chore(deps-dev): bump the jest group across 1 directory with 4 updates #5341
base: unstable
Conversation
Bumps the jest group with 4 updates in the / directory: [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest), [jest-cli](https://github.com/jestjs/jest/tree/HEAD/packages/jest-cli), [jest-each](https://github.com/jestjs/jest/tree/HEAD/packages/jest-each) and [jest-environment-jsdom](https://github.com/jestjs/jest/tree/HEAD/packages/jest-environment-jsdom).

Updates `jest` from 29.7.0 to 30.1.1
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.1.1/packages/jest)

Updates `jest-cli` from 29.7.0 to 30.1.1
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.1.1/packages/jest-cli)

Updates `jest-each` from 30.0.5 to 30.1.0
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.1.0/packages/jest-each)

Updates `jest-environment-jsdom` from 29.7.0 to 30.1.1
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.1.1/packages/jest-environment-jsdom)

---
updated-dependencies:
- dependency-name: jest
  dependency-version: 30.1.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: jest
- dependency-name: jest-cli
  dependency-version: 30.1.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: jest
- dependency-name: jest-each
  dependency-version: 30.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: jest
- dependency-name: jest-environment-jsdom
  dependency-version: 30.1.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: jest
...

Signed-off-by: dependabot[bot] <[email protected]>
| expect( | ||
| () => new Change({ key: '1', table: TABLE_NAMES.CONTENTNODE, type: CHANGE_TYPES.CREATED }), | ||
| ).toThrow(new ReferenceError('source should be a string, but undefined was passed instead')); | ||
| ).toThrow(new TypeError('source should be a string, but undefined was passed instead')); |
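Review bot: the expected error class in this assertion flips from `ReferenceError` to `TypeError` while the message stays identical; before landing, confirm from the `Change` constructor that it really throws `TypeError` for an undefined `source`, so the test encodes the intended type rather than whatever makes the matcher pass now, and record in the PR description why this only started failing on Jest 30 (the comment below suspects the old `toThrow` did not compare the error type).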
So this is weird, so I wonder if jest was a bit loosey-goosey with the type of error it got when checking things out here.
It was two years ago that the errors here were defined and the tests' error types were flip-flopped, but only now did they fail, apparently.
I've gotten all but one test passing on this PR - seems like something has changed w/ regards to mocking and overriding In
| }, | ||
| navigate(path) { | ||
| // Extracted for easier testing | ||
| window.location.assign(path); |
Check failure
Code scanning / CodeQL: Client-side cross-site scripting (High), user-provided value
Copilot Autofix (AI, about 8 hours ago):
General Fix:
The vulnerability must be fixed by ensuring the next parameter (from the query string) cannot facilitate cross-site scripting or open redirect attacks. Only allow navigation to safe, trusted URLs. The safest practice is to allow only relative internal paths or, even stricter, to whitelist possible destinations. Arbitrary full URLs or JavaScript schemes must never be allowed.
Detailed Fix:
Update the nextParam computed property (or submit method) to permit only valid, relative paths—beginning with / and not containing any protocol (to prohibit javascript:, //, or http(s)://). If next does not pass this validation, it should be ignored or fallback to a known safe page. We can use a simple regular expression or URL parsing to verify this. Changes should be made in AccountsMain.vue (lines 155-158 and/or in the logic around line 183 in submit).
Implementation Requirements:
- Add a function to validate (sanitize) the `next` parameter: ensure it is a relative path within the application, e.g., `/foo`, `/bar/baz?x=1`, etc.
- Use this function when retrieving `nextParam` so it cannot return an unsafe value.
- This can be implemented in the `computed` block or as a method.
- No external dependencies required—vanilla JS suffices.
| @@ -154,7 +154,8 @@ | ||
| }), | ||
| nextParam() { | ||
| const params = new URLSearchParams(window.location.search.substring(1)); | ||
| return params.get('next'); | ||
| const next = params.get('next'); | ||
| return this.sanitizeNextPath(next); | ||
| }, | ||
| }, | ||
| methods: { | ||
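Review bot: the computed now returns `null` whenever `next` is rejected, so every consumer must keep a fallback; `submit()` does (`this.nextParam || window.Urls.channels()`), but add a one-line comment on `nextParam` stating that contract so a future `this.navigate(this.nextParam)` does not end up calling `location.assign(null)`. On the unchanged context line, `window.location.search.substring(1)` is unnecessary: `URLSearchParams` already ignores a leading `?`.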
| @@ -196,6 +197,24 @@ | ||
| } | ||
| return Promise.resolve(); | ||
| }, | ||
| /** | ||
| * Only allow safe, local, relative paths for redirection. | ||
| * Disallows protocol-relative, external, or javascript: URLs. | ||
| */ | ||
| sanitizeNextPath(next) { | ||
| if ( | ||
| typeof next === 'string' && | ||
| next.length > 0 && | ||
| next.startsWith('/') && | ||
| !next.startsWith('//') && | ||
| !next.includes('://') | ||
| ) { | ||
| return next; | ||
| } | ||
| // Fallback: unsafe or missing next param | ||
| return null; | ||
| }, | ||
| }, | ||
| $trs: { | ||
| kolibriStudio: 'Kolibri Studio', |
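Review bot: `sanitizeNextPath` is bypassable. `/\evil.example` satisfies all three tests (starts with `/`, does not start with `//`, contains no `://`), yet browsers treat `\` as `/` in http(s) URLs, so `window.location.assign('/\\evil.example')` leaves the site; the URL parser also strips ASCII tab and newline, so `/\n/evil.example` becomes `//evil.example`. Resolve the value with `new URL(next, window.location.origin)` and require `.origin === window.location.origin` rather than prefix checks. The `!next.includes('://')` test adds nothing once a single leading `/` is required (a leading `/` already rules out scheme URLs) and would reject a harmless path such as `/a://b`.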
| }, | ||
| navigate(path) { | ||
| // Extracted for easier testing | ||
| window.location.assign(path); |
Check warning
Code scanning / CodeQL: Client-side URL redirect (Medium), user-provided value
Copilot Autofix (AI, about 8 hours ago):
To fix the open redirect issue, we must ensure that the next parameter extracted from the query string cannot be used to redirect users to arbitrary, potentially malicious, locations. The best approach is to only allow redirection to safe, internal paths. We can do this by only permitting relative paths that start with a single / and do not contain a protocol (://) or start with // (protocol-relative). We'll add a validation method that checks the supplied path, and only performs the redirect if it is deemed safe; otherwise, we fall back to a known-safe default (such as window.Urls.channels()). We will implement this validation inside the Vue component, ensuring minimal change to feature behavior.
The edits should be within contentcuration/contentcuration/frontend/accounts/pages/AccountsMain.vue, particularly in the method that handles the redirect (navigate), the computed property for nextParam, and the logic that determines the redirect target. We'll add a method isSafeRedirectPath for validation.
| @@ -154,7 +154,11 @@ | ||
| }), | ||
| nextParam() { | ||
| const params = new URLSearchParams(window.location.search.substring(1)); | ||
| return params.get('next'); | ||
| const param = params.get('next'); | ||
| if (param && this.isSafeRedirectPath(param)) { | ||
| return param; | ||
| } | ||
| return null; | ||
| }, | ||
| }, | ||
| methods: { | ||
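Review bot: `param && this.isSafeRedirectPath(param)` relies on `isSafeRedirectPath` being registered under `methods`, but the last hunk of this suggestion inserts it after the `},` that closes `methods` (the first suggestion puts its helper before that brace), so at runtime `this.isSafeRedirectPath` is undefined and this computed throws a TypeError whenever `?next=` is present. The `param &&` guard also duplicates the `typeof path !== "string"` check inside the helper; keeping just the helper call is enough.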
| @@ -166,7 +170,7 @@ | ||
| this.$router.push({ query: { showPolicy: policies.PRIVACY } }); | ||
| }, | ||
| navigate(path) { | ||
| // Extracted for easier testing | ||
| // Only redirect to internal, validated paths | ||
| window.location.assign(path); | ||
| }, | ||
| submit() { | ||
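Review bot: this hunk only rewrites the comment inside `navigate`, and the new text is misleading: `navigate` still calls `window.location.assign(path)` unconditionally, the validation lives in `nextParam`. Keep the original `// Extracted for easier testing`, which explains why the one-liner exists (the tests spy on it), or change it to say that callers are responsible for validating `path`.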
| @@ -180,7 +184,7 @@ | ||
| .then(() => { | ||
| this.loginFailedOffline = false; | ||
| this.loginFailed = false; | ||
| const path = this.nextParam || window.Urls.channels(); | ||
| const path = this.nextParam ? this.nextParam : window.Urls.channels(); | ||
| this.navigate(path); | ||
| }) | ||
| .catch(err => { | ||
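Review bot: `this.nextParam ? this.nextParam : window.Urls.channels()` behaves exactly like the original `this.nextParam || window.Urls.channels()` (both treat `null` and `''` as missing), so this hunk is pure churn; drop it and keep the diff limited to the security change.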
| @@ -197,6 +201,20 @@ | ||
| return Promise.resolve(); | ||
| }, | ||
| }, | ||
| /** | ||
| * Accepts only safe internal paths: | ||
| * - Starts with a single "/" (not "//") | ||
| * - Does not contain ":" before a "?" or "#" (no protocol-relative or absolute URLs) | ||
| * - Optional: Could be tightened to match a whitelist | ||
| */ | ||
| isSafeRedirectPath(path) { | ||
| // Must start with /, not with // | ||
| if (typeof path !== "string") return false; | ||
| if (!path.startsWith('/') || path.startsWith('//')) return false; | ||
| // Prevent "http:/", "http://", etc. | ||
| if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(path)) return false; | ||
| return true; | ||
| }, | ||
| $trs: { | ||
| kolibriStudio: 'Kolibri Studio', | ||
| passwordLabel: 'Password', |
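Review bot: `isSafeRedirectPath` is inserted after the `},` that closes `methods`, so it becomes a stray top-level component option and `this.isSafeRedirectPath` in `nextParam` will be undefined; move it inside `methods`. Within the helper, the JSDoc promises that `:` may not appear before `?` or `#`, but nothing implements that, and the scheme regex `/^[a-zA-Z][a-zA-Z0-9+.-]*:/` can never match once `path.startsWith('/')` has been required, so it is dead code. What remains has the same gap as the other suggestion: `/\evil.example` passes and still navigates off-site because browsers treat `\` as `/` in http(s) URLs. Resolve with `new URL(path, window.location.origin)` and compare `origin`.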
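Both Copilot suggestions above validate `next` with string-prefix tests. The following is an added example, not code from this PR, from Kolibri Studio or from the Copilot suggestions, showing the same check done by resolving the value against the application's origin, so that spellings the browser's URL parser normalises (backslash as slash, stripped tab and newline characters) are caught as well. `APP_ORIGIN`, the `/channels/` fallback and the sample `next` values are assumptions standing in for `window.location.origin`, `window.Urls.channels()` and real query strings.

```javascript
// Added example, not code from the PR, from Kolibri Studio or from the
// Copilot suggestions: validate a ?next= redirect target by resolving it
// against the application's own origin instead of string-prefix tests.
// APP_ORIGIN stands in for window.location.origin (assumed value).
const APP_ORIGIN = 'https://studio.example';

// The check the autofix suggestions propose, kept for comparison:
// prefix tests on the raw string only.
function naiveIsSafePath(next) {
  return (
    typeof next === 'string' &&
    next.length > 0 &&
    next.startsWith('/') &&
    !next.startsWith('//') &&
    !next.includes('://')
  );
}

// Hardened check: require a single leading "/" up front, then ask the URL
// parser what the browser would actually do with the value and insist that
// the result stays on our origin.
function isSafeRedirectPath(next, origin = APP_ORIGIN) {
  if (typeof next !== 'string' || next.length === 0) return false;
  // Reject scheme URLs, protocol-relative "//host" and the "/\host" spelling.
  if (!/^\/(?![\/\\])/.test(next)) return false;
  let resolved;
  try {
    resolved = new URL(next, origin);
  } catch (e) {
    return false; // unparseable input is never a safe target
  }
  // The WHATWG parser strips ASCII tab/newline and treats "\" as "/" in
  // http(s) URLs, so "/\n/evil.example" still resolves to another host;
  // comparing origins catches every such spelling at once.
  if (resolved.origin !== origin) return false;
  if (resolved.protocol !== 'http:' && resolved.protocol !== 'https:') return false;
  return true;
}

// Mirrors the component's submit() fallback; "/channels/" stands in for
// window.Urls.channels() (assumed).
function chooseRedirect(next, fallback = '/channels/') {
  return isSafeRedirectPath(next) ? next : fallback;
}

// Constructed sample values for ?next=, including the bypass spellings.
const SAMPLE_NEXT_VALUES = [
  '/channels/',
  '/channel/abc123?x=1#edit',
  '//evil.example/phish',
  '/\\evil.example/phish',
  '/\n/evil.example/phish',
  'https://evil.example/',
  'javascript:alert(document.cookie)',
  'channels',
];

// Returns [value, naiveVerdict, hardenedVerdict] for each sample so the two
// checks can be compared side by side.
function auditSamples(values = SAMPLE_NEXT_VALUES) {
  return values.map(v => [v, naiveIsSafePath(v), isSafeRedirectPath(v)]);
}
```

In the browser the same function works unchanged with `window.location.origin` passed as `origin`; the up-front regex is kept only as a cheap first filter, the origin comparison is the check that actually decides.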
| // Create a spy for navigate before rendering | ||
| const navigateSpy = jest.fn(); | ||
| const OriginalAccountsMain = AccountsMain; |
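Review bot: `OriginalAccountsMain` is captured next to `navigateSpy`, but these lines do not show how the spy reaches the component; add a comment here explaining the override (the component's `navigate` is a plain method that wraps `window.location.assign`, which is why spying on it sidesteps the read-only `window.location`), so the next reader does not have to reverse-engineer the setup.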
This is the witchcraft that Claude came up with to accommodate the need to use the path in the next parameter to redirect.
I tried doing it w/ Vue Router and ran into redundant navigation errors. I tried mocking window.location all sorts of different ways but always ended up running into the issue of it being read-only.
I kind of hate everything about this because it feels like it should be done differently if this is how the tests have to be written, but my attempts to do it differently fizzled out in annoying ways where, when I got it working in the browser, the tests failed, and vice versa, until I asked Claude a second time to "figure it out please" and let them run with it.
It works and tests pass now anyway.
Bumps the jest group with 4 updates in the / directory: jest, jest-cli, jest-each and jest-environment-jsdom.

Updates `jest` from 29.7.0 to 30.1.1

Release notes
Sourced from jest's releases.
... (truncated)

Changelog
Sourced from jest's changelog.
... (truncated)

Commits
- d347c0f v30.1.1
- 4d5f41d v30.1.0
- 22236cf v30.0.5
- f4296d2 v30.0.4
- d4a6c94 v30.0.3
- 393acbf v30.0.2
- 5ce865b v30.0.1
- 469f665 v30.0.0
- ce14203 v30.0.0-rc.1
- 0ab14ba v30.0.0-beta.9

Updates `jest-cli` from 29.7.0 to 30.1.1

Release notes
Sourced from jest-cli's releases.
... (truncated)

Changelog
Sourced from jest-cli's changelog.
... (truncated)

Commits
- d347c0f v30.1.1
- 4d5f41d v30.1.0
- 22236cf v30.0.5
- f4296d2 v30.0.4
- d4a6c94 v30.0.3
- 393acbf v30.0.2
- 5ce865b v30.0.1
- 469f665 v30.0.0
- 8a58fde Rename some options before releasing Jest 30.
- ce14203 v30.0.0-rc.1

Updates `jest-each` from 30.0.5 to 30.1.0

Release notes
Sourced from jest-each's releases.

Changelog
Sourced from jest-each's changelog.

Commits
- 4d5f41d v30.1.0

Updates `jest-environment-jsdom` from 29.7.0 to 30.1.1

Release notes
Sourced from jest-environment-jsdom's releases.
... (truncated)

Changelog
Sourced from jest-environment-jsdom's changelog.
... (truncated)

Commits
- d347c0f v30.1.1
- 4d5f41d v30.1.0
- 22236cf v30.0.5
- f4296d2 v30.0.4
- 393acbf v30.0.2
- 5ce865b v30.0.1
- 469f665 v30.0.0
- ce14203 v30.0.0-rc.1
- ac334c0 v30.0.0-beta.8
- 7c799e5 v30.0.0-beta.7

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions