Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 71 vulnerabilities #82

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

snyk-bot
Copy link

@snyk-bot snyk-bot commented Oct 4, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json
    • package-lock.json
  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
    Find out more.

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Prototype Pollution
SNYK-JS-ASYNC-2441827
Yes Proof of Concept
medium severity 526/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 4.1
Arbitrary Code Injection
SNYK-JS-EJS-1049328
Yes Proof of Concept
high severity 726/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.1
Remote Code Execution (RCE)
SNYK-JS-EJS-2803307
Yes Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Prototype Pollution
SNYK-JS-GETOBJECT-1054932
Yes No Known Exploit
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3
Directory Traversal
SNYK-JS-GRUNT-2635969
Yes Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5
Race Condition
SNYK-JS-GRUNT-2813632
Yes Proof of Concept
high severity 569/1000
Why? Has a fix available, CVSS 7.1
Arbitrary Code Execution
SNYK-JS-GRUNT-597546
Yes No Known Exploit
high severity 584/1000
Why? Has a fix available, CVSS 7.4
Regular Expression Denial of Service (ReDoS)
SNYK-JS-HAWK-2808852
Yes No Known Exploit
medium severity 626/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.1
Man-in-the-Middle (MitM)
SNYK-JS-HTTPSPROXYAGENT-469131
Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-INI-1048974
Yes Proof of Concept
medium severity 509/1000
Why? Has a fix available, CVSS 5.9
Denial of Service (DoS)
SNYK-JS-JSYAML-173999
Yes No Known Exploit
high severity 619/1000
Why? Has a fix available, CVSS 8.1
Arbitrary Code Execution
SNYK-JS-JSYAML-174129
Yes No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905
Yes Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2
Command Injection
SNYK-JS-LODASH-1040724
Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-450202
Yes Proof of Concept
high severity 731/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.2
Prototype Pollution
SNYK-JS-LODASH-567746
Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-608086
Yes Proof of Concept
high severity /1000
Why?
Prototype Pollution
SNYK-JS-LODASH-73638
Yes Proof of Concept
medium severity /1000
Why?
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-73639
Yes Proof of Concept
high severity /1000
Why?
Regular Expression Denial of Service (ReDoS)
SNYK-JS-MINIMATCH-1019388
Yes No Known Exploit
low severity /1000
Why?
Prototype Pollution
SNYK-JS-MINIMIST-2429795
Yes Proof of Concept
medium severity /1000
Why?
Prototype Pollution
SNYK-JS-MINIMIST-559764
Yes Proof of Concept
high severity /1000
Why?
Directory Traversal
SNYK-JS-MOMENT-2440688
No No Known Exploit
high severity /1000
Why?
Regular Expression Denial of Service (ReDoS)
SNYK-JS-MOMENT-2944238
No Proof of Concept
high severity /1000
Why?
Denial of Service (DoS)
SNYK-JS-MONGODB-473855
Yes No Known Exploit
high severity /1000
Why?
Command Injection
SNYK-JS-NODEMAILER-1038834
Yes Proof of Concept
medium severity /1000
Why?
HTTP Header Injection
SNYK-JS-NODEMAILER-1296415
Yes Proof of Concept
medium severity /1000
Why?
Improper Certificate Validation
SNYK-JS-NODESASS-1059081
Yes No Known Exploit
medium severity /1000
Why?
Session Fixation
SNYK-JS-PASSPORT-2840631
No No Known Exploit
high severity /1000
Why?
Denial of Service (DoS)
SNYK-JS-SAILSHOOKSOCKETS-589929
Yes Proof of Concept
medium severity /1000
Why?
Regular Expression Denial of Service (ReDoS)
SNYK-JS-SCSSTOKENIZER-2339884
Yes No Known Exploit
medium severity /1000
Why?
Insecure Defaults
SNYK-JS-SOCKETIO-1024859
Yes Proof of Concept
high severity /1000
Why?
Denial of Service (DoS)
SNYK-JS-SOCKETIOPARSER-1056752
Yes Proof of Concept
high severity /1000
Why?
Arbitrary File Overwrite
SNYK-JS-TAR-1536528
Yes No Known Exploit
high severity /1000
Why?
Arbitrary File Overwrite
SNYK-JS-TAR-1536531
Yes No Known Exploit
low severity /1000
Why?
Regular Expression Denial of Service (ReDoS)
SNYK-JS-TAR-1536758
Yes No Known Exploit
high severity /1000
Why?
Arbitrary File Write
SNYK-JS-TAR-1579147
Yes No Known Exploit
high severity /1000
Why?
Arbitrary File Write
SNYK-JS-TAR-1579152
Yes No Known Exploit
high severity /1000
Why?
Arbitrary File Write
SNYK-JS-TAR-1579155
Yes No Known Exploit
high severity /1000
Why?
Denial of Service (DoS)
SNYK-JS-TRIMNEWLINES-1298042
Yes No Known Exploit
medium severity /1000
Why?
Regular Expression Denial of Service (ReDoS)
SNYK-JS-UGLIFYJS-1727251
Yes No Known Exploit
medium severity /1000
Why?
Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090599
Yes Proof of Concept
medium severity /1000
Why?
Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090600
Yes Proof of Concept
medium severity /1000
Why?
Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090601
Yes Proof of Concept
medium severity /1000
Why?
Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090602
Yes Proof of Concept
medium severity /1000
Why?
Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835
Yes Proof of Concept
high severity /1000
Why?
Arbitrary Code Injection
SNYK-JS-XMLHTTPREQUESTSSL-1082936
Yes Proof of Concept
high severity /1000
Why?
Access Restriction Bypass
SNYK-JS-XMLHTTPREQUESTSSL-1255647
Yes Proof of Concept
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:clean-css:20180306
Yes Proof of Concept
low severity 399/1000
Why? Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:debug:20170905
Yes No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
npm:deep-extend:20180409
Yes Proof of Concept
high severity 619/1000
Why? Has a fix available, CVSS 8.1
Arbitrary Code Execution
npm:ejs:20161128
Yes No Known Exploit
medium severity 509/1000
Why? Has a fix available, CVSS 5.9
Cross-site Scripting (XSS)
npm:ejs:20161130
Yes No Known Exploit
medium severity 509/1000
Why? Has a fix available, CVSS 5.9
Denial of Service (DoS)
npm:ejs:20161130-1
Yes No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
npm:fresh:20170908
Yes No Known Exploit
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3
Prototype Pollution
npm:hoek:20180212
Yes Proof of Concept
high severity 796/1000
Why? Mature exploit, Has a fix available, CVSS 8.2
Uninitialized Memory Exposure
npm:https-proxy-agent:20180402
Yes Mature
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3
Prototype Pollution
npm:lodash:20180130
Yes Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
npm:method-override:20170927
Yes No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:mime:20170907
Yes No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
npm:minimatch:20160620
Yes No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:ms:20170412
Yes No Known Exploit
low severity 496/1000
Why? Mature exploit, Has a fix available, CVSS 2.2
Uninitialized Memory Exposure
npm:mysql:20170317
Yes Mature
high severity 801/1000
Why? Mature exploit, Has a fix available, CVSS 8.3
Arbitrary Code Execution
npm:pg:20170813
Yes Mature
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Prototype Override Protection Bypass
npm:qs:20170213
Yes No Known Exploit
medium severity 576/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.1
Uninitialized Memory Exposure
npm:tunnel-agent:20170305
Yes Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
npm:underscore.string:20170908
Yes No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
Buffer Overflow
npm:validator:20160218
Yes No Known Exploit
high severity 761/1000
Why? Mature exploit, Has a fix available, CVSS 7.5
Denial of Service (DoS)
npm:ws:20171108
Yes Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: @slack/client The new version differs by 209 commits.

See the full diff

Package name: grunt The new version differs by 67 commits.
  • 82d79b8 1.5.3
  • 572d79b Merge pull request #1745 from gruntjs/fix-copy-op
  • 58016ff Patch up race condition in symlink copying.
  • 0749e1d Merge pull request #1746 from JamieSlome/patch-1
  • 69b7c50 Create SECURITY.md
  • ac667b2 1.5.2
  • 7f15fd5 Update Changelog
  • b0ec6e1 Merge pull request #1743 from gruntjs/cleanup-link
  • 433f91b Clean up link handling
  • d5969ec 1.5.1
  • ad22608 Merge pull request #1742 from gruntjs/update-symlink-test
  • 0652305 Fix symlink test
  • a7ab0a8 1.5.0
  • b2b2c2b Updated changelog
  • 3eda6ae Merge pull request #1740 from gruntjs/update-deps-22-10
  • 47d32de Update testing matrix
  • 2e9161c More updates
  • 04b960e Remove console log
  • aad3d45 Update dependencies, tests...
  • fdc7056 Merge pull request #1736 from justlep/main
  • e35fe54 support .cjs extension
  • ee722d1 1.4.1
  • e7625e5 Update Changelog
  • 5d67e34 Merge pull request #1731 from gruntjs/update-options

See the full diff

Package name: grunt-contrib-jst The new version differs by 11 commits.

See the full diff

Package name: node-sass The new version differs by 93 commits.
  • 3b556c1 7.0.2
  • c716359 Bump sass-graph@^4.0.1 (#3292)
  • 24741b3 docs(readme): fix docpad plugin link
  • 1523330 feat: Drop Node 12
  • 365d357 update https://registry.npm.taobao.org to https://registry.npmmirror.com
  • 1456114 build(deps): bump actions/upload-artifact from 2 to 3
  • b465b69 chore: bump GitHub Actions to Windows 2019 (#3254)
  • e6194b1 build(deps): bump make-fetch-happen from 9.1.0 to 10.0.4
  • 4edf594 build(deps): bump node-gyp from 8.4.1 to 9.0.0
  • 29e2344 build(deps): bump actions/checkout from 2 to 3
  • 85b0d22 build(deps): bump actions/setup-node from 2 to 3
  • 3bb51da Use make-fetch-happen instead of request (#3193)
  • adc2f8b build(deps): bump true-case-path from 1.0.3 to 2.2.1 (#3000)
  • 77d12f0 chore: disable Apline for Node 16/17 builds
  • 308d533 ci: use Python 3 for Node 12
  • c818907 ci: unpin actions/setup-node to v2
  • 99242d7 7.0.1
  • 77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (#3224)
  • c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (#3209)
  • 918dcb3 Lint fix
  • 0a21792 Set rejectUnauthorized to true by default (#3149)
  • e80d4af chore: Drop EOL Node 15 (#3122)
  • d753397 feat: Add Node 17 support (#3195)
  • dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0

See the full diff

Package name: nodemailer The new version differs by 99 commits.

See the full diff

Package name: passport The new version differs by 168 commits.

See the full diff

Package name: sails The new version differs by 250 commits.

See the full diff

Package name: sails-disk The new version differs by 85 commits.
  • 15faa44 1.0.0
  • a2b7ee6 1.0.0-12
  • 9d7118c Only set footprint keys for uniqueness violations.
  • a2c2261 Add some assertions.
  • a222824 Update gitignore and scripts
  • 3b3c334 1.0.0-11
  • cef95b4 Support updating the primary key value, as long as it's not using _id as the column.
  • aad2a15 Set _id column to value of primary key when creating records.
  • 333e2d1 1.0.0-10
  • c8a26c5 Add shim to replicate MongoDB's behavior w/ `{ $ne: null }` and empty arrays.
  • bf92cb8 1.0.0-9
  • af97943 Workaround issue with projections including only `_id`
  • b5b985b Relax restrictions on using `_id` column in sails disk.
  • f4adfd7 Add an entry in the `refCols` dictionary for every model, so we don't have to short-circuit checks for it later
  • b494fd9 In `find`, deserialize Buffer objects into `ref` attributes where possible.
  • 7aaaaa4 Merge pull request [Snyk] Security upgrade node from 12.16-alpine to 12.22.10-alpine #58 from balderdashy/expose-lib
  • 70ead96 (whoops) Add back 0.10 and 0.12 in appveyor.yml
  • beabe7a Merge pull request [Snyk] Fix for 1 vulnerabilities #57 from balderdashy/expose-lib
  • 9c80187 1.0.0-8
  • f7a349d Actually, don't expose the static lib. (No reason to do so, and better to not introduce something experimental if there's any chance it could make an app dependent on random stuff in a dev-only adapter)
  • 2d4d97e 1.0.0-7
  • f2dd761 Rename afterwards function to avoid perceived scope conflict (whether or not it'd ever actually be a big deal, this avoids any potential future scope issues from refactoring, etc).
  • 4051e5e 1.0.0-6
  • 250c32e Handle stray error (and a couple of other trivial changes just from when I was reading through the code)

See the full diff

Package name: sails-mongo The new version differs by 250 commits.

See the full diff

Package name: sails-mysql The new version differs by 202 commits.

See the ful...

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-ASYNC-2441827
- https://snyk.io/vuln/SNYK-JS-EJS-1049328
- https://snyk.io/vuln/SNYK-JS-EJS-2803307
- https://snyk.io/vuln/SNYK-JS-GETOBJECT-1054932
- https://snyk.io/vuln/SNYK-JS-GRUNT-2635969
- https://snyk.io/vuln/SNYK-JS-GRUNT-2813632
- https://snyk.io/vuln/SNYK-JS-GRUNT-597546
- https://snyk.io/vuln/SNYK-JS-HAWK-2808852
- https://snyk.io/vuln/SNYK-JS-HTTPSPROXYAGENT-469131
- https://snyk.io/vuln/SNYK-JS-INI-1048974
- https://snyk.io/vuln/SNYK-JS-JSYAML-173999
- https://snyk.io/vuln/SNYK-JS-JSYAML-174129
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-1019388
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-MOMENT-2440688
- https://snyk.io/vuln/SNYK-JS-MOMENT-2944238
- https://snyk.io/vuln/SNYK-JS-MONGODB-473855
- https://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834
- https://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415
- https://snyk.io/vuln/SNYK-JS-NODESASS-1059081
- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631
- https://snyk.io/vuln/SNYK-JS-SAILSHOOKSOCKETS-589929
- https://snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884
- https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-1056752
- https://snyk.io/vuln/SNYK-JS-TAR-1536528
- https://snyk.io/vuln/SNYK-JS-TAR-1536531
- https://snyk.io/vuln/SNYK-JS-TAR-1536758
- https://snyk.io/vuln/SNYK-JS-TAR-1579147
- https://snyk.io/vuln/SNYK-JS-TAR-1579152
- https://snyk.io/vuln/SNYK-JS-TAR-1579155
- https://snyk.io/vuln/SNYK-JS-TRIMNEWLINES-1298042
- https://snyk.io/vuln/SNYK-JS-UGLIFYJS-1727251
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090599
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090600
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090601
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090602
- https://snyk.io/vuln/SNYK-JS-WS-1296835
- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936
- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1255647
- https://snyk.io/vuln/npm:clean-css:20180306
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:deep-extend:20180409
- https://snyk.io/vuln/npm:ejs:20161128
- https://snyk.io/vuln/npm:ejs:20161130
- https://snyk.io/vuln/npm:ejs:20161130-1
- https://snyk.io/vuln/npm:fresh:20170908
- https://snyk.io/vuln/npm:hoek:20180212
- https://snyk.io/vuln/npm:https-proxy-agent:20180402
- https://snyk.io/vuln/npm:lodash:20180130
- https://snyk.io/vuln/npm:method-override:20170927
- https://snyk.io/vuln/npm:mime:20170907
- https://snyk.io/vuln/npm:minimatch:20160620
- https://snyk.io/vuln/npm:ms:20170412
- https://snyk.io/vuln/npm:mysql:20170317
- https://snyk.io/vuln/npm:pg:20170813
- https://snyk.io/vuln/npm:qs:20170213
- https://snyk.io/vuln/npm:tunnel-agent:20170305
- https://snyk.io/vuln/npm:underscore.string:20170908
- https://snyk.io/vuln/npm:validator:20160218
- https://snyk.io/vuln/npm:ws:20171108


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:lodash:20180130
- https://snyk.io/vuln/npm:mime:20170907
- https://snyk.io/vuln/npm:ms:20170412
- https://snyk.io/vuln/npm:negotiator:20160616
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant