[Snyk] Security upgrade nyc from 13.3.0 to 14.0.0 #102
Conversation
… to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
|
Mode: paranoid | Total findings: 182 | Considered vulnerability: 182 Insecure Use of Regular Expressions (14)
More info on how to fix Insecure Use of Regular Expressions in TypeScript and JavaScript. Insecure File Management (12)
More info on how to fix Insecure File Management in JavaScript. Vulnerable Libraries (156)
More info on how to fix Vulnerable Libraries in General and JavaScript. 👉 Go to the dashboard for detailed results. 📥 Happy? Share your feedback with us. |
![sonatype-lift[bot]](https://avatars.githubusercontent.com/in/9843?s=60&v=4){kind=small}
| @@ -33,7 +33,7 @@ | |||
| }, | |||
| "dependencies": { | |||
| "@types/tape": "^4.2.33", | |||
| "nyc": "^13.3.0", | |||
| "nyc": "^14.0.0", | |||
There was a problem hiding this comment.
Critical OSS Vulnerability:
pkg:npm/nyc@14.0.0
2 Critical, 3 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 5 dependencies
Components
pkg:npm/hosted-git-info@2.8.9
SEVERE Vulnerabilities (1)
[CVE-2021-23362] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-400
pkg:npm/path-parse@1.0.6
SEVERE Vulnerabilities (1)
[sonatype-2021-0176] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
path-parse - Regular expression Denial of Service (ReDoS) [CVE-2021-23343]
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
pkg:npm/ansi-regex@4.1.1
CRITICAL Vulnerabilities (1)
[sonatype-2021-1169] Unknown
ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/istanbul-reports@2.2.7
SEVERE Vulnerabilities (1)
[sonatype-2021-4715] CWE-1022: Use of Web Link to Untrusted Target with window.opener Access
istanbul-reports - Reverse Tabnabbing
The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.
CVSS Score: 4.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-1022
pkg:npm/minimatch@3.0.4
CRITICAL Vulnerabilities (1)
[sonatype-2021-4879] Unknown
minimatch - Regular Expression Denial of Service (ReDoS)
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
(at-me in a reply with help or ignore)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| @@ -33,7 +33,7 @@ | |||
| }, | |||
| "dependencies": { | |||
| "@types/tape": "^4.2.33", | |||
| "nyc": "^13.3.0", | |||
| "nyc": "^14.0.0", | |||
| "remix-lib": "0.4.30", | |||
| "tape": "^4.10.1", | |||
There was a problem hiding this comment.
Critical OSS Vulnerability:
pkg:npm/tape@4.13.3
2 Critical, 1 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 3 dependencies
Components
pkg:npm/minimist@1.2.5
CRITICAL Vulnerabilities (1)
[CVE-2021-44906] Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-1321
pkg:npm/path-parse@1.0.6
SEVERE Vulnerabilities (1)
[sonatype-2021-0176] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
path-parse - Regular expression Denial of Service (ReDoS) [CVE-2021-23343]
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
pkg:npm/minimatch@3.0.4
CRITICAL Vulnerabilities (1)
[sonatype-2021-4879] Unknown
minimatch - Regular Expression Denial of Service (ReDoS)
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
(at-me in a reply with help or ignore)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
With an upgrade:
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
SNYK-JS-ANSIREGEX-1583908
(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: nyc
The new version differs by 48 commits.See the full diff
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.