[Snyk] Fix for 13 vulnerabilities #329

Merged
merged 2 commits into from
Jul 22, 2021

twilio-product-security (Contributor)

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Issue | Snyk ID | Breaking Change | Exploit Maturity |
| --- | --- | --- | --- | --- |
| medium | Prototype Pollution | SNYK-JS-DOTPROP-543489 | Yes | Proof of Concept |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-GLOBPARENT-1016905 | Yes | No Known Exploit |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-LODASH-1018905 | Yes | Proof of Concept |
| high | Command Injection | SNYK-JS-LODASH-1040724 | Yes | Proof of Concept |
| medium | Prototype Pollution | SNYK-JS-LODASH-567746 | Yes | Proof of Concept |
| critical | Prototype Pollution | SNYK-JS-LODASH-590103 | Yes | No Known Exploit |
| high | Prototype Pollution | SNYK-JS-LODASH-608086 | Yes | Proof of Concept |
| high | Prototype Pollution | SNYK-JS-MERGE-1040469 | Yes | No Known Exploit |
| high | Prototype Pollution | SNYK-JS-MERGE-1042987 | Yes | Proof of Concept |
| medium | Prototype Pollution | SNYK-JS-MINIMIST-559764 | Yes | Proof of Concept |
| critical | Prototype Pollution | SNYK-JS-PROPERTYEXPR-598800 | Yes | Proof of Concept |
| high | Denial of Service (DoS) | SNYK-JS-TRIMNEWLINES-1298042 | Yes | No Known Exploit |
| medium | Prototype Pollution | SNYK-JS-YARGSPARSER-560381 | Yes | Proof of Concept |
Commit messages
Package name: @commitlint/cli The new version differs by 169 commits.
  • 41d4f58 v9.1.2
  • 935e3cf test(load): increase test timeout to avoid flakiness
  • 0eaee18 docs: correct info regarding modifying npm tags
  • dabdfc9 Refactor/armano cli (#1998)
  • d4f064c chore: update dependency @types/node to v12.12.50 (#1997)
  • 4e830b3 chore: update dependency @types/node to v12.12.48 (#1991)
  • 46a27bf chore: update node.js to >=v8.17.0 (#1990)
  • 94e7211 chore: update dependency @types/jest to v26.0.4 (#1992)
  • 5161307 chore: update typescript-eslint monorepo to v3.6.0 (#1989)
  • be3c3a4 chore: update dependency eslint-plugin-jest to v23.18.0 (#1988)
  • ac54d5c chore: update dependency eslint to v7.4.0 (#1987)
  • a406053 chore: v9.1.1 - further gitHead entries
  • cb565df v9.1.1
  • c8367bf chore: update typescript-eslint monorepo to v3.5.0 (#1983)
  • 90d5804 chore: update dependency @types/lodash to v4.14.157 (#1592)
  • d0f0eb9 fix(load): resolve plugins from extended configs (#1976)
  • 50ae7c1 chore: update dependency eslint-plugin-import to v2.22.0 (#1981)
  • a43c5a3 chore: update dependency @types/semver to v7.3.1 (#1979)
  • 014b82b chore: update dependency @types/jest to v26.0.3 (#1978)
  • cff1979 chore: update dependency eslint-plugin-jest to v23.17.1 (#1975)
  • 0fbbb47 chore: update dependency eslint-plugin-jest to v23.17.0 (#1974)
  • 546ac1b chore: update dependency eslint to v7.3.1 (#1973)
  • f8e1b71 chore: update typescript-eslint monorepo to v3.4.0 (#1972)
  • a58c0fa chore: update dependency ts-jest to v26.1.1 (#1971)

Package name: @commitlint/config-conventional The new version differs by 225 commits.
  • 3982e5a v10.0.0
  • 0a70592 chore: update dependency eslint to v7.7.0 (#2063)
  • 5be34ec chore: update dependency @types/jest to v26.0.10 (#2064)
  • 7b7f9a8 chore: update dependency @types/semver to v7.3.2 (#2062)
  • 25d42f4 fix: update dependency find-up to v5 (#2060)
  • 74d54d0 chore: update dependency ts-jest to v26.2.0 (#2059)
  • 0772b27 chore: update typescript-eslint monorepo to v3.9.0 (#2058)
  • 4895d5f Use read default export - requiring with CommonJS (#2057)
  • da0c75d build(deps): bump prismjs from 1.20.0 to 1.21.0 (#2055)
  • 0329e09 chore: update dependency conventional-changelog-angular to v5.0.11 (#2056)
  • d8b6bd6 chore: update dependency @types/node to v12.12.54 (#2054)
  • 08bd3db chore: update dependency @types/lodash to v4.14.159 (#2053)
  • 13382ec chore: update dependency @types/jest to v26.0.9 (#2052)
  • 46c3982 chore: update babel monorepo (#2050)
  • 163a789 chore: update typescript-eslint monorepo to v3.8.0 (#2045)
  • f4db933 fix: update dependency cosmiconfig to v7 (#2044)
  • ca63602 chore: update dependency eslint to v7.6.0 (#2042)
  • 964876e chore: update dependency @ types/jest to v26.0.8 (#2041)
  • 62f4772 chore: update babel monorepo (#2037)
  • ebb57d2 chore: update dependency eslint-plugin-jest to v23.20.0 (#2034)
  • 1efce79 chore: update dependency ts-jest to v26.1.4 (#2031)
  • 1784ef2 chore: use non-fixed lerna version (#2026)
  • 0b08b4d chore: update dependency eslint-plugin-jest to v23.19.0 (#2030)
  • 3beacfc chore: update typescript-eslint monorepo to v3.7.1 (#2029)

Package name: all-contributors-cli The new version differs by 6 commits.

Package name: commitizen The new version differs by 48 commits.
  • e434901 fix(deps): update find-node-modules to ^2.1.2 (#824)
  • 12442c1 chore(release): use conventionalcommits preset in semantic-release (#793)
  • f2fad87 fix: revert "use cz-conventional-changelog as default adapter (#778)" (#792)
  • 2663ff4 chore(deps): update dependency uuid to v3.4.0 (#668)
  • d1481b9 chore(deps): update dependency semantic-release to v15.14.0 (#660)
  • 1e9dda8 chore(deps): bump node-fetch from 2.6.0 to 2.6.1 (#775)
  • 95a20d4 fix(cli): Exit CLI with 1(as failed) when received SIGINT (#736)
  • ba7eeb6 chore(renovate): Initial enhanced configuration (#786)
  • e6b75cb feat!: use cz-conventional-changelog as default adapter (#778)
  • a97e808 docs(readme): specify environment in code blocks (#781)
  • 4620006 chore(deps): pin dependencies (#651)
  • e22dd6c docs(readme.md): add new reference to new adapter (#780)
  • 3402fdd chore(deps): update babel monorepo (#728)
  • 1b813ce docs: update path to commitlint and commitlint adapter (#741)
  • 4929d03 fix: git-cz commit repoPath (#676)
  • c3c533f feat: use cz as binary name (#767)
  • f7257f8 fix(deps): update dependency inquirer to v6.5.2 (#664)
  • bf275d0 chore(deps): update dependency semver to v6.3.0 (#659)
  • 33a77cc chore(deps): update dependency babel-plugin-istanbul to v5.2.0 (#658)
  • 994f3b0 fix(cli): determine correct location of `COMMIT_EDITMSG` (#737)
  • c3a4542 chore(deps): update dependency nyc to v15.1.0 (#745)
  • 7a61389 docs: add adapter for jira (#748)
  • 2fbd7ea docs: Update `commitlint` adapter link (#751)
  • a333b08 docs: add cz-format-extension (#758)

Package name: lerna The new version differs by 183 commits.
  • 4582c47 chore(release): v4.0.0
  • 2d0a97a fix(version): Ensure --create-release environment variables are present during initialization
  • 63f18ba test(version): Assert on mocked releases, not calls
  • 1f17e0c chore(lerna): Set top-level package tag -> next
  • 80a072e chore(lerna): Enable --temp-tag during publish
  • e00779a chore: Add release script
  • 255c2ea docs(version): Move changelogPreset examples
  • 7acf883 Merge branch 'next' into 'main'
  • c3814b5 test(child-process): Avoid windows bullshit
  • 671ddef chore: Reset lockfile
  • affed1c feat(deps): Bump dependencies
  • 126676a chore(scripts): Support --no-install flag
  • d8100fd feat(deps): execa@^5.0.0
  • 187cd58 chore(deps): Bump devDependencies
  • ce232c8 chore: remove volta pins, annoying
  • d181863 chore: Bump volta pins
  • 42ab453 feat(prompt): Remove ambiguous exports
  • 4acff59 refactor: Synchronize import ChildProcessUtilities -> childProcess
  • a02e12e refactor(test): Refactor mockPromptChoices() -> promptSelectOne.chooseBump()
  • 69bb2e4 refactor: Decompose PromptUtilities namespace import
  • a08bafb refactor(test): Use unambiguous mockPromptChoices() method
  • 3c67f15 refactor: Migrate to unambiguous promptConfirmation()
  • 5d05d95 refactor: Migrate to unambiguous promptSelectOne()
  • e9237f3 refactor: Migrate to unambiguous promptTextInput()

Package name: lint-staged The new version differs by 32 commits.
  • e24aaf2 fix: parse titles for function linters
  • e862e7e docs: correct config file name
  • 309ff1c docs: restore filtering section to README
  • 4bef26e feat: add deprecation error for advanced configuration
  • e829646 refactor: remove dependency on path-is-inside
  • 767edbd refactor: remove dependency on lodash
  • c59cd9a chore: upgrade dependencies
  • 19536e3 refactor: pass unparsed commands to execa with --shell
  • 275d996 refactor: rename --silent to --quiet
  • 18acd59 docs: update README
  • 2ba6d61 test: ignore testSetup from coverage report
  • ecf9227 feat: add --shell and --quiet flags
  • 04190c8 refactor: remove advanced configuration options
  • bed9127 refactor: use execa's shell option to run commands
  • d3f6475 docs: update contributors
  • b71b9c8 refactor: warn about long arguments string only once
  • bcd52ac docs: update README
  • efe8f06 docs: print a warning when arguments length is too long based on platform
  • 2753640 docs: update README
  • 28f3c40 refactor: remove unused configuration options
  • 4db2353 test: add test for linter command exiting with code 1
  • 6d4beec test: update tests for function linters
  • 36e54a2 feat: support function linter returning array of commands
  • 9e4346f refactor: support function linters in getConfig

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

@philnash philnash merged commit 8da25ef into main Jul 22, 2021