New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 8 vulnerabilities #873

Merged

nabeelio merged 1 commit into dev from snyk-fix-f40436588fafabc6c9ec4e015a4816da

Oct 16, 2020

Contributor

snyk-bot commented Oct 16, 2020

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

✨ Snyk has automatically assigned this pull request, set who gets assigned.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	540/1000 Why? Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	No	No Known Exploit
	550/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-JQUERY-567880	No	No Known Exploit
	519/1000 Why? Has a fix available, CVSS 6.1	Cross-site Scripting (XSS) SNYK-JS-SELECT2-456562	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-SOCKJS-575261	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Information Exposure SNYK-JS-WEBPACKDEVSERVER-72405	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
	469/1000 Why? Has a fix available, CVSS 5.1	Denial of Service (DoS) npm:mem:20180117	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: laravel-mix

The new version differs by 246 commits.

89d1cdb 5.0.5
399ddcd Bump dependency
8c19e10 Fix tests
8f1a87e adds optional --hmr-port argument (#2308) (#2309)
d4679d3 Fix prod css/sass sourcemaps (Bump express from 4.18.1 to 4.19.2 #1793) (#2282)
a96f24f Updates docs link to v5.0. (#2334)
d1b4fc7 implement mix.when() (#2330)
06ca909 Merge branch 'fix/styles-missing-file' of https://github.com/paullaffitte/laravel-mix into paullaffitte-fix/styles-missing-file
ee9d457 Use sync test instead of callback (#2348)
be67b97 5.0.4
1683b95 Remove shrinkwrap
09d21d5 5.0.3
675e817 Fix failing test
4fbbbd7 Add test for FileCollection.merge should throw if file not found
6eef224 Replace async/await by promises to pass eslint checks
f783c6b Throw an error when .css is not found with mix.styles() (#2289)
b0c2960 Remove notification timeout, fixes #2161 (#2179)
ddd3834 Browsersync snippet regex for lookbehinds (#2227)
0a31b17 Update CssPurifier to laravel resources structure (#2180)
21efecb Update travis.yml to supported Node.js versions (#2248)
46afaa2 Pass options to ts-loader using a third argument (#2287)
ab97c17 5.0.1
218d34d Fix audit issues
97b714e Revert "Update dependency to avoid security flawness (#2291)"

See the full diff

Package name: select2

The new version differs by 122 commits.

a389a6d Merge pull request #5578 from select2/develop
eeefa1e Merge pull request #5577 from select2/release/4.0.8
5005c56 Update changelog for 4.0.8
8b55e47 Recompile dist for 4.0.8
6fbe132 Bump versions for 4.0.8 release
bbd320d Convert source and tests to unix newlines
1b5a962 Revert change to focusing behaviour in 4.0.6 (#5576)
d926025 Fix infinite scroll when the scrollbar is not visible (#5575)
8a5aeab Remove deprecated jQuery shorthand (#5564)
9c4f0c8 Fix typos (#5574)
bd7ac9d Results respect disabled state of `<option>` (#5560)
b5f136f Add `computedstyle` option for calculating the width (#5559)
f9decd6 Fix tag creation being broken in 4.0.7 (#5558)
9491e1a Test against jQuery 3.4.1 (#5531)
d66e55d removed select2-selection__placeholder from _multiple.scss (#5508)
5d2fdd7 Update grunt-contrib-qunit to latest version (#5530)
70ca392 Update dev dependencies (#5529)
36b226d Improve French Translation (#5521)
d53958a Clean up docs (#5528)
0a612f9 Automatically deploy to NPM (#5527)
04fce55 Merge pull request #5507 from select2/develop
f8193c6 Merge pull request #5506 from select2/release/4.0.7
5285eef Recompile dist for 4.0.7
20ffd12 Bump versions for 4.0.7 release

See the full diff

Package name: webpack

The new version differs by 250 commits.

213226e 4.0.0
fde0183 Merge pull request #6081 from webpack/formating/prettier
b6396e7 update stats
f32bd41 fix linting
5238159 run prettier on existing code
518d1e0 replace js-beautify with prettier
4c25bfb 4.0.0-beta.3
dd93716 Merge pull request #6296 from shellscape/fix/hmr-before-node-stuff
7a07901 Merge pull request #6563 from webpack/performance/assign-depth
c7eb895 Merge pull request #6452 from webpack/update_acorn
9179980 Merge pull request #6551 from nveenjain/fix/templatemd
e52f323 optimize performance of assignDepth
6bf5df5 Fixed template.md
90ab23a Merge branch 'master' into fix/hmr-before-node-stuff
b0949cb add integration test for spread operator
39438c7 unittest now also walks the ast
15ab027 Merge pull request #6536 from jevan0307/sideEffects-selectors
1611ce1 Merge pull request #6561 from joshunger/patch-1
6e175bc Merge pull request #6549 from webpack/md4_hash
0637531 Add a hyperlink to create a new issue
0e1f9c6 Merge pull request #6554 from webpack/deps/end-of-beta
72477f4 upgrade versions to stable versions
ed30285 Merge pull request #6546 from webpack/bot/review-permission
40ee8c7 Use MD4 for hashing

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

👩‍💻 Set who automatically gets assigned

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


          fix: package.json & package-lock.json to reduce vulnerabilities

2551d8b

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AJV-584908
- https://snyk.io/vuln/SNYK-JS-JQUERY-565129
- https://snyk.io/vuln/SNYK-JS-JQUERY-567880
- https://snyk.io/vuln/SNYK-JS-SELECT2-456562
- https://snyk.io/vuln/SNYK-JS-SOCKJS-575261
- https://snyk.io/vuln/SNYK-JS-WEBPACKDEVSERVER-72405
- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
- https://snyk.io/vuln/npm:mem:20180117

nabeelio added the bug label

nabeelio added this to the 7.0.0 milestone

nabeelio self-requested a review

October 16, 2020 14:52

nabeelio merged commit ca220f1 into dev

nabeelio deleted the snyk-fix-f40436588fafabc6c9ec4e015a4816da branch

October 16, 2020 15:01

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment