diff --git a/package.json b/package.json
index af6eabbebe..c585dba165 100644
--- a/package.json
+++ b/package.json
@@ -89,7 +89,7 @@
         "gravatar-url": "^3.1.0",
         "helmet": "^4.1.0",
         "joi": "^17.3.0",
-        "js-yaml": "^4.1.0",
+        "js-yaml": "^3.14.0",
         "knex": "0.95.5",
         "log4js": "^6.0.0",
         "memoizee": "^0.4.15",
@@ -116,7 +116,7 @@
         "@types/express": "^4.17.11",
         "@types/express-session": "^1.17.4",
         "@types/jest": "^27.0.1",
-        "@types/js-yaml": "^4.0.2",
+        "@types/js-yaml": "^3.12.7",
         "@types/memoizee": "^0.4.6",
         "@types/node": "^16.6.1",
         "@types/node-fetch": "^2.5.10",
diff --git a/src/lib/addons/slack.ts b/src/lib/addons/slack.ts
index eaf469df79..a15c65b992 100644
--- a/src/lib/addons/slack.ts
+++ b/src/lib/addons/slack.ts
@@ -123,7 +123,7 @@ This was changed by ${createdBy}.`;
         const stale = data.stale ? '("stale")' : '';
         const typeStr = `*Type*: ${data.type}`;
         const project = `*Project*: ${data.project}`;
-        const strategies = `*Activation strategies*: \`\`\`${YAML.dump(
+        const strategies = `*Activation strategies*: \`\`\`${YAML.safeDump(
             data.strategies,
             { skipInvalid: true },
         )}\`\`\``;
diff --git a/src/lib/addons/teams.ts b/src/lib/addons/teams.ts
index a857f01a29..1fe82e95c6 100644
--- a/src/lib/addons/teams.ts
+++ b/src/lib/addons/teams.ts
@@ -109,7 +109,7 @@ export default class TeamsAddon extends Addon {
         const { data } = event;
         const typeStr = `*Type*: ${data.type}`;
         const project = `*Project*: ${data.project}`;
-        const strategies = `*Activation strategies*: \n${YAML.dump(
+        const strategies = `*Activation strategies*: \n${YAML.safeDump(
             data.strategies,
             { skipInvalid: true },
         )}`;
diff --git a/src/lib/routes/admin-api/state.ts b/src/lib/routes/admin-api/state.ts
index d175708914..c9046c724a 100644
--- a/src/lib/routes/admin-api/state.ts
+++ b/src/lib/routes/admin-api/state.ts
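Review bot: The switch to `YAML.safeDump` here is correct for js-yaml 3.x, but only by naming convention: on the 3.x line `load`/`dump` are the full-schema entry points (they accept and emit `!!js/*` tags such as `!!js/function`) and `safeLoad`/`safeDump` the restricted ones, the reverse of 4.x where `load` is already safe and the `safe*` names are gone. After this downgrade nothing prevents a new call site, or a future merge that brings `YAML.load` back, from parsing imported state with the unsafe loader; the same applies to the `safeDump` calls in teams.ts and state.ts and the `safeLoad` in state-util.ts. I would back the rename with a lint guard, e.g. an ESLint `no-restricted-properties` entry for `{ object: 'YAML', property: 'load' }` (and `loadAll`, `dump`) whose message points at the safe variants, or at least a comment beside the js-yaml import: `// js-yaml 3.x: only safeLoad/safeDump here — load accepts !!js/* tags (e.g. !!js/function)`. The enclosing method starts outside the hunk.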
@@ -97,7 +97,9 @@ class StateController extends Controller {
             if (downloadFile) {
                 res.attachment(`export-${timestamp}.yml`);
             }
-            res.type('yaml').send(YAML.dump(data, { skipInvalid: true }));
+            res.type('yaml').send(
+                YAML.safeDump(data, { skipInvalid: true }),
+            );
         } else {
             if (downloadFile) {
                 res.attachment(`export-${timestamp}.json`);
diff --git a/src/lib/services/state-util.ts b/src/lib/services/state-util.ts
index 3ec2a7278f..a576781ab1 100644
--- a/src/lib/services/state-util.ts
+++ b/src/lib/services/state-util.ts
@@ -12,7 +12,8 @@ export const readFile: (file: string) => Promise = (file) =>
 export const parseFile: (file: string, data: string) => any = (
     file: string,
     data: string,
-) => (mime.lookup(file) === 'text/yaml' ? YAML.load(data) : JSON.parse(data));
+) =>
+    mime.lookup(file) === 'text/yaml' ? YAML.safeLoad(data) : JSON.parse(data);
 
 export const filterExisting: (
     keepExisting: boolean,
diff --git a/yarn.lock b/yarn.lock
index 78801920fa..0c18a1611d 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -778,10 +778,10 @@
     jest-diff "^27.0.0"
     pretty-format "^27.0.0"
 
-"@types/js-yaml@^4.0.2":
-  version "4.0.2"
-  resolved "https://registry.yarnpkg.com/@types/js-yaml/-/js-yaml-4.0.2.tgz#4117a7a378593a218e9d6f0ef44ce6d5d9edf7fa"
-  integrity sha512-KbeHS/Y4R+k+5sWXEYzAZKuB1yQlZtEghuhRxrVRLaqhtoG5+26JwQsa4HyS3AWX8v1Uwukma5HheduUDskasA==
+"@types/js-yaml@^3.12.7":
+  version "3.12.7"
+  resolved "https://registry.yarnpkg.com/@types/js-yaml/-/js-yaml-3.12.7.tgz#330c5d97a3500e9c903210d6e49f02964af04a0e"
+  integrity sha512-S6+8JAYTE1qdsc9HMVsfY7+SgSuUU/Tp6TYTmITW0PZxiyIMvol3Gy//y69Wkhs0ti4py5qgR3uZH6uz/DNzJQ==
 
 "@types/json-schema@^7.0.7":
   version "7.0.9"
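Review bot: parseFile is the point where user-supplied import files become objects, yet its declared type still returns `any`, so nothing at the type level tells callers that the parsed value is untrusted and must be validated before use; the rename to `safeLoad` keeps the YAML path on js-yaml 3.x's restricted schema but does not change that. A short TSDoc comment above the declaration would make the contract explicit, along the lines of `/** Parses an uploaded state file by extension: YAML via js-yaml safeLoad (restricted schema), anything else as JSON. The result is unvalidated user input; callers must validate it against the import schema before using it. */`. Also, only a MIME lookup of exactly `'text/yaml'` selects the YAML branch, so whether a `.yml` upload is handled depends on the mime library's extension table — if it maps `.yml` to another type, such files fall through to `JSON.parse` and fail with a misleading error, which a small unit test would pin down. parseFile is complete within the hunk; readFile above it starts outside it.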
@@ -1144,11 +1144,6 @@ argparse@^1.0.7:
   dependencies:
     sprintf-js "~1.0.2"
 
-argparse@^2.0.1:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/argparse/-/argparse-2.0.1.tgz#246f50f3ca78a3240f6c997e8a9bd1eac49e4b38"
-  integrity sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==
-
 arr-diff@^4.0.0:
   version "4.0.0"
   resolved "https://registry.yarnpkg.com/arr-diff/-/arr-diff-4.0.0.tgz#d6461074febfec71e7e15235761a329a5dc7c520"
@@ -4343,7 +4338,7 @@ js-tokens@^4.0.0:
   resolved "https://registry.yarnpkg.com/js-tokens/-/js-tokens-4.0.0.tgz#19203fb59991df98e3a287050d4647cdeaf32499"
   integrity sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==
 
-js-yaml@^3.13.1:
+js-yaml@^3.13.1, js-yaml@^3.14.0:
   version "3.14.1"
   resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.14.1.tgz#dae812fdb3825fa306609a8717383c50c36a0537"
   integrity sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==
@@ -4351,13 +4346,6 @@ js-yaml@^3.13.1:
     argparse "^1.0.7"
     esprima "^4.0.0"
 
-js-yaml@^4.1.0:
-  version "4.1.0"
-  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-4.1.0.tgz#c1fb65f8f5017901cdd2c951864ba18458a10602"
-  integrity sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==
-  dependencies:
-    argparse "^2.0.1"
-
 jsbn@~0.1.0:
   version "0.1.1"
   resolved "https://registry.yarnpkg.com/jsbn/-/jsbn-0.1.1.tgz#a5e654c2e5a2deb5f201d96cefbca80c0ef2f513"