HHS · Jones-QuarteyDana · Aug 27, 2024 · Aug 21, 2024 · Aug 21, 2024 · Aug 26, 2024
diff --git a/automation/common/scripts/postgrescli_install.sh b/automation/common/scripts/postgrescli_install.sh
@@ -221,9 +221,9 @@ function cleanup() {
 
 # Main function to control workflow
 function main() {
-    local deb_url="http://security.debian.org/debian-security/pool/updates/main/p/postgresql-15/postgresql-client-15_15.6-0+deb12u1_amd64.deb"
+    local deb_url="https://security.debian.org/debian-security/pool/updates/main/p/postgresql-15/postgresql-client-15_15.8-0+deb12u1_amd64.deb"
     local deb_file="/tmp/postgresql.deb"
-    local deb_sha256="f601421f0f075c78df0ee289fbe075f38f52d08362ff2907d1710c26d5e53c39"
+    local deb_sha256="e88cfe7aa8548f8461dcbd56f69a1bb365affcd380469f705aca697fc2146994"
     local bin_dir="/tmp/local/bin"
     local tools=("pg_dump" "pg_isready" "pg_restore" "psql" "reindexdb" "vacuumdb")
 

diff --git a/frontend/yarn-audit-known-issues b/frontend/yarn-audit-known-issues
diff --git a/src/goalServices/helpers.js b/src/goalServices/helpers.js
@@ -21,6 +21,7 @@ const findOrFailExistingGoal = (needle, haystack, translate = goalFieldTransate)
     g[translate.status] === needle.status
     && g[translate.name].trim() === needle.name.trim()
     && g[translate.source] === needle.source
+    && g.isFei === needle.dataValues.isFei
     && g[translate.responsesForComparison] === responsesForComparison(needle)
     && (
       // Check if both needle and haystack goal have no valid collaborators

diff --git a/src/migrations/20240827142432-update-missing-fei-templates.js b/src/migrations/20240827142432-update-missing-fei-templates.js
@@ -0,0 +1,29 @@
+const { prepMigration } = require('../lib/migration');
+
+module.exports = {
+  up: async (queryInterface) => queryInterface.sequelize.transaction(
+    async (transaction) => {
+      await prepMigration(queryInterface, transaction, __filename);
+
+      await queryInterface.sequelize.query(/* sql */`
+        UPDATE "Goals"
+        SET "goalTemplateId" = 19017
+        WHERE "goalTemplateId" is null AND "id" IN (
+          SELECT 
+              g.id  
+          FROM "Goals" g 
+          INNER JOIN "GoalFieldResponses" gfr ON g.id = gfr."goalId"
+          INNER JOIN "GoalTemplateFieldPrompts" gfft ON gfr."goalTemplateFieldPromptId" = gfft.id
+          WHERE g."goalTemplateId" is null AND gfft."goalTemplateId" = 19017
+        );
+
+      `, { transaction });
+    },
+  ),
+
+  down: async (queryInterface) => queryInterface.sequelize.transaction(
+    async (transaction) => {
+      await prepMigration(queryInterface, transaction, __filename);
+    },
+  ),
+};
diff --git a/src/models/hooks/activityReport.js b/src/models/hooks/activityReport.js
@@ -169,7 +169,7 @@ const propagateSubmissionStatus = async (sequelize, instance, options) => {
         )));
       // Add the corresponding template id to each of the goals.
       goals = goals.map((goal) => {
-        const goalTemplateId = distinctTemplates.filter((dt) => dt.name === goal.name).id;
+        const goalTemplateId = distinctTemplates.find((dt) => dt.name === goal.name).id;
         return { ...goal, goalTemplateId };
       });
       // Update all the goals with their template id.
@@ -221,7 +221,7 @@ const propagateSubmissionStatus = async (sequelize, instance, options) => {
       // Add the corresponding template id to each of the objectives.
       objectives = objectives.map((objective) => {
         const objectiveTemplateId = distinctTemplates
-          .filter((dt) => dt.title === objective.title).id;
+          .find((dt) => dt.title === objective.title).id;
         return { ...objective, objectiveTemplateId };
       });
       // Update all the objectives with their template id.

diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
@@ -1,7 +1,7 @@
 {"type":"auditAdvisory","data":{"resolution":{"id":1096366,"path":"email-templates>preview-email>mailparser>nodemailer","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"6.7.3","paths":["email-templates>preview-email>mailparser>nodemailer"]}],"metadata":null,"vulnerable_versions":"<=6.9.8","module_name":"nodemailer","severity":"moderate","github_advisory_id":"GHSA-9h6g-pr28-7cqp","cves":[],"access":"public","patched_versions":">=6.9.9","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-02-01T17:58:50.000Z","recommendation":"Upgrade to version 6.9.9 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1096366,"references":"- https://github.com/nodemailer/nodemailer/security/advisories/GHSA-9h6g-pr28-7cqp\n- https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6\n- https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698\n- https://github.com/nodemailer/nodemailer/commit/dd8f5e8a4ddc99992e31df76bcff9c590035cd4a\n- https://github.com/advisories/GHSA-9h6g-pr28-7cqp","created":"2024-01-31T22:42:54.000Z","reported_by":null,"title":"nodemailer ReDoS when trying to send a specially crafted email","npm_advisory_id":null,"overview":"### Summary\nA ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter `attachDataUrls` set, causing the stuck of event loop. \nAnother flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop. \n\n### Details\n\nRegex: /^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/\n\nPath: compile -> getAttachments -> _processDataUrl\n\nRegex: /(<img\\b[^>]* src\\s*=[\\s\"']*)(data:([^;]+);[^\"'>\\s]+)/\n\nPath: _convertDataImages\n\n### PoC\n\nhttps://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6\nhttps://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698\n\n### Impact\n\nReDoS causes the event loop to stuck a specially crafted evil email can cause this problem.\n","url":"https://github.com/advisories/GHSA-9h6g-pr28-7cqp"}}}
+{"type":"auditAdvisory","data":{"resolution":{"id":1098583,"path":"newrelic>@newrelic/security-agent>axios","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.6.0","paths":["newrelic>@newrelic/security-agent>axios"]},{"version":"1.6.1","paths":["smartsheet>axios"]}],"metadata":null,"vulnerable_versions":">=1.3.2 <=1.7.3","module_name":"axios","severity":"high","github_advisory_id":"GHSA-8hc4-vh64-cxmj","cves":["CVE-2024-39338"],"access":"public","patched_versions":">=1.7.4","cvss":{"score":0,"vectorString":null},"updated":"2024-08-13T19:53:25.000Z","recommendation":"Upgrade to version 1.7.4 or later","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1098583,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-39338\n- https://github.com/axios/axios/releases\n- https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html\n- https://github.com/axios/axios/issues/6463\n- https://github.com/axios/axios/pull/6539\n- https://github.com/axios/axios/pull/6543\n- https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a\n- https://github.com/axios/axios/releases/tag/v1.7.4\n- https://github.com/advisories/GHSA-8hc4-vh64-cxmj","created":"2024-08-12T15:30:49.000Z","reported_by":null,"title":"Server-Side Request Forgery in axios","npm_advisory_id":null,"overview":"axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.","url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj"}}}
 {"type":"auditAdvisory","data":{"resolution":{"id":1098559,"path":"newrelic>@newrelic/security-agent>@aws-sdk/client-lambda>@aws-sdk/client-sts>fast-xml-parser","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.2.5","paths":["newrelic>@newrelic/security-agent>@aws-sdk/client-lambda>@aws-sdk/client-sts>fast-xml-parser"]}],"metadata":null,"vulnerable_versions":"<4.4.1","module_name":"fast-xml-parser","severity":"high","github_advisory_id":"GHSA-mpg4-rc92-vx8v","cves":["CVE-2024-41818"],"access":"public","patched_versions":">=4.4.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-08-08T05:10:58.000Z","recommendation":"Upgrade to version 4.4.1 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1098559,"references":"- https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-mpg4-rc92-vx8v\n- https://github.com/NaturalIntelligence/fast-xml-parser/commit/d0bfe8a3a2813a185f39591bbef222212d856164\n- https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/src/v5/valueParsers/currency.js#L10\n- https://nvd.nist.gov/vuln/detail/CVE-2024-41818\n- https://github.com/advisories/GHSA-mpg4-rc92-vx8v","created":"2024-07-29T17:46:16.000Z","reported_by":null,"title":"fast-xml-parser vulnerable to ReDOS at currency parsing","npm_advisory_id":null,"overview":"### Summary\nA ReDOS exists on currency.js  was discovered by Gauss Security Labs R&D team.\n\n### Details\nhttps://github.com/NaturalIntelligence/fast-xml-parser/blob/master/src/v5/valueParsers/currency.js#L10\ncontains a vulnerable regex \n\n### PoC\npass the following string '\\t'.repeat(13337)  + '.'\n\n### Impact\nDenial of service during currency parsing in experimental version 5 of fast-xml-parser-library\n\nhttps://gauss-security.com","url":"https://github.com/advisories/GHSA-mpg4-rc92-vx8v"}}}
+{"type":"auditAdvisory","data":{"resolution":{"id":1098583,"path":"smartsheet>axios","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.6.0","paths":["newrelic>@newrelic/security-agent>axios"]},{"version":"1.6.1","paths":["smartsheet>axios"]}],"metadata":null,"vulnerable_versions":">=1.3.2 <=1.7.3","module_name":"axios","severity":"high","github_advisory_id":"GHSA-8hc4-vh64-cxmj","cves":["CVE-2024-39338"],"access":"public","patched_versions":">=1.7.4","cvss":{"score":0,"vectorString":null},"updated":"2024-08-13T19:53:25.000Z","recommendation":"Upgrade to version 1.7.4 or later","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1098583,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-39338\n- https://github.com/axios/axios/releases\n- https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html\n- https://github.com/axios/axios/issues/6463\n- https://github.com/axios/axios/pull/6539\n- https://github.com/axios/axios/pull/6543\n- https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a\n- https://github.com/axios/axios/releases/tag/v1.7.4\n- https://github.com/advisories/GHSA-8hc4-vh64-cxmj","created":"2024-08-12T15:30:49.000Z","reported_by":null,"title":"Server-Side Request Forgery in axios","npm_advisory_id":null,"overview":"axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.","url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj"}}}
 {"type":"auditAdvisory","data":{"resolution":{"id":1096410,"path":"xml2json>hoek","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.2.1","paths":["xml2json>hoek"]},{"version":"5.0.4","paths":["xml2json>joi>hoek"]},{"version":"6.1.3","paths":["xml2json>joi>topo>hoek"]}],"metadata":null,"vulnerable_versions":"<=6.1.3","module_name":"hoek","severity":"high","github_advisory_id":"GHSA-c429-5p7v-vgjp","cves":["CVE-2020-36604"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2024-02-07T18:59:37.000Z","recommendation":"None","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1096410,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36604\n- https://github.com/hapijs/hoek/issues/352\n- https://github.com/hapijs/hoek/commit/4d0804bc6135ad72afdc5e1ec002b935b2f5216a\n- https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90\n- https://github.com/advisories/GHSA-c429-5p7v-vgjp","created":"2022-09-25T00:00:27.000Z","reported_by":null,"title":"hoek subject to prototype pollution via the clone function.","npm_advisory_id":null,"overview":"hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1. ","url":"https://github.com/advisories/GHSA-c429-5p7v-vgjp"}}}
 {"type":"auditAdvisory","data":{"resolution":{"id":1096410,"path":"xml2json>joi>hoek","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.2.1","paths":["xml2json>hoek"]},{"version":"5.0.4","paths":["xml2json>joi>hoek"]},{"version":"6.1.3","paths":["xml2json>joi>topo>hoek"]}],"metadata":null,"vulnerable_versions":"<=6.1.3","module_name":"hoek","severity":"high","github_advisory_id":"GHSA-c429-5p7v-vgjp","cves":["CVE-2020-36604"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2024-02-07T18:59:37.000Z","recommendation":"None","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1096410,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36604\n- https://github.com/hapijs/hoek/issues/352\n- https://github.com/hapijs/hoek/commit/4d0804bc6135ad72afdc5e1ec002b935b2f5216a\n- https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90\n- https://github.com/advisories/GHSA-c429-5p7v-vgjp","created":"2022-09-25T00:00:27.000Z","reported_by":null,"title":"hoek subject to prototype pollution via the clone function.","npm_advisory_id":null,"overview":"hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1. ","url":"https://github.com/advisories/GHSA-c429-5p7v-vgjp"}}}
 {"type":"auditAdvisory","data":{"resolution":{"id":1096410,"path":"xml2json>joi>topo>hoek","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.2.1","paths":["xml2json>hoek"]},{"version":"5.0.4","paths":["xml2json>joi>hoek"]},{"version":"6.1.3","paths":["xml2json>joi>topo>hoek"]}],"metadata":null,"vulnerable_versions":"<=6.1.3","module_name":"hoek","severity":"high","github_advisory_id":"GHSA-c429-5p7v-vgjp","cves":["CVE-2020-36604"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2024-02-07T18:59:37.000Z","recommendation":"None","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1096410,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36604\n- https://github.com/hapijs/hoek/issues/352\n- https://github.com/hapijs/hoek/commit/4d0804bc6135ad72afdc5e1ec002b935b2f5216a\n- https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90\n- https://github.com/advisories/GHSA-c429-5p7v-vgjp","created":"2022-09-25T00:00:27.000Z","reported_by":null,"title":"hoek subject to prototype pollution via the clone function.","npm_advisory_id":null,"overview":"hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1. ","url":"https://github.com/advisories/GHSA-c429-5p7v-vgjp"}}}
-{"type":"auditAdvisory","data":{"resolution":{"id":1098582,"path":"newrelic>@newrelic/security-agent>axios","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"1.6.0","paths":["newrelic>@newrelic/security-agent>axios"]},{"version":"1.6.1","paths":["smartsheet>axios"]}],"metadata":null,"vulnerable_versions":">=1.3.2 <=1.7.3","module_name":"axios","severity":"high","github_advisory_id":"GHSA-8hc4-vh64-cxmj","cves":["CVE-2024-39338"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-12T17:26:46.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1098582,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-39338\n- https://github.com/axios/axios/releases\n- https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html\n- https://github.com/axios/axios/issues/6463\n- https://github.com/axios/axios/pull/6539\n- https://github.com/advisories/GHSA-8hc4-vh64-cxmj","created":"2024-08-12T15:30:49.000Z","reported_by":null,"title":"Server-Side Request Forgery in axios","npm_advisory_id":null,"overview":"axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.","url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj"}}}
-{"type":"auditAdvisory","data":{"resolution":{"id":1098582,"path":"smartsheet>axios","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"1.6.0","paths":["newrelic>@newrelic/security-agent>axios"]},{"version":"1.6.1","paths":["smartsheet>axios"]}],"metadata":null,"vulnerable_versions":">=1.3.2 <=1.7.3","module_name":"axios","severity":"high","github_advisory_id":"GHSA-8hc4-vh64-cxmj","cves":["CVE-2024-39338"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-12T17:26:46.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1098582,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-39338\n- https://github.com/axios/axios/releases\n- https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html\n- https://github.com/axios/axios/issues/6463\n- https://github.com/axios/axios/pull/6539\n- https://github.com/advisories/GHSA-8hc4-vh64-cxmj","created":"2024-08-12T15:30:49.000Z","reported_by":null,"title":"Server-Side Request Forgery in axios","npm_advisory_id":null,"overview":"axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.","url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj"}}}
diff --git a/yarn.lock b/yarn.lock
@@ -5907,9 +5907,9 @@ electron-to-chromium@^1.4.251:
   integrity sha512-7mHFONwp7MNvdyto1v70fCwk28NJMFgsK79op+iYHzz1BLE8T66a1B2qW5alb8XgE0yi3FL3ZQjSYZpJpF6snw==
 
 elliptic@^6.5.3, elliptic@^6.5.4:
-  version "6.5.4"
-  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.4.tgz#da37cebd31e79a1367e941b592ed1fbebd58abbb"
-  integrity sha512-iLhC6ULemrljPZb+QutR5TQGB+pdW6KGD5RSegS+8sorOZT+rdQFbsQFJgvN3eRqNALqJer4oQ16YvJHlU8hzQ==
+  version "6.5.7"
+  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.7.tgz#8ec4da2cb2939926a1b9a73619d768207e647c8b"
+  integrity sha512-ESVCtTwiA+XhY3wyh24QqRGBoP3rEdDUl3EDUUo9tft074fi19IrdpH7hLCMMP3CIj7jb3W96rn8lt/BqIlt5Q==
   dependencies:
     bn.js "^4.11.9"
     brorand "^1.1.0"