Skip to content

[Snyk] Fix for 10 vulnerabilities #28

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
lfox91 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 10 vulnerabilities #28

lfox91 wants to merge 1 commit into from
+4 −4

Conversation

@lfox91
Copy link
Owner

@lfox91 lfox91 commented Nov 28, 2023

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908		 Yes Proof of Concept
critical severity 679/1000
Why? Has a fix available, CVSS 9.3		 Incomplete List of Disallowed Inputs
SNYK-JS-BABELTRAVERSE-5962463		 Yes No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-CSSWHAT-3035488		 No Proof of Concept
medium severity 641/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.4		 Prototype Pollution
SNYK-JS-JSON5-3182856		 Yes Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2		 Command Injection
SNYK-JS-LODASHTEMPLATE-1088054		 Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-2342073		 Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-2342082		 Yes Proof of Concept
medium severity 520/1000
Why? Has a fix available, CVSS 5.9		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-584281		 Yes No Known Exploit
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Server-side Request Forgery (SSRF)
SNYK-JS-REQUEST-3361831		 Yes Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Prototype Pollution
SNYK-JS-TOUGHCOOKIE-5672873		 Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: babelify The new version differs by 6 commits.
  • b06b778 8.0.0
  • ea73917 Remove path-is-absolute devDep
  • 02f97ec drop node 0.10/0.12, add peerDep on babel-core instead of dep, drop object-assign, add package-lock
  • 6d45fa8 Explicitly test Node 4, 5 and 6 in travis
  • 9944a55 Explain the double negatives a bit better (#197)
  • d9e3029 babelify in quotes in example (#198)

See the full diff

Package name: cheerio The new version differs by 56 commits.
  • c3ec1cd Release 0.20.0
  • ef848ca Add coveralls badge, remove link to old report
  • dbcbe90 Merge pull request #808 from leifhanack/lodash4
  • c04ead1 Merge pull request #668 from rwaldin/prop-method
  • b5531bb Merge pull request #671 from twolfson/dev/fallback.select.content.sqwished
  • 9d98bd7 Merge pull request #704 from Rycochet/master
  • 1b9c5c9 Merge pull request #797 from Delgan/641-appendTo_prependTo
  • b12cbe8 Update lodash dependeny to 4.1.0
  • 8c9b2e0 Merge pull request #796 from Delgan/fix_780
  • b09db31 Fix PR #726 adding 'appendTo()' and 'prependTo()'
  • ce8829d Added appendTo and prependTo with tests #641
  • 4779762 Fix #780 by changing options context in '.find()'
  • 8dc1cc9 Add an unit test checking the query of child
  • b27bed6 fix #667: attr({foo: null}) removes attribute foo, like attr('foo', null)
  • 70c5608 Include reference to dedicated "Loading" section
  • fa70a84 Added load method to $
  • 4e8483a update css-select to 1.2.0
  • 5f2777a Merge pull request #732 from jugglinmike/reinstate-toarray
  • 106e42a Merge pull request #776 from dYale/master
  • 97149d3 Fixing Grammatical Error
  • a1367ee Merge pull request #739 from TrySound/npm-files
  • 6c73b7a Merge pull request #773 from JaKXz/patch-1
  • 48bb22d Test against node v0.12 --> v4.2
  • ec2414d Correct output in example

See the full diff

Package name: gulp-notify The new version differs by 25 commits.
  • 398d0a4 v3.1.0
  • fc51ff2 Merge pull request #124 from ohbarye/replace-gulp-util
  • 46efdc6 Move vinyl to devDependencies
  • 173fcb0 Use ansi-colors instead of chalk due to node version compatibility
  • 1e8c372 Remove unused through import
  • 3284a51 Drop dependency on deprecated gulp-util
  • 455250c npm install chalk fancy-log plugin-error lodash.template vinyl
  • 658efc5 v3.0.0
  • b1ba7a2 Adds changelog for bump with node-notifier
  • 7d6944e Updates all dependencies
  • 08244ea Adds log files to ignore
  • 8df5320 Bumps node-notifier dependency to latest
  • 507e21f Merge pull request #105 from queicherius/patch-1
  • f32b692 Update node-notifier dependency
  • f5d3f46 Merge pull request #103 from Toby-S/patch-1
  • bbcc4d1 Correct indent_style in .editorconfig
  • c0d7501 Update README.md
  • 21eed88 Update README.md
  • 084f6a1 Adds support for overriding host/port/appname onError. Fixes #91
  • e45ef63 Merge pull request #85 from stevelacy/patch-1
  • ef56795 Update license attribute
  • 80a4c0d Merge pull request #72 from dhruska/master
  • 0783a5c Typo fix in README
  • b4e95ec Merge pull request #71 from Andorbal/master

See the full diff

Package name: request-promise The new version differs by 45 commits.
  • 9b533b0 Version 4.0.0
  • 796b317 docs: updated for v4 release
  • 6833954 chore: updated promise-core
  • 8aa5d1a docs: updated instructions for running request tests
  • e791f17 feat: better error message for missing peer dependency
  • 8c42fda feat: inform about dropped CLS support
  • 82ed81d docs: added change for the upcoming v4 release
  • 510e272 docs: listed changes for the upcoming v4 release
  • b963290 docs: grammar
  • 1cc3202 feat: full reimplementation using (at)request/promise-core
  • 56a6fa1 Merge pull request #118 from jmm/api-opt-defaults
  • 2b1c11b Add default opt values to API docs
  • 061a6ae chore: node v6 support
  • 364ec40 chore: improved formatting
  • 7a5522f fix: typo
  • ee171f9 Merge pull request #115 from EvanCarroll/master
  • c3bb0dc updated to better differentiate json/html forms because underlying request.pm is really bad at giving a sane error here.
  • 2854e04 Version 3.0.0
  • 32d988a fix: TransformError for transform that returns rejected Promise
  • 296b08d feat: apply transform to non-200 responses also in simple mode (issue #86)
  • 0cfa8f2 feat: introduced TransformError for failed transforms
  • d678f35 refactor: error attribute assignment
  • 2ad8792 feat: better StatusCodeError.message
  • dcd18ad v3 not yet released

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lfox91 @snyk-bot