deletions ...organizationSlug.projects.$projectParam.env.$envParam.environment-variables.new/route.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -145,7 +145,7 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
},
});
if (!project) {
submission.error.key = "Project not found";
submission.error.key = ["Project not found"];
return json(submission);
}

Expand All @@ -158,11 +158,11 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
const index = submission.value.variables.findIndex((v) => v.key === key);

if (index !== -1) {
submission.error[`variables[${index}].key`] = error;
submission.error[`variables[${index}].key`] = [error];
}
}
} else {
submission.error.variables = result.error;
submission.error.variables = [result.error];
}

return json(submission);
Expand Down
6 changes: 3 additions & 3 deletions ...gs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables/route.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,7 +142,7 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
},
});
if (!project) {
submission.error.key = "Project not found";
submission.error.key = ["Project not found"];
return json(submission);
}

Expand All @@ -152,7 +152,7 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
const result = await repository.editValue(project.id, submission.value);

if (!result.success) {
submission.error.key = result.error;
submission.error.key = [result.error];
return json(submission);
}

Expand All @@ -175,7 +175,7 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
const result = await repository.deleteValue(project.id, submission.value);

if (!result.success) {
submission.error.key = result.error;
submission.error.key = [result.error];
return json(submission);
}

Expand Down
4 changes: 2 additions & 2 deletions apps/webapp/app/routes/resources.$projectId.deployments.$deploymentShortCode.promote.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,11 +79,11 @@ export const action: ActionFunction = async ({ request, params }) => {
stack: error.stack,
},
});
submission.error = { runParam: error.message };
submission.error = { runParam: [error.message] };
return json(submission);
} else {
logger.error("Failed to promote deployment", { error });
submission.error = { runParam: JSON.stringify(error) };
submission.error = { runParam: [JSON.stringify(error)] };
return json(submission);
}
}
Expand Down
4 changes: 2 additions & 2 deletions ...webapp/app/routes/resources.$projectId.deployments.$deploymentShortCode.retry-indexing.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,15 +93,15 @@ export const action: ActionFunction = async ({ request, params }) => {
projectId,
deploymentShortCode,
});
submission.error = { runParam: error.message };
submission.error = { runParam: [error.message] };
return json(submission);
} else {
logger.error("Failed to retry deployment indexing", {
error,
projectId,
deploymentShortCode,
});
submission.error = { runParam: JSON.stringify(error) };
submission.error = { runParam: [JSON.stringify(error)] };
return json(submission);
}
}
Expand Down
4 changes: 2 additions & 2 deletions apps/webapp/app/routes/resources.$projectId.deployments.$deploymentShortCode.rollback.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,11 +82,11 @@ export const action: ActionFunction = async ({ request, params }) => {
stack: error.stack,
},
});
submission.error = { runParam: error.message };
submission.error = { runParam: [error.message] };
return json(submission);
} else {
logger.error("Failed to roll back deployment", { error });
submission.error = { runParam: JSON.stringify(error) };
submission.error = { runParam: [JSON.stringify(error)] };
return json(submission);
}
}
Expand Down
2 changes: 1 addition & 1 deletion apps/webapp/app/routes/resources.feedback.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,7 @@ export async function action({ request }: ActionFunctionArgs) {
"Thanks for your feedback! We'll get back to you soon."
);
} catch (e) {
submission.error.message = e instanceof Error ? e.message : "Unknown error";
submission.error.message = [e instanceof Error ? e.message : "Unknown error"];
return json(submission);
}
}
2 changes: 1 addition & 1 deletion apps/webapp/app/routes/resources.taskruns.$runParam.cancel.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ export const action: ActionFunction = async ({ request, params }) => {
});

if (!taskRun) {
submission.error = { runParam: "Run not found" };
submission.error = { runParam: ["Run not found"] };
return json(submission);
}

Expand Down
18 changes: 8 additions & 10 deletions apps/webapp/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,8 @@
"@codemirror/search": "^6.2.3",
"@codemirror/state": "^6.1.3",
"@codemirror/view": "^6.5.0",
"@conform-to/react": "^0.6.1",
"@conform-to/zod": "^0.6.1",
"@conform-to/react": "0.9.2",
"@conform-to/zod": "0.9.2",
"@depot/sdk-node": "^1.0.0",
"@depot/cli": "0.0.1-cli.2.80.0",
"@electric-sql/react": "^0.3.5",
Expand Down Expand Up @@ -92,7 +92,7 @@
"@remix-run/serve": "2.1.0",
"@remix-run/server-runtime": "2.1.0",
"@remix-run/v1-meta": "^0.1.3",
"@slack/web-api": "^6.8.1",
"@slack/web-api": "7.9.1",
"@socket.io/redis-adapter": "^8.3.0",
"@splinetool/react-spline": "^2.2.6",
"@tabler/icons-react": "^2.39.0",
Expand Down Expand Up @@ -126,7 +126,7 @@
"effect": "^3.11.7",
"emails": "workspace:*",
"evt": "^2.4.13",
"express": "^4.18.1",
"express": "4.20.0",
"framer-motion": "^10.12.11",
"graphile-worker": "0.16.6",
"highlight.run": "^7.3.4",
Expand All @@ -146,12 +146,12 @@
"non.geist": "^1.0.2",
"ohash": "^1.1.3",
"openai": "^4.33.1",
"parse-duration": "^1.1.0",
"parse-duration": "^2.1.0",
"p-limit": "^6.2.0",
"posthog-js": "^1.93.3",
"posthog-node": "^3.1.3",
"posthog-node": "4.17.1",
"prism-react-renderer": "^2.3.1",
"prismjs": "^1.29.0",
"prismjs": "^1.30.0",
"prom-client": "^15.1.0",
"random-words": "^2.0.0",
"react": "^18.2.0",
Expand All @@ -162,7 +162,7 @@
"react-popper": "^2.3.0",
"react-resizable-panels": "^2.0.9",
"react-stately": "^3.29.1",
"react-use": "^17.4.0",
"react-use": "17.5.1",
"react-window-splitter": "^0.4.1",
"recharts": "^2.12.6",
"regression": "^2.0.1",
Expand Down Expand Up @@ -232,8 +232,6 @@
"@typescript-eslint/eslint-plugin": "^5.59.6",
"@typescript-eslint/parser": "^5.59.6",
"autoprefixer": "^10.4.13",
"babel-loader": "^9.1.3",
"babel-preset-react-app": "^10.0.1",
"css-loader": "^6.10.0",
"datepicker": "link:@types/@react-aria/datepicker",
"engine.io": "^6.5.4",
Expand Down
1 change: 1 addition & 0 deletions apps/webapp/remix.config.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ module.exports = {
"prismjs/components/prism-json",
"prismjs/components/prism-typescript",
"redlock",
"parse-duration",
],
browserNodeBuiltinsPolyfill: { modules: { path: true, os: true, crypto: true } },
};
4 changes: 4 additions & 0 deletions apps/webapp/server.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -129,6 +129,10 @@ if (process.env.HTTP_SERVER_DISABLED !== "true") {
});

server.keepAliveTimeout = 65 * 1000;
// Mitigate against https://github.com/triggerdotdev/trigger.dev/security/dependabot/128
// by not allowing 2000+ headers to be sent and causing a DoS
// headers will instead be limited by the maxHeaderSize
server.maxHeadersCount = 0;
Comment on lines +132 to +135
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Verification agent

🧩 Analysis chain

Verify the intended behavior of setting maxHeadersCount = 0

Setting maxHeadersCount = 0 in Node.js HTTP server typically means "unlimited" or "no limit" on the number of headers, which seems contradictory to the stated goal of preventing DoS attacks from 2000+ headers.

In standard Node.js behavior:

  • Default value is 2000
  • Setting to 0 means "unlimited headers"

This configuration might not achieve the intended security mitigation unless there's additional context about how your specific Node.js environment interprets this value.

Please verify the expected behavior with this script:

🏁 Script executed:

#!/bin/bash
# Check Node.js documentation for maxHeadersCount behavior

# Find Node.js version used in the project
node -v

# Search for relevant information in Node.js documentation
curl -s https://nodejs.org/api/http.html | grep -A 10 "maxHeadersCount"

# Look for other HTTP header limit settings in the codebase
grep -r "maxHeaderSize\|headersTimeout" --include="*.ts" --include="*.js" .

Length of output: 6692

Adjust maxHeadersCount to enforce a header-count limit

The Node.js docs confirm that server.maxHeadersCount = 0 actually disables the header-count limit (default is 2000), so this override makes your server accept unlimited headers rather than capping them. To mitigate a DoS via excessive headers you should either:

• Remove the override entirely and rely on the default (2000)
• Or set a lower, positive limit (e.g. 1000) that fits your threat model

Please update in apps/webapp/server.ts (lines 132–135):

- // Mitigate against https://github.com/triggerdotdev/trigger.dev/security/dependabot/128
- // by not allowing 2000+ headers to be sent and causing a DoS
- // headers will instead be limited by the maxHeaderSize
- server.maxHeadersCount = 0;
+ // Mitigate against https://github.com/triggerdotdev/trigger.dev/security/dependabot/128
+ // by capping the number of headers; rely on header-size limits for payload size
+ // Remove override to use default (2000) or choose a custom cap:
+ server.maxHeadersCount = 1000;  // e.g. limit to 1000 headers
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// Mitigate against https://github.com/triggerdotdev/trigger.dev/security/dependabot/128
// by not allowing 2000+ headers to be sent and causing a DoS
// headers will instead be limited by the maxHeaderSize
server.maxHeadersCount = 0;
// Mitigate against https://github.com/triggerdotdev/trigger.dev/security/dependabot/128
// by capping the number of headers; rely on header-size limits for payload size
// Remove override to use default (2000) or choose a custom cap:
server.maxHeadersCount = 1000; // e.g. limit to 1000 headers
🤖 Prompt for AI Agents 
In apps/webapp/server.ts around lines 132 to 135, the current setting of
server.maxHeadersCount = 0 disables the header count limit, allowing unlimited
headers, which contradicts the intended DoS mitigation. To fix this, either
remove this override to use the default limit of 2000 headers or set
maxHeadersCount to a positive integer like 1000 to enforce a stricter limit that
fits your security requirements.


process.on("SIGTERM", () => {
server.close((err) => {
Expand Down
3 changes: 3 additions & 0 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,9 @@
"[email protected]": "patches/[email protected]",
"[email protected]": "patches/[email protected]",
"@kubernetes/[email protected]": "patches/@[email protected]"
},
"overrides": {
"express@^4>body-parser": "1.20.3"
}
}
}
Loading