
Outdated dependencies with 279 vulnerabilities

Open mensinda opened this issue 5 months ago • 1 comments

I had a look at the dependencies mojito uses and most (if not all of them) are out of date. Most importantly, spring-boot 3.1.x is no longer supported. The 3.1.5 version used isn't even the latest 3.1 version. The last available version is 3.1.12.

For the frontend, looking at the git blame of the package.json, there is not a single dependency that was updated in the last 6 years! Additionally, nodejs v8.8.1 and npm 6.11.3 are also far from cutting edge.

Thus, there is now a sizable list of vulnerabilities from the dependencies: dependency-check-report.zip (I had to zip the HTML file, since GitHub does not allow attaching HTMLs directly)

This report was generated with:

mvn org.owasp:dependency-check-maven:12.1.3:check -DnvdApiKey=XXX

In general, I would recommend setting up something like https://github.com/dependabot to help maintain up-to-date dependencies. I am aware that this is no magic solution and manual intervention will still be required (especially when there are breaking changes in dependencies). However, this might help to keep most of the smaller dependencies up-to-date.

mensinda avatar Aug 14 '25 12:08 mensinda
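A starting point for the Dependabot setup suggested above, as an added example (not a file from the mojito repository): one config covering the Maven backend and the npm frontend. It assumes both the pom.xml and the package.json sit at the repository root; adjust `directory` if the frontend lives in a subfolder.

```yaml
# .github/dependabot.yml -- added example, not part of the mojito repository.
# Assumption: pom.xml and package.json are both at the repository root.
version: 2
updates:
  # Backend: Maven dependencies (spring-boot and friends).
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      # Keep all Spring Boot artifacts in one PR so the BOM and starters
      # move together instead of half-upgrading the backend.
      spring-boot:
        patterns:
          - "org.springframework.boot:*"

  # Frontend: npm dependencies from package.json.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      # Batch non-breaking bumps into one PR; major bumps (the ones that
      # usually need manual work) still arrive as individual PRs to review.
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"

  # Keep the CI workflow actions current as well.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Dependabot only proposes versions that exist, so the jump off the end-of-life spring-boot 3.1 line will still show up as a major-version PR that needs a manual migration, as the issue already notes.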

I've done a major update on the frontend in the ja/ai-review branch, I'll merge to master soon. It upgrades to webpack 5, babel 7, node 20.12 and npm 10.5 and also removes a lot of the clutter like node-sass and pinned dependencies.

The backend needs some work too.

aurambaj avatar Aug 14 '25 16:08 aurambaj