-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Snyk] Security upgrade zaproxy from 0.2.0 to 1.0.1 #32
base: master
Are you sure you want to change the base?
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-HAWK-2808852 - https://snyk.io/vuln/SNYK-JS-QS-3153490 - https://snyk.io/vuln/npm:hawk:20160119 - https://snyk.io/vuln/npm:hoek:20180212 - https://snyk.io/vuln/npm:http-signature:20150122 - https://snyk.io/vuln/npm:mime:20170907 - https://snyk.io/vuln/npm:qs:20140806 - https://snyk.io/vuln/npm:qs:20140806-1 - https://snyk.io/vuln/npm:qs:20170213 - https://snyk.io/vuln/npm:request:20160119 - https://snyk.io/vuln/npm:tunnel-agent:20170305
Micro-Learning Topic: Regular expression denial of service (Detected by phrase)Matched on "Regular Expression Denial of Service"Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability. Try a challenge in Secure Code WarriorMicro-Learning Topic: Denial of service (Detected by phrase)Matched on "Denial of Service"The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service Try a challenge in Secure Code WarriorMicro-Learning Topic: Prototype pollution (Detected by phrase)Matched on "Prototype Pollution"By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Try a challenge in Secure Code WarriorMicro-Learning Topic: Timing attack (Detected by phrase)Matched on "Timing Attack"This vulnerability manifests when the difference in response times from a given process can expose sensitive information or change the flow of a given process. For example, in a semi-controlled environment (where response times should be even under regular circumstances) this could be used to identify whether or not certain data is present in a given data storage. Try a challenge in Secure Code Warrior |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PR Type: Enhancement
PR Summary: This PR is an automated security upgrade of the zaproxy package from version 0.2.0 to 1.0.1 to address multiple known vulnerabilities.
Decision: Comment
📝 Type: 'Enhancement' - not supported yet.
- Sourcery currently only approves 'Typo fix' PRs.
✅ Issue addressed: this change correctly addresses the issue or implements the desired feature.
No details provided.
✅ Small diff: the diff is small enough to approve with confidence.
No details provided.
General suggestions:
- Verify that the major version upgrade of zaproxy does not introduce any breaking changes to the application.
- Ensure that all functionalities that rely on zaproxy are tested to confirm they still operate as expected after the upgrade.
- Since the package-lock.json failed to update automatically, it's crucial to update it manually to ensure that the correct versions of the package and its dependencies are locked.
Thanks for using Sourcery. We offer it for free for open source projects and would be very grateful if you could help us grow. If you like it, would you consider sharing Sourcery on your favourite social media? ✨
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
With an upgrade:
Why? Has a fix available, CVSS 7.4
SNYK-JS-HAWK-2808852
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
SNYK-JS-QS-3153490
Why? Has a fix available, CVSS 3.7
npm:hawk:20160119
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3
npm:hoek:20180212
Why? Has a fix available, CVSS 6.5
npm:http-signature:20150122
Why? Has a fix available, CVSS 3.7
npm:mime:20170907
Why? Has a fix available, CVSS 7.5
npm:qs:20140806
Why? Has a fix available, CVSS 6.5
npm:qs:20140806-1
Why? Has a fix available, CVSS 7.5
npm:qs:20170213
Why? Has a fix available, CVSS 5.1
npm:request:20160119
Why? Proof of Concept exploit, Has a fix available, CVSS 5.1
npm:tunnel-agent:20170305
(*) Note that the real score may have changed since the PR was raised.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Poisoning
🦉 Prototype Override Protection Bypass
🦉 More lessons are available in Snyk Learn