New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 9 vulnerabilities #43

Open

bsmoove247 wants to merge 1 commit into master from snyk-fix-bb5c26e4426e35b4aebcc3be10c4d6d3

Owner

bsmoove247 commented Oct 6, 2022

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- deps/npm/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Insertion of Sensitive Information into Log File SNYK-JS-NPMREGISTRYFETCH-575432	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: cli-columns

The new version differs by 4 commits.

89eaa84 drop travis and coveralls from readme
5da2489 upgrade deps, drop heavy dev deps, github actions, node 10+
b9e986b Update readme.md
ed6df24 Update copyright info

See the full diff

Package name: columnify

The new version differs by 34 commits.

a532ca1 Release 1.6.0
92fdab6 Clean up readme badges, update stats.
a350bf2 Add npm cache to CI.
aae8411 Actually install & test in CI.
b2fe72f Use github actions.
4b54106 Update node version in travis.yml.
c820951 Update packages.
10ea59d Update packages.
e768ed8 Revert "Merge pull request [Snyk] Security upgrade rollup-plugin-typescript2 from 0.20.1 to 0.22.0 #59 from njhoffman/master"
1cf9287 Merge pull request [Snyk] Security upgrade rollup-plugin-typescript2 from 0.20.1 to 0.22.0 #59 from njhoffman/master
091ddb0 Merge pull request [Snyk] Fix for 1 vulnerabilities #60 from sreekanth370/master
bece43f Merge pull request [Snyk] Security upgrade mocha from 5.2.0 to 10.1.0 #49 from tdmalone/patch-1
4b72760 Merge branch 'master' into master
e7c082a Merge pull request [Snyk] Fix for 1 vulnerabilities #62 from viceice/patch-1
db4ee97 chore: bump version
0bd797f chore: require node v8
ea15deb fix: update strip-ansi to v6.0.1
33c942e compatibility updates
5cb6515 fixed transipiling errors
a27ddb8 version bump
95d9a8e extract strip-ansi dependency
4895ec1 version bump
64c77f5 version bump
1d3ef4b add modules key and main eky to package.json

See the full diff

Package name: libnpm

The new version differs by 4 commits.

d24cd69 chore(release): 3.0.1
b4c1696 deps: bump deps for cacache@12 update
54070f6 chore(release): 3.0.0
56cc8e5 npm-lifecycle@3.0.0

See the full diff

Package name: node-gyp

The new version differs by 250 commits.

f5fa6b8 chore: release 8.4.1
cc37b88 fix: windows command missing space (test: fix default value for additional param nodejs/node#2553)
8083f6b deps: npmlog@6.0.0
787cf7f docs: fix typo in powershell node-gyp update
7073c65 chore: release 8.4.0
a27dc08 feat: build with config.gypi from node headers
5a00387 feat: support vs2022 (src: check for --prof in ParseArgs nodejs/node#2533)
fb85fb2 chore: release 8.3.0
5585792 feat(gyp): update gyp to v0.10.0 (added CSI (\x9b) as additionally allowable escape nodejs/node#2521)
b05b4fe chore(deps): bump make-fetch-happen from 8.0.14 to 9.1.0
0a67dcd test: Python 3.10 was release on Oct. 4th (Input from TTY is strange nodejs/node#2504)
f2ad87f chore: refactor the creation of config.gypi file
bc47cd6 chore: release 8.2.0
ed9a9ed feat(gyp): update gyp to v0.9.6 (The future of HTTP in Node nodejs/node#2481)
660dd7b doc: correct link to "binding.gyp files out in the wild" (src: improve startup time nodejs/node#2483)
ec15a3e chore(deps): bump tar from 6.1.0 to 6.1.2 (Investigate flaky test test-dgram-multicast-multi-process nodejs/node#2474)
78361b3 ISSUE_TEMPLATE.md: Instructions for old versions (Investigate flaky test test-child-process-spawnsync nodejs/node#2470)
f0882b1 fix: missing spaces
c8c0af7 fix: doc how to update node-gyp independently from npm
b6e1cc7 Add title to node-gyp version document (Merge v3.1.0 into next+1 nodejs/node#2452)
b7bccdb ci: GitHub Actions Test on node: [12.x, 14.x, 16.x] (win,msi: Upgrade from old upgrade code nodejs/node#2439)
161c235 doc(wiki): safer doc names, remove unnecessary TypedArray doc
b52e487 doc(wiki): link to docs/ from README
f0a4835 doc(wiki): move wiki docs into doc/

See the full diff

Package name: npm-registry-fetch

The new version differs by 16 commits.

62ce833 chore(release): 4.0.5
43a5d84 chore: remove basic auth data from logs
71ab0e7 chore(release): 4.0.4
fc5d94c Put default timeout back to zero
2e0c446 chore(release): 4.0.3
d7d8c58 chore: publish as latest-v4
69c2977 fix: use 30s default for timeout as per README
fe7b129 chore(doc): document the effect of ?write=true on caching
ba8b4fe fix: always bypass cache when ?write=true
b758555 chore(release): 4.0.2
e3a0186 fix: Add null check on body on 401 errors
ff5f990 test(check-response): Added missing tests
49059f0 chore(release): 4.0.1
8eae5f0 fix(deps): Add explicit dependency on safe-buffer
5dbd1d7 chore(release): 4.0.0
0c4f060 cacache@12.0.0, infer uid from cache folder

See the full diff

Package name: npmlog

The new version differs by 7 commits.

15366fb 5.0.0
d81ce11 docs: changelog for v5.0.0
e420957 BREAKING CHANGE: update deps, lint, test coverage (Mani nodejs/node#79)
f0454b0 deps: bump tap
c989a1c chore: update CI for current Node LTS
5414070 Appease standard
c9ed17d package-lock@1

See the full diff

Package name: update-notifier

The new version differs by 42 commits.

311557e 6.0.0
9183541 Require Node.js 14 and move to ESM
3fdb218 5.1.0
73c391b Upgrade dependencies
0a6027e Move to GitHub Actions
d8fa601 Rename `master` branch to `main`
f63b2eb 5.0.1
9e2b772 Update dependencies
da7c464 5.0.0
5b440c2 Require Node.js 10
3dfe42d Don't suggest to upgrade to lower version (node-forward/node deactivation nodejs/node#192)
132b7ce Remove a project from "Users" section (doc: util: document --trace-deprecation nodejs/node#191)
c9d2166 4.1.1
f42fc8f Improve vertical alignment of the notifier output (What branch/version and which of the contributing guides to use? nodejs/node#183)
71a3f19 Use HTTPS links
64c5236 Fix Travis
9d9f4ff 4.1.0
4062f12 Update dependencies
adbeb6e Add template support for the `message` option (debugger: improve clearBreakpoint error and docs nodejs/node#175)
adf7803 4.0.0
fb5161c Remove the `callback` option (RFC: bundle tick processor with iojs nodejs/node#158)
39682de Rename `boxenOpts` option to `boxenOptions`
bc1721a Avoid showing notification if current version is the latest (lib,src: remove post-gc event infrastructure nodejs/node#174)
ccaf686 Update dependencies

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Arbitrary File Write
🦉 Arbitrary File Write
🦉 Arbitrary File Write
🦉 More lessons are available in Snyk Learn


          fix: deps/npm/package.json to reduce vulnerabilities

6df9738

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-GOT-2932019
- https://snyk.io/vuln/SNYK-JS-NPMREGISTRYFETCH-575432
- https://snyk.io/vuln/SNYK-JS-TAR-1536528
- https://snyk.io/vuln/SNYK-JS-TAR-1536531
- https://snyk.io/vuln/SNYK-JS-TAR-1536758
- https://snyk.io/vuln/SNYK-JS-TAR-1579147
- https://snyk.io/vuln/SNYK-JS-TAR-1579152
- https://snyk.io/vuln/SNYK-JS-TAR-1579155

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment