New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 15 vulnerabilities #11

Open

skmezanul wants to merge 1 commit into master from snyk-fix-0f36c5069da6029d6e29791ee95fd991

Owner

skmezanul commented Jun 22, 2022

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	661/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.8	Arbitrary Code Injection SNYK-JS-MORGAN-72579	Yes	Proof of Concept
	761/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.8	Information Exposure SNYK-JS-SIMPLEGET-2361683	Yes	Proof of Concept
	529/1000 Why? Has a fix available, CVSS 6.3	Non-Constant Time String Comparison npm:cookie-signature:20160804	No	No Known Exploit
	484/1000 Why? Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) npm:express:20140912	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	Yes	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:ip:20170304	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:qs:20140806	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Denial of Service (DoS) npm:qs:20140806-1	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	Yes	No Known Exploit
	429/1000 Why? Has a fix available, CVSS 4.3	Directory Traversal npm:send:20140912	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Root Path Disclosure npm:send:20151103	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) npm:serve-index:20150314	No	No Known Exploit
	369/1000 Why? Has a fix available, CVSS 3.1	Open Redirect npm:serve-static:20150113	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: torrent-stream

The new version differs by 58 commits.

064991e 1.0.2
b990ef1 prune deps
4148bdf 1.0.1
6f2c79f bump torrent-discovery
11090de Merge pull request ERR_INVALID_CALLBACK & ERR_HTTP_HEADERS_SENT on Nodjs10.X asapach/peerflix-server#150 from ralphtheninja/master
7d507a9 add dependency badges
1e42279 add travis badge
1205f9f add .travis.yml
09f05e9 Merge pull request How can I start peerflix-server at startup using forever? asapach/peerflix-server#141 from giacomocerquone/patch-1
224219c Added .on(idle), .on(torrent) and swarm.downloaded
ec8dd65 1.0.0
f37a085 Merge pull request Need help for create. asapach/peerflix-server#135 from feross/standard
b3dbefd Merge pull request Use official node image in Dockerfile, cleaned up Dockerfile asapach/peerflix-server#134 from feross/master
77dbda0 use standard
072bcb6 Use `torrent-discovery` package
cc3a748 Merge pull request Use official node image in dockerfile asapach/peerflix-server#133 from feross/master
c7f249c make tests work offline (more reliable)
0a1cbfd BREAKING: Stores based on `abstract-chunk-store`
e6771da Merge pull request heroku fails asapach/peerflix-server#132 from feross/master
2671882 use `torrent-piece` package
daced41 0.21.3
16334ef Merge pull request Added noindex, nofollow, noarchive meta asapach/peerflix-server#130 from bsuh/fix-metadata-crash
b5240d2 0.21.2
a335e05 Merge pull request unable to deploy it in heroku asapach/peerflix-server#128 from bsuh/fix-pulsing

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Arbitrary Code Injection
🦉 Cross-site Scripting (XSS)
🦉 Directory Traversal
🦉 More lessons are available in Snyk Learn


          fix: package.json to reduce vulnerabilities

e08b919

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-MORGAN-72579
- https://snyk.io/vuln/SNYK-JS-SIMPLEGET-2361683
- https://snyk.io/vuln/npm:cookie-signature:20160804
- https://snyk.io/vuln/npm:express:20140912
- https://snyk.io/vuln/npm:fresh:20170908
- https://snyk.io/vuln/npm:ip:20170304
- https://snyk.io/vuln/npm:mime:20170907
- https://snyk.io/vuln/npm:negotiator:20160616
- https://snyk.io/vuln/npm:qs:20140806
- https://snyk.io/vuln/npm:qs:20140806-1
- https://snyk.io/vuln/npm:qs:20170213
- https://snyk.io/vuln/npm:send:20140912
- https://snyk.io/vuln/npm:send:20151103
- https://snyk.io/vuln/npm:serve-index:20150314
- https://snyk.io/vuln/npm:serve-static:20150113

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet