From 69794307ec765fd62bf5405086e4acc7c06b0626 Mon Sep 17 00:00:00 2001
From: Alison Silva
Date: Tue, 25 Feb 2025 22:47:53 +0000
Subject: [PATCH 1/2] fix: update vitest to 3.0.5+ to patch RCE vulnerability
---
 packages/react-components/package.json | 4 +--
 .../src/reducers/CustomerReducer.ts | 26 ++++++++++++++-----
 2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/packages/react-components/package.json b/packages/react-components/package.json
index 7f6b3040..e1a47345 100644
--- a/packages/react-components/package.json
+++ b/packages/react-components/package.json
@@ -227,7 +227,7 @@
 "@types/react-test-renderer": "^18.3.1",
 "@types/react-window": "^1.8.8",
 "@vitejs/plugin-react": "^4.3.4",
- "@vitest/coverage-v8": "^3.0.4",
+ "@vitest/coverage-v8": "^3.0.5",
 "jsdom": "^26.0.0",
 "minimize-js": "^1.4.0",
 "msw": "^2.7.0",
@@ -239,7 +239,7 @@
 "typescript": "^5.7.3",
 "vite": "^6.0.11",
 "vite-tsconfig-paths": "^5.1.4",
- "vitest": "^3.0.4"
+ "vitest": "^3.0.5"
 },
 "peerDependencies": {
 "react": ">=18.0.0"
diff --git a/packages/react-components/src/reducers/CustomerReducer.ts b/packages/react-components/src/reducers/CustomerReducer.ts
index 552778f1..705cc6bb 100644
--- a/packages/react-components/src/reducers/CustomerReducer.ts
+++ b/packages/react-components/src/reducers/CustomerReducer.ts
@@ -11,7 +11,8 @@ import type {
 Order,
 OrderSubscription,
 OrderUpdate,
- QueryPageSize
+ QueryPageSize,
+ QuerySort,
 } from '@commercelayer/sdk'
 import type { CommerceLayerConfig } from '#context/CommerceLayerContext'
 import type { updateOrder } from './OrderReducer'
@@ -283,13 +284,19 @@ interface GetCustomerOrdersProps {
 * Retrieve a specific subscription or order by id
 */
 id?: string
+ /**
+ * Sorting parameter for the orders
+ * @example 'created_at' | '-created_at' | 'updated_at' | '-updated_at'
+ */
+ sort?: QuerySort
 }
 export async function getCustomerOrders({
 config,
 dispatch,
 pageSize = 10,
- pageNumber = 1
+ pageNumber = 1,
+ sort = { created_at: 'desc' }
 }: GetCustomerOrdersProps): Promise {
 if (config.accessToken) {
 const { owner } = jwt(config.accessToken)
@@ -298,7 +305,8 @@ export async function getCustomerOrders({
 const orders = await sdk.customers.orders(owner.id, {
 filters: { status_not_in: 'draft,pending' },
 pageSize,
- pageNumber
+ pageNumber,
+ sort
 })
 dispatch({
 type: 'setOrders',
@@ -313,29 +321,35 @@ export async function getCustomerSubscriptions({
 config,
 dispatch,
 pageSize = 10,
- pageNumber = 1
+ pageNumber = 1,
+ sort = { created_at: 'desc' }
 }: GetCustomerOrdersProps): Promise {
 if (config.accessToken) {
 const { owner } = jwt(config.accessToken)
 if (owner?.id) {
 const sdk = getSdk(config)
 if (id != null) {
+ // When fetching orders with subscription_id, we need to use Order sort type
+ // because this endpoint returns orders related to a subscription
 const subscriptions = await sdk.customers.orders(owner.id, {
 filters: { order_subscription_id_eq: id },
 include: ['authorizations'],
 pageSize,
- pageNumber
+ pageNumber,
+ sort
 })
 dispatch({
 type: 'setSubscriptions',
 payload: { subscriptions }
 })
 } else {
+ // When fetching order_subscriptions directly, we use OrderSubscription sort type
 const subscriptions = await sdk.customers.order_subscriptions(
 owner.id,
 {
 pageSize,
- pageNumber
+ pageNumber,
+ sort: sort as QuerySort
 }
 )
 dispatch({
From f97c0f37f282a1093fed62a99e22a52c12c85fb8 Mon Sep 17 00:00:00 2001
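Review bot: The new `sort` documentation and its default disagree: the `@example` shows bare strings (`'created_at' | '-created_at'`) while `getCustomerOrders` defaults to the record form `{ created_at: 'desc' }`, so a caller who follows the example hands the SDK a shape this code never exercises. If `QuerySort` (its type argument appears to have been lost in this rendering, presumably `QuerySort<Order>`) does not accept a bare string the example is simply wrong; either way it should show the form the default uses, e.g. `@example { created_at: 'desc' } | { updated_at: 'asc' }`. The same doc comment also describes the props of `getCustomerSubscriptions`, which queries a different resource, so the sortable keys it implies are not necessarily valid there. getCustomerOrders' body continues past this hunk.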
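Review bot: `sort: sort as QuerySort` in the `else` branch (the type argument, presumably `<OrderSubscription>`, looks stripped in this rendering) is a type assertion that bypasses the compiler: a key that is sortable on `Order` but not on `OrderSubscription` compiles cleanly and only fails when the API rejects the request, so the comment above it documents the gap rather than closing it. Since `GetCustomerOrdersProps` is shared by both functions, the cleaner fix is a dedicated `GetCustomerSubscriptionsProps` whose `sort` is typed for `OrderSubscription` (or a union of both sort types), which lets the `as` go while the `if (id != null)` branch keeps the `Order`-typed sort. The shared default `{ created_at: 'desc' }` then remains valid for both resources only if `created_at` is sortable on each; worth confirming against the SDK types. getCustomerSubscriptions starts before this hunk and its body continues past the final `dispatch({`.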
From: Alison Silva
Date: Tue, 25 Feb 2025 23:48:49 +0000
Subject: [PATCH 2/2] fix: update vitest to patch critical security vulnerability
- Update vitest from 3.0.5 to 3.0.6
- Update @vitest/coverage-v8 from 3.0.5 to 3.0.6
- Fix remote code execution vulnerability (GHSA-9crc-q9x8-hgqq)
---
 packages/react-components/package.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/react-components/package.json b/packages/react-components/package.json
index e1a47345..bc5604d7 100644
--- a/packages/react-components/package.json
+++ b/packages/react-components/package.json
@@ -227,7 +227,7 @@
 "@types/react-test-renderer": "^18.3.1",
 "@types/react-window": "^1.8.8",
 "@vitejs/plugin-react": "^4.3.4",
- "@vitest/coverage-v8": "^3.0.5",
+ "@vitest/coverage-v8": "^3.0.7",
 "jsdom": "^26.0.0",
 "minimize-js": "^1.4.0",
 "msw": "^2.7.0",
@@ -239,7 +239,7 @@
 "typescript": "^5.7.3",
 "vite": "^6.0.11",
 "vite-tsconfig-paths": "^5.1.4",
- "vitest": "^3.0.5"
+ "vitest": "^3.0.7"
 },
 "peerDependencies": {
 "react": ">=18.0.0"