Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 2 vulnerabilities #357

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 2 vulnerabilities #357

wants to merge 1 commit into from

Conversation

snyk-bot
Copy link

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • packages/homepage/package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-CSSWHAT-1298035		 Yes No Known Exploit
high severity 661/1000
Why? Recently disclosed, Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JS-SOCKETIOPARSER-5596892		 Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: gatsby The new version differs by 250 commits.
  • 15ab3f8 chore(release): Publish
  • 19eec6d chore(gatsby): bump socket.io (#37272) (#37497)
  • d88ed09 chore(release): Publish
  • d04b3b5 feat(gatsby-source-drupal): drupal langcode as notlangcode (#37445) (#37459)
  • 19d3861 fix(gatsby-source-drupal): await async handleDeletedNode (#37435) (#37458)
  • b229e7b fix(gatsby): Use correct settings for yaml-loader (#37454) (#37460)
  • 7021834 fix(gatsby-source-contentful): maintain back reference map between runs (#37442) (#37456)
  • 13bf518 chore(release): Publish
  • b30a43f chore(deps): Bump yaml-loader (#37401) (#37407)
  • 492a31a fix(gatsby): handle initializing multiple instances of gatsby-plugin-sharp (#37306) (#37329)
  • 4dcca80 chore(release): Publish
  • 59076c8 fix(gatsby-transformer-remark): Disallow JS frontmatter by default (#37244) (#37298)
  • 48a3db4 fix(gatsby): [rendering engines] use results of exports removal if sourceMap was not generated alongside transformed code (#37282) (#37299)
  • ea42d7f fix(gatsby): don't output file-loader assets to .cache (#37284) (#37300)
  • 2cc9eaf chore(release): Publish
  • a729764 fix(gatsby-source-wordpress): Add back nodeType field that was removed in last version (#37212) (#37218)
  • 188d3e7 chore(release): Publish
  • 947e11b chore(gatsby-source-wordpress): use wpgql 1.13 in itests (#37146) (#37208)
  • 5e72a5d chore(release): Publish
  • 2dc715d chore: remove tracedSVG (#37093) (#37127)
  • 07c0478 chore(release): Publish
  • c698f13 fix(gatsby-source-wordpress): WPGraphQL 1.13.0 compatibility (#37134) (#37183)
  • 49cca44 chore(release): Publish
  • fac9fbc feat(gatsby-source-drupal): Provide proxyUrl in addition to baseUrl to allow using CDN, API gateway, etc. (#36819) (#37084)

See the full diff

Package name: gatsby-plugin-sharp The new version differs by 250 commits.
  • c1e67a2 chore(release): Publish
  • 0c45654 chore: remove tracedSVG (#37093) (#37137)
  • d7edf95 chore(release): Publish
  • 2d00ea0 fix(gatsby-plugin-mdx): Do not leak frontmatter into page (#35859) (#35913)
  • 4997d63 chore(release): Publish
  • ff94ed5 fix(gatsby-plugin-mdx): don't allow JS frontmatter by default (#35830) (#35834)
  • 36f21b0 chore: Removate validate-renovate from v3-latest branch (#34460)
  • 1acb1bc chore(release): Publish
  • 1589bd8 fix(gatsby): ensure that writing node manifests to disk does not break on Windows (#33853) (#34020)
  • 9694010 fix(gatsby-source-drupal): Ensure all new nodes are created before creating relationships (#33864) (#34019)
  • 76deb39 fix(gatsby-source-drupal): searcParams missing from urls (#33861) (#34018)
  • f74cc8f feat(gatsby-source-drupal): Add node manifest support for previews (#33683) (#34017)
  • 476a591 chore(release): Publish
  • 35b48f8 fix(gatsby-plugin-image): GatsbyImage not displaying image in IE11 (#33416) (#33806)
  • 880022e fix(gatsby-plugin-image): flickering when state changes (#33732) (#33807)
  • c0d07e7 feat(gatsby-source-wordpress): Update supported-remote-plugin-versions.ts (#33801) (#33804)
  • 3d9a702 chore(release): Publish
  • 84053a2 fix(gatsby-plugin-sharp): pass input buffer instead of readStream when processing image jobs (#33685) (#33703)
  • 4722a0d fix(gatsby-source-drupal): Add timeout in case of stalled API requests (#33668) (#33705)
  • 857a628 fix(gatsby): single page node manifest accuracy (#33642) (#33698)
  • 6bfd0f1 Properly set the pathPrefix and assetPrefix in the pluginData (#33667) (#33702)
  • 26c51c0 fix(gatsby-source-drupal): cache backlink records (#33444) (#33701)
  • b80c53a fix(gatsby-source-drupal): Correctly update nodes with changed back references so queries are re-run (#33328) (#33699)
  • e29a194 chore: use gatsby-dev-cli@latest-v3 in tests

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

@socket-security
Copy link

New dependency changes detected. Learn more about Socket for GitHub ↗︎

🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore @parcel/watcher@2.1.0
  • @SocketSecurity ignore lmdb@2.5.2
  • @SocketSecurity ignore lmdb@2.5.3
  • @SocketSecurity ignore msgpackr-extract@3.0.2
🫣 Native code

Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.

Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.

Package Location Source
@parcel/watcher@2.1.0 (added) binding.gyp packages/homepage/package.json via gatsby@4.25.7
lmdb@2.5.2 (added) binding.gyp packages/homepage/package.json via gatsby@4.25.7
lmdb@2.5.3 (added) binding.gyp packages/homepage/package.json via gatsby@4.25.7
msgpackr-extract@3.0.2 (added) binding.gyp packages/homepage/package.json via gatsby@4.25.7
Pull request alert summary
Issue Status
Install scripts ✅ 0 issues
Native code ⚠️ 4 issues
Bin script shell injection ✅ 0 issues
Unresolved require ✅ 0 issues
Invalid package.json ✅ 0 issues
HTTP dependency ✅ 0 issues
Git dependency ✅ 0 issues
Potential typo squat ✅ 0 issues
Known Malware ✅ 0 issues
Telemetry ✅ 0 issues
Protestware/Troll package ✅ 0 issues

📊 Modified Dependency Overview:

➕ Added Package Capability Access +/- Transitive Count Publisher
babel-plugin-macros@3.1.0 None +0 kentcdodds
gatsby@4.25.7 environment +256 pieh
gatsby-plugin-sharp@3.15.0 filesystem +148 pieh

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
do-not-merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@snyk-bot