Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 21 vulnerabilities #38

Closed
wants to merge 1 commit into from
Closed

[Snyk] Fix for 21 vulnerabilities #38

wants to merge 1 commit into from

Conversation

snyk-bot
Copy link
Contributor

@snyk-bot snyk-bot commented Sep 8, 2020

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json
    • package-lock.json

  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
    Find out more.

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 579/1000
Why? Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-HANDLEBARS-173692		 No No Known Exploit
high severity 579/1000
Why? Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-HANDLEBARS-174183		 No No Known Exploit
high severity 579/1000
Why? Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-HANDLEBARS-469063		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JS-HANDLEBARS-480388		 No No Known Exploit
high severity 619/1000
Why? Has a fix available, CVSS 8.1		 Arbitrary Code Execution
SNYK-JS-HANDLEBARS-534478		 No No Known Exploit
high severity 704/1000
Why? Has a fix available, CVSS 9.8		 Prototype Pollution
SNYK-JS-HANDLEBARS-534988		 No No Known Exploit
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Prototype Pollution
SNYK-JS-HANDLEBARS-567742		 No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-450202		 No Proof of Concept
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3		 Prototype Pollution
SNYK-JS-LODASH-567746		 No Proof of Concept
high severity 704/1000
Why? Has a fix available, CVSS 9.8		 Prototype Pollution
SNYK-JS-LODASH-590103		 No No Known Exploit
high severity 758/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-608086		 No Proof of Concept
high severity 579/1000
Why? Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-73638		 No No Known Exploit
medium severity 434/1000
Why? Has a fix available, CVSS 4.4		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-73639		 No No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-174116		 Yes No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-451540		 Yes No Known Exploit
medium severity 529/1000
Why? Has a fix available, CVSS 6.3		 Prototype Pollution
npm:lodash:20180130		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
npm:minimatch:20160620		 No No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: handlebars The new version differs by 175 commits.
  • 91a1b5d v4.6.0
  • 770d746 Update release notes
  • d7f0dcf refactor: fix typo in private test method
  • 187d611 test: add path to nodeJs when running test:bin
  • d337f40 test: show diff when test:bin fails
  • d03b6ec feat: access control to prototype properties via whitelist
  • 164b7ff chore: ignore .nyc_output
  • ac4655e chore: disable "dot-notation" rule
  • 14b621c test/style: remove or hide unused code in git.js, add tests
  • 1ec1737 test/style: refactor remaining grunt tasks to use promises instead of callbacks
  • 1ebce2b test/style: use nyc instead of istanbul, npm audit fix
  • 3a5b65e test/style: refactor parser task
  • dde108e test/style: refactor test-task to make it more readable
  • dc54952 chore: change eslint-rules for tasks/
  • d1fb07b Update (C) year in the LICENSE file
  • 04b1984 chore: try to fix saucelabs credentials (#1627)
  • c40d9f3 chore: active linting and formatting on commit
  • 8901c28 chore: fix task name in build
  • e97685e style: reformat all files using prettier
  • e913dc5 chore: restructure build commands
  • 1f61f21 chore: configure prettier and eslint
  • 587e7a3 remove yarn.lock
  • edcc84f Update readme.md with updated links (#1620)
  • 23d58e7 fix(runtime.js): partials compile not caching (#1600)

See the full diff

Package name: metalsmith-copy The new version differs by 20 commits.

See the full diff

Package name: metalsmith-markdown The new version differs by 33 commits.

See the full diff

With a Snyk patch:
Severity Priority Score (*) Issue Exploit Maturity
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:debug:20170905		 No Known Exploit
high severity 579/1000
Why? Has a fix available, CVSS 7.3		 Prototype Pollution
npm:extend:20180424		 No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
npm:minimatch:20160620		 No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:moment:20170905		 No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
npm:ms:20151024		 No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
馃 View latest project report

馃洜 Adjust project settings

馃摎 Read more about Snyk's upgrade and patch logic

@snyk-bot
fix: package.json, package-lock.json & .snyk to reduce vulnerabilities
cfc8a26 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-174183
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-469063
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534988
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-567742
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-LODASH-590103
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/SNYK-JS-MARKED-174116
- https://snyk.io/vuln/SNYK-JS-MARKED-451540
- https://snyk.io/vuln/npm:lodash:20180130
- https://snyk.io/vuln/npm:minimatch:20160620


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:extend:20180424
- https://snyk.io/vuln/npm:minimatch:20160620
- https://snyk.io/vuln/npm:moment:20170905
- https://snyk.io/vuln/npm:ms:20151024
@drewm drewm closed this Sep 8, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@snyk-bot @drewm