[Snyk] Security upgrade aegir from 37.12.1 to 39.0.0 by adamlaska · Pull Request #62 · adamlaska/js-ipfs

adamlaska · 2023-06-22T22:48:59Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- packages/ipfs-message-port-server/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: aegir

The new version differs by 37 commits.

abd1a33 chore(release): 39.0.0 [skip ci]
fd02d90 deps: bump @ semantic-release/npm from 9.0.2 to 10.0.3 (feat: jsipfs add --only-hash ipfs/js-ipfs#1233)
7806e55 deps: bump semantic-release from 20.1.3 to 21.0.1 (docs: Add browser example for streaming files ipfs/js-ipfs#1223)
a53d306 deps(dev): bump electron from 23.2.4 to 24.1.2 (Add Docker to README ipfs/js-ipfs#1240)
d03ce94 deps: bump eslint-config-ipfs from 3.1.7 to 4.0.0 (file.cat API not supporting CIDs ipfs/js-ipfs#1229)
6b01e36 feat!: check for unused dependencies by default (How can I make a service on windows? ipfs/js-ipfs#1177)
15f01ea chore(release): 38.1.8 [skip ci]
b173aba fix: use WebWorker lib in tsconfig (Can't connect nodejs and browser nodes ipfs/js-ipfs#1219)
17f7230 update .github/workflows/js-test-and-release.yml (Fixed broken link referencing IPFS-Core API docs in example project ipfs/js-ipfs#1214)
32e89e1 update .github/workflows/js-test-and-release.yml (Full DAG support from CLI ipfs/js-ipfs#1212)
971fdbd chore(release): 38.1.7 [skip ci]
2285b4e fix: remove it-glob dependency (feat: ipfs shutdown ipfs/js-ipfs#1200)
e0bd5b0 update .github/workflows/js-test-and-release.yml (Implement Stats API ipfs/js-ipfs#1197)
72a9f4e chore(release): 38.1.6 [skip ci]
c103f37 deps: bump gh-pages from 4.0.0 to 5.0.0 (docs: add missing pointers to the Files API calls ipfs/js-ipfs#1173)
8761e36 deps: bump esbuild from 0.16.17 to 0.17.9 (TypeError: Cannot read property 'put' of undefined ipfs/js-ipfs#1194)
5a71818 deps: bump execa from 6.1.0 to 7.0.0 (feat: Add /ip6 addresses to bootstrap ipfs/js-ipfs#1191)
6e58c9e deps(dev): bump electron from 22.3.0 to 23.1.0 (Validate config and provide good error messages if something is wrong ipfs/js-ipfs#1193)
f2611aa chore(release): 38.1.5 [skip ci]
8d37a9a fix: revert pinning of esquery dep
e39e245 chore(release): 38.1.4 [skip ci]
eff8550 fix: pin esquery version temporarily
2dad5f2 fix: do not create .gitignore files for monorepo workspace projects
1cefa04 fix: allow not overwriting files

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

…bilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-SEMVER-3247795

google-cla · 2023-06-22T22:49:04Z

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

socket-security · 2023-06-22T22:55:37Z

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
HTTP dependency	aegir	39.0.10	Dependency: @semantic-release/github @https://registry.npmjs.org/@achingbrain/semantic-release-github/-/semantic-release-github-0.0.2.tgz Location: package.json	`packages/ipfs-message-port-server/package.json`

Next steps

What are http dependencies?

Contains a dependency which resolves to a remote HTTP URL which could be used to inject untrusted code and reduce overall package reliability.

Publish the HTTP URL dependency to npm or a private package repository and consume it from there.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

@SocketSecurity ignore aegir@39.0.10

socket-security · 2023-06-22T22:55:40Z

New and updated dependency changes detected. Learn more about Socket for GitHub ↗︎

Packages		Version	New capabilities	Transitives¹	Size	Publisher
aegir	🆕	39.0.10	None	`+102`	222 MB	npm-service-account-ipfs

https://docs.socket.dev ↩

fix: packages/ipfs-message-port-server/package.json to reduce vulnera…

85e2dec

…bilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-SEMVER-3247795

prmerger-automator bot added the do-not-merge label Jun 22, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Security upgrade aegir from 37.12.1 to 39.0.0#62

[Snyk] Security upgrade aegir from 37.12.1 to 39.0.0#62
adamlaska wants to merge 1 commit intomasterfrom
snyk-fix-5f0f340934291c1e6b357a1c1c9573c9

adamlaska commented Jun 22, 2023

Uh oh!

google-cla bot commented Jun 22, 2023

Uh oh!

socket-security bot commented Jun 22, 2023

Uh oh!

socket-security bot commented Jun 22, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

adamlaska commented Jun 22, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

Uh oh!

google-cla bot commented Jun 22, 2023

Uh oh!

socket-security bot commented Jun 22, 2023

Next steps

Uh oh!

socket-security bot commented Jun 22, 2023

Footnotes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants