New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 6 vulnerabilities #90

Open

mtdev2 wants to merge 1 commit into latest from snyk-fix-1e38fbb7bc98aa8adfa49643adb4f7f2

Owner

mtdev2 commented Nov 27, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	No	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	No	Proof of Concept
	469/1000 Why? Has a fix available, CVSS 5.1	Denial of Service (DoS) npm:mem:20180117	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: lock-verify

The new version differs by 5 commits.

b232554 2.2.2
5f9c66b update repo references
0b908c2 update deps
a6d8081 2.2.1
cd660d6 chore: add deprecation notice

See the full diff

Package name: node-gyp

The new version differs by 131 commits.

989abc7 v8.0.0: bump version and update changelog
0da2e01 gyp: update gyp to v0.8.1 (remove some unused modules npm/cli#2355)
0093ec8 gyp: Improve our flake8 linting tests
06ddde2 deps: sync mutual dependencies with npm
a5fd1f4 doc: add downloads badge (error cb() never called! npm/cli#2352)
0d8a6f1 ci: update actions/setup-node to v2 (refactor deprecate command and add tests npm/cli#2302)
1bd18f3 lib: drop Python 2 support in find-python.js (Release/v7.1.2 npm/cli#2333)
e81602e lib: migrate requests to fetch ([BUG] postpack script runs BEFORE the tarball has been generated and moved to its final destination. npm/cli#2220)
a78b584 gyp: remove support for Python 2 ([BUG] npm config removes _auth from .npmrc npm/cli#2300)
392b776 lib: avoid changing process.config ([BUG] NPM UPDATE removes dependencies npm/cli#2322)
c3c510d gyp: update gyp to v0.8.0 (Error when running 'npx cypress open' npm/cli#2318)
cc1cbce doc: update macOS_Catalina.md (test: add lib/shrinkwrap.js tests npm/cli#2293)
9e1397c gyp: update gyp to v0.7.0 ([BUG] Config environment variable forwarding breaks with false config values npm/cli#2284)
6287118 doc: updated README.md to copy easily ([BUG] cb() never called! npm/cli#2281)
15a5c7d ci: migrate deprecated grammar ([BUG] <title>npm ERR! cb() never called! npm/cli#2285)
66c0f04 doc: add missing `sudo` to Catalina doc
19e0f3c v7.1.1: bump version and update changelog
096e3ad gyp: update gyp to 0.6.2
54f97cd doc: add cmd to reset `xcode-select` to initial state
b9e3ad2 v7.1.1: bump version and update changelog
18bf2d1 deps: update deps to match npm@7
ee6a837 gyp: update gyp to 0.6.1
3e7f8cc lib: better log message when ps fails
7fb3143 test: GitHub Actions: Test on Python 3.9

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Open Redirect
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn


          fix: package.json & package-lock.json to reduce vulnerabilities

2ba8f1d

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-GOT-2932019
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
- https://snyk.io/vuln/npm:mem:20180117

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment