[Snyk] Fix for 7 vulnerabilities #32

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

rasputtintin wants to merge 1 commit into master from snyk-fix-41dbf074b5f9750f4f96722df1716485

Owner

rasputtintin commented Nov 28, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @mojaloop/central-services-error-handling

The new version differs by 7 commits.

3e636fd Feature/openapi backend changes (Bump @hapi/hapi from 18.3.1 to 18.3.2 mojaloop/ml-api-adapter#140)
7242737 Added error handlers to factory for bug 1314 (Bump @hapi/vision from 5.5.2 to 5.5.3 mojaloop/ml-api-adapter#139)
b1270b6 #1339: Fixes for 'cause' and '_cause' extension exclusion in error responses (Fix for #914 Extension Value fields in ExtensionList objects exceeding the size limit of 128 (#44) mojaloop/ml-api-adapter#137)
143c7a2 [Security] Bump acorn from 7.1.0 to 7.1.1 (Feature/796 improve health checks mojaloop/ml-api-adapter#124)
68dfbe7 Added updated Mojaloop license (Feature/746-748-747 Implement Bulk Transfer Fulfil mojaloop/ml-api-adapter#118)
3321654 updated to latest node lts version 12.16.0 (Feature/bulk transfers poc mojaloop/ml-api-adapter#112)
01324f6 Issue893-ValidateIncomingErrorCodesForErrorEnd-pointCallbackRequestsPerMojaloopSpec (Hotfixes for POST-GET /transfer operations mojaloop/ml-api-adapter#96)

See the full diff

Package name: @mojaloop/central-services-shared

The new version differs by 90 commits.

14f0b3e feat(2151)!: helm-release-v12.1.0 (Bump nodemon from 2.0.1 to 2.0.2 mojaloop/ml-api-adapter#297)
a5d9141 chore: fix service type typescript enum (Bump @mojaloop/central-services-shared from 8.7.0 to 8.7.1 mojaloop/ml-api-adapter#296)
5aaf087 fix(#2182)!: regex validations against swagger interface spec no longer working (Bump @mojaloop/central-services-shared from 8.6.1 to 8.7.0 mojaloop/ml-api-adapter#295)
0e538d8 chore: bump package version (Bump npm-check-updates from 3.2.2 to 4.0.1 mojaloop/ml-api-adapter#294)
fc4fe7e chore: add 'example' as whitelisted keyword (Bump @mojaloop/event-sdk from 8.3.0 to 8.6.2 mojaloop/ml-api-adapter#293)
6f9496d chore: address vulnerabilities (Feature/1003 add container scans 3 mojaloop/ml-api-adapter#291)
6275eb0 chore: add services endpoints (Update circleci to 2.1, add anchore image scanning config mojaloop/ml-api-adapter#290)
5860510 feat(#2119): fixes for updated for AJV error objects change (Bump hapi-swagger from 11.0.1 to 11.1.0 mojaloop/ml-api-adapter#289)
b83a8bd fixed typo (Bump @mojaloop/central-services-shared from 8.6.1 to 8.6.3 mojaloop/ml-api-adapter#288)
aee59ed Feature/#2057 refactoring for cs ([Snyk] Security upgrade @now-ims/hapi-now-auth from 2.0.0 to 2.0.1 #3) (Bump @mojaloop/event-sdk from 8.3.0 to 8.6.0 mojaloop/ml-api-adapter#284)
082d373 chore: add PATCH consentRequests endpoint (Bump @mojaloop/central-services-logger from 8.1.2 to 8.5.2 mojaloop/ml-api-adapter#279)
7702879 chore: add enums to interface (Bump @mojaloop/central-services-shared from 8.4.3 to 8.6.1 mojaloop/ml-api-adapter#278)
5dcbe73 chore: add consent and consent request events and patch action (Bump @mojaloop/central-services-error-handling from 8.5.0 to 8.6.2 mojaloop/ml-api-adapter#277)
9f8713f chore: add accounts callback endpoints (Bump @mojaloop/central-services-error-handling from 8.5.0 to 8.6.1 mojaloop/ml-api-adapter#275)
5e49222 chore: add enums and bump package (Bump @mojaloop/central-services-shared from 8.4.3 to 8.6.0 mojaloop/ml-api-adapter#274)
f6009d7 chore: 1975 update deps (Bump @mojaloop/central-services-shared from 8.4.3 to 8.5.0 mojaloop/ml-api-adapter#273)
f678b43 [Security] Bump axios from 0.21.0 to 0.21.1 (Bump nodemon from 1.19.4 to 2.0.0 mojaloop/ml-api-adapter#269)
a8bfb9c Bump urijs from 1.19.2 to 1.19.5 (Bump npm-check-updates from 3.2.1 to 3.2.2 mojaloop/ml-api-adapter#270)
7b00ed8 [Security] Bump urijs from 1.19.2 to 1.19.5 (Fixed standard, bumped versions mojaloop/ml-api-adapter#268)
46d88e6 #1885: Fix for "multiple servers per repo" use case (Bump @mojaloop/central-services-error-handling from 8.3.0 to 8.5.0 mojaloop/ml-api-adapter#267)
cbd0434 Hotfix: Fix dependencies for API documentation (Bump hapi-swagger from 10.3.0 to 11.0.0 mojaloop/ml-api-adapter#264)
327a51c chore: update license file (bumped dependencies as fix to #1030 mojaloop/ml-api-adapter#265)
df81389 #1885: Add API documentation utility, plugin, and endpoints (Updated configs for central-ledger docker mojaloop/ml-api-adapter#263)
9c88000 Add FSPIOP headers validation for bulk transfers (Fix/#1034 missing tags mojaloop/ml-api-adapter#262)

See the full diff

Package name: @mojaloop/central-services-stream

The new version differs by 11 commits.

65913b6 Updated dependencies (Fix/#755 Parsing of message body of messages in the ML Switch, JWS implications mojaloop/ml-api-adapter#106)
d64d4b2 make audit resolver run on production only by default, bump package to 10.2.0 (Adding source check for http-method mojaloop/ml-api-adapter#100)
b1c5d75 #1289 Log optimisation (#610 announcement notifications mojaloop/ml-api-adapter#91)
398c429 Update version to v9.2.0 (#572 added metrics mojaloop/ml-api-adapter#81)
be4acac Added updated Mojaloop license (Bug Fix: added the source header while sending notification mojaloop/ml-api-adapter#78)
1c70e43 Added updated Mojaloop license (update stream library mojaloop/ml-api-adapter#77)
0f2dfc1 updated dependencies and node version to latest LTS version (Feature/perf3.7 enhancements mojaloop/ml-api-adapter#75)
7b2f9f1 reduced log verbosity (Feature/410 user friendly message mojaloop/ml-api-adapter#59)
bcd2456 removed unnecessary logger (Develop mojaloop/ml-api-adapter#58)
623d5c1 Bug/1114 kafka queue full (Story #357 cleanup ml-api-adapter project mojaloop/ml-api-adapter#57)
90bd4b8 Remove unused code and dependencies (Develop mojaloop/ml-api-adapter#56)

See the full diff

Package name: @mojaloop/event-sdk

The new version differs by 31 commits.

e90cdda chore(release): 12.0.0 [skip ci]
52f81db chore(mojaloop/#3455): nodejs upgrade (Updated notification handler mojaloop/ml-api-adapter#73)
2aa1caf chore(release): 11.0.2 [skip ci]
f57c3b3 fix: moved logger dependency as a peerDependency to be consistent with other mojaloop repos
c7c7714 chore(release): 11.0.1 [skip ci]
0fab3e9 fix: postchangelog now will correctly work
28ce298 chore(release): 11.0.0 [skip ci]
6fa9f74 feat(mojaloop/#2092): upgrade nodeJS version for core services (changed the joi validation to use regex instead of hard-coded values mojaloop/ml-api-adapter#67)
f5d863a chore: add tsconfig option to build declaration file (Incrementing version to 3.7.2 mojaloop/ml-api-adapter#64)
085a6ae feat(2151): helm release v12.1.0 (Develop mojaloop/ml-api-adapter#56)
4eea6cd feat(2151): helm-release-v12.1.0 (incrementing ml-api-adapter version mojaloop/ml-api-adapter#55)
86d4c3d feat(ci/cd): add pr title check ([Snyk] Fix for 16 vulnerabilities #47)
8eec478 chore: update license file ([Snyk] Fix for 1 vulnerabilities #45)
fa0d1ff Bump ini from 1.3.5 to 1.3.7 ([Snyk] Fix for 1 vulnerabilities #46)
5aef313 Bump highlight.js from 10.1.1 to 10.4.1 ([Snyk] Fix for 1 vulnerabilities #44)
e6597ac update dependencies to remove vulnerabilities ([Snyk] Fix for 1 vulnerabilities #42)
45ca858 updated link ([Snyk] Security upgrade @mojaloop/central-services-shared from 8.7.0 to 18.3.0 #40)
bd02ba9 Resolve some of the audit issues ([Snyk] Fix for 1 vulnerabilities #39)
ea95367 Feature/#1383 doc update ([Snyk] Fix for 1 vulnerabilities #38)
726108f Fix/#1263 tracetags refresh ([Snyk] Security upgrade axios from 0.19.0 to 1.6.3 #37)
678319f Fix/#1263 encode tracestate missing tracestates on new ([Snyk] Fix for 26 vulnerabilities #36)
53735fe Feature/#1263 encode tracestate ([Snyk] Security upgrade @mojaloop/central-services-health from 8.3.0 to 13.0.0 #35)
1e3a873 Fix/other tracestate missing 2 ([Snyk] Fix for 1 vulnerabilities #34)
063e50d Fix/other tracestate missing ([Snyk] Fix for 1 vulnerabilities #33)

See the full diff

Package name: hapi-swagger

The new version differs by 228 commits.

002a3fb 14.5.4
ea26b62 Merge pull request #768 from hapi-swagger/swagger-parser-update
df315ac Merge pull request #767 from hapi-swagger/fix-examples
a3d27cb fix: issue #735 no required for arrays in swagger
c7512f8 fix: yarn.lock without good modules
6427bc7 Merge pull request #765 from AndriiNyzhnyk/remove_deprecated_components
72ad64b fix: broken example code regression issues
19c91af Merge pull request #766 from hapi-swagger/update-repo-urls
7b2e92a chore: remove deprecated 'good' module
4b544e8 chore: update repo urls to hapi-swagger
ea35827 update jsDoc
73f8838 remove unused variables
88c3316 rewrite function 'appendQueryString'
22b74c2 14.5.3
e9839c4 Merge pull request #763 from AndriiNyzhnyk/fix_issue_711
9a01c3f Merge pull request #764 from AndriiNyzhnyk/improve_test_coverage
bc3f65e remove not needed arguments
f225432 add test for function 'appendQueryString'
393a3dc move function 'appendQueryString' to 'Utilities'
7358d95 simplify condition
2dde132 improve coverage for function 'toJoiObject'
3106505 simplify function 'removeTrailingSlash'
5c170b1 add test for function 'removeTrailingSlash'
84cbf5a add test for function 'getJoiLabel'

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-side Request Forgery (SSRF)
🦉 Prototype Pollution


          fix: package.json & package-lock.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090599
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090600
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090601
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090602

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet