
CRASM-3844 Resolve CheckmarX vulnerability dependencies#1500

Open
jayjaybunce wants to merge 10 commits into develop from jb-crasm-3844

Conversation

@jayjaybunce
Contributor

@jayjaybunce jayjaybunce commented Mar 30, 2026

🗣 Description

Packages Upgraded
Frontend
axios - From 1.11.0 to 1.15.0
aws-amplify - From 5.3.12 to 6.16.3
@aws-amplify/ui-react - From 5.0.4 to 6.15.2
express-rate-limit - From 8.2.1 to 8.3.2
rollup - From 4.22.4 to 4.59.0
minimatch - From unpinned to 10.2.5
basic-ftp - From unpinned to 5.2.0
serverless-better-credentials - From 1.2.0 to 2.0.1
serverless-domain-manager - From 7.0.0 to 10.0.0
serverless-esbuild - From unpinned to 1.57.0
fast-xml-parser - From unpinned to 5.5.8
undici - From unpinned to 6.23.0
simple-git - From unpinned to 3.33.0
vite - From 7.0.4 to 7.3.2
lodash - From unpinned to 4.18.1
immutable - From unpinned to 3.8.3
Removed fs due to malicious version 0.0.1-security

Backend
Python Requirements
aiohttp - From 3.12.14 to 3.13.3
cryptography - From 44.0.1 to 46.0.6
Django - From 5.2.9 to 5.2.11
PyJWT - From 2.10.1 to 2.12.0
orjson - From 3.10.12 to 3.11.7
python-multipart - From 0.0.19 to 0.0.22
fastapi - From 0.116.2 to 0.120.1
Node dependencies
osls - From 3.61.1 to 3.63.2
fast-xml-parser - From unpinned to 5.5.8
serverless-better-credentials - From 2.0.0 to 2.0.1
serverless-domain-manager - From 7.0 to 10.0.0
simple-git - From unpinned to 3.36.0
lodash - From unpinned to 4.18.1

Worker
cryptography - From 44.0.1 to 46.0.5
mitmproxy - From 12.0.0 to 12.2.2
sslyze - From 6.2.0 to 6.3.1

External Pshtt Fork
sslyze - From 6.2.0 to 6.3.1
cryptography - From unpinned to 46.0.5

Root XFD
Removed fs due to malicious version 0.0.1-security
lodash - From unpinned to 4.18.1

Playwright
axios - From 1.7.9 to 1.13.6

Docs
lodash - From unpinned to 4.18.1
svgo - From unpinned to 3.3.3

Code Changes
With the upgrade of aws-amplify and @aws-amplify/ui-react to version 6, code changes were required to the use of these packages in the frontend. Relevant changes are in useApi.ts and App.tsx.

Vulnerabilities Resolved
7 Critical
17 High
12 Medium
6 Low

💭 Motivation and context

Resolves CRASM-3844

🧪 Testing

The bulk of the testing can be done by following the standard process for starting the application; however, because the changes made touch dependencies, testers should ensure the frontend, backend and worker containers are rebuilt so that testing takes place on containers with the upgraded dependencies.
The frontend, backend and worker containers should be rebuilt before testing

  1. XFD => npm run start
  2. backend => make syncmdl-populate
  3. In the app => create and execute the following scans: refresh_vs_summaries, searchSync
  4. Poke around each view and ensure data is being populated
  5. Inspect API responses in dev tools

The code changes to useApi affect every API call made across the application. Every view was tested by inspecting API response shapes, correlating those to the frontend components which use/display that data, and ensuring everything works as intended and the responses include the correct shape and correct data.

Additionally, the build of each container was tested to ensure there are no dependency conflicts during the installation of dependencies.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All future TODOs are captured in issues, which are referenced in code comments.
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
  • Tests have been added and/or modified to cover the changes in this PR.
  • All new and existing tests pass.
  • Bump major, minor, patch, pre-release, and/or build versions as appropriate via the bump_version script if this repository is versioned and the changes in this PR warrant a version bump.
  • Create a pre-release (necessary if and only if the pre-release version was bumped).

✅ Pre-merge checklist

  • Revert dependencies to default branches.
  • Finalize version.

✅ Post-merge checklist

  • Create a release (necessary if and only if the version was bumped).

@jayjaybunce jayjaybunce changed the title resolve critical vulns DRAFT: Resolve CheckmarX vulnerability dependencies Mar 31, 2026
@jayjaybunce jayjaybunce marked this pull request as ready for review April 2, 2026 18:07
@jayjaybunce jayjaybunce changed the title DRAFT: Resolve CheckmarX vulnerability dependencies CRASM-3844 Resolve CheckmarX vulnerability dependencies Apr 2, 2026
cduhn17 previously approved these changes Apr 13, 2026
Collaborator

@cduhn17 cduhn17 left a comment


Approved, but assume that the failing check is a known failure and there is not currently a way to verify that these version upgrades result in a stable platform.

@jsalinasnttdata
Contributor

Regarding the Amplify v6 migration, overall, the migration looks solid. The API structure and imports seem to be updated correctly and the new configuration format properly implemented while still maintaining backward compatibility through conditional Cognito setup.

That said, there are a few concerns to keep an eye on: the significant changes to the API method signatures, ensuring error handling still behaves as expected, and the need for robust handling around the new response.body.json() pattern. I'm assuming thorough testing has been done or is planned, so I went ahead and approved, but wanted to call out these risks.
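The review above flags the need for robust handling around the Amplify v6 response.body.json() pattern. The following is an added TypeScript example, not code from this PR, from useApi.ts, or from aws-amplify itself: it shows one way a call site can enforce a 2xx status, tolerate an empty body, turn a non-JSON body into a typed error, and validate the payload shape before data reaches a component. The RestOperation, RestResponse and ResponseBody interfaces are minimal stand-ins modelled on the shape of Amplify v6's REST response (an assumption, declared locally so the file runs offline rather than imported from the library); ScanSummary, isScanSummary, mockOperation, parseJsonBody, readApiResponse and ApiResponseError are hypothetical names chosen for this illustration.

```typescript
// Added example (not from the PR or aws-amplify): defensive handling of the
// Amplify v6-style `const { body } = await op.response; await body.json()` pattern.
// The interfaces below are minimal stand-ins modelled on Amplify v6's REST
// response shape (an assumption, not an import) so the file runs offline.

interface ResponseBody {
  json(): Promise<unknown>;
  text(): Promise<string>;
}

interface RestResponse {
  statusCode: number;
  headers: Record<string, string>;
  body: ResponseBody;
}

interface RestOperation {
  response: Promise<RestResponse>;
}

// Error carrying enough context to log and to decide how the UI should react.
class ApiResponseError extends Error {
  readonly statusCode: number;
  readonly rawBody: string;
  constructor(message: string, statusCode: number, rawBody: string) {
    super(message);
    this.name = "ApiResponseError";
    this.statusCode = statusCode;
    this.rawBody = rawBody;
  }
}

// Synchronous core: enforce a 2xx status, tolerate an empty body, and turn a
// JSON parse failure into a typed error instead of an unhandled exception.
function parseJsonBody(statusCode: number, rawBody: string): unknown {
  if (statusCode < 200 || statusCode >= 300) {
    throw new ApiResponseError(`HTTP ${statusCode}`, statusCode, rawBody);
  }
  if (rawBody.trim() === "") {
    return null; // e.g. 204 No Content: nothing to parse
  }
  try {
    return JSON.parse(rawBody);
  } catch (err) {
    const reason = err instanceof Error ? err.message : String(err);
    throw new ApiResponseError(`non-JSON body: ${reason}`, statusCode, rawBody);
  }
}

// Async wrapper for call sites: read the body as text first so a non-JSON
// reply (HTML error page, empty 204) is reported rather than crashing in json(),
// then validate the shape with a type guard before the data reaches components.
async function readApiResponse<T>(
  op: RestOperation,
  guard: (value: unknown) => value is T,
): Promise<T> {
  const res = await op.response;
  const raw = await res.body.text();
  const parsed = parseJsonBody(res.statusCode, raw);
  if (!guard(parsed)) {
    throw new ApiResponseError("unexpected response shape", res.statusCode, raw);
  }
  return parsed;
}

// Hypothetical payload shape and guard, standing in for whatever a view expects.
interface ScanSummary {
  id: string;
  count: number;
}

function isScanSummary(value: unknown): value is ScanSummary {
  if (typeof value !== "object" || value === null) return false;
  const rec = value as Record<string, unknown>;
  return typeof rec.id === "string" && typeof rec.count === "number";
}

// Constructed stand-in for a RestOperation, used only for offline demonstration.
function mockOperation(statusCode: number, raw: string): RestOperation {
  return {
    response: Promise.resolve({
      statusCode,
      headers: { "content-type": "application/json" },
      body: {
        json: async () => JSON.parse(raw) as unknown,
        text: async () => raw,
      },
    }),
  };
}

// Usage: a good reply resolves to typed data; a bad one rejects with context.
readApiResponse(mockOperation(200, '{"id":"abc","count":2}'), isScanSummary)
  .then((s) => console.log("ok:", s.id, s.count))
  .catch((e: ApiResponseError) => console.error(e.name, e.statusCode, e.rawBody));
```

Reading the body with text() and parsing it yourself costs nothing extra and means the raw bytes are available in the error for logging; the type guard is what keeps a changed response shape from silently producing undefined fields in the UI, which is the failure mode a signature migration like this one tends to introduce.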

@ameliav ameliav self-requested a review April 13, 2026 17:12
ameliav previously approved these changes Apr 13, 2026