Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 17 vulnerabilities #11

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 17 vulnerabilities #11

wants to merge 1 commit into from

Conversation

augustk
Copy link

@augustk augustk commented Oct 5, 2022

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • project_info/package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 671/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7		 Remote Code Execution (RCE)
SNYK-JS-HANDLEBARS-1056767		 Yes Proof of Concept
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6		 Prototype Pollution
SNYK-JS-HANDLEBARS-1279029		 Yes Proof of Concept
high severity 579/1000
Why? Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-HANDLEBARS-173692		 Yes No Known Exploit
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Prototype Pollution
SNYK-JS-HANDLEBARS-567742		 Yes Proof of Concept
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7		 Prototype Pollution
SNYK-JS-MINIMIST-2429795		 Yes Proof of Concept
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6		 Prototype Pollution
SNYK-JS-MINIMIST-559764		 Yes Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MOCHA-561476		 Yes No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-UGLIFYJS-1727251		 Yes No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:debug:20170905		 Yes No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
npm:fresh:20170908		 No No Known Exploit
critical severity 704/1000
Why? Has a fix available, CVSS 9.8		 Arbitrary Code Injection
npm:growl:20160721		 Yes No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Cross-site Scripting (XSS)
npm:handlebars:20151207		 Yes No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:mime:20170907		 No No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:ms:20170412		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
npm:negotiator:20160616		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Prototype Override Protection Bypass
npm:qs:20170213		 No No Known Exploit
critical severity 704/1000
Why? Has a fix available, CVSS 9.8		 Sandbox Escaping
npm:safe-eval:20170830		 No No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: express The new version differs by 250 commits.
  • f974d22 4.16.0
  • 8d4ceb6 docs: add more information to installation
  • c0136d8 Add express.json and express.urlencoded to parse bodies
  • 86f5df0 deps: serve-static@1.13.0
  • 4196458 deps: send@0.16.0
  • ddeb713 tests: add maxAge option tests for res.sendFile
  • 7154014 Add "escape json" setting for res.json and res.jsonp
  • 628438d deps: update example dependencies
  • a24fd0c Add options to res.download
  • 95fb5cc perf: remove dead .charset set in res.jsonp
  • 44591fe deps: vary@~1.1.2
  • 2df1ad2 Improve error messages when non-function provided as middleware
  • 12c3712 Use safe-buffer for improved Buffer API
  • fa272ed docs: fix typo in jsdoc comment
  • d9d09b8 perf: re-use options object when generating ETags
  • 02a9d5f deps: proxy-addr@~2.0.2
  • c2f4fb5 deps: finalhandler@1.1.0
  • 673d51f deps: utils-merge@1.0.1
  • 5cc761c deps: parseurl@~1.3.2
  • ad7d96d deps: qs@6.5.1
  • e62bb8b deps: etag@~1.8.1
  • 70589c3 deps: content-type@~1.0.4
  • 9a99c15 deps: accepts@~1.3.4
  • 550043c deps: setprototypeof@1.1.0

See the full diff

Package name: express-handlebars The new version differs by 12 commits.
  • a707698 Bump package version to 3.0
  • 424e870 Version bump to object.assign and handlebars
  • 07f9bbd Revert "use sindresorhus's object-assign polyfill"
  • 5514a07 Fixed links
  • d005c83 v2.0.2
  • 14fa097 use handlebars 4.0.5 in shared template example
  • 41e99a1 updated glob and graceful-fs dependencies
  • 28335bc use sindresorhus's object-assign polyfill
  • 4c16ce4 Merge branch 'PaulBGD-patch-1'
  • c19c888 Update to the latest version of promise
  • 5769107 Merge branch 'blendlabs-master'
  • 71bac24 bump handlebars version to ^4.0.0

See the full diff

Package name: mocha The new version differs by 250 commits.
  • eb781e2 Release v6.2.3
  • 10dbe94 update CHANGELOG for v6.2.3 [ci skip]
  • 848d6fb security: update mkdirp, yargs, yargs-parser
  • 843a322 6.2.2
  • aec8b02 update CHANGELOG for v6.2.2 [ci skip]
  • 7a8b95a npm audit fixes
  • cebddf2 Improve reporter documentation for mocha in browser. (#4026)
  • 3f7b987 uncaughtException: report more than one exception per test (#4033)
  • ee82d38 modify alt text of image from Backers to Sponsors inside Sponsors section in Readme (#4046)
  • e9c036c special-case parsing of "require" in unparseNodeArgs(); closes #4035 (#4063)
  • 954cf0b Fix HTMLCollection iteration to make unhide function work as expected (#4051)
  • 816dc27 uncaughtException: fix double EVENT_RUN_END events (#4025)
  • 9650d3f add OpenJS Foundation logo to website (#4008)
  • f04b81d Adopt the OpenJSF Code of Conduct (#3971)
  • aca8895 Add link checking to docs build step (#3972)
  • ef6c820 Release v6.2.1
  • 9524978 updated CHANGELOG for v6.2.1 [ci skip]
  • dfdb8b3 Update yargs to v13.3.0 (#3986)
  • 18ad1c1 treat '--require esm' as Node option (#3983)
  • fcffd5a Update yargs-unparser to v1.6.0 (#3984)
  • ad4860e Remove extraGlobals() (#3970)
  • b269ad0 Clarify effect of .skip() (#3947)
  • 1e6cf3b Add Matomo to website (#3765)
  • 91b3a54 fix style on mochajs.org (#3886)

See the full diff

Package name: safe-eval The new version differs by 10 commits.
  • 0fdfb82 Increase timeout for vm options test
  • 27fcd97 Release 0.4.0
  • 5bc3929 fix standard `Trailing spaces not allowed`
  • 7051474 Clear Function from eval context
  • 4c06548 Tests for context bypass using constructor
  • b6ae3e5 Update README.md
  • 8248a5c support current node versions only
  • 42df496 test only Node 1+
  • 52f0726 improved test
  • 484e24b travis config file

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
馃 View latest project report

馃洜 Adjust project settings

馃摎 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

馃 Regular Expression Denial of Service (ReDoS)
馃 Regular Expression Denial of Service (ReDoS)
馃 Regular Expression Denial of Service (ReDoS)
馃 More lessons are available in Snyk Learn

@snyk-bot
fix: project_info/package.json to reduce vulnerabilities
cc6aa0e 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-567742
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-MOCHA-561476
- https://snyk.io/vuln/SNYK-JS-UGLIFYJS-1727251
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:fresh:20170908
- https://snyk.io/vuln/npm:growl:20160721
- https://snyk.io/vuln/npm:handlebars:20151207
- https://snyk.io/vuln/npm:mime:20170907
- https://snyk.io/vuln/npm:ms:20170412
- https://snyk.io/vuln/npm:negotiator:20160616
- https://snyk.io/vuln/npm:qs:20170213
- https://snyk.io/vuln/npm:safe-eval:20170830
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@augustk @snyk-bot