New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 14 vulnerabilities #9

Open

snyk-bot wants to merge 1 commit into main from snyk-fix-e97a613aa53fd6ecda5719e3e85be187

snyk-bot commented Feb 14, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	No	Proof of Concept
	621/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6	Prototype Pollution SNYK-JS-FLAT-596927	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-LOADERUTILS-3043105	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1090595	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: express

The new version differs by 117 commits.

3d7fce5 4.17.3
f906371 build: update example dependencies
6381bc6 deps: qs@6.9.7
a007863 deps: body-parser@1.19.2
e98f584 Revert "build: use minimatch@3.0.4 for Node.js < 4"
a659137 tests: use strict mode
a39e409 tests: prevent leaking changes to NODE_ENV
82de4de examples: fix path traversal in downloads example
12310c5 build: use nyc for test coverage
884657d examples: remove bitwise syntax for includes check
7511d08 build: use minimatch@3.0.4 for Node.js < 4
2585f20 tests: fix test missing assertion
9d09762 build: supertest@6.2.2
43cc56e build: clean up gitignore
1c7bbcc build: Node.js@14.19
9cbbc8a deps: cookie@0.4.2
6fbc269 pref: remove unnecessary regexp for trust proxy
2bc734a deps: accepts@~1.3.8
89bb531 docs: fix typo in res.download jsdoc
744564f tests: add test for multiple ips in "trust proxy"
da6cb0e tests: add range tests to res.download
00ad5be tests: add more tests for app.request & app.response
141914e tests: fix tests that did not bubble errors
bd4fdfe tests: remove global dependency on should

See the full diff

Package name: flat

The new version differs by 12 commits.

e5ffd66 Release 5.0.2
fdb79d5 Update dependencies, refresh lockfile, format with standard.
e52185d Test against node 14 in CI.
0189cb1 Avoid arrow function syntax.
f25d3a1 Release 5.0.1
54cc7ad use standard formatting
779816e drop dependencies
2eea6d3 Bump lodash from 4.17.15 to 4.17.19
a61a554 Bump acorn from 7.1.0 to 7.4.0
20ef0ef Fix prototype pollution on unflatten
e8fb281 Test prototype pollution on unflatten
6e95c43 Add node 10 & 12 to travis config.

See the full diff

Package name: got

The new version differs by 250 commits.

5e17bb7 11.8.5
bce8ce7 Backport 861ccd9ac2237df762a9e2beed7edd88c60782dc
8ced192 Fix build
670eb04 11.8.4
20f29fe Backport add update index.md github/docs#1543: Initialize globalResponse in case of ignored HTTPError (x github/docs#2017)
0da732f 11.8.3
9463bb6 Bump cacheable-request dependency (Vcc.com github/docs#1921)
0e167b8 HTTPError code set to 'HTTPError' #1711 (rohittravels.md github/docs#1739)
f896aa5 11.8.2
3bd245f Instantiate CacheableLookup only when needed (Update point 2 of Creating your first workflow github/docs#1529)
a72ed84 11.8.1
4c815c3 Do not throw on custom stack traces (repo sync github/docs#1491)
e0cb820 11.8.0
f65c9ef Upgrade dependencies
7acd380 Fix for sending files with size `0` on `stat` (Josenavarro64@gmail.com github/docs#1488)
6aa86f2 Fix indentation in the readme
3dd2273 `beforeRetry` allows stream body if different from original (Include work around for wildcards in HTTP Proxy Exclusion list github/docs#1501)
b1afa2b Fix readme example comment (fix: Links to localhost addresses github/docs#1505)
390b145 Set default value for an options object (Content style guide suggests to avoid the wrong term github/docs#1495)
87dadd5 Fixed documentation example for `responseType` ("repository_dispatch" event shows wrong GITHUB.SHA and GITHUB.REF information github/docs#1494)
3bf3e3b Add `lookup` option documentation (add access-permissions-on-github.md github/docs#1483)
c31366b Add a test for repo sync github/docs#1438 (repo sync github/docs#1469)
5d62958 11.7.0
88b32ea Fix a regression where body was sent after redirect

See the full diff

Package name: hubdown

The new version differs by 37 commits.

56fba5a build: use cfa orb ([Snyk] Upgrade: @babel/core, @babel/plugin-proposal-class-properties, @babel/plugin-syntax-class-properties, @babel/plugin-transform-modules-amd, @babel/plugin-transform-modules-commonjs, @babel/plugin-transform-react-jsx, @babel/plugin-transform-runtime, @babel/runtime, @babel/preset-env, @babel/preset-react #58)
b496b57 fix: update dependencies to clean up yarn audit
b9a2c49 Merge pull request [Snyk] Upgrade instantsearch.js from 4.8.2 to 4.56.8 #55 from electron/dependabot/npm_and_yarn/minimist-1.2.6
4cf5e68 build(deps): bump minimist from 1.2.5 to 1.2.6
a8e74f9 Merge pull request [Snyk] Upgrade instantsearch.js from 4.8.2 to 4.56.7 #49 from electron/dependabot/npm_and_yarn/tar-4.4.19
f4279d4 Merge pull request [Snyk] Upgrade: @babel/core, @babel/plugin-proposal-class-properties, @babel/plugin-syntax-class-properties, @babel/plugin-transform-modules-amd, @babel/plugin-transform-modules-commonjs, @babel/plugin-transform-react-jsx, @babel/plugin-transform-runtime, @babel/runtime, @babel/preset-env, @babel/preset-react #52 from electron/dependabot/npm_and_yarn/trim-off-newlines-1.0.3
2e4deda Merge pull request [Snyk] Upgrade @graphql-tools/load from 6.2.5 to 6.2.8 #48 from electron/dependabot/npm_and_yarn/path-parse-1.0.7
57b6581 build(deps): bump tar from 4.4.15 to 4.4.19
b3dc62b build(deps): bump path-parse from 1.0.6 to 1.0.7
f060a2e Merge pull request [Snyk] Upgrade @graphql-tools/load from 6.2.5 to 6.2.8 #34 from electron/dependabot/npm_and_yarn/semantic-release-17.2.3
19966a2 build(deps-dev): bump semantic-release from 15.13.18 to 17.2.3
ddbd350 build(deps): bump trim-off-newlines from 1.0.1 to 1.0.3
6c814d0 Merge pull request [Snyk] Upgrade instantsearch.js from 4.8.2 to 4.56.5 #44 from electron/dependabot/npm_and_yarn/hosted-git-info-2.8.9
f4e6c45 build(deps): bump hosted-git-info from 2.8.8 to 2.8.9
4ceec32 chore: update deps
bc56a8e Merge pull request [Snyk] Upgrade instantsearch.js from 4.8.2 to 4.56.4 #42 from electron/dependabot/npm_and_yarn/handlebars-4.7.7
527014e Merge pull request [Snyk] Upgrade instantsearch.js from 4.8.2 to 4.56.3 #41 from electron/dependabot/npm_and_yarn/ssri-6.0.2
0924e3a Merge pull request [Snyk] Security upgrade debian from bullseye-20230109-slim to bullseye-20230703-slim #43 from electron/dependabot/npm_and_yarn/lodash-4.17.21
3192253 Merge pull request [Snyk] Upgrade instantsearch.js from 4.8.2 to 4.56.5 #45 from electron/dependabot/npm_and_yarn/glob-parent-5.1.2
00dcb3e Merge pull request [Snyk] Upgrade: @babel/core, @babel/plugin-proposal-class-properties, @babel/plugin-syntax-class-properties, @babel/plugin-transform-modules-amd, @babel/plugin-transform-modules-commonjs, @babel/plugin-transform-react-jsx, @babel/plugin-transform-runtime, @babel/runtime, @babel/preset-env, @babel/preset-react #47 from electron/dependabot/npm_and_yarn/https-proxy-agent-2.2.4
3b47978 build(deps): bump https-proxy-agent from 2.2.2 to 2.2.4
73c77e2 Merge pull request [Snyk] Upgrade sass from 1.26.3 to 1.63.6 #46 from electron/dependabot/npm_and_yarn/normalize-url-4.5.1
9b5332e build(deps): bump normalize-url from 4.5.0 to 4.5.1
6e59094 build(deps): bump glob-parent from 5.0.0 to 5.1.2

See the full diff

Package name: linkinator

The new version differs by 141 commits.

2cab633 feat: create new release with notes (Missed slash in "if" and minor formatting github/docs#508)
a376199 fix!: stream CSV results (repo sync github/docs#507)
18d808c chore(deps): update dependency @ types/update-notifier to v6 (repo sync github/docs#503)
0ee27e0 chore(deps): update dependency got to 11.8.5 [security] (Update testing-webhooks.md github/docs#505)
5ef0e1e build!: drop support for nodejs 12.x (docs: add tnir as a contributor github/docs#506)
eeebebd build(deps-dev): bump semantic-release from 19.0.2 to 19.0.3 (Multiple deploy keys github/docs#501)
da166dd build(deps): bump semver-regex from 3.1.3 to 3.1.4 (Multiple Unique Deployment Keys on One Server. github/docs#500)
4c63eb8 build(deps): bump npm from 8.3.1 to 8.12.0 (Fix and extend push webhook documentation. github/docs#499)
5ca5a46 feat: allow --skip to be defined multiple times (https://github.com/github/docs/pull/398#issue-501049475 github/docs#399)
9c2b5d8 chore(deps): update dependency sinon to v14 (Update defining-the-mergeability-of-pull-requests.md github/docs#398)
d334dc6 fix(deps): upgrade node-glob to v8 (.Update keyboard-shortcuts.md github/docs#397)
ba3b9a8 fix(deps): upgrade to htmlparser2 v8.0.1 (Translation of the last line into Portuguese github/docs#396)
48af50e fix(deps): update dependency gaxios to v5 (Repairing .allcontributorsrc github/docs#391)
78ae8b5 chore(deps): update github/codeql-action action to v2 (Update autolinked-references-and-urls.md github/docs#393)
0b31851 chore(deps): update dependency mocha to v10 (Update identifying-and-authorizing-users-for-github-apps.md github/docs#394)
e586584 build(deps): bump minimist from 1.2.5 to 1.2.6 (docs: Add Chinese translation github/docs#387)
1cc3a88 docs: Update latest major version specified in SECURITY.md (repo sync github/docs#380)
833fd33 chore(deps): update actions/checkout action to v3 (#385)
1835248 chore(deps): update actions/setup-node action to v3 (#383)
4a16353 build(deps): bump simple-get from 3.1.0 to 3.1.1 (repo sync github/docs#379)
65dfb90 chore(deps): update dependency simple-get to 3.1.1 [security] (Neftali github/docs#378)
96d3ddf chore(deps): update dependency nanoid to 3.1.31 [security] (repo sync github/docs#377)
ad1e73e build(deps): bump node-fetch from 2.6.1 to 2.6.7 (API Libraries Design update github/docs#376)
9b287c3 chore(deps): update dependency sinon to v13 (repo sync github/docs#375)

See the full diff

Package name: node-fetch

The new version differs by 7 commits.

1ef4b56 backport of Lukáš github/docs#1449 (repo sync github/docs#1453)
8fe5c4e 2.x: Specify encoding as an optional peer dependency in package.json (repo sync github/docs#1310)
f56b0c6 fix(URL): prefer built in URL version when available and fallback to whatwg (Adding your SSH key to the ssh-agent still shows "$ ssh-add ~/.ssh/id_rsa" when it should show "$ ssh-add ~/.ssh/id_ed25519" github/docs#1352)
b5417ae fix: import whatwg-url in a way compatible with ESM Node (Add new example to Actions Code examples github/docs#1303)
18193c5 fix v2.6.3 that did not sending query params (Update about-custom-domains-and-github-pages.md github/docs#1301)
ace7536 fix: properly encode url with unicode characters (Update and rename content/github/collaborating-with-issues-and-pull-r… github/docs#1291)
152214c Fix(package.json): Corrected main file path in package.json (repo sync github/docs#1274)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Prototype Pollution
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn


          fix: package.json & package-lock.json to reduce vulnerabilities

266beab

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ASYNC-2441827
- https://snyk.io/vuln/SNYK-JS-FLAT-596927
- https://snyk.io/vuln/SNYK-JS-GOT-2932019
- https://snyk.io/vuln/SNYK-JS-LOADERUTILS-3042992
- https://snyk.io/vuln/SNYK-JS-LOADERUTILS-3043105
- https://snyk.io/vuln/SNYK-JS-LOADERUTILS-3105943
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
- https://snyk.io/vuln/SNYK-JS-QS-3153490
- https://snyk.io/vuln/SNYK-JS-TRIM-1017038

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet