[Snyk-local] Fix for 10 vulnerabilities #5677

snyk-bot · 2020-09-07T08:15:42Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- large-file/package.json
- large-file/package-lock.json
- large-file/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
479/1000 Why? Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-AXIOS-174505	Yes	No Known Exploit
601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20171108	No	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: engine.io

The new version differs by 14 commits.

1a685c0 [chore] Release 3.1.4
b3f1d35 [chore] Bump ws to version 3.3.1 ([Snyk(Unlimited)] Upgrade truwrap from 0.8.1 to 0.8.4 #543)
3ee803a [chore] Release 3.1.3
49362ab [fix] Fix undefined remoteAddress when using uws ([Snyk(Unlimited)] Upgrade debug from 2.0.0 to 2.6.9 #533)
3c77780 [chore] Bump debug to version 2.6.9 ([Snyk(Unlimited)] Upgrade color-convert from 1.9.2 to 1.9.3 #532)
bf24359 [chore] Release 3.1.2
a8ff89c [chore] Release 3.1.1
e0d720c [fix] Check whether 'Origin' header has invalid characters ([Snyk(Unlimited)] Upgrade @thebespokepixel/es-tinycolor from 0.3.1 to 0.3.2 #531)
38d639a [fix] Use explicit require of wsEngine ([Snyk(Unlimited)] Upgrade node-uuid from 1.4.0 to 1.4.8 #523)
f9d3f06 [docs] Fix wsEngine default value in README ([Snyk(Unlimited)] Upgrade term-ng from 0.8.1 to 0.8.5 #526)
fd20b91 [test] Use npm scripts instead of gulp ([Snyk(Unlimited)] Upgrade verbosity from 0.9.2 to 0.10.1 #530)
7f63d38 [fix] Fix undeterministic error in polling buffer processing ([Snyk(Unlimited)] Upgrade @thebespokepixel/meta from 0.2.3 to 0.2.5 #529)
3dcc2d5 [fix] Use workaround for setEncoding bug in node 0.10+ ([Snyk(Unlimited)] Upgrade sgr-composer from 0.5.0 to 0.5.3 #527)
e76e035 [fix] Fix null payload when aborting connection ([Snyk(Unlimited)] Upgrade debug from 2.0.0 to 2.6.9 #503)

See the full diff

Package name: engine.io-client

The new version differs by 12 commits.

90f4d17 [chore] Release 3.1.4
7fab005 [chore] Bump ws to version 3.3.1 ([Snyk(Unlimited)] Upgrade sgr-composer from 0.5.0 to 0.5.3 #587)
4558b25 [chore] Release 3.1.3
a28776e [refactor] Update entry point in webpack configuration ([Snyk(Unlimited)] Upgrade term-ng from 0.8.1 to 0.8.5 #586)
42501c6 [revert] [refactor] Remove usuless indexof dependency ([Snyk(Unlimited)] Upgrade qs from 0.0.6 to 0.6.6 #582)
8ce2432 [chore] Bump xmlhttprequest-ssl to version 1.5.4 ([Snyk(Unlimited)] Upgrade lodash from 4.17.10 to 4.17.15 #585)
4a551a1 [chore] Bump debug to version 2.6.9 ([Snyk(Unlimited)] Upgrade @thebespokepixel/string from 0.5.2 to 0.5.7 #584)
d8fdf9b [refactor] Remove useless entry point ([Snyk(Unlimited)] Upgrade node-uuid from 1.4.0 to 1.4.8 #583)
6043c49 [refactor] Remove usuless indexof dependency ([Snyk(Unlimited)] Upgrade qs from 0.0.6 to 0.6.6 #582)
5d29c1c [test] Remove IE6 and IE7 tests ([Snyk(Unlimited)] Upgrade adm-zip from 0.4.7 to 0.4.13 #581)
1cbab34 [chore] Release 3.1.2
0b26bc3 [fix] Remove parsejson dependency ([Snyk(Unlimited)] Upgrade node-uuid from 1.4.0 to 1.4.8 #580)

See the full diff

Package name: karma

The new version differs by 36 commits.

a4d5bdc chore: release v3.0.0
75f466d chore: release v2.0.6
5db9399 chore: update contributors
eb3b1b4 chore(deps): update mime -> 2.3.1 ([Snyk(Unlimited)] Upgrade mongoose from 4.2.4 to 4.13.19 #3107)
732396a fix(travis): Up the socket timeout 2->20s. ([Snyk(Unlimited)] Upgrade debug from 2.0.0 to 2.6.9 #3103)
173848e Remove erroneous change log entries for 2.0.3
1002569 chore(ci): drop node 9 from travis tests ([Snyk(Unlimited)] Upgrade @thebespokepixel/string from 0.5.2 to 0.5.10 #3100)
02f54c6 fix(server): Exit clean on unhandledRejections. ([Snyk(Unlimited)] Upgrade term-ng from 0.8.1 to 0.8.5 #3092)
0fdd8f9 chore(deps): update socket.io -> 2.1.1 ([Snyk(Unlimited)] Upgrade yargs from 11.1.0 to 11.1.1 #3099)
90f5546 fix(travis): use the value not the key name. ([Snyk(Unlimited)] Upgrade @thebespokepixel/es-tinycolor from 0.3.1 to 0.3.2 #3097)
fba5d36 fix(travis): validate TRAVIS_COMMIT if TRAVIS_PULL_REQUEST_SHA is not set. ([Snyk(Unlimited)] Upgrade truwrap from 0.8.1 to 0.8.4 #3094)
56fda53 fix(init): add "ChromeHeadless" to the browsers' options ([Snyk(Unlimited)] Upgrade verbosity from 0.9.2 to 0.10.1 #3096)
f6d2f0e fix(config): Wait 30s for browser activity per Travis. ([Snyk(Unlimited)] Upgrade lodash from 4.17.10 to 4.17.15 #3091)
a58fa45 fix(travis): Validate TRAVIS_PULL_REQUEST_SHA rather than TRAVIS_COMMIT. ([Snyk(Unlimited)] Upgrade sgr-composer from 0.5.0 to 0.5.3 #3093)
88b977f fix(config): wait 20s for browser activity. ([Snyk(Unlimited)] Upgrade consolidate from 0.14.5 to 0.15.1 #3087)
94a6728 chore: remove support for node 4, update log4js ([Snyk(Unlimited)] Upgrade dustjs-helpers from 1.5.0 to 1.7.4 #3082)
c5dc62d docs: better clarity for API usage
0018947 chore: release v2.0.5
02dc1f4 chore: update contributors
dc7265b fix(browser): ensure browser state is EXECUTING when tests start ([Snyk(Unlimited)] Upgrade express from 4.12.4 to 4.17.1 #3074)
7617279 refactor(filelist): rename promise -> lastCompletedRefresh and remove unused promise ([Snyk(Unlimited)] Upgrade moment from 2.15.1 to 2.24.0 #3060)
a701732 fix(doc): Document release steps for admins ([Snyk(Unlimited)] Upgrade st from 0.2.4 to 0.5.5 #3063)
93ba05a fix(middleware): Obey the Promise API.
518cb11 fix: remove circular reference in Browser

See the full diff

Package name: precinct

The new version differs by 25 commits.

e1555eb 5.0.1
cf0fc85 Merge pull request [Snyk] Fix for 2 vulnerable dependencies #45 from dependents/bump
366677c bump deps
5a51c9f 5.0.0
926e522 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #44 from dependents/bump_deps
83d4cf3 Bump dependencies
5447ea3 4.3.0
a111892 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #43 from realityking/dependencies
3319f22 Update detective-typescript@3
b169ef1 Update mocha@5.2, sinon@6 and rewire@4
34c17a8 Regenerate package-lock.json
2449488 4.2.0
458c075 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #41 from dependents/bump
70f0c05 bump postcss for url sniffing option
26d7a4c 4.1.0
6553f16 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #40 from joscha/joscha/postcss
5068a88 paperwork test
bec9b5e add CSS to list
c93a1a8 feat: add CSS (PostCSS dialect)
ab7f601 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #39 from akkumar/update_versions
599bde7 chore: update devDependencies and detective-less to 1.0.1. check in package-lock
e886f1d 4.0.0
7251ccd Merge pull request [Snyk] Fix for 1 vulnerable dependencies #38 from dependents/bump_typescript
34cd9a7 Use newer node version and specify it

See the full diff

With a Snyk patch:

Priority Score (*)	Issue	Exploit Maturity
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	No Known Exploit
529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No Known Exploit
399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit
576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

…le/.snyk to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - http://localhost:8000/vuln/SNYK-JS-AXIOS-174505 - http://localhost:8000/vuln/SNYK-JS-MINIMIST-559764 - http://localhost:8000/vuln/npm:braces:20180219 - http://localhost:8000/vuln/npm:ws:20171108 The following vulnerabilities are fixed with a Snyk patch: - http://localhost:8000/vuln/SNYK-JS-LODASH-567746 - http://localhost:8000/vuln/npm:debug:20170905 - http://localhost:8000/vuln/npm:hoek:20180212 - http://localhost:8000/vuln/npm:lodash:20180130 - http://localhost:8000/vuln/npm:ms:20170412 - http://localhost:8000/vuln/npm:tunnel-agent:20170305

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk-local] Fix for 10 vulnerabilities #5677

[Snyk-local] Fix for 10 vulnerabilities #5677

snyk-bot commented Sep 7, 2020

[Snyk-local] Fix for 10 vulnerabilities #5677

Are you sure you want to change the base?

[Snyk-local] Fix for 10 vulnerabilities #5677

Conversation

snyk-bot commented Sep 7, 2020

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

With a Snyk patch: