
[Snyk] Fix for 1 vulnerable dependencies #1114

Closed
wants to merge 1 commit into from

Conversation

snyk-bot
Contributor

@snyk-bot snyk-bot commented Jul 4, 2019

Description

This PR fixes one or more vulnerable packages in the yarn dependencies of this project.
See the Snyk test report for more details.

Snyk Project: postgraphql/postgraphql:package.json

Snyk Organization: benjie

Lockfile

If you are using package-lock.json or yarn.lock, please re-lock your dependencies and push an updated lockfile before merging this PR.

Changes included in this PR

  • A Snyk policy (.snyk) file, with updated settings.

Vulnerabilities that will be fixed

With a Snyk patch:

You can read more about Snyk's upgrade and patch logic in Snyk's documentation.

Check the changes in this PR to ensure they won't cause issues with your project.

Stay secure,
The Snyk team

Note: You are seeing this because you or someone else with access to this repository has authorised Snyk to open Fix PRs. To review the settings for this Snyk project please go to the project settings page.

The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
@benjie
Member

benjie commented Jul 4, 2019

Snyk has detected a prototype pollution vulnerability in the defaultsDeep method within the lodash package (a package that contains hundreds of utility methods for working with JavaScript). This could potentially be a very dangerous vulnerability if a remote attacker were able to exploit it. PostGraphile, along with roughly 4.3 million other projects, uses this package. The vulnerability has been fixed in lodash master but a new release of lodash is still pending.

I've searched our codebase and dependencies (with a recursive grep) for any mention of defaultsDeep, and the only hits were in the lodash package itself. Further, I've reviewed these hits within the lodash package; they are either the actual function itself, re-exports of the function, or comments referencing the function. No other lodash method seems to call defaultsDeep. I did not check the lodash/fp files as we do not use this, but I expect the results there will be similar. Therefore I believe PostGraphile to be UNAFFECTED by this vulnerability.

If you are concerned, I recommend that you use the snyk CLI to patch the issue in your applications.

More details can be found here:

https://snyk.io/vuln/SNYK-JS-LODASH-450202
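The vulnerability class referred to in the comment above, shown on a minimal defaults-deep merge. This is an added example, not lodash's implementation and not PostGraphile code: `defaultsDeepVulnerable`, `defaultsDeepSafe`, `runDemo` and the two JSON payloads are constructed here for illustration. It shows why a recursive merge that trusts every key in an untrusted document can write to `Object.prototype`, and what the hardened form has to refuse.

```javascript
'use strict';

// Added example (not lodash's code and not PostGraphile's): a minimal
// defaultsDeep-style merge in its vulnerable and hardened forms, to show
// the prototype pollution class referenced in the comment above.

// Lodash treats functions as objects too, which is what lets a walk through
// `constructor` (a function) reach `constructor.prototype`.
function isObjectLike(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// VULNERABLE: fills missing keys of `target` from `source`, recursing into any
// key that is object-like on both sides. For source keys "__proto__" or
// "constructor", `target[key]` resolves through the prototype chain, so the
// recursion lands on Object.prototype and writes attacker-chosen properties there.
function defaultsDeepVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const srcVal = source[key];
    const tgtVal = target[key];
    if (isObjectLike(tgtVal) && isObjectLike(srcVal)) {
      defaultsDeepVulnerable(tgtVal, srcVal);
    } else if (tgtVal === undefined) {
      target[key] = srcVal;
    }
  }
  return target;
}

// HARDENED: refuse the keys that name the prototype chain, only recurse into
// plain objects, and only look at the target's OWN properties.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function defaultsDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const srcVal = source[key];
    const tgtVal = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (isPlainObject(tgtVal) && isPlainObject(srcVal)) {
      defaultsDeepSafe(tgtVal, srcVal);
    } else if (tgtVal === undefined) {
      // Copy nested objects through the same filter instead of aliasing the input.
      target[key] = isPlainObject(srcVal) ? defaultsDeepSafe({}, srcVal) : srcVal;
    }
  }
  return target;
}

// Constructed payloads. JSON.parse creates "__proto__" as an OWN property,
// which is exactly what Object.keys() then hands to the merge.
const PROTO_PAYLOAD = '{"__proto__": {"polluted": true}}';
const CTOR_PAYLOAD = '{"constructor": {"prototype": {"polluted": true}}}';

// Merge an untrusted JSON document into fresh app options with `mergeFn`,
// report whether an unrelated empty object now sees `polluted`, and undo the
// pollution so one run does not leak into the next.
function runDemo(mergeFn, payloadJson) {
  const options = { port: 5432, db: { host: 'localhost' } };
  const merged = mergeFn(options, JSON.parse(payloadJson));
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { merged, polluted };
}

function report() {
  return {
    vulnerableProto: runDemo(defaultsDeepVulnerable, PROTO_PAYLOAD).polluted, // true
    vulnerableCtor: runDemo(defaultsDeepVulnerable, CTOR_PAYLOAD).polluted,   // true
    safeProto: runDemo(defaultsDeepSafe, PROTO_PAYLOAD).polluted,             // false
    safeCtor: runDemo(defaultsDeepSafe, CTOR_PAYLOAD).polluted,               // false
  };
}

console.log(report());
```

The two payloads reach `Object.prototype` by different routes (`__proto__` directly, `constructor` via the `prototype` property of the `Object` function), which is why the hardened version rejects all three key names rather than just `__proto__`. The grep check described in the comment above is the complementary control: a merge like this is only reachable by an attacker if something in the application calls it with untrusted input.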

@benjie
Member

benjie commented Aug 6, 2019

Fixed in 8f70cfa

@benjie benjie closed this Aug 6, 2019
@benjie benjie deleted the snyk-fix-5b1011062aff49889c350e9ea59b3b1c branch June 3, 2020 15:23