New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 11 vulnerabilities #9

Closed

snyk-bot wants to merge 1 commit into main from snyk-fix-aee5c974755c1b35bfbb463e37823af3

snyk-bot commented Dec 16, 2021

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- SCA/JS/package.json
- SCA/JS/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-INI-1048974	Yes	Proof of Concept
	715/1000 Why? Has a fix available, CVSS 9.8	DLL Injection SNYK-JS-KERBEROS-568900	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Denial of Service (DoS) npm:mem:20180117	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	No	No Known Exploit
	756/1000 Why? Mature exploit, Has a fix available, CVSS 7.4	Uninitialized Memory Exposure npm:npmconf:20180512	Yes	Mature
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:semver:20150403	Yes	No Known Exploit
	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20171108	Yes	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: errorhandler

The new version differs by 85 commits.

c41e9aa 1.4.3
ffce329 build: istanbul@0.4.2
90a8777 build: Node.js@4.2
38b745b deps: accepts@~1.3.0
80aea51 deps: escape-html@~1.0.3
b0be93a docs: fix typo in readme
2f688d0 build: support Node.js 5.x
1238ed4 build: istanbul@0.4.1
fdeb13c build: mocha@2.3.4
cc6fd1f build: support Node.js 4.x
3a2117a build: support io.js 3.x
75b9ee1 build: reduce runtime versions to one per major
6797752 tests: add test for util.inspect in HTML response
b6e53d7 docs: add more documentation regarding util.inspect
88b9a58 deps: accepts@~1.2.13
ac75d3f build: istanbul@0.3.19
5ee62b7 deps: escape-html@1.0.3
1e89ae7 build: istanbul@0.3.18
ef1e8f1 build: supertest@1.1.0
a7a6dce 1.4.2
692e2e7 deps: accepts@~1.2.12
6f2e8d2 build: io.js@2.5
564c117 build: fix running Node.js 0.8 tests on Travis CI
2dfd872 1.4.1

See the full diff

Package name: karma

The new version differs by 250 commits.

3653caf chore(release): 6.0.0 [skip ci]
04a811d fix(ci): abandon browserstack tests for Safari and IE ([Snyk(Unlimited)] Upgrade cookie-parser from 1.3.3 to 1.4.5 snyk-matt/goof-platform#3615)
4bf90f7 feat(client): update banner with connection, test status, ping times ([Snyk(Unlimited)] Upgrade adm-zip from 0.4.7 to 0.5.5 snyk-matt/goof-platform#3611)
68c4a3a chore(test): run client tests without grunt wrapper ([Snyk(Unlimited)] Upgrade body-parser from 1.9.0 to 1.19.0 snyk-matt/goof-platform#3604)
fec972f fix(middleware): catch errors when loading a module ([Snyk(Unlimited)] Upgrade moment from 2.15.1 to 2.29.1 snyk-matt/goof-platform#3605)
3fca456 fix(server): clean up close-server logic ([Snyk(Unlimited)] Upgrade express from 4.12.4 to 4.17.1 snyk-matt/goof-platform#3607)
1c9c2de fix(test): mark all second connections reconnects ([Snyk(Unlimited)] Upgrade typeorm from 0.2.30 to 0.2.34 snyk-matt/goof-platform#3598)
87f7e5e chore(license): Update copyright notice to 2020 [ci skip] ([Snyk(Unlimited)] Upgrade humanize-ms from 1.0.1 to 1.2.1 snyk-matt/goof-platform#3568)
e6b045f chore(deps): npm audit fix the package-lock.json ([Snyk(Unlimited)] Upgrade tinymce from 4.1.0 to 4.9.11 snyk-matt/goof-platform#3603)
3c649fa chore(build): remove obsolete Grunt tasks ([Snyk] Security upgrade karma from 1.7.1 to 2.0.0 snyk-matt/goof-platform#3602)
8997b74 fix(test): clear up clearContext ([Snyk(Unlimited)] Upgrade mongodb from 3.6.3 to 3.6.9 snyk-matt/goof-platform#3597)
fe0e24a chore(build): unify client bundling scripts ([Snyk(Unlimited)] Upgrade humanize-ms from 1.0.1 to 1.2.1 snyk-matt/goof-platform#3600)
1a65bf1 feat(server): remove deprecated static methods ([Snyk(Unlimited)] Upgrade dustjs-helpers from 1.5.0 to 1.7.4 snyk-matt/goof-platform#3595)
fb76ed6 chore(test): remove usage of deprecated buffer API ([Snyk(Unlimited)] Upgrade cookie-parser from 1.3.3 to 1.4.5 snyk-matt/goof-platform#3596)
35a5842 feat(server): print stack of unhandledrejections ([Snyk(Unlimited)] Upgrade dustjs-linkedin from 2.5.0 to 2.7.5 snyk-matt/goof-platform#3593)
4a8178f fix(client): do not reset karmaNavigating in unload handler ([Snyk(Unlimited)] Upgrade lodash from 4.17.4 to 4.17.21 snyk-matt/goof-platform#3591)
603bbc0 feat(cli): error out on unexpected options or parameters ([Snyk(Unlimited)] Upgrade npmconf from 0.0.24 to 0.2.0 snyk-matt/goof-platform#3589)
7a3bd55 feat: remove support for running dart code in the browser ([Snyk(Unlimited)] Upgrade adm-zip from 0.4.7 to 0.5.5 snyk-matt/goof-platform#3592)
1b9e1de fix(deps): bump socket-io to v3 ([Snyk(Unlimited)] Upgrade moment from 2.15.1 to 2.29.1 snyk-matt/goof-platform#3586)
3fed0bc fix(cve): update yargs to 16.1.1 to fix cve-2020-7774 in y18n ([Snyk(Unlimited)] Upgrade lodash from 4.17.4 to 4.17.21 snyk-matt/goof-platform#3578)
f819fa8 fix(cve): update ua-parser-js to 0.7.23 to fix CVE-2020-7793 ([Snyk(Unlimited)] Upgrade tinymce from 4.1.0 to 4.9.11 snyk-matt/goof-platform#3584)
05dc288 fix(context): do not error when karma is navigating ([Snyk(Unlimited)] Upgrade cookie-parser from 1.3.3 to 1.4.5 snyk-matt/goof-platform#3565)
e5086fc docs: clarify `browser_complete` vs `run_complete`
ead31cd chore(release): 5.2.3 [skip ci]

See the full diff

Package name: mongoose

The new version differs by 35 commits.

de88912 release 4.2.5
fae7c94 fix; correctly handle changes in update hook (Fix [Snyk(Unlimited)] Upgrade consolidate from 0.14.5 to 0.16.0 snyk-matt/goof-platform#3549)
5e58d83 repro; [Snyk(Unlimited)] Upgrade consolidate from 0.14.5 to 0.16.0 snyk-matt/goof-platform#3549
68e394d fix; dont flatten empty arrays in updateValidators (Fix [Snyk(Unlimited)] Upgrade body-parser from 1.9.0 to 1.19.0 snyk-matt/goof-platform#3554)
f0b0f61 repro; [Snyk(Unlimited)] Upgrade body-parser from 1.9.0 to 1.19.0 snyk-matt/goof-platform#3554
73de49c fix; proper support for .update(doc) (Fix [Snyk(Unlimited)] Upgrade npmconf from 0.0.24 to 0.2.0 snyk-matt/goof-platform#3221)
b5329a1 repro; [Snyk(Unlimited)] Upgrade npmconf from 0.0.24 to 0.2.0 snyk-matt/goof-platform#3221
932cdbe upgrade; node driver -> 2.0.48 (re: [Snyk(Unlimited)] Upgrade dustjs-linkedin from 2.5.0 to 2.7.5 snyk-matt/goof-platform#3544)
6ff39ef fix; unhandled rejection using Query.then() (Fix [Snyk(Unlimited)] Upgrade adm-zip from 0.4.7 to 0.5.5 snyk-matt/goof-platform#3543)
8cccafb Merge pull request [Snyk(Unlimited)] Upgrade mongodb from 3.6.3 to 3.6.9 snyk-matt/goof-platform#3548 from ChristianMurphy/node-5
2ff09cc Merge pull request [Snyk(Unlimited)] Upgrade cookie-parser from 1.3.3 to 1.4.5 snyk-matt/goof-platform#3547 from ChristianMurphy/eslint-update
6d0df2f Test against Node 4 LTS and Node 5 Stable
fc3f645 update ESLint and add a lint script to the package.json
aac346a Update README examples to comma last style
352d80d fix; ability to use mongos for standalones (Fix [Snyk(Unlimited)] Upgrade moment from 2.15.1 to 2.29.1 snyk-matt/goof-platform#3537)
043c958 repro; [Snyk(Unlimited)] Upgrade moment from 2.15.1 to 2.29.1 snyk-matt/goof-platform#3537
4023f12 docs; fix bad connection string example
a55fba7 fix; allow undefined for min/max validators (Fix [Snyk(Unlimited)] Upgrade express from 4.12.4 to 4.17.1 snyk-matt/goof-platform#3539)
cfc3194 repro; [Snyk(Unlimited)] Upgrade express from 4.12.4 to 4.17.1 snyk-matt/goof-platform#3539
a2a3b8b fix; issue with fix for [Snyk(Unlimited)] Upgrade tinymce from 4.1.0 to 4.9.11 snyk-matt/goof-platform#3535
171e694 docs; deep populate docs (Fix [Snyk(Unlimited)] Upgrade dustjs-helpers from 1.5.0 to 1.7.4 snyk-matt/goof-platform#3528)
0922d78 fix; call toObject() when setting single embedded schema to doc (Fix [Snyk(Unlimited)] Upgrade tinymce from 4.1.0 to 4.9.11 snyk-matt/goof-platform#3535)
ce11be0 repro; [Snyk(Unlimited)] Upgrade tinymce from 4.1.0 to 4.9.11 snyk-matt/goof-platform#3535
b3472ac fix; apply methods to single embedded schemas (Fix [Snyk(Unlimited)] Upgrade cfenv from 1.2.3 to 1.2.4 snyk-matt/goof-platform#3534)

See the full diff

Package name: tap

The new version differs by 11 commits.

7a20037 12.0.2
cf95e01 bump nyc and standard
7f54124 Bump deps for security and bugfixes
f323cdc 12.0.1
6745ecf fix test regression in node <10
39f73f9 docs(coverage): browser launching details
3336514 Fix interse typo in asserts docs
c1070a7 Add twing to the 100 club
51ae4f2 Do not run coverage report if ended with a signal
d5f7b12 12.0.0
5de8801 Update tsame and tmatch, resolve request security vuln

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


          fix: SCA/JS/package.json & SCA/JS/package-lock.json to reduce vulnera…

…bilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749
- https://snyk.io/vuln/SNYK-JS-INI-1048974
- https://snyk.io/vuln/SNYK-JS-KERBEROS-568900
- https://snyk.io/vuln/SNYK-JS-WS-1296835
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:mem:20180117
- https://snyk.io/vuln/npm:ms:20170412
- https://snyk.io/vuln/npm:negotiator:20160616
- https://snyk.io/vuln/npm:npmconf:20180512
- https://snyk.io/vuln/npm:semver:20150403
- https://snyk.io/vuln/npm:ws:20171108

jeremiahgrady closed this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment