[Snyk] Security upgrade npm from 5.6.0 to 7.0.0 #90

Open
wants to merge 1 commit into
base: master

Conversation

Omrisnyk
Owner

This PR was automatically created by Snyk using the credentials of a real user.



Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • openshift/message-board/message-board-web/package.json
  • openshift/message-board/message-board-web/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue                                                  Score
medium severity  Server-Side Request Forgery (SSRF)     119
                 SNYK-JS-IP-7148531
Release notes
Package name: npm
  • 7.0.0 - 2020-10-13

    v7.0.0 (2020-10-12)

    BUG FIXES

    DOCUMENTATION

    DEPENDENCIES

    • 15366a1cf npm-registry-fetch@8.1.5
    • f04a74140 init-package-json@2.0.0
      • 1de21dce0 fix: support dot-separated aliases defined in .npmrc ini files for init-* configs (@ ruyadorno)
    • a67275cd9 eslint@7.11.0
    • 6fb83b78d hosted-git-info@3.0.6
    • 1ca30cc9b libnpmfund@1.0.0
    • 28a2d2ba4 @npmcli/arborist@1.0.0
      • npm/rfcs#239 Improve handling of conflicting peerDependencies in transitive dependencies, so that --force will always accept a best effort override, and --strict-peer-deps will fail faster on conflicts.
    • 9306c6833 libnpmfund@1.0.1
    • fafb348ef npm-package-arg@8.1.0
    • 365f2e756 read-package-json@3.0.0
  • 7.0.0-rc.4 - 2020-10-09

    v7.0.0-rc.4 (2020-10-09)

    • 09b456f2d @npmcli/config@1.2.1
      • #1919 exposes npm_config_user_agent env variable (@ nlf)
    • e859fba9e #1936 fix npx for non-interactive shells (@ nlf)
    • 9320b8e4f #1906 restore old npx behavior of running existing bins first (@ nlf)
    • 7bd47ca2c @npmcli/arborist@0.0.33
      • fixed handling of invalid package.json file
    • 02737453b make-fetch-happen@8.0.10
      • do not calculate integrity values of http errors
  • 7.0.0-rc.3 - 2020-10-06

    v7.0.0-rc.3 (2020-10-06)

  • 7.0.0-rc.2 - 2020-10-02

    v7.0.0-rc.2 (2020-10-02)

    • 6de81a013 @npmcli/run-script@1.7.2
      • Fix regression running 'install' scripts when package.json does not contain a scripts object
  • 7.0.0-rc.1 - 2020-10-02

    v7.0.0-rc.1 (2020-10-02)

    • 281a7f39a @npmcli/arborist@0.0.31
      • Allow npm update to update bundled root dependencies
      • Only do implicit node-gyp build for gyp files named binding.gyp
    • 384f5ec47 update minipass-fetch to fix many 'cb() never called' errors
    • 7b1e75906 @npmcli/run-script@1.7.1
      • Only do implicit node-gyp build for gyp files named binding.gyp
    • c20e2f0c7 #1892 Support --omit options in npm outdated
  • 7.0.0-rc.0 - 2020-10-01

    v7.0.0-rc.0 (2020-10-01)

  • 7.0.0-beta.13 - 2020-09-29

    v7.0.0-beta.13 (2020-09-29)

  • 7.0.0-beta.12 - 2020-09-22

    v7.0.0-beta.12 (2020-09-22)

    • 24f3a5448 #1811 npm ci should never save package.json or lockfile (@ isaacs)
    • 5e780a5f0 remove unused spec parameter, assign error code (@ nlf)
    • f019a248a Remove unused npx binary (@ isaacs)
    • db157b3ce @npmcli/arborist@0.0.27
      • Resolve race condition with conflicting bin links in local installs
      • #1812 Log engine mismatches more usefully
      • #1814 Do not loop trying to resolve dependencies that fail to load
      • npm/rfcs#224 Do not automatically install optional peer dependencies
      • Add the strictPeerDeps option, defaulting to false
      • fix forwarding configs to resolve pkg spec when adding new deps
    • b3a50d275 #1846 @npmcli/run-script@1.6.0
      • This updates node-gyp to v7, allowing us to deduplicate a lot of significant dependencies.
    • a1d375f6b #1819 Add --strict-peer-deps option (@ isaacs)
    • 5837a4843 #1699 Use allow/deny list in docs (@ luciomartinez)
  • 7.0.0-beta.11 - 2020-09-16

    v7.0.0-beta.11 (2020-09-16)

    • 63005f4a9 #1639 npm view should not output extra newline (@ MylesBorins)
    • 3743a42c8 #1750 add outdated tests (@ claudiahdz)
    • 2019abdf1 #1786 add lib/link.js tests (@ ruyadorno)
    • 2f8d11968 @npmcli/arborist@0.0.25
      • add meta vulnerability calculator for faster audits
      • changed parsing specs to be relative to cwd
      • fix logging script execution
      • fix properly following resolved symlinks
      • fix package.json dependencies order
    • 49b2bf5a7 @npmcli/config@1.1.8
      • fix unknown envs to be passed through
      • fix setting correct globalPrefix on load
    • f9aac351d libnpmversion@1.0.5
      • fix git ignored lockfiles
  • 7.0.0-beta.10 - 2020-09-08

    v7.0.0-beta.10 (2020-09-08)

  • 7.0.0-beta.9 - 2020-09-04
  • 7.0.0-beta.8 - 2020-09-01
  • 7.0.0-beta.7 - 2020-08-25
  • 7.0.0-beta.6 - 2020-08-21
  • 7.0.0-beta.5 - 2020-08-18
  • 7.0.0-beta.4 - 2020-08-11
  • 7.0.0-beta.3 - 2020-08-10
  • 7.0.0-beta.2 - 2020-08-07
  • 7.0.0-beta.1 - 2020-08-05
  • 7.0.0-beta.0 - 2020-08-04
  • 6.14.18 - 2022-12-21
  • 6.14.17 - 2022-04-28
  • 6.14.16 - 2022-01-19
  • 6.14.15 - 2021-08-24
  • 6.14.14 - 2021-07-27
  • 6.14.13 - 2021-04-12
  • 6.14.12 - 2021-03-25
  • 6.14.11 - 2021-01-08
  • 6.14.10 - 2020-12-18
  • 6.14.9 - 2020-11-20
  • 6.14.8 - 2020-08-17
  • 6.14.7 - 2020-07-21
  • 6.14.6 - 2020-07-07
  • 6.14.5 - 2020-05-04
  • 6.14.4 - 2020-03-25
  • 6.14.3 - 2020-03-19
  • 6.14.2 - 2020-03-03
  • 6.14.1 - 2020-02-27
  • 6.14.0 - 2020-02-25
  • 6.13.7 - 2020-01-28
  • 6.13.6 - 2020-01-09
  • 6.13.5 - 2020-01-09
  • 6.13.4 - 2019-12-11
  • 6.13.3 - 2019-12-10
  • 6.13.2 - 2019-12-03
  • 6.13.1 - 2019-11-18
  • 6.13.0 - 2019-11-05
  • 6.12.1 - 2019-10-29
  • 6.12.0 - 2019-10-08
  • 6.12.0-next.0 - 2019-09-26
  • 6.11.3 - 2019-09-03
  • 6.11.2 - 2019-08-22
  • 6.11.1 - 2019-08-21
  • 6.11.0 - 2019-08-20
  • 6.10.3 - 2019-08-06
  • 6.10.2 - 2019-07-23
  • 6.10.2-next.3 - 2019-07-22
  • 6.10.2-next.2 - 2019-07-21
  • 6.10.2-next.1 - 2019-07-17
  • 6.10.2-next.0 - 2019-07-16
  • 6.10.1 - 2019-07-11
  • 6.10.1-next.2 - 2019-07-10
  • 6.10.1-next.1 - 2019-07-03
  • 6.10.1-next.0 - 2019-07-03
  • 6.10.0 - 2019-07-03
  • 6.10.0-next.0 - 2019-07-01
  • 6.9.2 - 2019-06-27
  • 6.9.1-next.0 - 2019-03-20
  • 6.9.0 - 2019-03-06
  • 6.9.0-next.0 - 2019-02-21
  • 6.8.0 - 2019-02-13
  • 6.8.0-next.2 - 2019-02-07
  • 6.8.0-next.1 - 2019-02-06
  • 6.8.0-next.0 - 2019-01-31
  • 6.7.0 - 2019-01-23
  • 6.6.0 - 2019-01-17
  • 6.6.0-next.1 - 2019-01-10
  • 6.6.0-next.0 - 2018-12-12
  • 6.5.0 - 2018-12-10
  • 6.5.0-next.0 - 2018-11-28
  • 6.4.1 - 2018-08-29
  • 6.4.1-next.0 - 2018-08-23
  • 6.4.0 - 2018-08-15
  • 6.4.0-next.0 - 2018-08-09
  • 6.3.0 - 2018-08-02
  • 6.3.0-next.0 - 2018-07-25
  • 6.2.0 - 2018-07-14
  • 6.2.0-next.1 - 2018-07-05
  • 6.2.0-next.0 - 2018-06-29
  • 6.1.0 - 2018-05-24
  • 6.1.0-next.0 - 2018-05-17
  • 6.0.1 - 2018-05-10
  • 6.0.1-next.0 - 2018-05-04
  • 6.0.0 - 2018-04-24
  • 6.0.0-next.2 - 2018-04-21
  • 6.0.0-next.1 - 2018-04-13
  • 6.0.0-next.0 - 2018-03-23
  • 5.10.0 - 2018-05-11
  • 5.10.0-next.1 - 2018-05-07
  • 5.10.0-next.0 - 2018-04-13
  • 5.9.0-next.0 - 2018-03-23
  • 5.8.0 - 2018-03-23
  • 5.8.0-next.0 - 2018-03-13
  • 5.7.1 - 2018-02-22
  • 5.7.0 - 2018-02-21
  • 5.6.0 - 2017-11-28
from npm GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.


…ft/message-board/message-board-web/package-lock.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-IP-7148531
@Omrisnyk
Owner Author

🎉 Snyk hasn't found any issues so far.

code/snyk check completed. No issues were found.
