Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 16 vulnerabilities #51

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 16 vulnerabilities #51

wants to merge 1 commit into from

Conversation

enterstudio
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908		 Yes Proof of Concept
critical severity 679/1000
Why? Has a fix available, CVSS 9.3		 Incomplete List of Disallowed Inputs
SNYK-JS-BABELTRAVERSE-5962463		 Yes No Known Exploit
high severity 706/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.7		 Remote Memory Exposure
SNYK-JS-BL-608877		 Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-GLOBPARENT-1016905		 Yes Proof of Concept
medium severity 641/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.4		 Prototype Pollution
SNYK-JS-JSON5-3182856		 Yes Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Prototype Pollution
SNYK-JS-MERGE-1040469		 Yes No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-MERGE-1042987		 Yes Proof of Concept
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7		 Prototype Pollution
SNYK-JS-MINIMIST-2429795		 Yes Proof of Concept
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6		 Prototype Pollution
SNYK-JS-MINIMIST-559764		 Yes Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Server-side Request Forgery (SSRF)
SNYK-JS-REQUEST-3361831		 Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795		 Yes Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Prototype Pollution
SNYK-JS-TOUGHCOOKIE-5672873		 Yes Proof of Concept
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-UGLIFYJS-1727251		 Yes No Known Exploit
medium severity 596/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.5		 Arbitrary Code Injection
SNYK-JS-UNDERSCORE-1080984		 Yes Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Prototype Pollution
SNYK-JS-UNSETVALUE-2400660		 Yes No Known Exploit
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:braces:20180219		 Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: azure-storage The new version differs by 119 commits.
  • 611a9e9 Merge pull request #342 from jiacfan/master
  • bddba29 Fix issue related to JsDoc behavior change.
  • 77ee711 Merge pull request [Snyk Update] New fixes for 6 vulnerable dependency paths #3 from wastore/dev
  • 0d86319 Update ChangeLog.md for JavaScript Client Library 0.2.3-preview.9
  • feb0dfc Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path #2 from wastore/dev
  • c42fcc5 Improve API documentation.
  • 6485f9f Update CONTRIBUTING.md for version 2.3.0 and optimize the existing testing code.
  • 5e7e8f8 Update version number to 2.3.0 and ChangeLog.md
  • d5d3e19 File Server Encryption.
  • e66295f For Premium Accounts only, added support for getting and setting the tier on a page blob. The tier can also be set when creating or copying from an existing page blob.
  • 4dd708f Merge branch 'master' into dev
  • 1873f8a Update version number and changelog for JavaScript Client Library 0.2.2-preview.8
  • 7b42122 Merge branch 'master' into dev
  • 22a82ee Merge pull request #338 from XiaoningLiu/issue_upload_timeout
  • c2ec89a Fixed a retry TIMEOUT issue during uploading
  • 0fa3101 Merge pull request #329 from roadman/dev
  • db07b6e Merge pull request #328 from lijunle/patch-1
  • 6e0fd67 Merge pull request #327 from faust64/patch-1
  • 4c6aa19 Added browseri specific APIs for uploading files and blobs
  • 9807ad9 add .d.ts FileUtilities.SharedAccessPermissions
  • 398c036 chore(package): update request to 2.81.0
  • 7b6a50f Merge pull request #322 from XiaoningLiu/memoryOpti
  • ed7f6e2 Update version number for JavaScript Client Library 0.2.2-preview.6
  • 1338118 Update ChangeLog.md and version number to 2.2.1

See the full diff

Package name: babel-eslint The new version differs by 103 commits.
  • a0fbd50 8.0.2
  • 2004b91 require correct deps
  • fa56d21 Always use unpad (#535)
  • 295091d Allow ^ version for babel dependencies (#534)
  • d3b8519 fix(package): update babylon to version 7.0.0-beta.31 (#533)
  • 54ab4ac 8.0.1
  • c1a7882 Update README.md support (#531) [skip ci]
  • 51100c9 chore(package): update mocha to version 4.0.0 (#524)
  • 5742b71 Adding optionalCatchBinding to plugins. (#521)
  • 905887c 8.0.0
  • 49493e4 update to beta.0
  • 42d0c5b Remove already fixed workaround (#508)
  • 25bd208 8.0.0-alpha.17
  • 1468905 alpha.17
  • 57c133e 8.0.0-alpha.15
  • 1e41162 update (#504)
  • c31b577 Readme update usage section (#501) [skip ci]
  • c2626f9 Update eslint to the latest version 🚀 (#500)
  • 3c6b2de chore(package): update husky to version 0.14.0 (#498)
  • e052d5a Update install instructions to use latest stable release (#497) [skip ci]
  • 8e3e088 8.0.0-alpha.13
  • f757e22 Merge pull request #493 from danez/regression-test
  • 5736be6 Update babylon
  • 37f9242 Add Prettier (#491)

See the full diff

Package name: eslint The new version differs by 250 commits.
  • 80b8d5d 5.5.0
  • b68e403 Build: changelog update for 5.5.0
  • 6e110e6 Fix: camelcase duplicate warning bug (fixes #10801) (#10802)
  • 5103ee7 Docs: Add Brackets integration (#10813)
  • b61d2cd Update: max-params to only highlight function header (#10815)
  • 2b2f11d Upgrade: babel-code-frame to version 7 (#10808)
  • 2824d43 Docs: fix comment placement in a code example (#10799)
  • 10690b7 Upgrade: devdeps and deps to latest (#10622)
  • 80c8598 Docs: gitignore syntax updates (fixes #8139) (#10776)
  • cb946af Chore: use meta.messages in some rules (1/4) (#10764)
  • a857cd9 5.4.0
  • 8dee250 Build: changelog update for 5.4.0
  • a70909f Docs: Add jscs-dev.github.io links (#10771)
  • 034690f Fix: no-invalid-meta crashes for non Object values (fixes #10750) (#10753)
  • 11a462d Docs: Broken jscs.info URLs (fixes #10732) (#10770)
  • 985567d Chore: rm unused dep string.prototype.matchall (#10756)
  • f3d8454 Update: Improve no-extra-parens error message (#10748)
  • 562a03f Fix: consistent-docs-url crashes if meta.docs is empty (fixes #10722) (#10749)
  • 6492233 Chore: enable no-prototype-builtins in codebase (fixes #10660) (#10664)
  • 137140f Chore: use eslintrc overrides (#10677)
  • 2af6f4f 5.3.0
  • 11e70c7 Build: changelog update for 5.3.0
  • dd6cb19 Docs: Updated no-return-await Rule Documentation (fixes #9695) (#10699)
  • 6009239 Chore: rename utils for consistency (#10727)

See the full diff

Package name: nunjucks The new version differs by 250 commits.
  • 53d1223 Release v3.2.1
  • 93129bf Replace yargs with commander
  • 17691da Chokidar bump
  • 40dfdf0 Remove dead link
  • cefb1cf Prevent optional dependency Chokidar from loading when not watching
  • 1485a44 Add badges in README.md
  • 2246457 Add Mozilla Code of Conduct file
  • ff5571c Release v3.2.0
  • f997a52 Add NodeResolveLoader
  • 34b0a26 Fix syntax typos in CONTRIBUTING.md
  • 55e0b7a Set dash as joiner element
  • c99154e Update faq.md
  • 1338712 Emit 'load' events on Loader and Environment instances
  • 057e7b3 Add test for line/column info in user-function exception
  • bcf38f3 Emit line and column info for functions
  • fbddcd5 lexer more accurately tracks token line and column information
  • 889ef80 Add nodejs versions 10 and 11 to CI, remove 6 and 9
  • b828158 Fix documentation typo
  • 1370361 v3.1.7
  • 0a65e1f Fixes for replace example
  • 2946fb4 Removed postinstall-build in favor of npm prepare script
  • 9fd5bdb Add link to Plugin syntax highlighting for VSCode
  • 68ba15c Fix bug where exceptions were silently swallowed with synchronous render
  • 7c187ac tests: fix issue running tests on node 10.x

See the full diff

Package name: pm2 The new version differs by 250 commits.

See the full diff

Package name: postcss-cssnext The new version differs by 16 commits.
  • 7730660 3.0.1
  • 483b81f Fixed: specify the actual require peer dependency for caniuse database (caniuse-lite is used since latest caniuse-api latest major bump)
  • 50557fa Fixed: bump dependencies not updated to PostCSS@6
  • efb7100 Update babel config + some devDeps to be able to build website
  • 69169ac update package-lock.json to 3.0.0
  • 03b6017 3.0.0
  • cf9fb19 Docs: fix chalk update issue
  • b7d6ffd Merge pull request #400 from MoOx/postcss6-upgrade
  • 1781dc7 Docs: Fix id of overflow wrap property in index (#393)
  • 8b99180 Ensure a version of caniuse-db that includes css-image-set (#380)
  • db0f0fa Add a warning for custom property sets that are going to be removed + an option to hide the warning
  • cc7c864 Change: support node4+ up to 8
  • 7bb55c1 chore: add package-lock.json and yarn.lock files
  • 20ae74d Change: upgrade to PostCSS 6
  • af5f9c1 Change link to custom media queries specification
  • 974e40b Fix PR link

See the full diff

Package name: postcss-import The new version differs by 11 commits.
  • 32470ed 9.0.0
  • 7d9099c Merge branch 'v9-dev'
  • 7124d43 BREAKING: Remove transform option (#250)
  • dfe4c23 Add warning message for deprecated addDependencyTo option (#251)
  • 9fdde94 BREAKING: Rewrite imported file parsing
  • 883669d Reorganize tests
  • a15e402 Change resolve behavior (#249)
  • 49cf9be Deprecate addDependencyTo
  • dbb2f60 Add docs for dependency message
  • 3352a37 BREAKING: File not found is an Error, not a Warning (#247)
  • 0cf36ec BREAKING: Remove pkg-resolve as a dep (#243)

See the full diff

Package name: webpack The new version differs by 250 commits.
  • 4be093d 2.2.0
  • 2278469 2.2.0-rc.8
  • b946eb4 Merge pull request #3988 from malstoun/bug/2664
  • 260e413 Merge pull request #3986 from webpack/bugfix/revert_use_of_buffer_dot_from
  • 0ec7de9 Fix regression with watch cli opt, add tests for this case
  • 72226db add missing disable line
  • 4d30675 build fresh yarn.lock file to remove buffer polyfill
  • 91c1f35 fix(node): rollback changes of Buffer.from to new Buffer() and bump down travis to 4.3 min node v
  • 0b47602 2.2.0-rc.7
  • db6ccbc Merge pull request #3978 from webpack/bugfix/conditional-reexports
  • 82a5b03 Merge pull request #3977 from malstoun/bug/2664
  • fc1a43b Merge pull request #3976 from timse/rely-on-defaults
  • a44694a hoist exports declarations too
  • 682bde8 Fix lint
  • c6d7d90 Add tests
  • af8d49e remove defaults values to shave a few bytes
  • 9796696 2.2.0-rc.6
  • e9bdb05 Merge pull request #3971 from webpack/bugfix/fix_available_vars_in_fmtp
  • bd45bdc add test case for global in harmony modules
  • bfccb20 fix PR
  • 5a3a23f fix(nmf): Fix exports for var injection to include free glob exports or arguments
  • 437dce4 2.2.0-rc.5
  • 91cb1df Merge pull request #3970 from webpack/ci/appveyor
  • 9fd55e5 Merge pull request #3969 from webpack/bugfix/issue-3964

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn

@snyk-bot
fix: package.json to reduce vulnerabilities
3243af2 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-BABELTRAVERSE-5962463
- https://snyk.io/vuln/SNYK-JS-BL-608877
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-JSON5-3182856
- https://snyk.io/vuln/SNYK-JS-MERGE-1040469
- https://snyk.io/vuln/SNYK-JS-MERGE-1042987
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-SEMVER-3247795
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
- https://snyk.io/vuln/SNYK-JS-UGLIFYJS-1727251
- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
- https://snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660
- https://snyk.io/vuln/npm:braces:20180219
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@enterstudio @snyk-bot