[Snyk] Fix for 36 vulnerabilities #1682

aliscco · 2023-12-01T23:12:21Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- test/fixtures/qs-package/node_modules/es6-promise/package.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
679/1000 Why? Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	No Known Exploit
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	No	Proof of Concept
661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	No Known Exploit
641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MERGE-1040469	No	No Known Exploit
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MERGE-1042987	No	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	No	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	No	No Known Exploit
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	No	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	No	Proof of Concept
704/1000 Why? Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	No	No Known Exploit
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	No	Proof of Concept
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
539/1000 Why? Has a fix available, CVSS 6.5	Improper Input Validation SNYK-JS-XMLDOM-1534562	Yes	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Prototype Pollution SNYK-JS-XMLDOM-3042242	Yes	No Known Exploit
811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-XMLDOM-3092935	Yes	Proof of Concept
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	No	Proof of Concept
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	Proof of Concept
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	No	No Known Exploit
399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:parsejson:20170908	No	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit
629/1000 Why? Has a fix available, CVSS 8.3	Improper minification of non-boolean comparisons npm:uglify-js:20150824	Yes	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: babel-eslint

The new version differs by 103 commits.

a0fbd50 8.0.2
2004b91 require correct deps
fa56d21 Always use unpad ([Snyk] Fix for 1 vulnerabilities #535)
295091d Allow ^ version for babel dependencies ([Snyk] Security upgrade hoek from 2.16.3 to 4.2.1 #534)
d3b8519 fix(package): update babylon to version 7.0.0-beta.31 ([Snyk] Fix for 1 vulnerabilities #533)
54ab4ac 8.0.1
c1a7882 Update README.md support ([Snyk] Security upgrade dot-prop from 2.4.0 to 4.2.1 #531) [skip ci]
51100c9 chore(package): update mocha to version 4.0.0 ([Snyk] Security upgrade jinja2 from 2.7.3 to 2.11.3 #524)
5742b71 Adding optionalCatchBinding to plugins. ([Snyk] Security upgrade jinja2 from 2.7.2 to 2.11.3 #521)
905887c 8.0.0
49493e4 update to beta.0
42d0c5b Remove already fixed workaround ([Snyk] Fix for 5 vulnerabilities #508)
25bd208 8.0.0-alpha.17
1468905 alpha.17
57c133e 8.0.0-alpha.15
1e41162 update ([Snyk] Security upgrade node-fetch from 2.6.0 to 2.6.7 #504)
c31b577 Readme update usage section ([Snyk] Security upgrade boom from 2.10.1 to 3.1.3 #501) [skip ci]
c2626f9 Update eslint to the latest version 🚀 ([Snyk] Security upgrade ansi-regex from 2.1.1 to 3.0.1 #500)
3c6b2de chore(package): update husky to version 0.14.0 ([Snyk] Fix for 2 vulnerabilities #498)
e052d5a Update install instructions to use latest stable release ([Snyk] Security upgrade django from 1.6.1 to 3.2.15 #497) [skip ci]
8e3e088 8.0.0-alpha.13
f757e22 Merge pull request [Snyk] Security upgrade django from 1.6.1 to 3.2.15 #493 from danez/regression-test
5736be6 Update babylon
37f9242 Add Prettier ([Snyk] Security upgrade aiohttp from 2.2.2 to 3.8.0 #491)

See the full diff

Package name: broccoli-merge-trees

The new version differs by 2 commits.

45d4f7b Release version 2.0.0
3f5cbdb Extract logic into node-merge-trees. Requires Node >= 4

See the full diff

Package name: broccoli-replace

The new version differs by 2 commits.

d9c8b5e Move workflows to .github folder.
0519d75 General improvements, fix vulnerabilities and bump the dependencies.

See the full diff

Package name: broccoli-stew

The new version differs by 3 commits.

9fc5cad release v2.0.0 🎉
b90c268 Merge pull request [Snyk] Security upgrade django from 1.6.1 to 2.2.26 #158 from stefanpenner/bump-engine
43d4865 Bump engine to only supported node versions 6, 8 and >= 10

See the full diff

Package name: broccoli-watchify

The new version differs by 15 commits.

97ad9d2 Merge pull request [Snyk] Upgrade typescript from 4.2.4 to 4.3.2 #2 from stefanpenner/fixes
4816cc4 release v1.0.0
6dbd972 update changelog in readme
b834f3f ensure stable output
3056266 drop watchify, only its `collect` method is required
b40d33f add tests, and improve cache
e1154ae tree-sync is a normal dep, not devdep
db0ba0c rather the loading + depending all of lodash lets just depend on assignIn (formerly known as extend)
ccf7669 remove trailing whitespace
e2405cd ensure directory for output exists, but relative to the outputPath
f8debb5 deference inputPath, so browserify requires relative to out inputPath and not relative to the realPath of a given file.
a4aab3b update deps
cbf0cf3 update + improve stuff
8ed7f1f asdf
ed8912e Merge branch 'release/0.2.0'

See the full diff

Package name: release-it

The new version differs by 247 commits.

1fcdb0f Release 3.0.0
8f94fea Move gh-pages doc updater command
59d5f73 Move `beforeStartCommand` and `isGitRepo` up
526e30e Restore support for `--debug` arg & enable more colors for debug
0acf626 Make release test more stand-alone
6860c5a Use local git repo in test
c6de5a3 Minor refactoring of task runner
ae88f4c No need to pass branch at all by default
b47fa0a Fancier readme + CONTRIBUTING.md
c88c96d Create CODE_OF_CONDUCT.md ([Snyk] Security upgrade sanitize from 4.6.2 to 4.6.2 #112)
9a66359 Release 3.0.0-beta.7
f53a713 Bit of config
7dc6c5b Update more deps
57870e8 Switch from node-glob to globby
865ece2 Release 3.0.0-beta.6
3d1a5d8 Further doc tweaks
6c475ca Always use `t.end` in sync tests
7597461 Consistent "preRelease" + docs re. pre-releases
1122601 Rewrite much of readme
d0d18d2 Change local config path to .release-it.json
2eabd81 Always generate changelog
354ffa0 Clean up & fix config defaults
aa77d23 Release 3.0.0-beta.5
a363f18 Fix "requireCleanWorkingDir" check