[Snyk] Fix for 11 vulnerabilities #32

ferreiramarcelo · 2023-11-27T16:51:25Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Remote Memory Exposure SNYK-JS-BL-608877	No	Proof of Concept
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: bitfinex-api-node

The new version differs by 250 commits.

cbb2502 updated docs
45e8a0d Merge pull request bitfinex trading enabled error askmike/gekko#583 from ZIMkaRU/bugfix/fix-ws-transport-to-support-new-rest-api-signature
df7889b Update CHANGELOG
d38c4fc Update CHANGELOG
bf1df8f Update CHANGELOG
d951c24 Update package.json
f072f0e Bump bfx-api-node-rest version up to 5.1.1
54300fc Bump bfx-api-node-models version up to 1.7.1
e337030 Change min node version to 16.20
2164cba Update docs
050c326 Add changes to changelog
21d0961 Bump version up to 6.0.1
b6a407b Fix ws transports methods params
08a085a Merge pull request Problem in --import askmike/gekko#582 from ZIMkaRU/feature/resolve-deps-issue
cb37175 Add changes to changelog
59d7587 Move dev deps into corresponding section
5a39752 Update docs
f2d93f6 Bump version up to 6.0.0
ac5f726 Bump dep versions to fix vulnerabilities
f41b7ef Bump bfx-api-node-rest version up to 5.1.0
5344bd2 Remove bluebird Promise
eceaf2a Remove unused deps
be6596c Merge pull request period is not defined askmike/gekko#578 from vitaliystoliarovcc/fix/emit-public-funding-trades
92a7b77 5.0.4

See the full diff

Package name: btc-markets

The new version differs by 2 commits.

2266e5d Updated dependencies and bumped version
e6c32b9 Commented out all examples so none accidently run

See the full diff

Package name: koa-logger

The new version differs by 33 commits.

e7b24bd 3.2.1
66f5551 bump deps
a8c6c57 fix script
225b98e lint
3ded55e bump deps
f683c31 travis - add node v10, v12
0f4e7a1 Fixed error when using custom error codes > 800. The default color at index 0 is used by default. (Gekko freeze on "Profit reporter active on simulated balance" when trading is enabled askmike/gekko#73)
d04c9d2 docs: added note about request-received
17cdb74 [feat] add support for request-received middleware (closes Noob question... askmike/gekko#76)
6bec129 3.2.0
7daa5f4 lint
afc9680 add npmrc: disable package-lock
8862cc4 add a transporter to logger opts param (refresh portfolio stats every 11 minutes askmike/gekko#65)
3481627 3.1.0
d68995c travis: test on node@8
b0493a5 lint
1e522e8 Adds Boom compatibility (Support For LiteCoin (Need Direction) askmike/gekko#64)
bfcd3ab 3.0.1
df46732 Fixes error 'chalk[color] does not return function' when using custom (CEX.io syntax error askmike/gekko#61)
866ff23 change `new Date()` to `Date.now()` for performance (cexio.js - pair syntax fix askmike/gekko#60)
cd1b6a2 3.0.0
28c4a0b lint
fb947af use async function
8d26a8e travis: test node@7 only

See the full diff

Package name: kraken-api

The new version differs by 24 commits.

816fa67 update version
566017c update README
e5fdd67 switch "request" to "got", formatting
795fce4 update to ES6
6aec364 add package lock file
b4ec922 formatting
01702aa Merge pull request [Snyk] Fix for 11 vulnerabilities #32 from yury-dymov/pass-options
ef95226 Update kraken.js
5ad7d32 Merge branch 'master' into pass-options
b05f3db Merge pull request [Snyk] Security upgrade sqlite3 from 3.1.13 to 5.0.3 #24 from claude2/patch-1
74ded25 Merge branch 'master' into patch-1
44ae6c7 Merge pull request [Snyk] Security upgrade semver from 2.2.1 to 7.5.2 #31 from moppymopperson/patch-2
8eddbcf Merge pull request [Snyk] Fix for 1 vulnerabilities #29 from MaxBlaushild/patch-1
c20e647 Merge pull request [Snyk] Security upgrade btc-markets from 0.0.6 to 1.0.0 #28 from DeX3/master
371d90a pass config options to the constructor
213c711 Cover error case
1251498 Checks for arrayness of error
ca939e6 🔧 Allow specification of custom timeout for API calls
35a2aef Use qs library because it supports nested objects
2e1c4f7 Fix [Snyk] Security upgrade moment from 2.29.1 to 2.29.2 #22 + consistent space after if
9f92a3b Merge pull request [Snyk] Fix for 1 vulnerabilities #23 from EdgarBarrantes/master
2c1d57c Modifies reference in readme file.
b64b44a Merge pull request [Snyk] Security upgrade pushbullet from 1.4.3 to 3.0.0 #19 from mastilver/nonce-override
b543bdf feat(nonce): make nonce overridable

See the full diff

Package name: pushbullet

The new version differs by 63 commits.

1f8c1fd Update to version 3.0.0
9186bd9 Add `createChannel()`
ac2fe7e Deprecate `sendSMS()`
9b7bcda Add support for the text API
5f501c5 Fix some comments
426de2b Remove old Travis CI yaml file
6a0076c Update ESLint rules and apply fixes
ebdc39e Merge branch 'github-action-tests'
ffd626d Add GitHub action to run tests
f68187d Add tests using nock for mocking the API
45a657f Remove tests for now
72e856e Codestyle, modernisation, misc fixes
a899190 Update dependencies to latest versions
dca0e34 Merge branch 'node-fetch-migration'
3f89158 Update changelog
6508617 Update README
6a83ef9 Replace request with node-fetch
0f18e80 Switch CJS requires to ESM imports
8b5eaef Update to version 2.4.0
c1581bb Update dependency requirements
eadb250 Reconnect to websocket stream if disconnected
3ea3f0c Update version to 2.3.0
e662e3c Add fullResponses option to return response object
7b78838 Switch to ws module for stream handling

See the full diff

Package name: sqlite3

The new version differs by 250 commits.

573784b v5.0.3
e5a24fd Deleted `examples/` folder
b05f459 Added note about GitHub Releases to CHANGELOG.md
33d0656 Modernised Usage example in README
9d05c55 Fixed up more README nits
08d6319 Fixed link to API docs
0e2235a Altered wording in README
76b6c56 Altered README header
e3df365 Updated README
426930f Enabled CI to run when pushing tags
a21d41f Fixed uploading binaries to commit artifacts
bc978c7 Fixed CI step wording
7f744a1 Added prebuilt binaries via GitHub Releases
b4b3c3a Deleted `scripts/` directory
71bbdea Pinned dev dependencies (market graph wrong (Buy/Sell) plot askmike/gekko#1558)
a597383 Updated badges in README
0eb4a0f Deleted Travis and Appveyor configs
b58d341 Downgraded `mocha` and `eslint`
f39b10d Added missing Node versions to CI
8db96d4 Replaced Python extraction script with JS (Question - Trading History in Strategy askmike/gekko#1570)
11c988c Fixed Windows build architecture in CI
8e63848 Updated Windows CI runner to `windows-latest`
d9e7d8b Fixed building on MacOS Monterey 12.3
859b95b Updated `node-gyp` to v8.x