[Snyk] Fix for 1 vulnerabilities

[VandeurenGlenn]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • examples/delegated-routing/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	823/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.6	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: ipfs

The new version differs by 250 commits.

• bf1bc8b chore: release master (#4364)
• 7b79c1b fix: add deprecation notice to readmes (#4362)
• 410725b chore: disable dependabot.yml (#4363)
• b64d4af docs: update README.md (#4307)
• 3bcabe3 chore: fix link to ci results (#4299)
• ab02e8f docs: update readmes to fix ci badges (#4296)
• c5e76b7 update-ipfs-http-client (#4293)
• 6eeb1be deps(dev): update interop, ipfsd-ctl and kubo-rpc-client (#4294)
• 6e94067 chore: release master (#4252)
• d1c3abb deps: update libp2p to 0.42.x (#4288)
• 0cfcaf6 fix: allow reading rawLeaves in MFS (#4282)
• fa578ba fix: disallow publishing pubsub messages to zero peers (#4286)
• 789ee58 deps: update dag-jose to 4.0.0 (#4289)
• 4b4c124 deps: update ipfs-utils for node 18 compatibility (#4287)
• 5f73eca chore: do not double-build interface tests
• 1916ca8 chore: interface tests should run after build
• 115a405 fix: fix publish step
• 6d90cbf fix: use aegir to publish RCs (#4284)
• 2a6fede fix: update lerna config for rc publishing (#4283)
• e85e5b6 deps: update @ chainsafe/libp2p-gossipsub to 6.0.0 (#4280)
• 563806f fix: restore lerna for preleases (#4281)
• 521c84a fix!: update multiformats to v11.x.x and related depenendcies (#4277)
• 6be5906 fix: mfs blob import for files larger than 262144b (#4251)
• b722041 docs: DisableNatPortMap should be true to disable port mapping (#4244)

See the full diff

Package name: libp2p-delegated-content-routing

The new version differs by 59 commits.

• d433941 chore: release version v0.11.0
• b01ca9e chore: update contributors
• f34c7d2 chore: update to new multiformats ([Snyk] Security upgrade ipfs from 0.34.4 to 0.66.1 #52)
• a5aa25a chore: release version v0.10.0
• 7a8d8a3 chore: update contributors
• 492ddc7 chore: add github actions
• a83a0dd chore: update deps
• b1b316e chore: remove peer deps ([Snyk] Security upgrade libp2p-webrtc-star from 0.17.11 to 0.20.4 #50)
• 99a6491 chore: update delegate host to existing host ([Snyk] Fix for 1 vulnerabilities #48)
• 33491f1 chore: release version v0.9.0
• a07574a chore: update contributors
• 28d3a45 feat: allow providing non-dag-pb nodes ([Snyk] Security upgrade libp2p-secio from 0.12.6 to 0.13.0 #47)
• 73af076 chore: release version v0.8.2
• 9b382d9 chore: update contributors
• b442ebb chore: release version v0.8.1
• b95c064 chore: update contributors
• edf8ab6 chore: update deps ([Snyk] Fix for 41 vulnerabilities #46)
• 7a7e832 chore: release version v0.8.0
• e28ffe7 chore: update contributors
• aa10486 chore: update ipfs-http-client peer dep ([Snyk] Fix for 6 vulnerabilities #45)
• 0043e9b chore: docs update ([Snyk] Security upgrade libp2p-interfaces from 0.2.8 to 0.3.2 #44)
• a024a96 chore: release version v0.7.0
• 9c8f873 chore: update contributors
• 003888a fix: accept http client instance ([Snyk] Security upgrade react-scripts from 2.1.8 to 3.3.0 #43)

See the full diff

Package name: libp2p-delegated-peer-routing

The new version differs by 26 commits.

• 38d2848 chore: release version v0.5.0
• 1bb207a chore: update contributors
• a1b1b5e chore: make ipfs-http-client a peer dependency ([Snyk] Security upgrade react-scripts from 2.1.8 to 5.0.0 #32)
• f49ddc0 chore: remove-peer-info-from-api ([Snyk] Security upgrade ipfs from 0.34.4 to 0.41.0 #25)
• 4e76474 chore(deps-dev): bump ipfsd-ctl from 3.1.0 to 4.0.1 ([Snyk] Security upgrade react-scripts from 2.1.8 to 5.0.0 #31)
• 3255b6f chore: release version v0.4.3
• e90430c chore: update contributors
• 528adf3 chore: update deps ([Snyk] Security upgrade libp2p-webrtc-star from 0.17.11 to 0.24.0 #30)
• bdb89b6 chore: release version v0.4.2
• 46658e0 chore: update contributors
• 67536b4 chore: update ipfs-http-client to the latest version ([Snyk] Security upgrade react-scripts from 2.1.8 to 3.1.0 #23)
• c777434 chore(deps-dev): bump aegir from 20.6.1 to 21.0.2
• 00296ba chore: release version v0.4.1
• ee2128e chore: update contributors
• afbc877 chore: update ipfs-http-client dep ([Snyk] Fix for 3 vulnerabilities #17)
• 949c0c0 docs: document required API endpoint ([Snyk] Fix for 3 vulnerabilities #15)
• 9a46c6b chore: release version v0.4.0
• 1510fde chore: update contributors
• 36d852f chore: rename timeout option ([Snyk] Upgrade libp2p-secio from 0.12.6 to 0.13.1 #14)
• ce9543f chore: release version v0.3.1
• 78769e2 chore: update contributors
• e844d30 fix: limit concurrent HTTP requests ([Snyk] Upgrade libp2p-secio from 0.12.6 to 0.13.1 #12)
• f09bf3d chore: readme with correct usage dependency ([Snyk] Upgrade libp2p-websockets from 0.12.4 to 0.16.2 #11)
• d1d1163 chore: release version v0.3.0

See the full diff

Package name: libp2p-kad-dht

The new version differs by 79 commits.

• 42eb5eb chore: release version v0.19.0
• 0ed345a chore: update contributors
• 568c19c chore: use new content and peer routing apis (Can I REST over libp2p Connection? libp2p/js-libp2p#181)
• 129566f chore: update interface links (feat: use class-is for type checks libp2p/js-libp2p#182)
• a00b470 chore: release version v0.19.0-pre.0
• 12d0872 chore: use libp2p 0.28.x branch
• f0fb212 chore: peer-discovery not using peer-info (Allow transports to expose a flag if the can be dialed with without having a listener libp2p/js-libp2p#180)
• b9e45ff chore: release version v0.19.0-pre.0
• 67a2db7 chore: update contributors
• 194c701 chore: use new peer store api (Error: no protocol with code: 56 libp2p/js-libp2p#179)
• 6456cc8 chore: release version v0.18.6
• 8d31075 chore: update contributors
• fe3b218 chore(deps): bump cids from 0.7.5 to 0.8.0 (enable missing syntax highlighting libp2p/js-libp2p#178)
• 7b8d115 chore(deps): bump p-map from 3.0.0 to 4.0.0 (avoid constructor.name . fix for #65 libp2p/js-libp2p#177)
• 764ba63 chore(deps-dev): bump sinon from 8.1.1 to 9.0.0 (when listener handle a protocol, how to deal error? libp2p/js-libp2p#176)
• 5ee91d7 chore(deps-dev): bump aegir from 20.6.1 to 21.0.2 ([feature request]: Low-Level Connection Management libp2p/js-libp2p#175)
• 698fc51 chore: release version v0.18.5
• 636d4c2 chore: update contributors
• de85eb6 fix: remove use of assert module ([feature request]: Support changing listeners at runtime libp2p/js-libp2p#173)
• 7b99370 chore: release version v0.18.4
• c5721d0 chore: update contributors
• 3731a2e chore(deps): bump libp2p-interfaces from 0.1.7 to 0.2.3 (Error: Multiplexer is destroyed` on the server when libp2p circuit is doing something while the client crashes just after connecting libp2p/js-libp2p#171)
• 49f8e46 chore(deps-dev): bump datastore-level from 0.12.1 to 0.14.1 (stats: exposed and documented libp2p/js-libp2p#169)
• 6b7dcbf chore(deps-dev): bump sinon from 7.5.0 to 8.1.1 (Expose switch stats libp2p/js-libp2p#168)

See the full diff

Package name: libp2p-secio

The new version differs by 8 commits.

• b3a7040 chore: release version v0.12.1
• f1e79ce chore: update contributors
• b22152a chore: clean up published package (metamask libp2p/js-libp2p#110)
• aea41de chore: release version v0.12.0
• c081ea5 chore: update contributors
• 8ad4c15 refactor: use async await (depends on async but does not declare it libp2p/js-libp2p#108)
• 774267f docs(fix): readme typo (Tutorial: Peer and Content Routing (aka DHT) libp2p/js-libp2p#107)
• 1329e9c chore: add discourse badge (docs(examples): libp2p in the browser 1 libp2p/js-libp2p#105)

See the full diff

Package name: libp2p-webrtc-star

The new version differs by 150 commits.

• 590c5fc chore: release version v0.23.0
• e88d63d chore: update contributors
• e4360f2 chore: update deps (feat: integrate gossipsub by default libp2p/js-libp2p#365)
• c629cc1 chore: release version v0.22.4
• d01cd4a chore: update contributors
• 441a34e chore: update deps and use socket.io server v4 (feat: sign pubsub messages libp2p/js-libp2p#362)
• 4822c40 chore: release version v0.22.3
• a046a72 chore: update contributors
• 1076b5b chore: update ipfs-utils dep (If I need only an outgoing connection, why libp2p should be start()'ed to listening for incoming connections? libp2p/js-libp2p#341)
• f61c4a1 chore: remove unecessary async fn in test (feat: update to the latest switch libp2p/js-libp2p#336)
• 2eacc5f chore: release version v0.22.2
• 4ccf5be chore: update contributors
• 4c82721 chore: add err code for unknown signal server on dial (Windows testing is back!! libp2p/js-libp2p#335)
• c780457 chore: release version v0.22.1
• 68b206f chore: update contributors
• 5b7b142 feat: support multiple listeners (enhancement: allow configuration for transport modules libp2p/js-libp2p#330)
• 53cbde6 chore: release version v0.22.0
• 35ea046 chore: update contributors
• 44f4232 chore: update deps (fix: make the config less restrictive libp2p/js-libp2p#329)
• f644b08 chore: release version v0.21.2
• b8b3fd0 chore: update contributors
• 8ef0358 chore(deps): bump err-code from 2.0.3 to 3.0.1 (add callback to pubsub.unsubscribe and test (#300) libp2p/js-libp2p#302)
• aa9f08a chore: release version v0.21.1
• 1f080b2 chore: update contributors

See the full diff

Package name: libp2p-websockets

The new version differs by 63 commits.

• e9189bb chore: release version v0.16.0
• c4005b3 chore: update contributors
• 27f6c41 chore: update deps (Removing the Central Rendezvous Points for the *-star transports libp2p/js-libp2p#134)
• db343b2 chore: use node 16 in ci (chore: Upgrade wrtc to 0.0.63 libp2p/js-libp2p#133)
• 19e6f59 chore: release version v0.15.9
• 6e6a90c chore: update contributors
• 7bfdcb9 chore: update ipfs-utils dep (Updating CI files libp2p/js-libp2p#132)
• 62a3276 chore: release version v0.15.8
• a996e16 chore: update contributors
• ee47570 fix: listener get addrs with wss (dependency injection during boot time libp2p/js-libp2p#130)
• 237fa15 chore: release version v0.15.7
• 488847e chore: update contributors
• 01ad18e chore: update ipfs-utils dep (docs: add missing sections to the README libp2p/js-libp2p#128)
• e929104 chore: release version v0.15.6
• 47c234d chore: update contributors
• 76a4809 chore: update multiaddr to uri (Expose instance of libp2p to discovery instances libp2p/js-libp2p#125)
• 90f13e9 chore: release version v0.15.5
• c7522a3 chore: update contributors
• 67a95cb chore: update deps (Update README.md libp2p/js-libp2p#124)
• f1a5d21 chore: release version v0.15.4
• c5ddb0b chore: update contributors
• ff4b764 chore: update deps (Remove non-prepared link in document libp2p/js-libp2p#123)
• d07d1b7 chore: release version v0.15.3
• 9934161 chore: update contributors

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-side Request Forgery (SSRF)