New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 11 vulnerabilities #219

Open

snyk-bot wants to merge 1 commit into main from snyk-fix-b2dc81dff16f13cc24a59f6e2281a618

snyk-bot commented Sep 27, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	621/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6	Prototype Pollution SNYK-JS-FLAT-596927	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-OBJECTPATH-1017036	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-OBJECTPATH-1569453	No	Proof of Concept
	590/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-OBJECTPATH-1585658	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1090595	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: flat

The new version differs by 12 commits.

e5ffd66 Release 5.0.2
fdb79d5 Update dependencies, refresh lockfile, format with standard.
e52185d Test against node 14 in CI.
0189cb1 Avoid arrow function syntax.
f25d3a1 Release 5.0.1
54cc7ad use standard formatting
779816e drop dependencies
2eea6d3 Bump lodash from 4.17.15 to 4.17.19
a61a554 Bump acorn from 7.1.0 to 7.4.0
20ef0ef Fix prototype pollution on unflatten
e8fb281 Test prototype pollution on unflatten
6e95c43 Add node 10 & 12 to travis config.

See the full diff

Package name: got

The new version differs by 250 commits.

5e17bb7 11.8.5
bce8ce7 Backport 861ccd9ac2237df762a9e2beed7edd88c60782dc
8ced192 Fix build
670eb04 11.8.4
20f29fe Backport add update index.md github/docs#1543: Initialize globalResponse in case of ignored HTTPError (x github/docs#2017)
0da732f 11.8.3
9463bb6 Bump cacheable-request dependency (Vcc.com github/docs#1921)
0e167b8 HTTPError code set to 'HTTPError' #1711 (rohittravels.md github/docs#1739)
f896aa5 11.8.2
3bd245f Instantiate CacheableLookup only when needed (Update point 2 of Creating your first workflow github/docs#1529)
a72ed84 11.8.1
4c815c3 Do not throw on custom stack traces (repo sync github/docs#1491)
e0cb820 11.8.0
f65c9ef Upgrade dependencies
7acd380 Fix for sending files with size `0` on `stat` (Josenavarro64@gmail.com github/docs#1488)
6aa86f2 Fix indentation in the readme
3dd2273 `beforeRetry` allows stream body if different from original (Include work around for wildcards in HTTP Proxy Exclusion list github/docs#1501)
b1afa2b Fix readme example comment (fix: Links to localhost addresses github/docs#1505)
390b145 Set default value for an options object (Content style guide suggests to avoid the wrong term github/docs#1495)
87dadd5 Fixed documentation example for `responseType` ("repository_dispatch" event shows wrong GITHUB.SHA and GITHUB.REF information github/docs#1494)
3bf3e3b Add `lookup` option documentation (add access-permissions-on-github.md github/docs#1483)
c31366b Add a test for repo sync github/docs#1438 (repo sync github/docs#1469)
5d62958 11.7.0
88b32ea Fix a regression where body was sent after redirect

See the full diff

Package name: node-fetch

The new version differs by 7 commits.

1ef4b56 backport of Lukáš github/docs#1449 (repo sync github/docs#1453)
8fe5c4e 2.x: Specify encoding as an optional peer dependency in package.json (repo sync github/docs#1310)
f56b0c6 fix(URL): prefer built in URL version when available and fallback to whatwg (Adding your SSH key to the ssh-agent still shows "$ ssh-add ~/.ssh/id_rsa" when it should show "$ ssh-add ~/.ssh/id_ed25519" github/docs#1352)
b5417ae fix: import whatwg-url in a way compatible with ESM Node (Add new example to Actions Code examples github/docs#1303)
18193c5 fix v2.6.3 that did not sending query params (Update about-custom-domains-and-github-pages.md github/docs#1301)
ace7536 fix: properly encode url with unicode characters (Update and rename content/github/collaborating-with-issues-and-pull-r… github/docs#1291)
152214c Fix(package.json): Corrected main file path in package.json (repo sync github/docs#1274)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn


          fix: package.json, package-lock.json & .snyk to reduce vulnerabilities

8180d3a

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-FLAT-596927
- https://snyk.io/vuln/SNYK-JS-GOT-2932019
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118
- https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1017036
- https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453
- https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1585658
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/SNYK-JS-LODASH-567746

pull-request-size bot added the size/M label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels