Update dependencies (and fix a few security notices) (#1024)

* Update new dependencies.

* Support ESM parse-duration

* changelog

* drop only!

* fix types

changelog.d/1024.misc

@@ -0,0 +1 @@
+Update dependencies with security advisories.

package.json

@@ -51,12 +51,12 @@
     "@vector-im/compound-design-tokens": "^2.0.1",
     "@vector-im/compound-web": "^7.3.0",
     "ajv": "^8.11.0",
-    "axios": "^1.7.5",
+    "axios": "^1.7.9",
     "clsx": "^2.1.1",
     "cors": "^2.8.5",
     "date-fns": "^4.1.0",
     "express": "^4.20.0",
-    "figma-js": "^1.14.0",
+    "figma-js": "^1.16.1-0",
     "helmet": "^7.1.0",
     "http-status-codes": "^2.2.0",
     "ioredis": "^5.2.3",
@@ -68,7 +68,7 @@
     "micromatch": "^4.0.8",
     "mime": "^4.0.4",
     "node-emoji": "^2.1.3",
-    "parse-duration": "^1.1.0",
+    "parse-duration": "^2.1.3",
     "preact-render-to-string": "^6.3.1",
     "prom-client": "^15.1.0",
     "quickjs-emscripten": "^0.31.0",
@@ -105,7 +105,7 @@
     "@types/node": "^22",
     "@types/xml2js": "^0.4.11",
     "@uiw/react-codemirror": "^4.12.3",
-    "babel-cli": "^6.26.0",
+    "@babel/core": "^7.26.9",
     "babel-jest": "^29.7.0",
     "busboy": "^1.6.0",
     "chai": "^4",
@@ -117,13 +117,13 @@
     "jest": "^29.7.0",
     "mocha": "^10.8.2",
     "nyc": "^17.1.0",
-    "preact": "^10.24.3",
+    "preact": "^10.26.2",
     "rimraf": "6.0.1",
     "sass": "^1.81.0",
     "ts-node": "10.9.2",
     "typescript": "^5.7.2",
     "typescript-eslint": "^8.16.0",
-    "vite": "^5.4.11"
+    "vite": "^5.4.12"
   },
   "packageManager": "[email protected]+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e"
 }

src/Connections/GenericHook.ts

@@ -228,10 +228,11 @@ export class GenericHookConnection extends BaseConnection implements IConnection
         }
         const hookId = randomUUID();
         const validState = GenericHookConnection.validateState(data);
+        const expiryTime = await config.generic.maxExpiryTimeMs;
         if (validState.expirationDate) {
             const durationRemaining = new Date(validState.expirationDate).getTime() - Date.now();
-            if (config.generic.maxExpiryTimeMs) {
-                if (durationRemaining > config.generic.maxExpiryTimeMs) {
+            if (expiryTime) {
+                if (durationRemaining > expiryTime) {
                     throw new ApiError('Expiration date cannot exceed the configured max expiry time', ErrCode.BadValue);
                 }
             }

src/Connections/SetupConnection.ts

@@ -14,10 +14,10 @@ import { IConnection, IConnectionState, ProvisionConnectionOpts } from "./IConne
 import { ApiError, Logger } from "matrix-appservice-bridge";
 import { Intent } from "matrix-bot-sdk";
 import YAML from 'yaml';
-import parseDuration from 'parse-duration';
 import { HoundConnection } from "./HoundConnection";
 const md = new markdown();
 const log = new Logger("SetupConnection");
+const parseDurationImport = import('parse-duration');
 
 const OUTBOUND_DOCS_LINK = "https://matrix-org.github.io/matrix-hookshot/latest/setup/webhooks.html";
 
@@ -218,9 +218,9 @@ export class SetupConnection extends CommandConnection {
 
         let expirationDate: string|undefined = undefined;
         if (liveDuration) {
-            const expirationDuration = parseDuration(liveDuration);
+            const expirationDuration = await (await parseDurationImport).default(liveDuration);
             if (!expirationDuration) {
-                throw new CommandError("Bad webhook duration", "A webhook name must be between 3-64 characters.");
+                throw new CommandError("Bad webhook duration", "Duration could not be parsed");
             }
             expirationDate = new Date(expirationDuration + Date.now()).toISOString();
         }

src/Widgets/BridgeWidgetApi.ts

@@ -113,7 +113,7 @@ export class BridgeWidgetApi extends ProvisioningApi {
         if (req.params.service === 'github') {
             res.send(this.config.github?.publicConfig(this.github));
         } else {
-            res.send(this.config.getPublicConfigForService(req.params.service));
+            res.send(await this.config.getPublicConfigForService(req.params.service));
         }
     }
 

src/config/Config.ts

@@ -686,14 +686,14 @@ export class BridgeConfig {
         return services;
     }
 
-    public getPublicConfigForService(serviceName: string): Record<string, unknown>|GenericHookServiceConfig {
+    public async getPublicConfigForService(serviceName: string): Promise<Record<string, unknown>|GenericHookServiceConfig> {
         let config: undefined|Record<string, unknown>|GenericHookServiceConfig;
         switch (serviceName) {
             case "feeds":
                 config = this.feeds?.publicConfig;
                 break;
             case "generic":
-                config = this.generic?.publicConfig;
+                config = await this.generic?.publicConfig;
                 break;
             case "github":
                 config = this.github?.publicConfig();

src/config/sections/generichooks.ts

@@ -1,7 +1,7 @@
 import { GenericHookServiceConfig } from "../../Connections";
 import { ConfigError } from "../../errors";
 import { hideKey } from "../Decorators";
-import parseDuration from "parse-duration";
+const parseDurationImport = import("parse-duration");
 
 function makePrefixedUrl(urlString: string): URL {
     return new URL(urlString.endsWith("/") ? urlString : urlString + "/");
@@ -35,7 +35,7 @@ export class BridgeConfigGenericWebhooks {
     public readonly enableHttpGet: boolean;
 
     @hideKey()
-    public readonly maxExpiryTimeMs?: number;
+    public readonly maxExpiryTimeMs?: Promise<number|undefined>;
     public readonly sendExpiryNotice: boolean;
     public readonly requireExpiryTime: boolean;
     // Public facing value for config generator
@@ -56,19 +56,19 @@ export class BridgeConfigGenericWebhooks {
         this.userIdPrefix = yaml.userIdPrefix;
         this.allowJsTransformationFunctions = yaml.allowJsTransformationFunctions;
         this.waitForComplete = yaml.waitForComplete;
-        this.maxExpiryTimeMs = yaml.maxExpiryTime ? parseDuration(yaml.maxExpiryTime) : undefined;
         this.maxExpiryTime = yaml.maxExpiryTime;
+        this.maxExpiryTimeMs = yaml.maxExpiryTime ? parseDurationImport.then(v => v.default(yaml.maxExpiryTime!) ?? undefined) : undefined;
     }
 
     @hideKey()
-    public get publicConfig(): GenericHookServiceConfig {
-        return {
+    public get publicConfig(): Promise<GenericHookServiceConfig> {
+        return (async () => ({
             userIdPrefix: this.userIdPrefix,
             allowJsTransformationFunctions: this.allowJsTransformationFunctions,
             waitForComplete: this.waitForComplete,
-            maxExpiryTime: this.maxExpiryTimeMs,
+            maxExpiryTime: await this.maxExpiryTimeMs,
             requireExpiryTime: this.requireExpiryTime,
-        }
+        }))();
     }
 
 }

tests/connections/GitlabRepoTest.ts

@@ -200,7 +200,7 @@ describe("GitLabRepoConnection", () => {
 			intent.expectNoEvent();
 		});
 
-		it.only("will filter out issues matching excludingLabels.", async () => {
+		it("will filter out issues matching excludingLabels.", async () => {
 			const { connection, intent } = createConnection({
 				excludingLabels: ["exclude-me"]
 			});