Dependency updates (#363)

stephenfuqua · web-flow · commit 279dc7d15f4a · 2025-03-11T09:31:26.000-05:00
* Update all available GitHub Action versions

* Update jsonpath-plus

* npm audit fix

* npm update

* Fix a bad GH Action dependency update

* Fix a type error, must have been introduced with an npm update

* Force use of older Ubuntu runner due to missing libcrypto.so.1.1 in newer versions
diff --git a/.github/workflows/on-merge-to-main.yml b/.github/workflows/on-merge-to-main.yml
@@ -19,7 +19,7 @@ jobs:
 
   create-pre-releases:
     name: Create Pre-Releases
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     defaults:
       run:
         working-directory: Meadowlark-js
diff --git a/.github/workflows/on-prerelease.yml b/.github/workflows/on-prerelease.yml
@@ -23,7 +23,7 @@ env:
 jobs:
   azure-publish:
     name: Publish to Azure Artifacts
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     defaults:
       run:
         working-directory: Meadowlark-js
@@ -34,7 +34,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Setup Node
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: "18"
           cache: "npm"
@@ -73,7 +73,7 @@ jobs:
 
       - name: Upload packages as artifacts
         if: success()
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: npm
           path: Meadowlark-js/*.tgz
@@ -82,7 +82,7 @@ jobs:
 
   docker-publish:
     name: Publish to Docker Hub
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     needs:
       - azure-publish
     steps:
@@ -114,22 +114,22 @@ jobs:
           echo "NPM_VERSION=$NPM_VERSION" >> $GITHUB_OUTPUT
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226  # v3.0.0
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5  # v3.8.0
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d  # v3.0.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # v3.3.0
         with:
           username: ${{ env.DOCKER_USERNAME }}
           password: ${{ env.DOCKER_HUB_TOKEN }}
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934  # v5.0.0
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96  # v5.6.1
         with:
           images: ${{ env.IMAGE_NAME }}
 
       - name: Build and push
-        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09  # v5.0.0
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc  # v6.11.0
         with:
           context: "{{defaultContext}}:docker"
           cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:pre
@@ -142,7 +142,7 @@ jobs:
 
   sbom-create:
     name: Create SBOM for NPM Packages
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     needs: azure-publish
     permissions:
       contents: write
@@ -152,7 +152,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Get Artifacts
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a #v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8
         with:
           name: npm
 
@@ -173,7 +173,7 @@ jobs:
               -ps "Ed-Fi Alliance"
       - name: Upload SBOM
         if: success()
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: meadowlark-SBOM
           path: ./sbom
@@ -188,14 +188,14 @@ jobs:
 
   sbom-attach:
     name: Attach SBOM file
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     needs:
       - sbom-create
     permissions:
       contents: write
     steps:
       - name: Download the SBOM
-        uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@7f4fdb871876c23e455853d694197440c5a91506 #v1.5.0
+        uses: Ed-Fi-Alliance-OSS/slsa-github-generator/.github/actions/secure-download-artifact@main
         with:
           name: meadowlark-SBOM
           path: _manifest/spdx_2.2/manifest.spdx.json
@@ -230,7 +230,7 @@ jobs:
     permissions:
       id-token: write
       contents: write
-    uses: Ed-Fi-Alliance-OSS/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
+    uses: Ed-Fi-Alliance-OSS/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
     with:
       base64-subjects: ${{ needs.azure-publish.outputs.hash-code }}
       provenance-name: meadowlark.intoto.jsonl
diff --git a/.github/workflows/on-pullrequest-dockerfile.yml b/.github/workflows/on-pullrequest-dockerfile.yml
@@ -21,7 +21,7 @@ permissions: read-all
 
 jobs:
   docker-testing:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     steps:
       - name: Checkout code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/.github/workflows/on-pullrequest.yml b/.github/workflows/on-pullrequest.yml
@@ -34,7 +34,7 @@ jobs:
 
   upgrade:
     name: Upgrade packages
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     defaults:
       run:
         working-directory: Meadowlark-js
@@ -82,7 +82,7 @@ jobs:
     name: Analyze Code Dependencies
     # Not mandatory, but better for this to go after the upgrade since it can change the code.
     needs: upgrade
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     permissions:
       security-events: write
 
@@ -91,13 +91,13 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Dependency Review ("Dependabot on PR")
-        uses: actions/dependency-review-action@c090f4e553673e6e505ea70d6a95362ee12adb94 # v3.0.3
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
 
   analyze-code:
     name: Analyze Code
     # Not mandatory, but better for this to go after the upgrade since it can change the code.
     needs: upgrade
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     env:
       SRC_DIR: Meadowlark-js
     permissions:
@@ -108,15 +108,15 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Setup Node
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: "18"
           cache: "npm"
           cache-dependency-path: "**/package-lock.json"
 
       - name: Node modules cache
         id: modules-cache
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: "**/node_modules"
           key: ${{ runner.os }}-modules-${{ hashFiles('**/package-lock.json') }}
@@ -126,33 +126,33 @@ jobs:
         run: npm install
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.15.2
+        uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           languages: "typescript"
           setup-python-dependencies: false
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.15.2
+        uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
 
   lint:
     name: Lint
     needs: upgrade
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Setup Node
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: "18"
           cache: "npm"
           cache-dependency-path: "**/package-lock.json"
 
       - name: Node modules cache
         id: modules-cache
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: "**/node_modules"
           key: ${{ runner.os }}-modules-${{ hashFiles('**/package-lock.json') }}
@@ -167,22 +167,22 @@ jobs:
   build:
     name: Build
     needs: lint
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Setup Node
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: "18"
           cache: "npm"
           cache-dependency-path: "**/package-lock.json"
 
       - name: Node modules cache
         id: modules-cache
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: "**/node_modules"
           key: ${{ runner.os }}-modules-${{ hashFiles('**/package-lock.json') }}
@@ -197,7 +197,7 @@ jobs:
   tests:
     name: ${{matrix.tests.type}} tests
     needs: lint
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     strategy:
       fail-fast: false
       matrix:
@@ -215,7 +215,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Setup Node
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: "18"
           cache: "npm"
@@ -224,14 +224,14 @@ jobs:
       - name: Load MongoDB binary cache
         if: matrix.tests.type != 'Unit'
         id: cache-mongodb-binaries
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: ~/.cache/mongodb-binaries
           key: ${{ runner.os }}-mongo-${{ hashFiles('**/package-lock.json') }}
 
       - name: Node modules cache
         id: modules-cache
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: "**/node_modules"
           key: ${{ runner.os }}-modules-${{ hashFiles('**/package-lock.json') }}
@@ -242,7 +242,7 @@ jobs:
 
       - name: Jest cache
         id: cache-jest
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: /tmp/jest_rt
           key: ${{ runner.os }}-jest-${{ hashFiles('**/package-lock.json') }}
@@ -279,7 +279,7 @@ jobs:
 
       - name: Archive coverage results
         if: ${{ matrix.tests.type == 'Unit' }}
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: code-coverage-report
           path: Meadowlark-js/coverage/lcov-report
@@ -288,7 +288,7 @@ jobs:
   end-to-end:
     name: End to End tests for ${{ matrix.store.db }} as store and ${{matrix.query_handler.provider}} as query handler
     needs: lint
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     strategy:
       fail-fast: false
       matrix:
@@ -304,7 +304,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Setup Node
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: "18"
           cache: "npm"
@@ -315,7 +315,7 @@ jobs:
 
       - name: Jest cache
         id: cache-jest
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: /tmp/jest_rt
           key: ${{ runner.os }}-jest-${{ hashFiles('**/package-lock.json') }}
@@ -336,7 +336,7 @@ jobs:
 
       - name: Docker logs
         if: failure()
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: docker-logs
           path: |
diff --git a/.github/workflows/on-release.yml b/.github/workflows/on-release.yml
@@ -19,7 +19,7 @@ env:
 jobs:
   promote-Azure-artifact:
     name: Promote Azure Artifact
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     steps:
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -16,7 +16,7 @@ permissions: read-all
 jobs:
   analysis:
     name: Scorecard analysis
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     permissions:
       # Needed to upload the results to code-scanning dashboard.
       security-events: write
@@ -33,7 +33,7 @@ jobs:
           persist-credentials: false
 
       - name: Run analysis
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: scorecard.sarif
           results_format: sarif
@@ -63,6 +63,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@cf7e9f23492505046de9a37830c3711dd0f25bb3 # codeql-bundle-v2.16.2
+        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 #codeql-bundle-v3.28.0
         with:
           sarif_file: scorecard.sarif
diff --git a/Meadowlark-js/package-lock.json b/Meadowlark-js/package-lock.json
diff --git a/Meadowlark-js/packages/meadowlark-core/package.json b/Meadowlark-js/packages/meadowlark-core/package.json
diff --git a/Meadowlark-js/tests/e2e/scenarios/RequestSmuggling.test.ts b/Meadowlark-js/tests/e2e/scenarios/RequestSmuggling.test.ts
