Fix various dependabot alerts (#2063)

* Upgrade posthog-node to clear axios vulns

* Upgrade @slack/web-api to use a secure version of axios

* Update parse-duration to fix security vulns

* Mitigate against the ws DoS vuln

* Upgrade body-parser to 1.20.3 in the webapp

* Upgrade react-use to 17.5.1 to remove the fast-loops transitive dep

* Remove unused babel dev deps and config file that's no longer used

* Upgrade prismjs to 1.30.0 and bundle parse-duration now

* upgrade express to 4.20.0 to fix issue with XSS when redirecting

* Upgrade @conform/zod to 0.9.2

Author: ericallam

apps/webapp/.babelrc.json

@@ -186,7 +186,7 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
   const project = await findProjectBySlug(organizationSlug, projectParam, userId);
 
   if (!project) {
-    submission.error.key = "Project not found";
+    submission.error.key = ["Project not found"];
     return json(submission);
   }
 
@@ -198,7 +198,7 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
   );
 
   if (!alertChannel) {
-    submission.error.key = "Failed to create alert channel";
+    submission.error.key = ["Failed to create alert channel"];
     return json(submission);
   }
 

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.alerts.new/route.tsx

@@ -122,7 +122,7 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
   const project = await findProjectBySlug(organizationSlug, projectParam, userId);
 
   if (!project) {
-    submission.error.key = "Project not found";
+    submission.error.key = ["Project not found"];
     return json(submission);
   }
 

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.alerts/route.tsx

@@ -145,7 +145,7 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
     },
   });
   if (!project) {
-    submission.error.key = "Project not found";
+    submission.error.key = ["Project not found"];
     return json(submission);
   }
 
@@ -158,11 +158,11 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
         const index = submission.value.variables.findIndex((v) => v.key === key);
 
         if (index !== -1) {
-          submission.error[`variables[${index}].key`] = error;
+          submission.error[`variables[${index}].key`] = [error];
         }
       }
     } else {
-      submission.error.variables = result.error;
+      submission.error.variables = [result.error];
     }
 
     return json(submission);

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables.new/route.tsx

@@ -142,7 +142,7 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
     },
   });
   if (!project) {
-    submission.error.key = "Project not found";
+    submission.error.key = ["Project not found"];
     return json(submission);
   }
 
@@ -152,7 +152,7 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
       const result = await repository.editValue(project.id, submission.value);
 
       if (!result.success) {
-        submission.error.key = result.error;
+        submission.error.key = [result.error];
         return json(submission);
       }
 
@@ -175,7 +175,7 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
       const result = await repository.deleteValue(project.id, submission.value);
 
       if (!result.success) {
-        submission.error.key = result.error;
+        submission.error.key = [result.error];
         return json(submission);
       }
 

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables/route.tsx

@@ -79,11 +79,11 @@ export const action: ActionFunction = async ({ request, params }) => {
           stack: error.stack,
         },
       });
-      submission.error = { runParam: error.message };
+      submission.error = { runParam: [error.message] };
       return json(submission);
     } else {
       logger.error("Failed to promote deployment", { error });
-      submission.error = { runParam: JSON.stringify(error) };
+      submission.error = { runParam: [JSON.stringify(error)] };
       return json(submission);
     }
   }

apps/webapp/app/routes/resources.$projectId.deployments.$deploymentShortCode.promote.ts

@@ -93,15 +93,15 @@ export const action: ActionFunction = async ({ request, params }) => {
         projectId,
         deploymentShortCode,
       });
-      submission.error = { runParam: error.message };
+      submission.error = { runParam: [error.message] };
       return json(submission);
     } else {
       logger.error("Failed to retry deployment indexing", {
         error,
         projectId,
         deploymentShortCode,
       });
-      submission.error = { runParam: JSON.stringify(error) };
+      submission.error = { runParam: [JSON.stringify(error)] };
       return json(submission);
     }
   }

apps/webapp/app/routes/resources.$projectId.deployments.$deploymentShortCode.retry-indexing.ts

@@ -82,11 +82,11 @@ export const action: ActionFunction = async ({ request, params }) => {
           stack: error.stack,
         },
       });
-      submission.error = { runParam: error.message };
+      submission.error = { runParam: [error.message] };
       return json(submission);
     } else {
       logger.error("Failed to roll back deployment", { error });
-      submission.error = { runParam: JSON.stringify(error) };
+      submission.error = { runParam: [JSON.stringify(error)] };
       return json(submission);
     }
   }

apps/webapp/app/routes/resources.$projectId.deployments.$deploymentShortCode.rollback.ts

@@ -83,7 +83,7 @@ export async function action({ request }: ActionFunctionArgs) {
       "Thanks for your feedback! We'll get back to you soon."
     );
   } catch (e) {
-    submission.error.message = e instanceof Error ? e.message : "Unknown error";
+    submission.error.message = [e instanceof Error ? e.message : "Unknown error"];
     return json(submission);
   }
 }

apps/webapp/app/routes/resources.feedback.ts

@@ -32,7 +32,7 @@ export const action: ActionFunction = async ({ request, params }) => {
     });
 
     if (!taskRun) {
-      submission.error = { runParam: "Run not found" };
+      submission.error = { runParam: ["Run not found"] };
       return json(submission);
     }
 

apps/webapp/app/routes/resources.taskruns.$runParam.cancel.ts

@@ -43,8 +43,8 @@
     "@codemirror/search": "^6.2.3",
     "@codemirror/state": "^6.1.3",
     "@codemirror/view": "^6.5.0",
-    "@conform-to/react": "^0.6.1",
-    "@conform-to/zod": "^0.6.1",
+    "@conform-to/react": "0.9.2",
+    "@conform-to/zod": "0.9.2",
     "@depot/sdk-node": "^1.0.0",
     "@depot/cli": "0.0.1-cli.2.80.0",
     "@electric-sql/react": "^0.3.5",
@@ -92,7 +92,7 @@
     "@remix-run/serve": "2.1.0",
     "@remix-run/server-runtime": "2.1.0",
     "@remix-run/v1-meta": "^0.1.3",
-    "@slack/web-api": "^6.8.1",
+    "@slack/web-api": "7.9.1",
     "@socket.io/redis-adapter": "^8.3.0",
     "@splinetool/react-spline": "^2.2.6",
     "@tabler/icons-react": "^2.39.0",
@@ -126,7 +126,7 @@
     "effect": "^3.11.7",
     "emails": "workspace:*",
     "evt": "^2.4.13",
-    "express": "^4.18.1",
+    "express": "4.20.0",
     "framer-motion": "^10.12.11",
     "graphile-worker": "0.16.6",
     "highlight.run": "^7.3.4",
@@ -146,12 +146,12 @@
     "non.geist": "^1.0.2",
     "ohash": "^1.1.3",
     "openai": "^4.33.1",
-    "parse-duration": "^1.1.0",
+    "parse-duration": "^2.1.0",
     "p-limit": "^6.2.0",
     "posthog-js": "^1.93.3",
-    "posthog-node": "^3.1.3",
+    "posthog-node": "4.17.1",
     "prism-react-renderer": "^2.3.1",
-    "prismjs": "^1.29.0",
+    "prismjs": "^1.30.0",
     "prom-client": "^15.1.0",
     "random-words": "^2.0.0",
     "react": "^18.2.0",
@@ -162,7 +162,7 @@
     "react-popper": "^2.3.0",
     "react-resizable-panels": "^2.0.9",
     "react-stately": "^3.29.1",
-    "react-use": "^17.4.0",
+    "react-use": "17.5.1",
     "react-window-splitter": "^0.4.1",
     "recharts": "^2.12.6",
     "regression": "^2.0.1",
@@ -232,8 +232,6 @@
     "@typescript-eslint/eslint-plugin": "^5.59.6",
     "@typescript-eslint/parser": "^5.59.6",
     "autoprefixer": "^10.4.13",
-    "babel-loader": "^9.1.3",
-    "babel-preset-react-app": "^10.0.1",
     "css-loader": "^6.10.0",
     "datepicker": "link:@types/@react-aria/datepicker",
     "engine.io": "^6.5.4",

apps/webapp/package.json

@@ -24,6 +24,7 @@ module.exports = {
     "prismjs/components/prism-json",
     "prismjs/components/prism-typescript",
     "redlock",
+    "parse-duration",
   ],
   browserNodeBuiltinsPolyfill: { modules: { path: true, os: true, crypto: true } },
 };

apps/webapp/remix.config.js

@@ -129,6 +129,10 @@ if (process.env.HTTP_SERVER_DISABLED !== "true") {
   });
 
   server.keepAliveTimeout = 65 * 1000;
+  // Mitigate against https://github.com/triggerdotdev/trigger.dev/security/dependabot/128
+  // by not allowing 2000+ headers to be sent and causing a DoS
+  // headers will instead be limited by the maxHeaderSize
+  server.maxHeadersCount = 0;
 
   process.on("SIGTERM", () => {
     server.close((err) => {

apps/webapp/server.ts

@@ -79,6 +79,9 @@
       "graphile-worker@0.16.6": "patches/graphile-worker@0.16.6.patch",
       "redlock@5.0.0-beta.2": "patches/redlock@5.0.0-beta.2.patch",
       "@kubernetes/client-node@1.0.0": "patches/@kubernetes__client-node@1.0.0.patch"
+    },
+    "overrides": {
+      "express@^4>body-parser": "1.20.3"
     }
   }
 }