Skip to content

[Snyk] Fix for 23 vulnerabilities#24

Open
dippyhippy wants to merge 1 commit intomasterfrom
snyk-fix-525b54c616c7bdbb4be49d21790a77f8
Open

[Snyk] Fix for 23 vulnerabilities#24
dippyhippy wants to merge 1 commit intomasterfrom
snyk-fix-525b54c616c7bdbb4be49d21790a77f8

Conversation

@dippyhippy
Copy link
Copy Markdown
Owner

@dippyhippy dippyhippy commented Nov 28, 2023

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908		 No Proof of Concept
critical severity 679/1000
Why? Has a fix available, CVSS 9.3		 Incomplete List of Disallowed Inputs
SNYK-JS-BABELTRAVERSE-5962463		 No No Known Exploit
medium severity 641/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.4		 Prototype Pollution
SNYK-JS-JSON5-3182856		 No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905		 No Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2		 Command Injection
SNYK-JS-LODASH-1040724		 No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-450202		 No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-608086		 No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-73638		 No Proof of Concept
medium severity 541/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 4.4		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-73639		 No Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MINIMATCH-1019388		 No No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MINIMATCH-3050818		 No No Known Exploit
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7		 Prototype Pollution
SNYK-JS-MINIMIST-2429795		 No Proof of Concept
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6		 Prototype Pollution
SNYK-JS-MINIMIST-559764		 No Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Server-side Request Forgery (SSRF)
SNYK-JS-REQUEST-3361831		 Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795		 No Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Prototype Pollution
SNYK-JS-TOUGHCOOKIE-5672873		 Yes Proof of Concept
medium severity 596/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.5		 Arbitrary Code Injection
SNYK-JS-UNDERSCORE-1080984		 No Proof of Concept
low severity 354/1000
Why? Has a fix available, CVSS 2.8		 Insecure use of /tmp folder
npm:cli:20160615		 No No Known Exploit
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3		 Prototype Pollution
npm:lodash:20180130		 No Proof of Concept
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:mime:20170907		 Yes No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
npm:minimatch:20160620		 No No Known Exploit
medium severity 469/1000
Why? Has a fix available, CVSS 5.1		 Remote Memory Exposure
npm:request:20160119		 Yes No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
npm:semver:20150403		 No No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: nano The new version differs by 73 commits.
  • 8e52b3d remove old migration guide
  • 7e0d61d 9.0.0 README
  • 8655d40 Replace request with axios (#208)
  • 77224eb 8.2.3
  • 70cf681 8.2.2
  • 386e3e3 master --> main (#232)
  • c7751ae Merge pull request #226 from YC/info
  • 2804eac Add nano.info()
  • f04b24f improve MangoSelector TypeScript type - fixes issue #211 (#212)
  • 2699b78 8.2.1
  • f4909bc do not publish tests in npm package
  • 079ed5e stricter TypeScript definitions with tsc --strict, fixes issue #209 (#210)
  • de624b4 Fix markdown link in the menu
  • 9994f85 allow fetch to return errors as well as successes - fixes issue #203 (#204)
  • ee50585 improve TypeScript definitions for Mango selectors - fixes issue #202 (#205)
  • 0e2b69e fixed TypeScript definitions for follow functions - fixes issue #194 (#206)
  • 530cc60 switch to CouchDB 3 for the Travis tests - no admin party in CouchDB 3 (#207)
  • befbcd9 compatibility with nodejs-cloudant
  • 037a473 ensure TypeScript definitions are sound during testing (#201)
  • df6c040 Make sure nano works with _local docs (#200)
  • 3d23bb9 Bugfix (nano.d.ts): DocumentScope.atomic method returns a customizable data structure (#187)
  • ff5f425 Bugfix(README.md): Fixed typo (#188)
  • b9c5583 Fix for issue 189 (#190)
  • 0aa530a typescript definition for built-in reduce function in view's document (#192)

See the full diff

Package name: noflo The new version differs by 250 commits.
  • a1187c6 Bump
  • d1c13f2 Update Flowhub docs link
  • 49cfb8b Update fbp-protocol link
  • b25001e Update MsgFlo link
  • 9757b8d Merge pull request #534 from noflo/update_copyrights
  • f84ca06 Reassign copyrights
  • a790ba4 Make 'grunt test' run the build task instead of duplicating
  • 593a39d Bump
  • 05d38ad Document WirePattern Process API changes, refs #526
  • 452c57f Merge pull request #526 from noflo/process_wirepattern
  • 6ceab6f Merge pull request #532 from noflo/fix_null_undefined
  • efaba77 Fix ip.data turned from null to undefined
  • 76d10c6 Provide postpone/resume functions that throw a more user-friendly error
  • 4db7e7b Plug deprecation warnings back in
  • 9d15d3c Collation support for WirePattern group and field options in Process API
  • 5d322e2 Initial support for collating inputs by field
  • 4d4413e More consistent wrapper naming
  • 589e445 Make it possible to force WirePattern into legacy mode, either via env vars or with a config key
  • 2553bcd Expose component instance
  • 194ae10 Move more component initialization to proper befores
  • da8a8bf Move more component initialization to proper befores
  • 17ce316 With Process API the garbage collection tests don't make sense
  • 36ef4b3 Better debug message for WP legacy fallback
  • b3a21a4 Prevent multiple dones

See the full diff

Package name: noflo-flow The new version differs by 53 commits.
  • 3edfa58 Bump
  • 7a1ca17 Merge pull request #90 from noflo/process_api
  • 65249f6 Port Collate to Process API
  • ba5c436 Remove legacy graph
  • 062b40d Remove unused dependencies
  • f026ae6 Port Throttle to Process API
  • 810acae Port Stop to Process API
  • c6b7434 Port ReverseSplit to Process API
  • 5da7836 Port Reorder to Process API
  • 6c1d84e Port HasGroup to Process API
  • abbf3e8 Port Gate to Process API
  • e214267 Port Fork to Process API
  • 0a38447 Port Deny to Process API
  • e7de993 Port CountedMerge to Process API
  • 38b8b0c Port CountDown to Process API
  • b085aaa Port Concat to Process API
  • ec2ade7 Port CollectUntilIdle to Process API
  • fa08d7f Port CleanSplit to Process API
  • fec3254 Port CleanDisconnect to Process API
  • 8775f94 Port Accept to Process API
  • cab587a Depend on NoFlo 0.8
  • d60fdd6 Remove obsolete grunt-noflo-manifest
  • fc3bfc0 Remove obsolete component.io manifest
  • a6d779f Merge pull request #87 from noflo/greenkeeper/chai-4.0.0

See the full diff

Package name: noflo-nodejs The new version differs by 155 commits.
  • 0862625 Update deploy token
  • 68acfa5 Bump
  • bb0febb Merge pull request #108 from noflo/greenkeeper/noflo-0.8.0
  • a53b838 Update noflo-runtime-websocket
  • daba6d3 fix(package): update noflo-runtime-websocket to version 0.8.0
  • bc980e8 Update fbp-protocol
  • 466f815 Update noflo-runtime-base
  • 28958a2 fix(package): update noflo-runtime-base to version 0.8.1
  • 0b3d74c Update noflo-core
  • a267845 Merge remote-tracking branch 'origin/greenkeeper/noflo-runtime-base-0.8.0' into greenkeeper/noflo-0.8.0
  • b07d13f fix(package): update noflo-runtime-base to version 0.8.0
  • b94f99f fix(package): update noflo to version 0.8.0
  • 9959355 Merge pull request #104 from noflo/greenkeeper-flowhub-registry-0.1.0
  • 7dc1480 chore(package): update flowhub-registry to version 0.1.0
  • 2aed272 Merge pull request #84 from noflo/greenkeeper-password-maker-1.1.3
  • 0dea76d chore(package): update password-maker to version 1.1.3
  • 7a67f5d Merge pull request #103 from noflo/update_dependencies
  • 07e76bf Update yargs
  • 5856f71 Merge remote-tracking branch 'origin/greenkeeper-coffee-script-1.12.1' into update_dependencies
  • 7d579fa Merge remote-tracking branch 'origin/greenkeeper-uuid-3.0.1' into update_dependencies
  • 387380b Use fbp-protocol to increase test coverage
  • dd26982 Start preparing fbp-protocol tests
  • 39ffa21 chore(package): update yargs to version 6.6.0
  • 3b76503 chore(package): update coffee-script to version 1.12.1

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn

@snyk-bot
fix: package.json to reduce vulnerabilities
417157b 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-BABELTRAVERSE-5962463
- https://snyk.io/vuln/SNYK-JS-JSON5-3182856
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-1019388
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-3050818
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-SEMVER-3247795
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
- https://snyk.io/vuln/npm:cli:20160615
- https://snyk.io/vuln/npm:lodash:20180130
- https://snyk.io/vuln/npm:mime:20170907
- https://snyk.io/vuln/npm:minimatch:20160620
- https://snyk.io/vuln/npm:request:20160119
- https://snyk.io/vuln/npm:semver:20150403
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dippyhippy @snyk-bot