New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 9 vulnerabilities #134

Open

kevinjm39 wants to merge 1 commit into master from snyk-fix-22bcd541f9085306e4b10cbd805bc541

Owner

kevinjm39 commented Dec 19, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	786/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: ava

The new version differs by 119 commits.

b4cfc8d 3.0.0
776788f Ship v3 🎉
0d11ff7 More issue template tweaks
9983976 Update various contributing documents and GitHub configuration
5a33572 Fix fail-fast interrupt test
61e0d05 Fix VSCode debugging instructions
630aac3 Fix remaining AVA link
5c8bcec Fix AVA link in snapshot reports
7b20f6c Allow Node arguments to be configured
ad27246 3.0.0-beta.2
ae948d8 Lowercase CLI argument description asides
ac8c852 Update dependencies
2bd890f Disable timeouts in debug mode
15d73ca Make console & process globals available to ava.config.js files
efa8635 Fix patterns and unpin picomatch
580705e Fix --update-snapshots
cf26b6d Ensure t.assert() counts as a passed assertion
82cef5c Add Selenium WebDriverJS recipe
090884b Use question mark to indicate optional argument in docs
7c352db 3.0.0-beta.1
66dd09f Rebuild package-lock
f02ac7a Install latest @ ava/babel
8bdcf8b Anticipate asynchronous loads
e919b40 Pass extensions to load as modules to Babel provider

See the full diff

Package name: braces

The new version differs by 18 commits.

abcf341 3.0.0
68a3fdf refactor
bb5b5ba Remove appveyor from readme.
086008a travis: Drop sudo: false.
4ed704b add unit tests
60eb988 ranges
7b1abf0 Use proper nodejs versions for appveyor.
7b106b6 braces api
80eae1f Drop duplicate node v11 for travis.
58d868e windows support
27f7344 Appveyor: Drop support for nodejs <8 for now.
25424ec Drop support for nodejs <8 for now.
ceef790 cover sets
f5bf204 clean up examples
92ec96d start refactoring
cd50063 2.3.2
8a3edbb lint, try to remove a couple of deps
8965a2f Remove unnecessary escape in Regex. ([Snyk] Security upgrade ava from 2.1.0 to 2.2.0 #14)

See the full diff

Package name: eslint-plugin-github

The new version differs by 224 commits.

01080b3 4.0.0
70e8521 Merge pull request Bump minimatch from 3.0.4 to 3.1.2 #107 from github/update-eslint
fc66f23 deprecate node 8
3a1d75e set output in tests
131f3f5 set root file
c80bb30 update eslint
46b2170 4.0.0-1
9f552f1 Merge pull request [Snyk] Security upgrade gatsby from 3.13.0 to 5.0.0 #104 from github/change-typescript-rules
be71c95 turn off `interface-name-prefix` rule
eae37ab turn off `no-unused-vars` rule in typescript config
54bd28d Merge pull request [Snyk] Security upgrade gatsby from 3.13.0 to 4.14.0 #103 from github/use-prettier-config-package
ee6c421 4.0.0-0
40fbc4a use prettier from npm package
a6c489b Merge pull request [Snyk] Security upgrade gatsby from 3.13.0 to 4.14.0 #101 from github/fix-camelcase-rule-in-typescript-config
882f4ed Merge pull request [Snyk] Security upgrade gatsby from 3.13.0 to 4.14.0 #102 from github/disable-no-none-null-assertion-rule
7bbc89a turn off `no-non-nul-assertion` rule
9b9bba3 turn eslint `camelcase` rule off in typescript config
a50a31a Merge pull request Bump @primer/gatsby-theme-doctocat from 1.3.0 to 4.2.1 in /docs #100 from github/update-deps
14f8162 update `svg-element-attributes`
bedd852 update @ typescript-eslint packages to their latest versions
4d10286 update mocha
d77c6e5 update eslint and friends
ccd340b Merge pull request Bump @primer/gatsby-theme-doctocat from 1.3.0 to 4.2.0 in /docs #99 from github/remove-scripts
f547093 Merge pull request Bump moment from 2.24.0 to 2.29.4 in /lib/octicons_styled #91 from github/dependabot/npm_and_yarn/acorn-7.1.1

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
🦉 Command Injection
🦉 Prototype Pollution


          fix: package.json & package-lock.json to reduce vulnerabilities

9b25912

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-BABELTRAVERSE-5962462
- https://snyk.io/vuln/SNYK-JS-DECODEURICOMPONENT-3149970
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067
- https://snyk.io/vuln/npm:debug:20170905

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet