Challenge_gov Dependabot alerts

[r-bartlett-gsa]

• Review dependabot alerts and resolve items that apply to challenge_gov
  • Document below which items are being worked on / resolved
• Update the items that do not apply to challenge_gov

[r-bartlett-gsa]

Dependent on library updates

[r-bartlett-gsa]

@jairoanaya / @kkrug Since all other dependabot items have been merged, what is the determination for the remaining ones? Should we unblock this and move it to sprint backlog?

[kkrug]

Yes this can be unblocked

[jairoanaya]

@kkrug PR has been requested resolving the following dependabots https://github.com/GSA/Challenge_gov/security/dependabot

@kkrug @r-bartlett-gsa all dependabots issues have been addressed, in the following way:

• Regular Expression Denial of Service (ReDoS) in micromatch #75 - automatic
• path-to-regexp outputs backtracking regular expressions #74 - automatic
• Denial of service while parsing a tar file due to lack of folders count validation #68 - removed unused package.
• tough-cookie Prototype Pollution vulnerability #52 - removed unused package.
• Server-Side Request Forgery in Request #48 - reference to packaged not found on repository.
• phoenix_html allows Cross-site Scripting in HEEx class attributes #45 - updated version from 2.14.3. to 3.1.0 - tests were updated.

Tasks performed:

• Review each component on NPM repository and research its functionality in the project.
• Check in depth package used with yarn and mix commands.
• Update the code.
• Meeting with Kenny to review solution and issues.
• Review and test potential affected functionalities.
• Update tests.