New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 8 vulnerabilities #36

Closed

Tshegofatso wants to merge 1 commit into staging from snyk-fix-09f0ecf9099b536c6d82c8b7e0e994db

Owner

Tshegofatso commented Sep 22, 2022

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-NCONF-2395478	Yes	Proof of Concept
	454/1000 Why? Has a fix available, CVSS 4.8	Session Fixation SNYK-JS-PASSPORT-2840631	Yes	No Known Exploit
	490/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-RAMDA-1582370	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SANITIZEHTML-2957526	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: forever

The new version differs by 19 commits.

4705421 Prepare 4.0.0 for release
35a4062 Remove y18n due to CVE 2020 7774 part 5 (Not working freeCodeCamp/freeCodeCamp#1112)
1f6108e Move getopts to devDependencies (Tests adding 2 to expected results freeCodeCamp/freeCodeCamp#1113)
aa22041 Replace yargs with getopts (CVE-2020-777) (Add a "How to use GitHub"-waypoint freeCodeCamp/freeCodeCamp#1110)
ae6d88e Update in-range dependencies (Bonfire: Convert HTML Entities freeCodeCamp/freeCodeCamp#1108)
4a404f7 Drop `deep-equal` (Issue 1094 - Field Guide Error freeCodeCamp/freeCodeCamp#1101)
b2120f9 Remove utile (Having trouble with <li> tags </li> freeCodeCamp/freeCodeCamp#1099)
071cc04 Update changelog
c1bcbff Remove dependency on broadway (Bonfire: Drop it - correct solution but wrong answer? freeCodeCamp/freeCodeCamp#1098)
3586afe Prepare 3.0.1 for release
67cc950 Prepare 3.0.1 for release
877d93a Replaced optimist with yargs (Fixes misspelling that caused 'undefined is not function' error freeCodeCamp/freeCodeCamp#1093)
a36330a Update forever-monitor (Adding </ to the end of the document breaks the testSuite list freeCodeCamp/freeCodeCamp#1081)
0c5d32a Update dependencies and test Node 14 (Don't refer to Bootstrap as Twitter Bootstrap freeCodeCamp/freeCodeCamp#1080)
9e85c59 Fix argument type of fs.writeFileSync (Make Streak more lenient (due to time zone confusion) freeCodeCamp/freeCodeCamp#1075)
58eb131 Add CLI test for starting/stopping from a directory with space (Readme still points to slack in notes section freeCodeCamp/freeCodeCamp#1068)
437ca4a Remove unnecessary path-is-absolute dependency ([Convert HTML Entities] Chai test never passes freeCodeCamp/freeCodeCamp#1062)
8f739b0 Execute Mocha tests (bug in the img tag freeCodeCamp/freeCodeCamp#1054)
ceb235c Update changelog

See the full diff

Package name: gulp-less

The new version differs by 5 commits.

9d9e96f chore: update deps, publish v5
ea13d8a Merge pull request Create production branch freeCodeCamp/freeCodeCamp#313 from MisterLuffy/master
7ce4b9b feat: support less v4
1a9d694 Merge pull request Merge UX-improvements and nonprofit-show into master freeCodeCamp/freeCodeCamp#314 from stamminator/master
b1a3e18 Update .travis.yml

See the full diff

Package name: ramda

The new version differs by 250 commits.

1a5d40b Version 0.27.2
4d8e8f0 Merge pull request Same code, to the letter and whitespace fails on waypoint 9 of html freeCodeCamp/freeCodeCamp#3212 from ramda/davidchambers/trim
94d0570 Security fix for ReDoS (Streak not showing properly freeCodeCamp/freeCodeCamp#3177)
8ae355e update test string for trim
6bb8eea Version 0.27.1
ed191e6 Merge pull request Typo on this page. freeCodeCamp/freeCodeCamp#2832 from kibertoad/chore/update-dependencies-2
20ba763 Update dependencies
a6620f6 Update Babel to v7 (Cannot find anchor text in cat photos freeCodeCamp/freeCodeCamp#2829)
2705518 Execute tests on Node 12 (My code seems to be generating the right output but it's not passing the tests freeCodeCamp/freeCodeCamp#2828)
c45208e hasPath return false for non-object checks (fixes 'editor.getValue(...).match(...) is null' freeCodeCamp/freeCodeCamp#2825)
0baeda1 updated invoker.js documentation (Fixed typo for issue 1979 freeCodeCamp/freeCodeCamp#2821)
072d417 Including BR translation. (Changed test for the 'Add id attributes to bootstrap elements' freeCodeCamp/freeCodeCamp#2621)
ca1e2b5 add an example which covers error and value (type or copy-paste src element and run code and doesn't show it completed correctly freeCodeCamp/freeCodeCamp#2806)
271b044 docs: Add @ since where it is missing (Need more assertion examples freeCodeCamp/freeCodeCamp#2793)
ac58c96 Update `pathSatisfies` to handles empty `path` arguments (The last test won't pass even though the three li's are closed freeCodeCamp/freeCodeCamp#2791)
b25ac73 Fix typo in split docs (Clicking the buttons on pop ups too quickly closes the pop up freeCodeCamp/freeCodeCamp#2792)
7d55e91 Add R.xor (Exclusive OR) (Update copy for handling failed attempt at linking oauth account freeCodeCamp/freeCodeCamp#2646)
efd899b feature: adding paths operator - toLowerCase is not a function freeCodeCamp/freeCodeCamp#2740 (Not accepting $(document).ready.. freeCodeCamp/freeCodeCamp#2742)
235a370 fix: rename then to andThen (You have to press the "Run Code" button twice to advance freeCodeCamp/freeCodeCamp#2772)
8d59032 Fix broken link in readme (submit method freeCodeCamp/freeCodeCamp#2768)
38feed2 remove erroneous quotes in tryCatch documentation (I cant keep going freeCodeCamp/freeCodeCamp#2765)
ce4f936 fix `@ since` in `includes` (Waypoint doesn't accept JQuery selector surrounded by single quotes freeCodeCamp/freeCodeCamp#2764)
626762b Reference to Ramda Conventions wiki page (Error on Script tag lesson freeCodeCamp/freeCodeCamp#2718)
878cacd Add prebench script (Code is correct but continues to fail freeCodeCamp/freeCodeCamp#2759)

See the full diff

Package name: sanitize-html

The new version differs by 69 commits.

b4682c1 Merge pull request Challenge http://www.freecodecamp.com/challenges/waypoint-create-a-text-field has an issue freeCodeCamp/freeCodeCamp#557 from apostrophecms/release-2.7.1
b6c4971 release 2.7.1 (with security fix previously tested and approved by Miro)
6683aad remove DoS vulnerability
7c7ccb4 credit
994f962 Merge pull request Challenge http://www.freecodecamp.com/challenges/waypoint-create-a-text-field has an issue freeCodeCamp/freeCodeCamp#555 from paweljq/fix_protocol_relative_script_tag
3c3f075 Merge pull request Challenge http://www.freecodecamp.com/challenges/waypoint-wrap-an-anchor-element-within-a-paragraph has an issue freeCodeCamp/freeCodeCamp#556 from cha147/patch-1
8e3b00f fix typos in readme
329dae7 Fix protocol relative url in scripts tags Challenge http://www.freecodecamp.com/challenges/waypoint-add-font-awesome-icons-all-of-our-buttons has an issue freeCodeCamp/freeCodeCamp#531
3cdc262 release 2.7.0 (Challenge http://www.freecodecamp.com/challenges/waypoint-wrap-an-anchor-element-within-a-paragraph has an issue freeCodeCamp/freeCodeCamp#534)
72989f1 Merge pull request css/html waypoints freeCodeCamp/freeCodeCamp#530 from apostrophecms/zade-credit
208cdb4 zade credit
7338f8b Merge pull request Challenge http://www.freecodecamp.com/challenges/waypoint-adjust-the-margin-of-an-element has an issue freeCodeCamp/freeCodeCamp#529 from zadeviggers/patch-1
1971a57 Update defaults in readme
43f28f3 Update changelog
5fccedb Allow srcset
be9c90d Add common image attributes
379b55b Bumps version (Challenge http://www.freecodecamp.com/challenges/waypoint-turn-an-image-into-a-link has an issue freeCodeCamp/freeCodeCamp#523)
da9767f Fixes important stripping (Challenge http://www.freecodecamp.com/challenges/waypoint-link-to-external-pages-with-anchor-elements has an issue freeCodeCamp/freeCodeCamp#522)
d077c9f Merge pull request The #help channel on Slack has become useless freeCodeCamp/freeCodeCamp#521 from alex-rantos/fix-trailing-text
d905b3b typo on changelog
836c5ab add CHANGELOG entry
c1112fb fix trailing text issue
d737f39 Bumps version (Challenge http://www.freecodecamp.com/challenges/bonfire-return-largest-numbers-in-arrays has an issue freeCodeCamp/freeCodeCamp#520)
e5027ef Merge pull request Challenge http://www.freecodecamp.com/challenges/waypoint-inform-with-the-paragraph-element has an issue freeCodeCamp/freeCodeCamp#515 from apostrophecms/revert-505-504-whatwg-url

See the full diff

Package name: uglify-js

The new version differs by 250 commits.

bca83cb v3.14.3
a841d45 fix corner case in `awaits` (when i return math.random() i get the error: math is not defined freeCodeCamp/freeCodeCamp#5160)
eb93d92 fix corner case in `awaits` (D3 Zipline 2: Interactive Scatterplot freeCodeCamp/freeCodeCamp#5158)
a0250ec fix corner case in `dead_code` (API Basejump 2: Request Header Parser freeCodeCamp/freeCodeCamp#5154)
2580162 parse `let` as symbol names correctly (React Zipline 5: Rogue-like Game freeCodeCamp/freeCodeCamp#5151)
32ae994 fix issues in tests flagged by LGTM (Increase Loop Protect Timeout to 1000 freeCodeCamp/freeCodeCamp#5150)
03aec89 fix corner cases in `strings` & `templates` (React Zipline 1: Markdown Preview App freeCodeCamp/freeCodeCamp#5147)
faf0190 document ECMAScript quirks (API Basejump 3: URL shortener freeCodeCamp/freeCodeCamp#5148)
c8b0f68 fix corner case in `merge_vars` (propose to change image provider freeCodeCamp/freeCodeCamp#5143)
87b9916 fix corner case in `inline` (API Basejump 4 - Image search freeCodeCamp/freeCodeCamp#5141)
940887f fix corner case in `evaluate` (Bonefire: Error Potential infinite loop freeCodeCamp/freeCodeCamp#5139)
0b2573c fix corner case in `templates` (Update babel-core to version 6.3.17 🚀 freeCodeCamp/freeCodeCamp#5137)
1575210 avoid potential RegExp denial-of-service (Update history to version 1.16.0 🚀 freeCodeCamp/freeCodeCamp#5135)
f766bab enhance `templates` (Update webpack-stream to version 3.0.0 🚀 freeCodeCamp/freeCodeCamp#5131)
436a293 enhance `dead_code` (Stop making assumptions about names freeCodeCamp/freeCodeCamp#5130)
55418fd fix corner case in `rests` (Lost all my completed waypoints & bonfires while switching laptops freeCodeCamp/freeCodeCamp#5129)
8578688 v3.14.2
4b88dfb tweak test & warnings (Accept grey-background or gray-background in Waypoint Give a Background Color to a Div freeCodeCamp/freeCodeCamp#5123)
c3aef23 fix corner case in `reduce_vars` (Skip Button/Go to next step functionality enhancement freeCodeCamp/freeCodeCamp#5121)
db94d21 fix corner case in `side_effects` (Unable to advance past this point in either Chrome or Firefox freeCodeCamp/freeCodeCamp#5118)
9634a9d fix corner cases in `optional_chains` (Fix Bonfire Truncate a String Typo freeCodeCamp/freeCodeCamp#5110)
befb99b fix corner case in `inline` (Estimate amount pledged to nonprofits and display on map freeCodeCamp/freeCodeCamp#5115)
02eb8ba fix corner case in `collapse_vars` (Change Cloud 9 Node.js selection words freeCodeCamp/freeCodeCamp#5113)
c09f63a fix corner case in `rests` (Created the task, does not work freeCodeCamp/freeCodeCamp#5109)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Directory Traversal
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn


          fix: package.json to reduce vulnerabilities

188475f

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-MOMENT-2440688
- https://snyk.io/vuln/SNYK-JS-MOMENT-2944238
- https://snyk.io/vuln/SNYK-JS-NCONF-2395478
- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631
- https://snyk.io/vuln/SNYK-JS-RAMDA-1582370
- https://snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526
- https://snyk.io/vuln/SNYK-JS-UGLIFYJS-1727251

github-actions bot commented May 16, 2024

Stale pull request message

github-actions bot added the no-pr-activity label

github-actions bot closed this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment