New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 13 vulnerabilities #115

Open

anarh wants to merge 1 commit into master from snyk-fix-0f1b069f4c0ba5c91fdf7e996c63db74

Owner

anarh commented Nov 28, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTMLMINIFIER-3091181	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:parsejson:20170908	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: html-loader

The new version differs by 141 commits.

d7cccfa chore(release): 1.0.0
3c9a1d8 refactor: `attributes` option (i18nlint: add ignore Automattic/wp-calypso#265)
8c73761 feat: `preprocessor` option (Editor: Prevent Use of Editor from Core-Apps Webviews Automattic/wp-calypso#263)
f2ce5b1 feat: improve errors
9923244 chore(deps): update (Purchases: Allow disabling input fields in credit card form Automattic/wp-calypso#260)
9835bde feat: supports `link:href` attribute for css (Purchases: Certain texts on expired upgrades are hard to read Automattic/wp-calypso#258)
7af2eff refactor: improve schema (Purchases: Verification screen for cancelled purchase Automattic/wp-calypso#257)
98412f9 docs: `filter` sources (Signup: Theme step should use ThemesList component Automattic/wp-calypso#256)
ff0f44c feat: implement the `filter` option for filtering some of sources (NUX: account + site signup sends old version of the welcome email Automattic/wp-calypso#255)
1c24662 refactor: move the `root` option under the `attributes` option (Signup: Choose a display name rather than a username Automattic/wp-calypso#254)
888b8fe docs: add footnote for `-attributes` (Signup: Accessibility fixes Automattic/wp-calypso#252)
3d2907e refactor: remove the `interpolate` option
bd979e2 refactor: remove the `interpolate` option
fcba4ec fix: handle only valid srcset tags (Signup: List of all active flows Automattic/wp-calypso#253)
9e5ce56 perf: improve source parse (Signup: Plans: custom header text for /start/premium Automattic/wp-calypso#251)
c9c8dad refactor: improve source parse (NUX: user-only version of the welcome email Automattic/wp-calypso#250)
079d623 fix: respect `#hash` in sources
a17df49 fix: reduce `import`/`require` count
d0b0150 fix: adding quotes when necessary for unquoted sources (i18n: Add plural variant to strings using timeLapsed variable Automattic/wp-calypso#247)
e3727ab test: minifier
0bbe29c feat: migrate on `htmlparse2`
b7af031 fix: escape `\u2028` and `\u2029` characters (Editor: Notice z-index issue Automattic/wp-calypso#244)
24b0427 fix: parser tags and attributes according spec (Sidebar: visual issue when resizing from small to large viewport Automattic/wp-calypso#243)
3df909d feat: support `script:src` attributes

See the full diff

Package name: node-sass

The new version differs by 250 commits.

3b556c1 7.0.2
c716359 Bump sass-graph@^4.0.1 (Pickup new xgettext version to fix #3239 Automattic/wp-calypso#3292)
24741b3 docs(readme): fix docpad plugin link
1523330 feat: Drop Node 12
365d357 update https://registry.npm.taobao.org to https://registry.npmmirror.com
1456114 build(deps): bump actions/upload-artifact from 2 to 3
b465b69 chore: bump GitHub Actions to Windows 2019 (Notification Settings: Add duration to notice after successfully saving Automattic/wp-calypso#3254)
e6194b1 build(deps): bump make-fetch-happen from 9.1.0 to 10.0.4
4edf594 build(deps): bump node-gyp from 8.4.1 to 9.0.0
29e2344 build(deps): bump actions/checkout from 2 to 3
85b0d22 build(deps): bump actions/setup-node from 2 to 3
3bb51da Use make-fetch-happen instead of request (Components: Consolidate PostSelector styles for standalone usage Automattic/wp-calypso#3193)
adc2f8b build(deps): bump true-case-path from 1.0.3 to 2.2.1 (Fix metric explosion in grafana Automattic/wp-calypso#3000)
77d12f0 chore: disable Apline for Node 16/17 builds
308d533 ci: use Python 3 for Node 12
c818907 ci: unpin actions/setup-node to v2
99242d7 7.0.1
77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (Signup: Remove /next Automattic/wp-calypso#3224)
c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (Desktop: Fix selectors for notification button Automattic/wp-calypso#3209)
918dcb3 Lint fix
0a21792 Set rejectUnauthorized to true by default (Domains: Show a notice when undoing the removal of a DNS record Automattic/wp-calypso#3149)
e80d4af chore: Drop EOL Node 15 (Global Notices: fixed notice__action for global notices Automattic/wp-calypso#3122)
d753397 feat: Add Node 17 support (People: Remove debug UI from invite form Automattic/wp-calypso#3195)
dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0

See the full diff

Package name: npm-run-all

The new version differs by 14 commits.

59219e8 4.1.0
f7f7b43 Fix: MaxListenersExceededWarning (fixes [Snyk] Security upgrade webpack-dashboard from 0.2.1 to 2.0.0 #105)
64f6479 Chore: use async/await in tests
66fa8ff Chore: upgrade dependencies
8c8bec0 Docs: update docs
8c6debf Chore: tweak CI settings
5fcc2c6 Chore: no package-lock
e07e782 New: add `--aggregate-output` option (fixes [Snyk] Fix for 1 vulnerabilities #36)([Snyk] Fix for 1 vulnerabilities #104)
dff6409 Docs: add note about Yarn compatibility ([Snyk] Security upgrade webpack-dashboard from 0.2.1 to 2.0.0 #103)
94f1b64 Merge pull request [Snyk] Fix for 1 vulnerabilities #101 from ntwb/patch-1
a8364ce Add Node.j 8.x to AppVeyor CI
c6d3092 Add Node.js 8.x to Travis CI
873f036 Merge pull request [Snyk] Fix for 1 vulnerabilities #95 from goto-bus-stop/feature/docs-in-pkg
0fca0e0 Include docs in published npm package.

See the full diff

Package name: postcss-cli

The new version differs by 250 commits.

745ad2c 7.0.0
cf6ea09 Update eslint config
ea1cec4 Update eslint-config-problems to version 3.1.0 (Editor: Add spellcheck / proofreading feature Automattic/wp-calypso#306)
1519430 Update globby to version 10.0.1 (Editor: Add "link to existing content" feature Automattic/wp-calypso#303)
5b47456 Update eslint to version 6.8.0 (Framework: replace wpcom-private by wpcom-unpublished Automattic/wp-calypso#305)
e241672 Update nyc to version 15.0.0 (Purchases: Deploy /purchases to production Automattic/wp-calypso#297)
4a87ff1 Update chalk to version 3.0.0 (Fix typo in the readme Automattic/wp-calypso#294)
e666505 Update prettier to version 1.19.1 (Plugins: Show disabled autoupdate info Automattic/wp-calypso#304)
0d3591a Update ava to version 2.4.0 (Framework: Allow for a sans-sidebar layout and adjust accordingly Automattic/wp-calypso#302)
cb9f451 Update fs-extra to version 8.1.0 (Don't allow private registration to be removed from the cart Automattic/wp-calypso#301)
4f68a46 Update chokidar to version 3.3.0 (Editor: Add word count Automattic/wp-calypso#300)
5c22ddb Update yargs to version 15.0.2 (Editor: Fix iOS 8.4 Focus Issues Automattic/wp-calypso#298)
79eb0ac Update get-stdin to version 7.0.0 (Purchases: Domain renewals: Removing private registration Automattic/wp-calypso#273)
71384c6 Update Travis config; remove AppVeyor
6b92df3 BREAKING: Drop Node 6 & 8; test on new Node versions
7091819 6.1.3
0de7ccf Fix map file path creation (Purchases: Renewals: Use a temporary cart Automattic/wp-calypso#286)
f1c7352 Update prettier to version 1.18.0 (Purchases: Manage: Implement Use This Card feature Automattic/wp-calypso#281)
035bab8 Update nyc to version 14.0.0 (Server Side Rendering: Bundle localization json files Automattic/wp-calypso#274)
541048e Update prettier to version 1.17.0 (Purchases: style issues for PayPal in Edit Payment Method Automattic/wp-calypso#272)
8fd79b0 6.1.2
72376fc Upgrade prettier to ~1.16.4
87a7286 Update globby to v9.0.0 (Stats: Insights module labels and numbers misaligned Automattic/wp-calypso#270)
c079cff Test Node 10 & 11

See the full diff

Package name: rtlcss

The new version differs by 20 commits.

f1e9a8e 2.2.0
583ac3e 2.2.0
f8e1140 Update README.md
5894fcf 2.1.2
58f4043 add node 6.x
b1f99f8 CI for node 4 and above
81c54dc 2.1.1
0bee389 fixes [Snyk] Fix for 1 vulnerabilities #88
f45d739 2.1.0
31f0d66 Support CSS background-position edge offsets
222a98c 2.0.7
1f23978 Closes [Snyk] Security upgrade tinymce from 4.6.3 to 5.10.0 #85
ad4b561 Fixes [Snyk] Security upgrade prismjs from 1.6.0 to 1.25.0 #84
46688c6 Update README.md
243cbb4 Merge pull request [Snyk] Fix for 1 vulnerabilities #83 from gitter-badger/gitter-badge
e3dde6e Add Gitter badge
440340e link to rtlcss.com
7929fc5 Update README.md
89b7584 Update README.md
c653d8f Update README.md

See the full diff

Package name: socket.io-client

The new version differs by 137 commits.

d30914d [chore] Release 2.0.0
9e7b543 [chore] Bump engine.io to version 3.1.0 (Editor: text is stripped within code tags Automattic/wp-calypso#1109)
442587e [chore] Bump dev dependencies (Invites: move /accept-invite to /my-sites/invites Automattic/wp-calypso#1108)
ff4cb3e [feat] Move binary detection to the parser (Reader: Fixes post excerpt link going under the help icon Automattic/wp-calypso#1103)
b4c7e49 [chore] Bump debug to version 2.6.4 (Framework: Move /accept-invite to /lib/invites Automattic/wp-calypso#1101)
3f19445 Merge pull request Docs: update components/readme to link to main doc Automattic/wp-calypso#1096 from satya164/patch-1
628eb3b Fix dependencies
d32bc5b [docs] Fix messed events documentation (Reader: Edit List heading is too close to the nav Automattic/wp-calypso#1089)
2135ed8 [docs] Fix Manager constructor documentation (Editor: Fixes sticky panel overlapping navbar Automattic/wp-calypso#1093)
25321d1 [docs] Fix format in API.md (Editor: The Sticky Panel is overlapping the nav Automattic/wp-calypso#1090)
9064608 [docs] Add note regarding the Emitter class (Signup: Replace usage of ThemeThumbnail for ThemesList component on Theme Selection Signup Step Automattic/wp-calypso#1079)
49fb3e0 [fix] Run tests on the minified files (Reader: Show a list of people who have liked a post Automattic/wp-calypso#1042)
4af8fd3 [docs] Add missing path option in the documentation (Invites: Centers text in logged in accept buttons Automattic/wp-calypso#1078)
2dcc794 [feature] Allow the use of a custom parser (Revert "Desktop: Request 2nd factor auth code as text message." Automattic/wp-calypso#1075)
4322cf2 [docs] Fix typo (Using a function for oauth constants Automattic/wp-calypso#1076)
1ac8374 [chore] Bump engine.io-client to version 2.0.2 (Framework: Adding 4 new gridicons: book, briefcase, institution, speaker Automattic/wp-calypso#1074)
3d63875 [chore] Bump socket.io-parser to version 2.3.2 (Framework: Standardize Placeholder Styles Automattic/wp-calypso#1071)
8fc4b44 [docs] Fix typo (Editor: Cannot scroll in preview in iOS Automattic/wp-calypso#1066)
a98f94d [chore] Bump engine.io-client to version 2.0.0 (Search: Safari is not handling search url links Automattic/wp-calypso#1062)
fcb5c43 [fix] Add nsp prefix to socket.id (Framework: infinite-list should remember position when crossing calypso threshold Automattic/wp-calypso#1058)
ba5dca3 [test] Update browsers matrix (Editor: allow long titles to wrap to multiple lines Automattic/wp-calypso#1059)
7a533cd [chore] Update issue template with fiddle (Framework: rethink search/filter interactions on mobile Automattic/wp-calypso#1057)
55411df [docs] Add `connect_error` and `connect_timeout` events (Media: Include option to copy item's URL Automattic/wp-calypso#1051)
558163d [docs] API documentation (Signup: Fix checkout sidebar overlap Automattic/wp-calypso#1049)

See the full diff

Package name: webpack

The new version differs by 250 commits.

610f368 5.0.0
5ce65c1 update examples
bbe1230 Merge pull request Themes: Conflicting Details Shown After Uploading Self-hosted version of a WP.COM theme. Automattic/wp-calypso#11628 from webpack/bugfix/real-content-hash
75ecff2 5.0.0-rc.6
bfc35d6 Merge pull request Merging wp-desktop with wp-calypso: Folder structure & webpack resolvers Automattic/wp-calypso#11603 from MayaWolf/master
76e8cbd Merge pull request Replace Dyad with Dyad 2 in signup Automattic/wp-calypso#11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
36bcfaa Merge pull request Themes: Fix try&customize for themes on AT sites Automattic/wp-calypso#11621 from webpack/bugfix/11619
9130d10 fix called variables with ProvidePlugin
3e42105 Merge pull request WIP: Create a plugin interface for wp-admin from Calypso Automattic/wp-calypso#11620 from webpack/bugfix/11617
4709719 skip connections copied to concatenated module
57b493f 5.0.0-rc.5
1658e2f Merge pull request Reader: clean up cardpicking logic / move off sitestore/feedstore Automattic/wp-calypso#11618 from webpack/bugfix/11615
a8fb45d fixes crash in SideEffectsFlagPlugin
84b196d emit error instead of crashing when unexpected problem occurs
5573fed Merge pull request Signup: Fix site path through domain-first flow Automattic/wp-calypso#11601 from Hornwitser/improve-suggested-polyfill-config
9b5cce9 Merge pull request Jetpack Settings: Consolidate info link container styles Automattic/wp-calypso#11609 from snitin315/export-types
37c495c export type RuleSetUseItem
39faf34 export type RuleSetUse
e5fd246 export type RuleSetConditionAbsolute
660baad export RuleSetCondition types
13e3ca5 Merge pull request Stats: Fix loading state on summarized views. Automattic/wp-calypso#11602 from webpack/bugfix/shared-runtime-chunk
9c0587e Merge pull request Accept comments argument in showSelectedPost Automattic/wp-calypso#11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
502d166 Merge pull request CRO: Test removing monthly payment option and matching WP.com plans UI Automattic/wp-calypso#11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Package name: webpack-dashboard

The new version differs by 77 commits.

5b65faa 2.0.0
8a32cd1 [Major] Integrate inspectpack3 - faster, better, and more colorful! (Domain Management: Domain Locking doesn't refresh automatically on Transfer page Automattic/wp-calypso#249)
9a9a020 1.1.1
719dd0c Allow better fallback for real metrics. (Me: Layout issues on Scan-the-QR-Code page on narrow screens Automattic/wp-calypso#232)
6738152 1.1.0
7f99b31 Feature: Enable opt-out of minified, gzip calculations. (Me: Button stacking on narrow screens needs improvement Automattic/wp-calypso#230)
812f072 1.0.2
338cc53 fix issue when bundle don't have metrics at all (Purchases: improve feedback when updating payment details Automattic/wp-calypso#221)
4f56a22 1.0.1
839fbde Wait until apply to create inspectpack daemon (Framework: document the layout and rendering order Automattic/wp-calypso#215)
44efac4 Update yarn.lock.
9c532ff v1.0.0
2f24fe9 Feature - Add plugin host option (Server Side Rendering: Create a new ThemesList, Dispatcher, and likely Themes instance for each request Automattic/wp-calypso#188)
3f558c3 Added OS support section (Stats: static front page stats are labeled with the page title instead of "Home page" Automattic/wp-calypso#210)
c9be427 Add basic tests. (Posts: post-count tests in wpcom api test suite should be updated Automattic/wp-calypso#208)
7f02ea9 Merge pull request .org Plans: Confirmation page should link to specific sections of the support page Automattic/wp-calypso#204 from FormidableLabs/node-env-support
9bfeab3 Use getOr and fix minor error in readme
b8f0a49 Added docs and simplifed prod warning messaging.
f5645a8 Fixed spacing.
a73fa95 Added support for node env provide plugin.
f686a02 Merge pull request Framework: Account for Preferences settings 2FA refresh response Automattic/wp-calypso#202 from FormidableLabs/inspectpack-reporting-sizes
6141b80 Use path.sep for path separator
f723dcd Merge pull request .org Plans: Receipt sometimes not sent / emailed for plan purchases Automattic/wp-calypso#203 from FormidableLabs/keyboard-log-nav
9de6469 Added keyboard navigation for main log.

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-side Request Forgery (SSRF)
🦉 Improper Input Validation
🦉 More lessons are available in Snyk Learn


          fix: package.json to reduce vulnerabilities

9a70b00

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-HTMLMINIFIER-3091181
- https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118
- https://snyk.io/vuln/SNYK-JS-NODEFETCH-674311
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-1056752
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-3091012
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
- https://snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:ms:20170412
- https://snyk.io/vuln/npm:parsejson:20170908

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet