New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 4 vulnerabilities #3

Open

snyk-bot wants to merge 1 commit into master from snyk-fix-aee1ba88117225cf77a9632c9e5fefd2

snyk-bot commented May 7, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	No	Proof of Concept
	/1000 Why?	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	Yes	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: dustjs-linkedin

The new version differs by 7 commits.

5cd5529 Release v3.0.1
0d72e0b Merge pull request #808 from sumeetkakkar/topic/update-deps
b2aaa47 Merge branch 'master' into topic/update-deps
bd397ea Update tests.yaml: add --legacy-peer-deps to support npm 8 restrictions
115f78c dependency update: chokidar
d951a90 Update tests.yml
ea9ae70 Create tests.yml

See the full diff

Package name: tap

The new version differs by 148 commits.

bc49fb7 15.0.0
4378608 remove publishConfig beta tag
2c2e75f provide mkdirRecursive polyfill for old node versions
8f4c855 correctly specify 10.0.x versions
5e61672 update deps
c44c418 Support 10.0 and test in CI
dc5c841 [email protected]
385b6d2 Add .taprc.yml/yaml handling to change log
4f87466 just run regular test script as snap script
315a921 delete FORCE_COLOR/NO_COLOR rather than setting to '0'
564e96f Add detection for .yaml and .yml
75bae93 update cli doc
c1289bf 15.0.0-3
d6fe32f Do not CI on node 10
d2e0428 do not use equals() alias in self-test
3f787c4 tell npm to be colorful in CI
1512818 run tests with color on github actions
4626fa1 Docs: update documentation for tap v15
02d536b [email protected]
f7c7c58 update cli doc
2aa497c 15.0.0-2
8d7f62e Add support for overriding libtap's internal settings
29eed63 new snapshot folder layout
3a28d4d update libtap git ref to isaacs/tap-v15-prep branch

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution


          fix: package.json, package-lock.json & .snyk to reduce vulnerabilities

9bcdcdc

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-ISTANBULREPORTS-2328088
- https://snyk.io/vuln/SNYK-JS-MOMENT-2944238


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/SNYK-JS-LODASH-567746

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet