New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 10 vulnerabilities #309

Open

aliscco wants to merge 1 commit into master from snyk-fix-d98feb351389f5b573a55eb369402013

Owner

aliscco commented Apr 28, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- deps/npm/node_modules/qs/package.json
- deps/npm/node_modules/qs/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: eslint

The new version differs by 148 commits.

36ced0a 5.0.0
5fd5632 Build: changelog update for 5.0.0
0feedfd New: Added max-lines-per-function rule (fixes test: replace assert.equal with assert.strictEqual nodejs/node#9842) (test: refactor test-handle-wrap-close-abort nodejs/node#10188)
daefbdb Upgrade: eslint-scope and espree to 4.0.0 (refs lib,src: make constants not inherit from Object nodejs/node#10458) (test: basic functionalities of readFloatBE() nodejs/node#10500)
077358b Docs: no-process-exit: recommend process.exitCode (codeandlearn: use strictEqual instead of equal nodejs/node#10478)
f93d6ff Fix: do not fail on unknown operators from custom parsers (fixes Compile error: InspectorProtocol.cpp:23:5: error: 'snprintf' is not a member of 'std' nodejs/node#10475) (Arguments object scope not maintained within inner functions when using function shorthand () nodejs/node#10476)
05343fd Fix: add parens for yield statement (fixes Prevent EMFILE nodejs/node#10432) (Create a new function to listen to a server. nodejs/node#10468)
d477c5e Fix: check destructuring for "no-shadow-restricted-names" (fixes fs: runtime deprecation for fs.SyncWriteStream nodejs/node#10467) (v4.x: backport test: refactor and fix test-dns nodejs/node#10470)
7a7580b Update: Add considerPropertyDescriptor option to func-name-matching (about getter/setter nodejs/node#9078)
e0a0418 Fix: crash on optional catch binding (test: improve code in test-vm-symbols nodejs/node#10429)
de4dba9 Docs: styling team members (v4.x: backport test: fix test-buffer-slow nodejs/node#10460)
5e453a3 Docs: display team members in tables. (process: improve performance of nextTick (v4.x backport) nodejs/node#10433)
b1895eb Docs: Restore intentional spelling mistake (v6.x: backport test: fix test-buffer-slow nodejs/node#10459)
a9da57d 5.0.0-rc.0
3ac3df6 Build: changelog update for 5.0.0-rc.0
abf400d Update: Add ignoreDestructing option to camelcase rule (fixes test: refactor and fix test-crypto nodejs/node#9807) (v4.x: backport of "make configure file parseable on python3" nodejs/node#10373)
e2b394d Upgrade: espree and eslint-scope to rc versions (Debugger isn't stopped at the debugger; statement when debugging using --inspect nodejs/node#10457)
a370da2 Chore: small opt to improve readability (stream, test: add test for _readableState.needReadable nodejs/node#10241)
640bf07 Update: Fixes multiline no-warning-comments rule. (fixes [tests]Changed var -> const, assert.equal -> assert.strictEqual nodejs/node#9884) (doc: add Michaël Zasso to the CTC nodejs/node#10381)
831c39a Build: Adding rc release script to package.json (build: enable debugger tests in CI nodejs/node#10456)
dc4075e Update: fix false negative in no-use-before-define (fixes src: don't overwrite non-writable vm globals nodejs/node#10227) (test: improve test-cluster-worker-constructor.js nodejs/node#10396)
3721841 Docs: Add new experimental syntax policy to README (fixes test: refactor test-util-inspect nodejs/node#9804) (url: make WHATWG URL properties spec compliant nodejs/node#10408)
d0aae3c Docs: Create docs landing page (VM: VM is much slower when timeout was specified nodejs/node#10453)
fe8bec3 Fix: fix writing config file when `source` is `prompt` (Error: read ECONNRESET - HTTP post request from Meteor to Node js server nodejs/node#10422)

See the full diff

Package name: evalmd

The new version differs by 2 commits.

2482165 updated version
3034641 update lodash, _.contains to _.includes

See the full diff

Package name: safe-publish-latest

The new version differs by 8 commits.

f32d708 v2.0.0
189699b [meta] add `auto-changelog`
f44edd4 [Breaking] `getLatestError`: refactor to use Promises
222b068 [Breaking] add `exports`
a3f5337 [Breaking] `getLatestError`: remove unused `options` param
48455b3 [readme] remove travis badge; add github actions/codecov badges
3a8d144 [Breaking] drop node < 12
72dfebb [meta] editorconfig: ignore more stuff in coverage

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)


          fix: deps/npm/node_modules/qs/package.json & deps/npm/node_modules/qs…

bfc5dec

…/.snyk to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AJV-584908
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/npm:lodash:20180130


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/npm:lodash:20180130

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment