Bump the npm_and_yarn at /research-hub-web security update group in /research-hub-web with 1 update

[dependabot]

Bumps the npm_and_yarn at /research-hub-web security update group in /research-hub-web with 1 update: cross-undici-fetch.

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Dependabot tried to add @Trombach, @cakr322 and @eric-el-tan as reviewers to this PR, but received the following error from GitHub:

POST https://api.github.com/repos/UoA-eResearch/hub-stack/pulls/427/requested_reviewers: 422 - Reviews may only be requested from collaborators. One or more of the users or teams you specified is not a collaborator of the UoA-eResearch/hub-stack repository. // See: https://docs.github.com/rest/pulls/review-requests#request-reviewers-for-a-pull-request

To fix the problem, declare explicit least-privilege GITHUB_TOKEN permissions for this workflow or specifically for the run-linters job. Since the job only checks out code and runs local lint commands, it only needs read access to repository contents; it does not need any write permissions or access to other scopes.

The best minimal fix without altering functionality is to add a permissions block to the workflow root (so it applies to all jobs by default) specifying contents: read. This documents the permission requirement and ensures that even if organization defaults are permissive, this workflow’s token will be restricted. Concretely, in .github/workflows/linting.yml, insert:

permissions:
  contents: read

after the on: block and before jobs:. No imports or additional methods are needed; this is pure workflow configuration.

In general, fix this by adding a permissions section that grants only the minimal needed scopes to the GITHUB_TOKEN. This can be set at the root of the workflow (affecting all jobs) or within the specific job; here, we’ll add it at the job level for sentry-release.

The sentry-release job only needs to check out code and send a release notification to Sentry using SENTRY_AUTH_TOKEN. It does not need to push commits, create releases/tags in GitHub, or modify issues/PRs. Therefore, we can safely set permissions: contents: read for this job. This explicitly restricts the GITHUB_TOKEN to read-only access to repository contents while preserving all existing functionality.

Concretely: in .github/workflows/sentry.yml, under jobs: sentry-release: name: Create Sentry Release and before runs-on: ubuntu-latest, insert:

    permissions:
      contents: read

No imports or additional methods are required.

In general, to fix log injection arising from user input, sanitize the input before logging by removing or neutralizing characters that can alter log structure (such as \n and \r), and clearly mark which parts of the log entry come from user input. For plain-text logs, replacing all newline and carriage return characters with safe alternatives (or removing them) is usually sufficient.

For this specific code, the best fix with minimal behavioral change is to create a sanitized version of event.body just for logging, leaving the original event.body intact for subsequent parsing. Right before logging, we can convert event.body to a string (in case it is not already) and remove \r and \n using String.prototype.replace with a regular expression. Then we log the sanitized string instead of the raw event.body. The rest of the function, including JSON.parse(event.body), remains unchanged.

Concretely, in hub-search-proxy/handler.js inside module.exports.search, we will replace:

console.log(`Received query: ${event.body}`);

with something like:

const rawBodyForLog = String(event.body);
const sanitizedBodyForLog = rawBodyForLog.replace(/[\r\n]/g, '');
console.log(`Received query: ${sanitizedBodyForLog}`);

This requires no new imports and does not affect how the request body is used later in the code.