[Snyk] Fix for 19 vulnerabilities #43

hojatA1 · 2023-11-29T02:58:40Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- workspaces/arborist/test/fixtures/audit-all-severities/package.json
- workspaces/arborist/test/fixtures/audit-all-severities/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
679/1000 Why? Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	No Known Exploit
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-INI-1048974	No	Proof of Concept
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Validation Bypass SNYK-JS-KINDOF-537849	Yes	Proof of Concept
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	No	No Known Exploit
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MIXINDEEP-450212	Yes	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	No	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-SETVALUE-1540541	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-SETVALUE-450213	Yes	Proof of Concept
624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	No	No Known Exploit
624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	No	No Known Exploit
410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	No	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	No	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	No	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	No	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: node-weakauras-parser

The new version differs by 21 commits.

e127d43 Switch to Node-API
02bd852 Update dependencies
6479ddd ci: pre-build for Node v16
22e74ec Update dependencies
3f85863 Update neon to 0.6
c565719 Try to represent maps with numeric keys as arrays when decoding if possible
472871a Fix clippy warnings
00180bc Use a LibSerialize-compatible algorithm in encode()
a8d4f8c Update JS dependencies
af0dd1a Implement decoding of strings generated by WA 2.18+
639062a Make first letters of error messages uppercase
804d1f7 Update dependencies, switch to zlib-ng
6065c16 Implement a configurable memory usage limit for decompression
64dad67 Add some sanity checks for Huffman decompression
7bce56a Update dependencies, switch to zlib fork from Cloudflare
56d9819 Remove redundant imports
908f271 ci: pre-build for Node v14, drop Node v8
10a6b21 Convert infinite numbers to null when deserializing
23a479c Remove target-cpu=native, pre-build for Haswell
6887943 ci: migrate to GitHub Actions
bc146da Fix the possibility of a usize overflow

See the full diff

Package name: nyc

The new version differs by 21 commits.

4a6b327 chore(release): 13.0.1
ae5318b chore: Update istanbul dependencies. (> ## 6.13.6 (2020-01-09) npm/cli#896)
d0b76e2 fix: Enable es-modules by default. (> [# 809 ](https://github.com/npm/cli/pull/809) @cutmuetia npm/cli#889)
6b6cd5e fix: add flag to allow control of intrumenter esModules option, default to looser parsing (#803 npm/cli#863)
c325799 docs: reference babel 7 in all places (#767 npm/cli#881)
7483ed9 fix: use uuid/v4 to generate unique identifiers. (#756 npm/cli#883)
8ab1ae3 chore: update dependencies (#788 npm/cli#872)
52b69ef fix: Update caching-transform options. (> Opsi NPM CLI "engine-strict" (jangan bingung dengan engineStrict package.json, yang sudah usang) tidak berfungsi. Itu tidak kesalahan ketika diatur ke true. npm/cli#873)
624a723 chore: update dependencies (#799 npm/cli#866)
a5818f5 chore(release): 13.0.0
f0d98a5 docs: update README.md with babel configuration info (#808 npm/cli#860)
893345a feat: allow rows with 100% statement, branch, and function coverage to be skipped in text report (package.json with local dependency, npm audit command returns "ELOCKVERIFY ERROR" npm/cli#859)
f09cf02 chore: update dependencies (#819 npm/cli#855)
d0f654c fix: source was being instrumented twice, due to upstream fix in ista… (#821 npm/cli#853)
adb310c chore(release): 12.0.2
ddc9331 fix: stop bundling istanbul-lib-instrument due to npm issue on Node 6 (#820 npm/cli#854)
b4c325b fix: don't bundle istanbul-lib-instrument due to Node 6 issues
9fc20e4 chore(release): 12.0.1
3e087d4 chore: upgrade to version of istanbul with optional catch binding (#823 npm/cli#851)
eaf3f70 chore(release): 12.0.0
19b7d21 chore: upgrade to newest version of istanbul codebase (#827 npm/cli#848)