
[Snyk] Security upgrade immer from 5.3.6 to 8.0.1 #489

Closed
wants to merge 1 commit into from

Conversation

danactive (Owner)

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.


Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • ui/package.json
    • ui/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
  • Severity: high (Priority Score (*): 554/1000; why: Proof of Concept exploit, Recently disclosed, CVSS 7.5)
  • Issue: Prototype Pollution (SNYK-JS-IMMER-1019369)
  • Breaking Change: Yes
  • Exploit Maturity: Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: immer
The new version differs by 198 commits.
  • da2bd4f fix: Fixed security issue #738: prototype pollution possible when applying patches CVE-2020-28477
  • d75de70 chore: fix Buffer deprecation warning in test (#706)
  • 8fbf93c docs: Add referential equality to pitfalls (#731)
  • c21a2ef docs: Update current.md (#728)
  • 211314c docs: add cool-store into built-with.md (#724)
  • e8fd805 chore(tests): use UTC date string in tests to be timezone independent (#705)
  • fe8f589 chore(comments): update comments (#727)
  • d8121d6 chore(docs): Fix typo in pitfalls.md (#729)
  • 5379cdd chore(docs): Update example-reducer.md (#734)
  • d3908e1 chore(deps): bump dot-prop from 4.2.0 to 4.2.1 in /website (#735)
  • 3a62869 chore(deps): bump ini from 1.3.5 to 1.3.7 in /website (#723)
  • 1a15615 chore(deps): bump ini from 1.3.5 to 1.3.7 (#722)
  • 894d190 chore(deps): bump highlight.js from 9.15.10 to 9.18.5 in /website (#709)
  • 3c4e3f7 chore(deps-dev): bump semantic-release from 17.0.2 to 17.2.3 (#704)
  • 7faa7b4 docs: some refinements on freezing
  • 51cc8b8 chore: back to node, everything is slow on travis
  • a406c8f feature: Always freeze by default (#702)
  • 6c62eec chore: Merge branch 'master' of github.com:immerjs/immer
  • 31684f2 chore: fix some build issues (#701)
  • 0730231 docs: Organize performance and pitfalls, and document nested produce behavior. Fixes #694
  • 754331b fix: make plugin loading idempotent, fixes #692
  • 8808065 chore: fix travis build not failing, fixes #688 (?)
  • 678e541 chore: Added the missing space in readme.md (#698)
  • b2e5493 clearer error when plugin is missing

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

@coveralls

Coverage Status

Coverage remained the same at 93.25% when pulling 849491d on snyk-fix-a4e733068bbf9d04bb1b1c015f3f0128 into 8342bd9 on master.

@danactive (Owner, Author)

immer v8 applied to main branch already

@danactive danactive closed this Feb 20, 2021
@danactive danactive deleted the snyk-fix-a4e733068bbf9d04bb1b1c015f3f0128 branch February 20, 2021 22:40