New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 15 vulnerabilities #137

Merged

mergify merged 1 commit into master from snyk-fix-ee3084a0465afdee019ddfc5a64d59b6

Sep 6, 2023

Owner

Centaurioun commented Mar 2, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- pkgs/applications/editors/vim/plugins/markdown-preview-nvim/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIHTML-1296849	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	Yes	Proof of Concept
	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	Yes	No Known Exploit
	Prototype Pollution SNYK-JS-LOADERUTILS-3043105	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	Yes	No Known Exploit
	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	Open Redirect SNYK-JS-NEXT-1540422	Yes	No Known Exploit
	Path Traversal SNYK-JS-NEXT-561584	Yes	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-536840	Yes	No Known Exploit
	Arbitrary Code Injection SNYK-JS-SERIALIZEJAVASCRIPT-570062	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SSRI-1246392	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-TERSER-2806366	Yes	No Known Exploit

Commit messages

Package name: next

The new version differs by 250 commits.

07431d3 v12.0.9
c938e20 v12.0.9-canary.12
c385d1b REMOVE: duplicate key in docs/testing.md (Fixed output deps NixOS/nixpkgs#33681)
9b98c5a chore(docs): update security headers specification (nixos/jupyter: init service NixOS/nixpkgs#33673)
865a079 v12.0.9-canary.11
b5d4564 Revert "Relay Support in Rust Compiler" (security.pam.usb seems to be broken on unstable NixOS/nixpkgs#33699)
5c6c385 Use relative path for example (Cannot boot with LVM + LUKS NixOS/nixpkgs#33565)
65c63c9 v12.0.9-canary.10
b20eb99 Relay Support in Rust Compiler (lxterminal: init at 0.3.1 NixOS/nixpkgs#33240)
99d4d6c Implement web server as the request handler for edge SSR (bitcoin: fix boost dependency NixOS/nixpkgs#33635)
f0e31ee feat(next-swc): Update swc ([WIP] Home Assistant NixOS/nixpkgs#33675)
d055fee Updated docs for getServerSideProps and getStaticProps return values (Minor cross fixes, 2 NixOS/nixpkgs#33577)
8d1c585 v12.0.9-canary.9
72658c9 fix(errors/no-cache): `netlify-plugin-cache-nextjs` has been deprecated (Restore dnscrypt-proxy NixOS/nixpkgs#33629)
7452c0b Add `lazyRoot` optional property to `next/image` component (phantomjs2: Fixes build with Qt5.10 NixOS/nixpkgs#33290)
9dd0399 feat(next-swc): Update swc (superfluous dependency on zfs-util of grub NixOS/nixpkgs#33628)
eba64c2 Clarify `headers` config option description (firefox: backport 57.0.4 to 17.09 NixOS/nixpkgs#33484)
f60a480 v12.0.9-canary.8
c13d9a0 Update other instances of node-fetch (nixos/udev: fix outdated udev rules for network devices NixOS/nixpkgs#33617)
e8c15e5 Ensure fetch polyfill is loaded in next-server (pythonPackages.structlog: patch to fix tests, build NixOS/nixpkgs#33616)
9a2d97c [examples] Add new Tailwind CSS Prettier plugin to example (nixos/kresd: fix systemd dependency cycle NixOS/nixpkgs#33614)
562439d Update to latest version of turbo (linux_testing: 4.15-rc4 -> 4.15-rc7 NixOS/nixpkgs#33613)
3329ac6 v12.0.9-canary.7
c71465d Clarify `next/image` usage with `next export` based on feedback. (uhd: fix boost version to 1.65 NixOS/nixpkgs#33555)

See the full diff

Package name: socket.io

The new version differs by 57 commits.

1af3267 chore(release): 3.0.0
02951c4 chore(release): 3.0.0-rc4
54bf4a4 feat: emit an Error object upon middleware error
aa7574f feat: serve msgpack bundle
64056d6 docs(examples): update TypeScript example
cacad70 chore(release): 3.0.0-rc3
d16c035 refactor: rename ERROR to CONNECT_ERROR
5c73733 feat: add support for catch-all listeners
129c641 feat: make Socket#join() and Socket#leave() synchronous
0d74f29 refactor(typings): export Socket class
7603da7 feat: remove prod dependency to socket.io-client
a81b9f3 docs(examples): add example with TypeScript
20ea6bd docs(examples): add example with ES modules
0ce5b4c chore(release): 3.0.0-rc2
8a5db7f refactor: remove duplicate _sockets map
2a05042 refactor: add additional typings
91cd255 fix: close clients with no namespace
58b66f8 refactor: hide internal methods and properties
669592d feat: move binary detection back to the parser
2d2a31e chore: publish the wrapper.mjs file
ebb0575 chore(release): 3.0.0-rc1
c0d171f test: use the reconnect event of the Manager
9c7a48d test: use the complete export name
4bd5b23 feat: throw upon reserved event names

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Denial of Service (DoS)
🦉 More lessons are available in Snyk Learn


          fix: pkgs/applications/editors/vim/plugins/markdown-preview-nvim/pack…

…age.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIHTML-1296849
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749
- https://snyk.io/vuln/SNYK-JS-JSON5-3182856
- https://snyk.io/vuln/SNYK-JS-LOADERUTILS-3042992
- https://snyk.io/vuln/SNYK-JS-LOADERUTILS-3043105
- https://snyk.io/vuln/SNYK-JS-LOADERUTILS-3105943
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-NEXT-1540422
- https://snyk.io/vuln/SNYK-JS-NEXT-561584
- https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-536840
- https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-570062
- https://snyk.io/vuln/SNYK-JS-SSRI-1246392
- https://snyk.io/vuln/SNYK-JS-TERSER-2806366

mergify bot merged commit 14a446a into master

2 checks passed

mergify bot deleted the snyk-fix-ee3084a0465afdee019ddfc5a64d59b6 branch

September 6, 2023 03:39

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment