New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Security upgrade @lhci/server from 0.3.14 to 0.11.0 #40

Open

thexdesk wants to merge 1 commit into master from snyk-fix-956d6e7c2a4be885588d5b7b26de45a2

Owner

thexdesk commented Nov 27, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- docs/recipes/heroku-server/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASHSET-1320032	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-NODEFORGE-2330875	No	Proof of Concept
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-NODEFORGE-2331908	No	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430337	No	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430339	No	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430341	No	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	XML External Entity (XXE) Injection SNYK-JS-XMLDOM-1084960	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Improper Input Validation SNYK-JS-XMLDOM-1534562	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Prototype Pollution SNYK-JS-XMLDOM-3042242	No	No Known Exploit
	811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-XMLDOM-3092935	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @lhci/server

The new version differs by 250 commits.

2618b5f feat(cli): use requestedUrl instead of finalUrl for upload context naming (feat(cli): use requestedUrl instead of finalUrl for upload context naming GoogleChrome/lighthouse-ci#849)
3bf80bf feat: upgrade to lighthouse 9.6.8 (feat: upgrade to lighthouse 9.6.8 GoogleChrome/lighthouse-ci#840)
60aa39c chore(dep): upgrade to puppeteer 19.7.1 (chore(dep): upgrade to puppeteer 19.7.1 GoogleChrome/lighthouse-ci#871)
1a797a3 tests: fix windows unit tests (tests: fix windows unit tests GoogleChrome/lighthouse-ci#872)
3560e81 chore: update docker images with latest version
71d3af2 chore: bump to node 16 in dockerfiles (chore: bump to node 16 in dockerfiles GoogleChrome/lighthouse-ci#841)
43afef4 fix(docker): include globally installed puppeteer (fix(docker): include globally installed puppeteer GoogleChrome/lighthouse-ci#736)
55fd467 feat(cli): API requests will respect HTTP_PROXY env variable (feat(cli): API requests will respect HTTP_PROXY env variable GoogleChrome/lighthouse-ci#727)
e4c2b2c chore(deps): node 16, storybook, esbuild (chore(deps): node 16, storybook, esbuild GoogleChrome/lighthouse-ci#839)
ada2782 feat(cli): added url hash to differentiate between urls (feat(cli): Added url hash to differentiate between urls GoogleChrome/lighthouse-ci#835)
75f4bb8 docs: clarify when Github status checks apply (docs: clarify when Github status checks apply GoogleChrome/lighthouse-ci#822)
b7f59c6 chore(docs): update security tradeoff link (chore(docs): update security tradeoff link GoogleChrome/lighthouse-ci#815)
fbd4465 fix typecheck
908b075 tests: use relative path in utils test files (tests: use relative path in utils test files GoogleChrome/lighthouse-ci#737)
0da6496 docs(heroku): fix recipe for Heroku to support LHCI 0.9.0 (docs(heroku): fix recipe for Heroku to support LHCI 0.9.0 GoogleChrome/lighthouse-ci#782)
d218192 feat: extract type defs to assert.d.ts (feat: extract type defs to assert.d.ts GoogleChrome/lighthouse-ci#785)
ff1f14d chore(docs): s/enviroment/environment (docs: s/enviroment/environment GoogleChrome/lighthouse-ci#720)
d41928d docs: update CircleCI config example (docs: update CircleCI config example GoogleChrome/lighthouse-ci#721)
c9a3684 chore: add commitMessage to storybook tests (chore: add commitMessage to storybook tests GoogleChrome/lighthouse-ci#744)
fea2fd4 chore(deps): remove update-notifier (chore(deps): remove update-notifier GoogleChrome/lighthouse-ci#756)
c8957a8 Update minimum node version requirement ((docs) - Updated minimum node version requirements GoogleChrome/lighthouse-ci#803)
72270e7 fix standalone viewer build via build-app adjustments (fix standalone viewer build via build-app adjustments GoogleChrome/lighthouse-ci#786)
aa10d00 fix(docker): update deps in docker-server to match global deps (fixes #775: Update deps in docker-server to match global deps GoogleChrome/lighthouse-ci#779)
0fe44dd fix(server): CLS diff not showing on compare screen (CLS diff not showing on compare screen GoogleChrome/lighthouse-ci#784)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Open Redirect
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn


          fix: docs/recipes/heroku-server/package.json to reduce vulnerabilities

bb20ecc

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASHSET-1320032
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2330875
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2331908
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430337
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430339
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430341
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
- https://snyk.io/vuln/SNYK-JS-XMLDOM-1084960
- https://snyk.io/vuln/SNYK-JS-XMLDOM-1534562
- https://snyk.io/vuln/SNYK-JS-XMLDOM-3042242
- https://snyk.io/vuln/SNYK-JS-XMLDOM-3092935

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment