
[Snyk] Security upgrade parse from 3.2.0 to 3.3.0 #7464

Merged (3 commits), Jul 23, 2021

Conversation

snyk-bot (Contributor)

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| medium severity | 479/1000 (Why? Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS), SNYK-JS-WS-1296835 | No | No Known Exploit |

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: parse
The new version differs by 25 commits.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

  • 🧐 View latest project report
  • 🛠 Adjust project settings
  • 📚 Read more about Snyk's upgrade and patch logic

@mtrezza (Member)

mtrezza commented Jul 23, 2021

Currently fails with

```
1) Parse.User testing user updates
  - Expected 5 to equal 6.
```

in

```js
equal(Object.keys(user.attributes).length, 6);
```

Related to parse-community/Parse-SDK-JS@ffc523f; this is described in the PR as:

  • Modified an existing test
    ParseUser.get('password') used to return undefined, now password is not an attribute

Solution is to adapt user test.

@codecov

codecov bot commented Jul 23, 2021

Codecov Report

Merging #7464 (ed1a7c9) into master (1fe4708) will increase coverage by 0.01%.
The diff coverage is n/a.

❗ Current head ed1a7c9 differs from pull request most recent head a434bd1. Consider uploading reports for the commit a434bd1 to get more accurate results.

```
@@            Coverage Diff             @@
##           master    #7464      +/-   ##
==========================================
+ Coverage   93.92%   93.94%   +0.01%     
==========================================
  Files         181      181              
  Lines       13251    13251              
==========================================
+ Hits        12446    12448       +2     
+ Misses        805      803       -2     
```

| Impacted Files | Coverage Δ |
|---|---|
| src/batch.js | 91.37% <0.00%> (-1.73%) ⬇️ |
| src/Adapters/Files/GridFSBucketAdapter.js | 79.50% <0.00%> (-0.82%) ⬇️ |
| src/RestWrite.js | 93.92% <0.00%> (ø) |
| src/Adapters/Storage/Mongo/MongoStorageAdapter.js | 93.02% <0.00%> (+0.65%) ⬆️ |
| src/ParseServerRESTController.js | 98.50% <0.00%> (+1.49%) ⬆️ |

Continue to review full report at Codecov.

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

Powered by Codecov. Last update 1fe4708...a434bd1.

@mtrezza mtrezza merged commit a95ad89 into master Jul 23, 2021
@mtrezza mtrezza deleted the snyk-fix-e0e697abe8702ad1fd28913e7f9c2161 branch July 23, 2021 16:04
SebC99 added a commit to hulab/parse-server that referenced this pull request Jul 26, 2021
* master: (55 commits)
  Accept context via header X-Parse-Cloud-Context (parse-community#7437)
  [Snyk] Upgrade ws from 7.4.6 to 7.5.3 (parse-community#7457)
  fix: upgrade @apollographql/graphql-playground-html from 1.6.28 to 1.6.29 (parse-community#7473)
  fix: upgrade @apollographql/graphql-playground-html from 1.6.27 to 1.6.28 (parse-community#7411)
  fix: upgrade graphql from 15.5.0 to 15.5.1 (parse-community#7462)
  [Snyk] Security upgrade parse from 3.2.0 to 3.3.0 (parse-community#7464)
  fix: upgrade apollo-server-express from 2.25.1 to 2.25.2 (parse-community#7465)
  fix: upgrade graphql-tag from 2.12.4 to 2.12.5 (parse-community#7466)
  fix: upgrade graphql-relay from 0.7.0 to 0.8.0 (parse-community#7467)
  Add MongoDB 5.0 support + bump CI env (parse-community#7469)
  changed twitter API endpoint for oauth test (parse-community#7472)
  add runtime deprecation warning (parse-community#7451)
  bumped node (parse-community#7452)
  fix: upgrade apollo-server-express from 2.25.0 to 2.25.1 (parse-community#7449)
  fix: upgrade subscriptions-transport-ws from 0.9.19 to 0.10.0 (parse-community#7450)
  fix: upgrade mongodb from 3.6.8 to 3.6.9 (parse-community#7445)
  fix: upgrade mongodb from 3.6.7 to 3.6.8 (parse-community#7430)
  fix: upgrade apollo-server-express from 2.24.1 to 2.25.0 (parse-community#7435)
  fix: upgrade ldapjs from 2.2.4 to 2.3.0 (parse-community#7436)
  fix: upgrade graphql-relay from 0.6.0 to 0.7.0 (parse-community#7443)
  ...
mtrezza added a commit to mtrezza/parse-server that referenced this pull request Aug 21, 2021
mtrezza added a commit that referenced this pull request Aug 23, 2021
* bump parse 3.3.0

* Update CHANGELOG.md

* update user test (PR #7464)

* fix Twitter API oauth Error (PR #7370)

* bumped dependencies

* Revert "bumped dependencies"

This reverts commit 97ad83d.

* bump @parse/push-adapter 3.4.1

* bump jwks-rsa@1.12.3

* bump mongodb@3.6.11

* bump ws@7.5.3

* changed logging for circular obj (PR #7457)

* Update CHANGELOG.md
@parseplatformorg (Contributor)

🎉 This change has been released in version 5.0.0-beta.1

@parseplatformorg parseplatformorg added the state:released-beta Released as beta version label Nov 1, 2021
@parseplatformorg (Contributor)

🎉 This change has been released in version 5.0.0

@parseplatformorg parseplatformorg added the state:released Released as stable version label Mar 14, 2022
SebC99 pushed a commit to hulab/parse-server that referenced this pull request May 29, 2022
Squashed commits:
[1306da7] Merge pull request from GHSA-23r4-5mxp-c7g5
[3a5c38d] revert to version 4.5.0 for testing
[a3483d8] fix changelog skip 4.5.1
[3c42584] 4.5.2
[97b1dca] revert to version 4.5.0 for testing
[f3133ac] Release 4.10.1 (parse-community#7508)

* bump parse 3.3.0

* Update CHANGELOG.md

* update user test (PR parse-community#7464)

* fix Twitter API oauth Error (PR parse-community#7370)

* bumped dependencies

* Revert "bumped dependencies"

This reverts commit 97ad83d.

* bump @parse/push-adapter 3.4.1

* bump jwks-rsa@1.12.3

* bump mongodb@3.6.11

* bump ws@7.5.3

* changed logging for circular obj (PR parse-community#7457)

* Update CHANGELOG.md
[7e1da90] added changelog
[0e3cae5] audit fix
[f0d5232] bumped version
[4ac4b7f] Merge pull request from GHSA-7pr3-p5fm-8r9x

* fix: LQ deletes session token

* add 4.10.4

* add changes
[ef2ec21] ci: update docker image building (parse-community#7553)

* docker

* Update docker-publish.yml

* Update docker-publish.yml
[6ae5835] Merge pull request from GHSA-xqp8-w826-hh6x

* Backport the advisory fix

* Added a 4.10.3 section to CHANGELOG
[0bfa6b7] Release 4.10.2 (parse-community#7513)

* move graphql-tag from devDependencies to dependencies (parse-community#7183)

* bump version

* Update CHANGELOG.md
[0be0b87] bump version
SebC99 pushed a commit to hulab/parse-server that referenced this pull request Nov 10, 2022
Squashed commits: the same list as in the May 29, 2022 entry above (1306da7 through 0be0b87).