[Snyk] Snyk check for week of 1/22/25

[exalate-issue-sync]

Snyk check:

Per the snyk spreadsheet (https://docs.google.com/spreadsheets/d/1SNMOyGS4JAKgXQ0RhhzoX7M2ib1vm14dD0LxWNpssP4/edit?gid=0#gid=0 ) check snyk alerts for all projects and create tickets to address ALL alerts.

Steps to create tickets for alerts:

https://github.com/fecgov/fecfile-web-api/wiki/Snyk-security-scanning

QA Notes

null

DEV Notes

null

Design

null

See full ticket and images here: FECFILE-1958

Pull Request: https://fecgov.atlassian.net/browse/FECFILE-1972

[exalate-issue-sync]

Sasha Dresden commented: 2 New API Vulnerability
1 New Validation Vulnerability
1 New APP Vulnerability

API
django 5.1.4 introduced 2 Vulnerabilities both of which can be resolved by updating to django 5.1.5

Validation

Glob 7.2.3 has dependent vulnerability from: [email protected]
Recommendation is to update Glob to at least version 9 as everything before that is deprecated. Latest version of glob is 11.0.1

APP
@angular-devkit/build-angular uses "vite": "5.4.6". We need to use @5.4.12 or we could update to the next version of angular which addresses this vulnerability.

[exalate-issue-sync]

Sasha Dresden commented: [https://fecgov.atlassian.net/browse/FECFILE-1955|https://fecgov.atlassian.net/browse/FECFILE-1955|smart-link] will address the API issue.

[https://fecgov.atlassian.net/browse/FECFILE-1942|https://fecgov.atlassian.net/browse/FECFILE-1942|smart-link] will address the Validation issue;

New ticket required for APP issue. [https://fecgov.atlassian.net/browse/FECFILE-1972|https://fecgov.atlassian.net/browse/FECFILE-1972|smart-link]

[exalate-issue-sync]

Todd Lees commented: All follow up tickets accounted for and put in sprints

[exalate-issue-sync]

Shelly Wise commented: No QA review needed on this ticket per DEV.

Moved to Stage Ready.

[exalate-issue-sync]

Automation for Jira commented: Sprint accepted by Paul Clark during sprint review on the date of this comment.