New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 17 vulnerabilities #2

Merged

0xSebin merged 1 commit into master from snyk-fix-6bc8d7ee57485152ab3d7772d903d1ab

Feb 19, 2022

snyk-bot commented Feb 19, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- examples/using-javascript-transforms/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-CSSWHAT-1298035	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-NODEFORGE-2330875	Yes	Proof of Concept
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-NODEFORGE-2331908	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Certificate Validation SNYK-JS-NODESASS-1059081	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-NTHCHECK-1586032	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Command Injection SNYK-JS-REACTDEVUTILS-1083268	Yes	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: gatsby

The new version differs by 250 commits.

441e6da chore(release): Publish
ed1a9b5 fix(gatsby-cli): relax error location validation and ignore extra fields (fix(gatsby-cli): relax error location validation and ignore extra fields gatsbyjs/gatsby#34559) (fix(gatsby-cli): relax error location validation and ignore extra fields (#34559) gatsbyjs/gatsby#34588)
e39f6cd fix(gatsby): don't remove onPluginInit in graphql-engine (fix(gatsby): don't remove onPluginInit in graphql-engine gatsbyjs/gatsby#34558) (fix(gatsby): don't remove onPluginInit in graphql-engine (#34558) gatsbyjs/gatsby#34586)
17e8698 feat(gatsby-plugin-gatsby-cloud): request customer feedback (feat(gatsby-plugin-gatsby-cloud): request customer feedback gatsbyjs/gatsby#34471)
94ffe33 chore(docs): Update client-only self-hosting instructions (chore(docs): Update client-only self-hosting instructions gatsbyjs/gatsby#34537)
e1e55c9 chore(docs): Update FS route api client only splat description (chore(docs): Update FS route api client only splat description gatsbyjs/gatsby#34546)
e9cd0ba chore(docs): Update links on gatsby-for-ecommerce (chore(docs): Update links on gatsby-for-ecommerce gatsbyjs/gatsby#34517)
1f28c1c chore(changelogs): update changelogs (chore(changelogs): update changelogs gatsbyjs/gatsby#34544)
d20c97b fix: add missing dependencies (fix: add missing dependencies gatsbyjs/gatsby#28759)
42ed5ef fix(plugin-schema-snapshot): unlink file on init (fix(plugin-schema-snapshot): unlink file on init gatsbyjs/gatsby#34527)
195188c docs(migrating-from-v3-to-v4): correct getNode snippet (docs(migrating-from-v3-to-v4): correct getNode snippet gatsbyjs/gatsby#34543)
d39265f docs(migrating-from-v2-to-v3): correct getNode snippet (docs(migrating-from-v2-to-v3): correct getNode snippet gatsbyjs/gatsby#34542)
bb85cef chore(release): Publish next
022ce14 fix(deps): update starters and examples gatsby packages to ^4.5.4 (fix(deps): update starters and examples gatsby packages to ^4.5.4 gatsbyjs/gatsby#34541)
3954944 fix(gatsby-remark-images): regenerate markdown when used image changes (fix(gatsby-remark-images): regenerate markdown when used image changes gatsbyjs/gatsby#34433)
f5bb0b6 chore(circleci): pin renovate cli version (chore(circleci): pin renovate cli version gatsbyjs/gatsby#34536)
77e4bb0 fix(gatsby): handle session storage not being available (fix(gatsby): handle session storage not being available gatsbyjs/gatsby#34525)
d2ba1f9 perf: move id: eq fast path handling to node-model so it's shared between query running strategies (perf: move id.eq fast path handling to node-model so it's shared between query running strategies gatsbyjs/gatsby#34520)
a3fa646 feat(gatsby-sharp): create more resilient wrapper around sharp (feat(gatsby-sharp): create more resilient wrapper around sharp gatsbyjs/gatsby#34339)
d319983 chore(changelogs): update changelogs (chore(changelogs): update changelogs gatsbyjs/gatsby#34521)
f10d0e5 feat(gatsby): content sync debugging tweaks (feat(gatsby): content sync debugging tweaks gatsbyjs/gatsby#34487)
15e549c fix(deps): update starters and examples - gatsby (fix(deps): update starters and examples - gatsby gatsbyjs/gatsby#34515)
7387918 chore(docs): Update links on plugins overview doc (chore(docs): Update links on plugins overview doc gatsbyjs/gatsby#34479)
44b2ef5 fix(create-gatsby): Respect telemetry disable (fix(create-gatsby): Respect telemetry disable gatsbyjs/gatsby#34495)

See the full diff

Package name: gatsby-transformer-remark

The new version differs by 250 commits.

e98cb62 chore(release): Publish
164f9a1 fix(gatsby-source-contentful): De-dupe type names (fix(gatsby-source-contentful): De-dupe type names gatsbyjs/gatsby#30834) (fix(gatsby-source-contentful): De-dupe type names (#30834) gatsbyjs/gatsby#30850)
0b99d00 fix(gatsby): webpack warnings are no longer in object format by default (fix(gatsby): webpack warnings are no longer in object format by default gatsbyjs/gatsby#30801) (fix(gatsby): webpack warnings are no longer in object format by default (#30801) gatsbyjs/gatsby#30853)
f561724 fix(gatsby): lower memory pressure in SSR (fix(gatsby): lower memory pressure in SSR gatsbyjs/gatsby#30793) (fix(gatsby): lower memory pressure in SSR (#30793) gatsbyjs/gatsby#30851)
96805d5 fix(gatsby-source-wordpress): change `console.warning` to `console.warn` (fix(gatsby-source-wordpress): error when sourcing nodes, change console.warning to console.warn gatsbyjs/gatsby#30764) (fix(gatsby-source-wordpress): change console.warning to console.warn (#30764) gatsbyjs/gatsby#30852)
e40c83d chore(release): Publish next
a5b5cf8 feat: upgrade to remark 13 (feat: upgrade to remark 13 gatsbyjs/gatsby#29678)
172cf4d chore(docs): Add link to perf implications siteContext (chore(docs): Add link to perf implications siteContext gatsbyjs/gatsby#30778)
4336d04 fix(gatsby-plugin-gatsby-cloud): Add missing index.js (so the plugin can be resolved in workspaces) (fix(gatsby-plugin-gatsby-cloud): Add missing index.js (so the plugin can be resolved in workspaces) gatsbyjs/gatsby#30761)
2bdd5a5 fix(gatsby-source-wordpress): only log out duplicate node if we have all the data we want to log (fix(gatsby-source-wordpress): only log out duplicate nodes if we have all the data we want to log gatsbyjs/gatsby#30751)
1a9b830 fix(gatsby-plugin-image): Don't inherit all img styles (fix(gatsby-plugin-image): Allow draggable=false on images gatsbyjs/gatsby#30754)
e0df4cc chore(docs): Change "whitelist" to "allow list" (chore(docs): Change "whitelist" to "allow list" gatsbyjs/gatsby#30756)
81ec270 chore: Add backport script (chore: Add backport script gatsbyjs/gatsby#30732)
63cc8fa fix(docs): Copy edits for debugging html doc + add React-specific example (fix(docs): Copy edits for debugging html doc + add React-specific example gatsbyjs/gatsby#30745)
eed1d43 fix(docs): Add link to how to enable DEV_SSR for fixing inconsistent css styles between dev/prod (fix(docs): Add link to how to enable DEV_SSR for fixing inconsistent css styles between dev/prod gatsbyjs/gatsby#30746)
ecd823f perf(gatsby): cache babel config items (perf(gatsby): cache babel config items gatsbyjs/gatsby#28738)
a60e92f chore(release): Publish next
dd9e95c docs(gatsby-plugin-image): Note on tracedSVG options name change (docs(gatsby-plugin-image): Note on tracedSVG options name change gatsbyjs/gatsby#30736)
a5869e3 fix(gatsby-plugin-image): Use bare GATSBY___IMAGE global (fix(gatsby-plugin-image): Use bare GATSBY___IMAGE global gatsbyjs/gatsby#30713)
0f3fa4e fix(contentful): make gatsby-plugin-image a peer dependency (fix(contentful): make gatsby-plugin-image a peer dependency gatsbyjs/gatsby#30709)
6b2fd94 fix(gatsby-source-wordpress): pass missing property helpers to gql fetch util (fix(gatsby-source-wordpress): pass missing property "helpers" to gql fetch util gatsbyjs/gatsby#30727)
c6fa488 chore(docs): Update wording of tutorial part 8 (chore(docs): Update wording of tutorial part 8 gatsbyjs/gatsby#30606)
a777367 fix(gatsby-cli): Update docs links in error-map (fix(gatsby-cli): Update docs links in error-map gatsbyjs/gatsby#30493)
c473abf chore(docs): include autoprefixer in tailwind install command (chore(docs): include autoprefixer in tailwind install command gatsbyjs/gatsby#30718)

See the full diff

Package name: node-sass

The new version differs by 74 commits.

99242d7 7.0.1
77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 ([gatsby-remark-copy-linked-files] Add support for HTML <audio> gatsbyjs/gatsby#3224)
c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (_styledComponents.ServerStyleSheet is not a constructor error gatsbyjs/gatsby#3209)
918dcb3 Lint fix
0a21792 Set rejectUnauthorized to true by default (update docs org gatsbyjs/gatsby#3149)
e80d4af chore: Drop EOL Node 15 ([gatsby-image] Support image loading with JavaScript disabled gatsbyjs/gatsby#3122)
d753397 feat: Add Node 17 support (Using YML files as Markdown gatsbyjs/gatsby#3195)
dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0
bfa1a3c build(deps): bump actions/setup-node from 2.4.0 to 2.4.1
80d6c00 chore: Windows x86 on GitHub Actions (Add Gatsby Project to Showcase Section gatsbyjs/gatsby#3041)
566dc27 build(deps-dev): bump fs-extra from 0.30.0 to 10.0.0 (Gatsby doesn't extract graphql from TypeScript files gatsbyjs/gatsby#3102)
7bb5157 build(deps): bump npmlog from 4.1.2 to 5.0.0 ([gatsby-remark-code-repls] Add Ramda REPL gatsbyjs/gatsby#3156)
2efb38f build(deps): bump chalk from 1.1.3 to 4.1.2 (Rough draft of instructions for adding tags/categories gatsbyjs/gatsby#3161)
fca5257 build(deps): bump actions/setup-node from 2.3.0 to 2.4.0
6200b21 docs: Double word "support" (Consider removing words that shouldn't be used in educational writing from the docs (simply, easily, just) gatsbyjs/gatsby#3159)
eaf791a build(deps): bump actions/setup-node from 2.1.5 to 2.3.0
16b8d4b build(deps): bump coverallsapp/github-action from 1.1.2 to 1.1.3
c167004 6.0.1
911d4db remove mkdirp dep (Updates sitemap example URL gatsbyjs/gatsby#3108)
30a52f7 build(deps): bump meow from 3.7.0 to 9.0.0
7e08463 build(deps-dev): bump mocha from 8.4.0 to 9.0.1
cfcbb2c chore: Use default Apline version from docker-node (Can't use graphql in onCreateNode gatsbyjs/gatsby#3121)
886319b chore: Drop Node 10 support
c908f4f fix: Bump OSX minimum to 10.11

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


          fix: examples/using-javascript-transforms/package.json to reduce vuln…

9e31ffc

…erabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-CSSWHAT-1298035
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2330875
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2331908
- https://snyk.io/vuln/SNYK-JS-NODESASS-1059081
- https://snyk.io/vuln/SNYK-JS-NTHCHECK-1586032
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
- https://snyk.io/vuln/SNYK-JS-REACTDEVUTILS-1083268
- https://snyk.io/vuln/SNYK-JS-TAR-1536528
- https://snyk.io/vuln/SNYK-JS-TAR-1536531
- https://snyk.io/vuln/SNYK-JS-TAR-1536758
- https://snyk.io/vuln/SNYK-JS-TAR-1579147
- https://snyk.io/vuln/SNYK-JS-TAR-1579152
- https://snyk.io/vuln/SNYK-JS-TAR-1579155
- https://snyk.io/vuln/SNYK-JS-TRIM-1017038
- https://snyk.io/vuln/SNYK-JS-TRIMNEWLINES-1298042

0xSebin merged commit 404d718 into master

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment