New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 9 vulnerabilities #105

Open

ajesse11x wants to merge 1 commit into develop from snyk-fix-fe49b20add454fd25e524ebc940b16ef

Owner

ajesse11x commented Nov 29, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- packages/server/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	679/1000 Why? Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-URLREGEX-569472	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Prototype Pollution SNYK-JS-XML2JS-5414874	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @cypress/browserify-preprocessor

The new version differs by 69 commits.

2b1c1f4 chore: Upgrade node to 16.13.0, use https for npm registry ([Snyk] Security upgrade electron-packager from 9.0.1 to 15.0.0 #94)
927b76a fix: release
67ea9f6 chore: Fix semantic release ([Snyk] Security upgrade execa from 0.10.0 to 2.1.0 #93)
a8ff57f fix: release
a8adb24 chore: Bump circle node orb and non-major deps ([Snyk] Fix for 13 vulnerabilities #92)
c66ae40 chore(docs): remove note about being default ([Snyk] Security upgrade debug from 2.6.9 to 3.1.0 #91)
76edfbe chore(deps): update dependency semantic-release to version 17.2.3 🌟 ([Snyk] Security upgrade @cypress/browserify-preprocessor from 1.1.0 to 1.1.1 #76)
61dae70 fix(deps): update dependency glob-parent to version 5.1.2 🌟 ([Snyk] Security upgrade @cypress/browserify-preprocessor from 1.1.0 to 2.0.0 #84)
fc9f2ee Merge pull request [Snyk] Security upgrade jimp from 0.2.28 to 0.3.7 #77 from cypress-io/renovate/npm-set-value-vulnerability
60e408b Merge pull request [Snyk] Security upgrade electron-packager from 9.0.1 to 13.0.0 #67 from cypress-io/renovate/npm-elliptic-vulnerability
d0a76d7 Merge pull request [Snyk] Security upgrade plist from 2.1.0 to 3.0.4 #68 from cypress-io/renovate/npm-handlebars-vulnerability
f1273c8 Merge pull request [Snyk] Security upgrade ramda from 0.24.1 to 0.27.2 #65 from cypress-io/renovate/npm-acorn-vulnerability
d9467f2 Merge pull request [Snyk] Security upgrade underscore.string from 3.3.4 to 3.3.6 #66 from cypress-io/renovate/npm-dot-prop-vulnerability
b882246 chore(deps): update set-value to 2.0.1 🌟
91dbb34 Merge pull request [Snyk] Security upgrade node-forge from 0.6.49 to 1.3.0 #69 from cypress-io/renovate/npm-https-proxy-agent-vulnerability
8f20054 Merge pull request [Snyk] Fix for 1 vulnerabilities #70 from cypress-io/renovate/npm-ini-vulnerability
9044660 Merge pull request [Snyk] Fix for 1 vulnerabilities #71 from cypress-io/renovate/npm-lodash-vulnerability
1309f48 Merge pull request [Snyk] Fix for 1 vulnerabilities #72 from cypress-io/renovate/npm-marked-vulnerability
e9c9043 Merge pull request [Snyk] Security upgrade getos from 3.1.0 to 3.1.2 #73 from cypress-io/renovate/npm-mixin-deep-vulnerability
cff2acb Merge pull request [Snyk] Security upgrade hbs from 4.0.0 to 4.0.2 #74 from cypress-io/renovate/npm-node-fetch-vulnerability
170a37c chore(deps): update node-fetch to 2.6.1 🌟
0526cb6 chore(deps): update mixin-deep to 1.3.2 🌟
e000efc chore(deps): update marked to 0.7.0 🌟
494c6bd chore(deps): update lodash to 4.17.19 🌟

See the full diff

Package name: chokidar

The new version differs by 239 commits.

7b8e02a Release 3.0.0.
e7bfe2f Move stuff.
df7f22e Remove changelog from npm, move to hidden dir.
3df7692 Improve naming.
6e94ca2 Clean-up.
2de2f9c test: Add testing of Node.js v12 in Travis pipeline. (Add browser + version to stdout cypress-io/cypress#833)
9e0965a Fix Windows tests in Travis CI (Support chrome --headless cypress-io/cypress#832)
c95a98f Update stuff.
187ff2b test: Trying to fix blinked tests for Travis CI. (Uncaught Exceptions should clearly indicate where they originated from cypress-io/cypress#825)
db99076 fix(Windows): Add converting from windows to unix path for all ignored paths. (Add Cypress utility methods for OS / Platform / Arch / Browser / Browser Version cypress-io/cypress#824)
41f8782 fix(FsEvents): Remove situation with NaN depth. (No stack traces in cypress run and inconsistent from cypress open cypress-io/cypress#823)
7cf3f7e Update readdirp to stable.
0927a62 Bump packages.
11cd857 Update nyc.
99c14d7 Uncomment fsevents.
cf330a5 Update fsevents.
0e4fca5 Fix deps.
9c575d4 Fix Windows version (server: read record key from environment variable, close #820 cypress-io/cypress#821)
3323d59 fix(Linux): Make event loop hack for keep testing valid. (Cannot pass record key through CYPRESS_RECORD_KEY variable (local dev mode) cypress-io/cypress#820)
06214c5 Update to latest readdirp.
793639f Rename osxfswatch.
078bc2d Refactor and fix freaking tests.
2b9bb41 Try node 11.
3fe3d4e Test travis.

See the full diff

Package name: hbs

The new version differs by 95 commits.

7a0da80 v4.1.1
0647f9b deps: handlebars@4.7.6
3cc3455 deps: handlebars@4.7.3
07d4acc build: mocha@7.1.1
0717195 build: eslint-plugin-markdown@1.0.2
da7edaf tests: add test for typical model usage
a9dbdc2 build: mocha@7.1.0
8640b2d build: eslint@6.8.0
2fb94e0 build: Node.js@12.16
74e5568 build: Node.js@10.19
da05674 lint: apply to readme
504a635 build: mocha@7.0.1
55df109 v4.1.0
54780a9 build: remove deprecated mocha.opts
42e5550 build: nyc@15.0.0
04ff393 build: mocha@7.0.0
57a2086 deps: handlebars@4.5.3
00b0449 build: Node.js@12.14
0d99d08 build: Node.js@10.18
e49d614 build: Node.js@8.17
c3f0070 build: Node.js@10.17
b3252a3 deps: handlebars@4.4.5
7f9133b docs: fix history formatting
5b74831 build: Node.js@12.13

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)


          fix: packages/server/package.json to reduce vulnerabilities

f5364d4

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-BABELTRAVERSE-5962462
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
- https://snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660
- https://snyk.io/vuln/SNYK-JS-URLREGEX-569472
- https://snyk.io/vuln/SNYK-JS-XML2JS-5414874

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet