3328 vul audit #3390

Merged: 23 commits merged into develop from 3328-vul-audit on Jan 17, 2025
Conversation

@raftmsohani commented Dec 24, 2024

Summary of Changes

Provide a brief summary of changes
Pull request closes #3328

How to Test

run npm audit

Deliverables

More details on how deliverables herein are assessed are included here.

Deliverable 1: Accepted Features

Checklist of ACs:

  • no high security vulnerabilities due to react upgrade.
  • lfrohlich and/or adpennington confirmed that ACs are met.

Deliverable 2: Tested Code

  • Are all areas of code introduced in this PR meaningfully tested?
    • If this PR introduces backend code changes, are they meaningfully tested?
    • If this PR introduces frontend code changes, are they meaningfully tested?
  • Are code coverage minimums met?
    • Frontend coverage: [insert coverage %] (see CodeCov Report comment in PR)
    • Backend coverage: [insert coverage %] (see CodeCov Report comment in PR)

Deliverable 3: Properly Styled Code

  • Are backend code style checks passing on CircleCI?
  • Are frontend code style checks passing on CircleCI?
  • Are code maintainability principles being followed?

Deliverable 4: Accessible

  • Does this PR complete the epic?
  • Are links included to any other gov-approved PRs associated with epic?
  • Does PR include documentation for Raft's a11y review?
  • Did automated and manual testing with iamjolly and ttran-hub using Accessibility Insights reveal any errors introduced in this PR?

Deliverable 5: Deployed

  • Was the code successfully deployed via automated CircleCI process to development on Cloud.gov?

Deliverable 6: Documented

  • Does this PR provide background for why coding decisions were made?
  • If this PR introduces backend code, is that code easy to understand and sufficiently documented, both inline and overall?
  • If this PR introduces frontend code, is that code easy to understand and sufficiently documented, both inline and overall?
  • If this PR introduces dependencies, are their licenses documented?
  • Can reviewer explain and take ownership of these elements presented in this code review?

Deliverable 7: Secure

  • Does the OWASP Scan pass on CircleCI?
  • Do manual code review and manual testing detect any new security issues?
  • If new issues detected, is investigation and/or remediation plan documented?

Deliverable 8: User Research

Research product(s) clearly articulate(s):

  • the purpose of the research
  • methods used to conduct the research
  • who participated in the research
  • what was tested and how
  • impact of research on TDP
  • (if applicable) final design mockups produced for TDP development

@raftmsohani self-assigned this Dec 24, 2024

@raftmsohani (Author) commented:

now only getting this:

# npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
fix available via `npm audit fix --force`
Will install jest-enzyme@4.2.0, which is a breaking change
node_modules/request
  jsdom  0.1.20 || 0.2.0 - 16.5.3
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise-native
  node_modules/jest-environment-enzyme/node_modules/jsdom
    jest-environment-jsdom  10.0.2 - 25.5.0
    Depends on vulnerable versions of jsdom
    node_modules/jest-environment-enzyme/node_modules/jest-environment-jsdom
      jest-environment-enzyme  *
      Depends on vulnerable versions of jest-environment-jsdom
      node_modules/jest-environment-enzyme
        jest-enzyme  >=5.0.0
        Depends on vulnerable versions of jest-environment-enzyme
        node_modules/jest-enzyme
  request-promise-core  *
  Depends on vulnerable versions of request
  node_modules/request-promise-core
    request-promise-native  >=1.0.0
    Depends on vulnerable versions of request
    Depends on vulnerable versions of request-promise-core
    node_modules/request-promise-native

7 moderate severity vulnerabilities
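
An added example, not code from this PR or from the TDP repository, that turns the "run npm audit" test step and the "no high security vulnerabilities" acceptance criterion into a repeatable gate. It parses the JSON form of an npm audit report offline (the auditReportVersion 2 shape that npm 7 and later emit, with per-severity counters under metadata.vulnerabilities), fails only on high or critical counts, and still prints the lower-severity counts so leftovers like the seven moderate request/jsdom findings above are visible rather than silently passed. The function names are the example's own, and the sample report it builds is constructed to resemble the state shown in this PR, not a real audit run.

```shell
#!/bin/sh
# Added example, not part of this PR or the TDP code base: an offline gate for
# the "run npm audit" test step and the "no high security vulnerabilities" AC.
# It reads a report produced by `npm audit --json` (npm 7+, auditReportVersion 2),
# fails on any high or critical finding, and still surfaces the lower-severity
# counts (e.g. the 7 moderate request/jsdom findings above) for follow-up.
# Function names are the example's own; the sample report below is constructed.

# count_severity FILE LEVEL
# Prints the integer under metadata.vulnerabilities.LEVEL (info, low, moderate,
# high, critical or total). npm pretty-prints these as `"high": 0`; per-package
# entries use `"severity": "high"`, which the pattern below does not match.
count_severity() {
  n=$(grep -oE "\"$2\": *[0-9]+" "$1" | head -n 1 | grep -oE '[0-9]+$' || true)
  echo "${n:-0}"
}

# audit_gate FILE
# Returns 0 when the report has no high/critical findings, 1 otherwise.
audit_gate() {
  critical=$(count_severity "$1" critical)
  high=$(count_severity "$1" high)
  moderate=$(count_severity "$1" moderate)
  low=$(count_severity "$1" low)
  echo "npm audit: critical=$critical high=$high moderate=$moderate low=$low"
  if [ "$critical" -gt 0 ] || [ "$high" -gt 0 ]; then
    echo "FAIL: high/critical vulnerabilities present; fix before merge" >&2
    return 1
  fi
  if [ "$moderate" -gt 0 ] || [ "$low" -gt 0 ]; then
    echo "WARN: lower-severity findings remain; track them in an issue" >&2
  fi
  return 0
}

# sample_report MODERATE HIGH CRITICAL
# Prints a constructed report in the shape of `npm audit --json`. The single
# package entry mirrors the request SSRF finding (GHSA-p8p7-x288-28g6) left
# over in this PR, whose only fix is the breaking jest-enzyme@4.2.0 downgrade;
# the severity counters are whatever the caller passes in.
sample_report() {
  total=$(( $1 + $2 + $3 ))
  cat <<EOF
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "request": {
      "name": "request",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "name": "request",
          "title": "Server-Side Request Forgery in Request",
          "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
          "severity": "moderate",
          "range": "*"
        }
      ],
      "range": "*",
      "fixAvailable": { "name": "jest-enzyme", "version": "4.2.0", "isSemVerMajor": true }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": $1,
      "high": $2,
      "critical": $3,
      "total": $total
    }
  }
}
EOF
}

# Stand-alone demo: a report matching the state shown in this PR (7 moderate,
# 0 high, 0 critical) passes the gate, with a warning about the moderates.
demo=$(mktemp)
sample_report 7 0 0 > "$demo"
audit_gate "$demo"
rm -f "$demo"
```

In CI the report comes from `npm audit --json > audit.json || true` followed by `audit_gate audit.json`; the `|| true` is needed because npm audit itself exits non-zero whenever it finds anything at all, which would fail the job on the moderate findings this PR deliberately leaves in place. `npm audit --audit-level=high` gives the same pass/fail decision directly but without the per-severity summary, and on npm 8 and later `npm audit --omit=dev` shows whether the remaining findings are confined to test-only dependencies such as the jest-enzyme chain, which is the fact a reviewer needs before accepting them as interim.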

@raftmsohani changed the base branch from develop to 1577-upgrade-frontend-deps and back to develop twice on January 3, 2025 (18:45 and 18:46)
@raftmsohani added the labels "dependencies" (Pull requests that update a dependency file) and "raft review" (This issue is ready for raft review) on Jan 3, 2025
"braces": "^3.0.3",
"tough-cookie": "^4.1.3",
"postcss": "^8.4.31",
"micromatch": "^4.0.8"
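Review bot: the four pinned ranges (`"braces": "^3.0.3"`, `"tough-cookie": "^4.1.3"`, `"postcss": "^8.4.31"`, `"micromatch": "^4.0.8"`) carry no record of which advisory each one addresses or of the condition under which it can be dropped, and the reply below confirms they are only an interim measure. Since package.json cannot hold comments, reference a tracking issue in the PR description that names, for each pin, the transitive package that currently pulls in the vulnerable version, so the pins are removed once those packages update instead of lingering and masking a later regression or holding a package back from a future fix.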
Reviewer comment:

will these have to be changed/removed when the downstream packages update their dependencies?

Author:

Yes, this is just interim solution

codecov bot commented Jan 6, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 91.38%. Comparing base (d6faa15) to head (442fdd7).
Report is 3 commits behind head on develop.


@@           Coverage Diff            @@
##           develop    #3390   +/-   ##
========================================
  Coverage    91.38%   91.38%           
========================================
  Files          299      299           
  Lines         8614     8614           
  Branches       640      640           
========================================
  Hits          7872     7872           
  Misses         622      622           
  Partials       120      120           
Flag Coverage Δ
dev-backend 91.24% <ø> (ø)
dev-frontend 92.44% <ø> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@raftmsohani requested review from ADPennington and removed the request for elipe17 on January 7, 2025 14:33
@raftmsohani added the "QASP Review" label and removed the "raft review" (This issue is ready for raft review) label on Jan 7, 2025
@ADPennington (Collaborator) left a comment:

test results here: #3328 (comment)

thanks @raftmsohani 🚀

@raftmsohani merged commit f748ba5 into develop on Jan 17, 2025
17 checks passed
@raftmsohani deleted the 3328-vul-audit branch on January 17, 2025 17:03
Labels: dependencies (Pull requests that update a dependency file), frontend, Ready to Merge

Linked issue closed by this merge: #3328 Resolve vulnerabilities in frontend dependencies after React upgrade

4 participants