[Snyk] Fix for 5 vulnerabilities #91

snyk-bot · 2022-10-02T03:15:38Z

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- backend/src/functions/order-api/package.json
- backend/src/functions/order-api/package-lock.json

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-AWSSDK-1059424	No	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASHMERGE-173732	No	Proof of Concept
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASHMERGE-173733	No	Proof of Concept
649/1000 Why? Has a fix available, CVSS 8.7	Elliptic Curve Key Disclosure npm:node-jose:20170313	No	No Known Exploit
784/1000 Why? Mature exploit, Has a fix available, CVSS 7.1	Insecure Token Validation npm:node-jose:20171222	No	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: aws-sdk

The new version differs by 250 commits.

8875a35 Updates SDK to v2.814.0
dd83d67 throw at invalid profile name in shared ini file (#3585)
ee0c5a3 Updates SDK to v2.813.0
468d15b Updates SDK to v2.812.0
c50132f Update README.md with references to JS SDK V3 (#3582)
3e19b08 Updates SDK to v2.811.0
f26c00d Updates SDK to v2.810.0
b393a6e Adds automatic PreSignedUrl generation to RDS.StartDBInstanceAutomatedBackupsReplication (#3566)
fa57967 Updates SDK to v2.809.0
9a52018 Updates SDK to v2.808.0
1958076 Updates SDK to v2.807.0
ffcad20 Updates SDK to v2.806.0
2f37893 chore: remove cognitoidentity customizations to disable auth (#3543)
c6fe3c0 Updates SDK to v2.805.0
71d6fa9 Fix dual-callback case (#3537)
b981971 Updates SDK to v2.804.0
332573f Updates SDK to v2.803.0
deb7bc7 Updates SDK to v2.802.0
b6401d0 Remove incorrectly named service named 'Profile' (#3562)
3364d4b Updates SDK to v2.801.0
d400577 Updates SDK to v2.800.0
21c7dc0 Updates SDK to v2.799.0
d2b8964 Updates SDK to v2.798.0
44ded82 fix: test IAM.getUser instead of listUsers (#3542)

Package name: node-jose

The new version differs by 141 commits.

f15bd46 Release 0.11.0
9a86dd6 Update: configure option for allowed algorithm(s) on decrypt/verify (#148)
959a61d Update: configure if embedded keys can be used for signature verification (#147)
3e5e8be chore(package): update yargs to version 10.0.3 (#145)
7eacc84 chore(package): update browserify-istanbul to version 3.0.0 (#143)
f13d8f3 chore(package): update mocha to version 4.0.0 (#141)
be18233 Doc: Enable syntax highlighting on code areas in README (#142)
c8d09f8 Release 0.10.0 (#140)
c00d320 chore(package): update yargs to version 9.0.1 (#134)
0a6e324 Update: Provide PBKDF2-based algorithms publically (#139)
20fe41e Build: exclude old browsers from SL tests (#138)
1dcd545 Fix: incorrect variable name
8595398 Fix: HMAC minimum length checks should be enforced
d1b8d88 Fix: prevent JWK.KeyStore#add from modifying jwk input (#129)
2ed035a Update: alias JWS.createVerify to construct a sentence (#127)
01e40d5 Release 0.9.5
57916db Doc: Add key hints and status badges to README (#126)
21c11d2 chore(package): update webpack-stream to version 4.0.0 (#124)
7d8070c Fix: regression errors with Safari (webkit); fixes #123 (#125)
755f526 chore(package): update run-sequence to version 2.0.0 (#120)
255108c chore(package): update webpack to version 3.0.0 (#119)
6f9085d chore(docs): fix typo in keystore key removal (#121)
c5c0989 chore(package): update del to version 3.0.0 (#117)
bbe4d73 Fix: coerce "kid" during lookup (#116)