Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 1 vulnerabilities #20

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

snyk-bot
Copy link

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • deps/npm/package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 658/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-HOSTEDGITINFO-1088355
Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: hosted-git-info The new version differs by 28 commits.
  • a810463 chore(release): 3.0.8
  • bede0dc fix: simplify the regular expression for shortcut matching
  • afe2808 chore(release): 3.0.7
  • eb5bd5a fix: correctly filter out urls for tarballs in gitlab
  • d30f96e chore(release): 3.0.6
  • c067102 fix: support to github gist legacy hash length
  • c53c6ab chore(release): 3.0.5
  • 167cef2 chore: properly advertise version support
  • 47c931e update lru-cache to latest
  • 8e0b0ec chore(release): 3.0.4
  • 0835306 fix: Do not pass scp-style URLs to the WhatWG url.URL
  • 6f39e93 chore(release): 3.0.3
  • 31140a7 Ensure passwords in hosted Git URLs are correctly escaped
  • 4636ac9 chore(release): 3.0.2
  • 3e5fbec fix: do not encodeURIComponent the domain
  • 97c8caa chore(release): 3.0.1
  • e3e3054 fix: update pathmatch for gitlab
  • af4835c test: added script to get coverage report
  • d04239b test: removed unused testing structure
  • 4693b9c test: moved all github url tests together
  • a03d51e test: added refactered tests for bitbucket
  • 0aea712 test: added ignore; for 100% testing (this seems wonky)
  • b473c55 test: added basic test for ._fill() method
  • fa87af7 fix: updated pathmatch for gitlab

See the full diff

Package name: init-package-json The new version differs by 21 commits.

See the full diff

Package name: libnpmhook The new version differs by 14 commits.

See the full diff

Package name: normalize-package-data The new version differs by 12 commits.

See the full diff

Package name: npm-package-arg The new version differs by 3 commits.

See the full diff

Package name: npm-pick-manifest The new version differs by 9 commits.
  • 405d00b chore(release): 4.0.0
  • 42c76d8 deps: bump npm-package-arg to v7
  • 8e66272 chore(release): 3.0.2
  • 420fb8c chore: update repo links
  • 543da7c chore(release): 3.0.1
  • 003286e fix: throw 403 for forbidden major/minor versions
  • ed0fc29 chore(release): 3.0.0
  • 6ab64fd chore: remove node 4.0 from travis
  • ad2a962 feat: throw forbidden error when package is blocked by policy

See the full diff

Package name: npm-registry-fetch The new version differs by 63 commits.
  • 622afb4 chore(release): 5.0.1
  • 7aa14fd deps: update all deps
  • 5764c15 deps: npm-package-arg@7
  • 786f092 chore(release): 5.0.0
  • 41ff216 chore: update travis config
  • 39e5cfe doc: fix badge url
  • 97c1208 chore: update tap, improve offline/prefer-offline tests
  • 82abf26 chore: Add missing tests and clean up dead code
  • 90ac7b1 fix: prefer const in getAuth function
  • e64702e fix: use minizlib instead of core zlib
  • 5cfe30b test: add string query example to test
  • e7286f7 fix!: Use native Promises
  • bb37f20 feat: refactor to use Minipass streams
  • b758555 chore(release): 4.0.2
  • e3a0186 fix: Add null check on body on 401 errors
  • ff5f990 test(check-response): Added missing tests
  • 49059f0 chore(release): 4.0.1
  • 8eae5f0 fix(deps): Add explicit dependency on safe-buffer
  • 5dbd1d7 chore(release): 4.0.0
  • 0c4f060 cacache@12.0.0, infer uid from cache folder
  • 4b62980 chore(release): 3.9.1
  • 7878bbe deps: make-fetch-happen@4.0.2
  • e064215 deps: lru-cache@5.1.1
  • 4491843 chore(release): 3.9.0

See the full diff

Package name: pacote The new version differs by 154 commits.
  • ed57e5c 10.1.2
  • d9bce22 git: resolved should be a git+ssh:// url, not just ssh://
  • 84535a3 git: Fall back from tgz to ssh on HTTP errors
  • 7ee23c3 git: make 'from' and 'resolved' consistent and useful
  • 10ff45f update deps to pull in newer hosted-git-info
  • 88beaab Return the requested spec as the 'from' value
  • e5b84f2 test: fix git configs for git 2.23 and above
  • 5a3bfbd typo in bin usage text
  • 04a0f0c Keep home dir out of snapshots
  • ae7c912 10.1.1
  • cb31be8 filter out .swp files from package
  • 43e239d 10.1.0
  • 3d4012a add pacote CLI
  • 99a3f21 update tap
  • dc10617 test: node 13 made errno a number again
  • e516f96 add repository field to package
  • 37f24b3 10.0.0
  • ad72e94 test: use t.testdir() instead of manually creating test dirs
  • a79846e fresh update all deps
  • 2e4482a Improve integrity consistency and handling
  • 9964c7b update tap and minipass-fetch
  • 6460b02 Remove spurious top-level dep on make-fetch-happen
  • 1f4473a Pack and unpack preserving exec perms on all package bins
  • 347c563 Cache manifest as fetcher.package

See the full diff

Package name: read-package-json The new version differs by 8 commits.
  • 9f7049d chore(release): 3.0.0
  • 19d9fbe fix: check-in updated lockfile
  • eef46fa chore: add engines definition
  • 36b7ef7 chore: remove old .travis.yml envs
  • b3a8831 globa@7.1.6
  • fb3ceae json-parse-even-better-errors@2.3.1
  • 78add03 npm-normalize-package-bin@1.0.1
  • 7595d70 normalize-package-data@3.0.0

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant