New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Security upgrade @uppy/companion from 0.17.5 to 4.0.0 #123

Open

snyk-bot wants to merge 1 commit into master from snyk-fix-2f81dc2b2afbee507785737d8a5c2607

snyk-bot commented Sep 26, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- packages/@uppy/companion/examples/serverless/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-AWSSDK-1059424	Yes	Proof of Concept
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Configuration Override SNYK-JS-HELMETCSP-469436	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASHMERGE-173732	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASHMERGE-173733	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-REDIS-1255645	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-UPPYCOMPANION-2414367	Yes	Proof of Concept
	679/1000 Why? Has a fix available, CVSS 9.3	Server-side Request Forgery (SSRF) SNYK-JS-UPPYCOMPANION-574719	Yes	No Known Exploit
	679/1000 Why? Has a fix available, CVSS 9.3	Server-side Request Forgery (SSRF) SNYK-JS-UPPYCOMPANION-609858	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @uppy/companion

The new version differs by 250 commits.

aa4548b Merge 071974c into ac10c6d
071974c Nest 3.0-beta changelogs in 3.0 release
8c1a5e1 @ uppy/react-native is beta still
3fe8707 Release: uppy@3.0.0
ac10c6d Update README.md
f3aeac4 Update README.md
da27a55 meta: Use RemoteSources in readme example (meta: Use RemoteSources in readme example transloadit/uppy#4030)
8773dcd Add migration guide for Uppy 3.x, Companion 4.x, and Robodog (Add migration guide for Uppy 3.x, Companion 4.x, and Robodog transloadit/uppy#3913)
7d74d3a example: upgrade React example to use React 18 (example: upgrade React example to use React 18 transloadit/uppy#4002)
bbcc146 readme: Use new ESM syntax (readme: Use new ESM syntax transloadit/uppy#4028)
ee83d33 fixup! meta: fix linter failures (meta: fix linter failures transloadit/uppy#4029)
524b783 @ uppy/vue: move `@ uppy/` packages to peer dependencies (@uppy/vue: move @uppy/ packages to peer dependencies transloadit/uppy#4024)
70a4615 meta: fix linter failures (meta: fix linter failures transloadit/uppy#4029)
4bb9988 @ uppy/robodog: remove package (@uppy/robodog: remove package transloadit/uppy#3946)
bef7b58 example: migrate `digitalocean-spaces` to ESM (example: migrate digitalocean-spaces to ESM transloadit/uppy#4015)
183187d example: replace Robodog example with Transloadit + RemoteSources + Form (example: replace Robodog example with Transloadit + RemoteSources + Form transloadit/uppy#4027)
0da66ff website: replace Robodog example with Uppy plugins (website: replace Robodog example with Uppy plugins transloadit/uppy#4026)
d7180db @ uppy/tus, @ uppy/xhr-upload, @ uppy/aws-s3: `metaFields` -> `allowedMetaFields` (@uppy/tus, @uppy/xhr-upload, @uppy/aws-s3: metaFields -> allowedMetaFields transloadit/uppy#4023)
089aaed example: showcase migration out of Robodog (example: showcase migration out of Robodog transloadit/uppy#4021)
ff2eed4 example: fix Svelte dev mode (example: fix Svelte dev mode transloadit/uppy#4025)
5353874 example: fix docs and env for Vite examples (example: fix docs and env for Vite examples transloadit/uppy#4018)
97c6507 @ uppy/tus: avoid crashing when Tus client reports an error (@uppy/tus: avoid crashing when Tus client report an error before any … transloadit/uppy#4019)
ef7cbea @ uppy/react: move `@ uppy/` packages to peer dependencies (@uppy/react: move @uppy/ packages to peer dependencies transloadit/uppy#4004)
7c460f3 core: uppy.addFile should accept browser File objects (core: uppy.addFile should accept browser File objects transloadit/uppy#4020)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn


          fix: packages/@uppy/companion/examples/serverless/package.json to red…

e4a098f

…uce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AJV-584908
- https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424
- https://snyk.io/vuln/SNYK-JS-HAWK-2808852
- https://snyk.io/vuln/SNYK-JS-HELMETCSP-469436
- https://snyk.io/vuln/SNYK-JS-LODASHMERGE-173732
- https://snyk.io/vuln/SNYK-JS-LODASHMERGE-173733
- https://snyk.io/vuln/SNYK-JS-REDIS-1255645
- https://snyk.io/vuln/SNYK-JS-UPPYCOMPANION-2414367
- https://snyk.io/vuln/SNYK-JS-UPPYCOMPANION-574719
- https://snyk.io/vuln/SNYK-JS-UPPYCOMPANION-609858
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090599
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090600
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090601
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090602
- https://snyk.io/vuln/SNYK-JS-WS-1296835

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment