New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 9 vulnerabilities #57

Open

snyk-bot wants to merge 1 commit into master from snyk-fix-939be3712fb6c2325fbacab5412d0f94

snyk-bot commented Sep 4, 2021

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Prototype Pollution SNYK-JS-AJV-584908	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SSRI-1085630	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SSRI-1246392	Yes	Proof of Concept
	Arbitrary File Overwrite SNYK-JS-TAR-174125	No	No Known Exploit
	Prototype Pollution SNYK-JS-YARGSPARSER-560381	No	Proof of Concept
	Prototype Pollution npm:hoek:20180212	No	Proof of Concept
	Denial of Service (DoS) npm:mem:20180117	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:ssri:20180214	No	No Known Exploit

Commit messages

Package name: npm

The new version differs by 250 commits.

7e679fd 6.0.0
73e50a7 test: prepublish-only: Use our own copy of npm
82dfa54 6.0.0-next.2
408a7ff update AUTHORS
1b021d0 doc: update changelog for npm@6.0.0
9c1eb94 inflate-shrinkwrap: For git changelings use version as resolved
2facb35 has-modern-meta: Correctly identify git changelings
e4ed976 install/deps: Let git deps w/ lock only match package.json
552ff6d audit: Ensure we don't mutate the shrinkwrap
f2386e1 test: standard common-tap
1d8ac24 test: JSON parse error message changed slightly
cd36a21 audit: Avoid config-meta's literal-only test
09c7348 test: Default audit to off when testing
8e71334 audit: Add docs
be393a2 audit: Temporarily suppress git metadata till there's an opt-in
8c77dde audit: Add new audit command
5e28404 npm: Make --timing set loglevel=timing
a17d14e perf: Fix timing catch
594d169 npm-audit-report@1.0.5
f4bc648 npm-registry-fetch@1.1.0
820f74a pkglock: add from field back into git dependencies (#20384)
833046e docs: add --scope to npm init usage (#20373)
ed81d14 test: ensure npm init forwards arguments (#20372)
9d5d0a1 install-test: fix shrinkwrap handling of package-lock.json (#20358)

See the full diff

Package name: request

The new version differs by 44 commits.

6420240 2.88.0
bd22e21 fix: massive dependency upgrade, fixes all production vulnerabilities
925849a Merge pull request Updated italian translation adobe/brackets#2996 from kwonoj/fix-uuid
7b68551 fix(uuid): import versioned uuid
5797963 Merge pull request Spanish Strings for Sprint 21 adobe/brackets#2994 from dlecocq/oauth-sign-0.9.0
628ff5e Update to oauth-sign 0.9.0
10987ef Merge pull request move starting of static server to live dev start time and fix up some comments adobe/brackets#2993 from simov/fix-header-tests
cd848af These are not going to fail if there is a server listening on those ports
a92e138 Enable rule switching and resize logic between rule list and displayed CSS rule adobe/brackets#515, Disable the cache before every reload adobe/brackets#2894 Strip port suffix from Host header if the protocol is known. (Update to latest CodeMirror upstream master adobe/brackets#2904)
45ffc4b Improve AWS SigV4 support. (Preference to change new font rendering adobe/brackets#2791)
a121270 Merge pull request Quick Edit on HTML tags opens wrong CSS class adobe/brackets#2977 from simov/update-cert
bd16414 Update test certificates
536f0e7 2.87.1
02fc5b1 Update changelog
de1ed5a 2.87.0
a6741d4 Replace hawk dependency with a local implemenation (GB18030: Mac: Brackets cannot open folder successfully with “Error loading project” message when folder contains a file named with GB18030 characters. adobe/brackets#2943)
a7f0a36 2.86.1
8f2fd4d Update changelog
386c7d8 2.86.0
76a6e5b Merge pull request Mac: Sometimes see empty parens in Open With menu adobe/brackets#2885 from ChALkeR/patch-1
db76838 Merge branch 'patch-1' of github.com:ChALkeR/request
fb7aeb3 Merge pull request Fix #2902: Externalize debug menu as an extension adobe/brackets#2942 from simov/fix-tests
e47ce95 Add Node v10 build target explicitly
0c5db42 Skip status code 105 on Node > v10

See the full diff

With a Snyk patch:

Severity	Issue	Exploit Maturity
	Prototype Pollution npm:lodash:20180130	Proof of Concept

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


          fix: package.json & .snyk to reduce vulnerabilities

97a16b8

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AJV-584908
- https://snyk.io/vuln/SNYK-JS-SSRI-1085630
- https://snyk.io/vuln/SNYK-JS-SSRI-1246392
- https://snyk.io/vuln/SNYK-JS-TAR-174125
- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
- https://snyk.io/vuln/npm:hoek:20180212
- https://snyk.io/vuln/npm:mem:20180117
- https://snyk.io/vuln/npm:ssri:20180214


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/npm:lodash:20180130

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment