Purpose

This PR addresses multiple critical and high severity security vulnerabilities identified in the recent security audit. The changes include dependency upgrades and package overrides to patch vulnerable packages and ensure the application's security posture.

Security Issues Resolved

Critical Severity

• pbkdf2 vulnerabilities (CVE-related):

  • Fixed issue where pbkdf2 silently disregards Uint8Array input, returning static keys
  • Fixed predictable uninitialized/zero-filled memory for non-normalized or unimplemented algorithms
  • Resolution: Added package overrides to enforce pbkdf2 >=3.1.3

• sha.js vulnerability:

  • Fixed missing type checks leading to hash rewind and potential crafted data exploitation
  • Resolution: Added package overrides to enforce sha.js >=2.4.12

High Severity

• axios vulnerabilities:

  • Fixed SSRF and credential leakage via absolute URL (CVE-2024-0001)
  • Fixed DoS attack vulnerability through lack of data size check
  • Resolution: Upgraded axios to >=1.12.0 across all packages
  • Resolution: Upgraded axios in browser package to >=0.30.2 and upgraded @asgardeo/auth-spa version to "^3.3.2" in vue package

• playwright vulnerability:

  • Fixed insecure browser downloads without SSL certificate verification
  • Resolution: Upgraded playwright to >=1.55.1

• glob vulnerability:

  • Fixed command injection vulnerability in glob CLI
  • Resolution: Upgraded glob to >=10.5.0

Changes Made

1. Added package overrides for pbkdf2 , sha.js,'glob' and 'axios' to enforce patched versions
2. Upgraded axios dependencies in packages to secure versions
3. Upgraded playwright in packages to secure version (>=1.55.1)
4. Updated rimraf version across all packages

Related Issues

• Security Audit Failure (lts/*, latest)
• GitHub Security Advisories:
  • GHSA-v62p-rq8g-8h59 (pbkdf2)
  • GHSA-h7cp-r72f-jxh6 (pbkdf2)
  • GHSA-95m3-7q98-8xr5 (sha.js)
  • GHSA-jr5f-v2jv-69x6 (axios)
  • GHSA-4hjh-wcwx-xvwj (axios)
  • GHSA-7mvr-c777-76hp (playwright)
  • GHSA-5j98-mcp5-4vw2 (glob)

Related PRs

• N/A

Checklist

• Followed the CONTRIBUTING guidelines.
• Manual test round performed and verified.
• Documentation provided. (Add links if there are any)
• Unit tests provided. (Add links if there are any)

Security checks

• Followed secure coding standards in http://wso2.com/technical-reports/wso2-secure-engineering-guidelines?
• Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets?