New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 18 vulnerabilities #77

Open

snyk-bot wants to merge 1 commit into master from snyk-fix-1575460c867aedc69f19cebe127b9753

snyk-bot commented Apr 12, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- examples/preact/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-LOADERUTILS-3043105	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MERGE-1040469	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MERGE-1042987	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-NODEFORGE-2330875	Yes	Proof of Concept
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-NODEFORGE-2331908	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430337	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430339	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430341	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-NTHCHECK-1586032	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-PROMPTS-1729737	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Command Injection SNYK-JS-REACTDEVUTILS-1083268	Yes	Proof of Concept
	619/1000 Why? Has a fix available, CVSS 8.1	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-536840	No	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Arbitrary Code Injection SNYK-JS-SERIALIZEJAVASCRIPT-570062	No	Proof of Concept
	619/1000 Why? Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @svgr/webpack

The new version differs by 250 commits.

af9a6cb v6.0.0
e9469c3 Merge pull request Doc : fix obsolete doc of switches mui/material-ui#629 from gregberge/rewriting-docs
eb3282b docs: rewriting
6f832f0 Merge pull request In Safari, focus-ripple doesn't pulsate mui/material-ui#627 from gregberge/support-css-variables
cbdb47f fix: support CSS variables
985444d chore: fix package-lock.json
a5effba v6.0.0-alpha.4
3f071d6 Merge pull request Fix: display flat-button's background correctly when focused mui/material-ui#626 from gregberge/upgrade-deps
daf6a08 chore(deps): upgrade
1c5f163 Merge pull request Issues when flat button is focused with a keyboard mui/material-ui#625 from gregberge/icon-size
483560d chore: fix package-lock.json
3c0b779 feat: allow to specify icon size
6ba16a3 Merge pull request Fix typo in property name mui/material-ui#624 from gregberge/various-things
f61c8ba chore: fix ref following refactoring
261e1b5 v6.0.0-alpha.3
fe5c117 Merge pull request Replace all instances of getDOMNode with findDOMNode mui/material-ui#623 from gregberge/webpack
9a4cbce docs(examples): update examples
1a8cc98 fix(webpack): fix webpack 5 behaviour with url-loader
a857bb1 feat: support mask-type property (Consistently use contentFontFamily as a theme property mui/material-ui#621)
5966714 fix(template): make it possible to use type in template (Font-family is not set correctly on buttons mui/material-ui#619)
9ea5da4 refactor(core): use exportName transform (bundle jsx and react-tools as dev-dependencies mui/material-ui#616)
8a1b0aa docs(readme): Fixing CRA link (WebPack support mui/material-ui#618)
00a1d4b chore: fix package-lock.json
f729efa v6.0.0-alpha.2

See the full diff

Package name: css-loader

The new version differs by 71 commits.

634ab49 chore(release): 2.0.0
6ade2d0 refactor: remove unused file ([Slider] Take and use step props mui/material-ui#860)
e7525c9 test: nested url ([AppBar] Dark theme doesn't change AppBar color mui/material-ui#859)
7259faa test: css hacks ([ListItem] List/ListItem glitches mui/material-ui#858)
5e6034c feat: allow to filter import at-rules (Modular Card component mui/material-ui#857)
5e702e7 feat: allow filtering urls (Fixed syntax on example usage code mui/material-ui#856)
9642aa5 test: css stuff (Customize UI components: Toggle. mui/material-ui#855)
3338656 fix: reduce number of require for url (ListItem jump mui/material-ui#854)
533abbe test: issue 636 (Added size prop to progress component mui/material-ui#853)
08c551c refactor: better warning on invalid url resolution (run doc error mui/material-ui#852)
b0aa159 test: issue Time Picker Component mui/material-ui#589 (How to use table in material UI or is there any alternative method (for e.g list) mui/material-ui#851)
f599c70 fix: broken unucode characters (Button wrapped with Link from react-router does not work in Safari mui/material-ui#850)
1e551f3 test: issue 286 (How to use Icon ? mui/material-ui#849)
419d27b docs: improve readme ([LeftNav] Support show LeftNav with wipe gesture mui/material-ui#848)
d94a698 refactor: webpack-default ([toolbar-group] Fixed error when a child element is null mui/material-ui#847)
b97d997 feat: schema options
453248f fix: support module resolution in composes (gulp jshint.js mui/material-ui#845)
8a6ea10 refactor: postcss plugins ([Drop-down-menu] Added multiple items selection support mui/material-ui#844)
fdcf687 fix: url resolving logic ([menu] fix too long height on dropdownmenu and dropdownicon mui/material-ui#843)
889dc7f feat: allow to disable css modules and disable their by default ([Buttons] Adding full width (block) prop to button component mui/material-ui#842)
ee2d253 test: importLoaders option (CSS class position is overriden by internal inline style mui/material-ui#841)
1dad1fb feat: reuse postcss ast from other loaders (i.e `postcss-loader`) (#840)
fe94ebc test: icss reserved keywords ([Toolbar] firefox; appbar and toolbar not positioned correctly. mui/material-ui#839)
9eaba66 refactor: migrate on message api for postcss-icss-plugin (Readme Usage Typo mui/material-ui#838)

See the full diff

Package name: optimize-css-assets-webpack-plugin

The new version differs by 11 commits.

09d29b3 5.0.5
d0a7da7 feat(deps): update dependencies (DropDownMenu should not auto selectedIndex mui/material-ui#154)
41d1e23 Redirect to css-minimizer-webpack-plugin for webpack 5 or above
e9b84f1 5.0.4
b3a3ada Update dependencies (Remove @jsx pragma mui/material-ui#133)
0a410a9 5.0.3
71d09f3 Force npm version
eb7de19 5.0.2
110cc11 Upgrade dependency versions
5cdda05 small formatting improvements to README.md (Error in mixins/classable.js - need to require react/addons mui/material-ui#96)
64f8309 Handle query string in assetName (What about additional components mui/material-ui#82)

See the full diff

Package name: terser-webpack-plugin

The new version differs by 20 commits.

467f505 chore(release): 1.4.4
915e25b fix: security problem (raisedButton will reset state when receives new props mui/material-ui#257)
f816d96 chore(release): 1.4.3
68611d9 chore(release): 1.4.2
aa12914 chore(release): 1.4.1
bc19b72 fix: removed unnecessary dependency (Use of react-tap-event-plugin to enable onTouchTap mui/material-ui#111)
2b2cb8a chore(release): 1.4.0
9d777f0 feat: generate higher quality SourceMaps (Query related the HTML Version mui/material-ui#109)
45ddf2f chore(defaults): update (Fixes issue #106 mui/material-ui#110)
a0d8317 chore(release): 1.3.0
15d1595 feat: update terser to 4 version (Please port this library in Dart! mui/material-ui#97)
e5de064 chore(defaults): update (Error in mixins/classable.js - need to require react/addons mui/material-ui#96)
6d7aaa7 chore(release): 1.2.4
d9533dd fix: disable parallel on WSL due bugs (Add Slider component mui/material-ui#90)
449e0fc chore(defualts): update (sub items of the nested menu component not showing properly mui/material-ui#88)
3cdd2ed fix: fallback for cache directory (Enhancement of Dialog dismiss function mui/material-ui#86)
2388f2a docs: link on `terser-webpack-plugin-legacy` ([Snyk] Fix for 18 vulnerabilities #77)
22352b0 chore(release): 1.2.3
675edfd fix: invalidate cache after changing node version
6abc66c chore(defaults): update ([Snyk] Security upgrade next from 8.1.0 to 9.3.4 #72)

See the full diff

Package name: webpack-dev-server

The new version differs by 250 commits.

5280ee7 docs: fix typo
d834582 chore(release): 4.7.3
7b8c85b chore(deps): update `selfsigned` ([Form components] Set cursor:not-allowed style when disabled mui/material-ui#4170)
d598325 chore: fix lint
c1907f1 refactor: remove redundant `if` statements (Button ripple effect is not working in Firefox or IE11 mui/material-ui#4158)
e535f25 ci: debug ([FlatButton] icon props are not passed through mui/material-ui#4144)
75999bb chore(release): 4.7.2
90a96f7 ci: fix (rendertostaticmarkup not working with muitheme mui/material-ui#4143)
f6bc644 fix: compatible with `onAfterSetupMiddleware`
317e4b9 docs: fix testing instructions (Is react 15.x supported? mui/material-ui#4133)
ff4550e test: remove redundant test cases related to 3rd party code ([Tests] Switch coverage service for coveralls mui/material-ui#4131)
0dd1ee6 test: add e2e tests for `setupExitSignals` option ([Buttons] Fixed alignment related regressions mui/material-ui#4130)
afe4975 chore(release): 4.1.7
4e5d8ea fix: droped `url` package ([Tests] Switch coverage service for coveralls mui/material-ui#4132)
b0c98f0 chore(release): 4.7.0
3138213 chore(deps): update ([EnhancedButton] Fix keyboard focus jumping mui/material-ui#4127)
8f02c3f feat: added types
f4fb15f fix: update description of `onAfterSetupMiddleware` and `onBeforeSetupMiddleware` options ([Style] Add a withWidth HOC mui/material-ui#4126)
37b73d5 test: add e2e test for `WEBPACK_SERVE` env variable (Popover doesn't work if you have many of them on one page mui/material-ui#4125)
f5a9d05 chore(deps-dev): bump eslint from 8.4.1 to 8.5.0 ([Table] Add an ability to style a checkbox of table row mui/material-ui#4121)
c9b959f chore(deps): bump ws from 8.3.0 to 8.4.0 (something may dynamical make a css and conflict with style position:'fixed' mui/material-ui#4124)
42208aa chore(deps-dev): bump lint-staged from 12.1.2 to 12.1.3 ([EnhancedButton] Fix not setting focus when keyboardFocused prop set mui/material-ui#4122)
f440f84 chore(deps): bump express from 4.17.1 to 4.17.2 (It will be an Error when import Manu and ManuItem mui/material-ui#4120)
c13aa56 feat: added the `setupMiddlewares` option (Tab emits strange character? mui/material-ui#4068)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn


          fix: examples/preact/package.json to reduce vulnerabilities

508f2cb

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LOADERUTILS-3042992
- https://snyk.io/vuln/SNYK-JS-LOADERUTILS-3043105
- https://snyk.io/vuln/SNYK-JS-LOADERUTILS-3105943
- https://snyk.io/vuln/SNYK-JS-MERGE-1040469
- https://snyk.io/vuln/SNYK-JS-MERGE-1042987
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-3050818
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2330875
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2331908
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430337
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430339
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430341
- https://snyk.io/vuln/SNYK-JS-NTHCHECK-1586032
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
- https://snyk.io/vuln/SNYK-JS-PROMPTS-1729737
- https://snyk.io/vuln/SNYK-JS-REACTDEVUTILS-1083268
- https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-536840
- https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-570062
- https://snyk.io/vuln/SNYK-JS-SHELLQUOTE-1766506

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment