[Snyk] Security upgrade spectron from 10.0.1 to 14.0.0#98

Open

baby636 wants to merge 1 commit intomasterfrom

snyk-fix-4e50359b4b8f1763a1cc8eb45261a15e

Owner

baby636 commented Nov 28, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

⚠️

Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: spectron

The new version differs by 28 commits.

d2ecadc fix: disable contextIsolation on webframes
04f97b5 chore: disable windowByIndex commands
f60fdbc chore: set fixtures to contentIsolation: false, update deprecation log number
86bffe8 chore: upgrade to Electron 12, import @ electron/remote
f4d097a Merge pull request Self-destructed on auto-update from v0.6.0 to v0.6.1 ipfs/ipfs-desktop#783 from AviVahl/replace-request-with-got
87a00b7 v13.0.0
d515796 test(ci): use github actions Linux container (Add home and removable-media plug to the snap ipfs/ipfs-desktop#782)
495f7d8 chore(deps): replace "request" with "got"
1510a9b Merge pull request fix: gelocation of peers ipfs/ipfs-desktop#778 from AviVahl/electron-11
d763b84 chore(deps): electron@11, latest others
2bfc7dd Merge pull request Black screenshots - master branch ipfs/ipfs-desktop#772 from andersk/prepare
72ed944 Change prepack script to prepare
fc4c67e Version 12.0.0
89206bf chore: upgrade Electron to v10.0.0 (Improve UX when $IPFS_PATH/api exists and API is offline ipfs/ipfs-desktop#713)
cfeeebe chore: bump standard from 12.0.1 to 14.3.4 (Start addressing the tests ipfs/ipfs-desktop#604)
7b8520e chore: bump eslint from 7.3.1 to 7.9.0 (feat: i18n ipfs/ipfs-desktop#706)
22ee8ed chore: bump @ typescript-eslint/parser from 3.4.0 to 3.10.1 (fail to build source code ipfs/ipfs-desktop#690)
bb2a42c chore: bump @ typescript-eslint/eslint-plugin from 3.4.0 to 4.0.0 (docs: fix spelling ipfs/ipfs-desktop#698)
1439291 chore: bump typescript from 3.9.2 to 4.0.3 (fix: do not cleanup api and repo.lock files ipfs/ipfs-desktop#711)
1b75bf0 chore: bump webdriverio from 6.1.20 to 6.5.2 (fix: a typo in CORS header name ipfs/ipfs-desktop#712)
cf6d97c Version 11.1.0
c4fe27e chore: Add prettier and eslint (Bad UX on pinning big ipfs-pack trees ipfs/ipfs-desktop#633)
9fdb353 chore: upgrade webdriverio to 6.1.20 (Hangs on OSX ipfs/ipfs-desktop#631)
0e91e2b chore: bump electron from 8.0.0 to 9.0.0 (Option to only start Frontend ipfs/ipfs-desktop#611)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Arbitrary Code Injection
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn


          fix: package.json to reduce vulnerabilities

16fef16

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-EJS-1049328
- https://snyk.io/vuln/SNYK-JS-EJS-2803307
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet