pwa-studio
PWA-3370::github.com/magento/pwa-studio Dependency Updates
Description
Hey PSIRT, can you issue tickets for the following issue in dependencies reported by a customer:
https://github.com/magento/pwa-studio
I have identified two issues in PWA-Studio that also end up in the final client bundle and could potentially be exploited by a hacker. I have a patch and have smoke-tested the frontend.
Here are the details of the vulnerabilities:
Package Name | Title | Vulnerability ID | Installed | Fixed Version | URL
-- | -- | -- | -- | -- | --
path-to-regexp | Backtracking regular expressions cause ReDoS | CVE-2024-45296 | 0.1.7 | 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 | Link
path-to-regexp | Backtracking regular expressions cause ReDoS | CVE-2024-45296 | 1.8.0 | 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 | Link
qs | Prototype poisoning causes the hang of the node process | CVE-2022-24999 | 6.5.2 | 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1 | Link
qs | Prototype poisoning causes the hang of the node process | CVE-2022-24999 | 6.5.2 | 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1 | Link
For more details, devs can go through https://jira.corp.adobe.com/browse/VULN-29466 and https://jira.corp.adobe.com/browse/MAGREQ-12574
Related Issue
Closes https://jira.corp.adobe.com/browse/PWA-3370
Acceptance
Verification Stakeholders
Specification
Verification Steps
Test scenario(s) for direct fix/feature
Test scenario(s) for any existing impacted features/areas
Test scenario(s) for any Magento Backend Supported Configurations
Is Browser/Device testing needed?
Any ad-hoc/edge case scenarios that need to be considered?
Screenshots / Screen Captures (if appropriate)
Breaking Changes (if any)
Checklist
- I have added tests to cover my changes, if necessary.
- I have added translations for new strings, if necessary.
- I have updated the documentation accordingly, if necessary.
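Added example (not code from this PR or from pwa-studio): a Node script that walks a `package-lock.json` for every installed copy of the two packages in the description's table, including nested copies under another package's `node_modules`, and flags each copy that is below the fixed release on its own release line. The lockfile excerpt is constructed, and the per-package release-line granularity (path-to-regexp fixes cut per major, qs per minor) is an assumption used to pick the right fixed version from the table's list.

```javascript
// Added example (not pwa-studio code): audit a lockfile v2/v3 "packages" map for the two
// packages in the PR table and report installed copies below the fix on their release line.
const ADVISORIES = {
  // Fixed versions as listed in the PR table. "line" is the granularity on which fix
  // releases are cut (assumption: path-to-regexp per major, qs per minor).
  "path-to-regexp": { id: "CVE-2024-45296", line: "major",
                      fixed: ["1.9.0", "0.1.10", "8.0.0", "3.3.0", "6.3.0"] },
  "qs": { id: "CVE-2022-24999", line: "minor",
          fixed: ["6.10.3", "6.9.7", "6.8.3", "6.7.3", "6.6.1", "6.5.3", "6.4.1"] },
};
const parse = (v) => v.split(".").map(Number); // "6.5.2" -> [6, 5, 2]
function cmp(a, b) {                            // numeric semver compare (no pre-release tags)
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}
// Release-line key: "1" (per major) or "6.5" (per minor). A 0.x version is always keyed
// as major.minor, since 0.y lines are independent under semver.
function lineKey(v, line) {
  const [major, minor] = parse(v);
  return line === "minor" || major === 0 ? `${major}.${minor}` : `${major}`;
}
// One installed version against one advisory: patched only if a fixed release exists on
// the same line and the installed version is at or above it.
function assess(installed, adv) {
  const fixedOn = adv.fixed.find((f) => lineKey(f, adv.line) === lineKey(installed, adv.line));
  if (!fixedOn) return { patched: false, fixedOn: null }; // no fix on this line: must move lines
  return { patched: cmp(installed, fixedOn) >= 0, fixedOn };
}
// Walk every node_modules path; nested copies (express's own path-to-regexp 0.1.x next to
// a top-level 1.x) are reported separately, which is why the table lists two rows.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const adv = ADVISORIES[path.split("node_modules/").pop()];
    if (!adv || !meta.version) continue;
    const { patched, fixedOn } = assess(meta.version, adv);
    if (!patched) findings.push({ path, version: meta.version, id: adv.id, fixedOn });
  }
  return findings;
}
// Constructed lockfile excerpt mirroring the installed versions in the table.
const SAMPLE_LOCK = { packages: {
  "node_modules/express/node_modules/path-to-regexp": { version: "0.1.7" },
  "node_modules/path-to-regexp": { version: "1.8.0" },
  "node_modules/qs": { version: "6.5.2" },
} };
console.table(auditLockfile(SAMPLE_LOCK)); // three findings; none once bumped to 0.1.10 / 1.9.0 / 6.5.3
```

Re-running it after the dependency bump gives an empty table, which is a quick check that no nested copy of either package was left behind.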