
[Snyk] Fix for 3 vulnerabilities #24

Open · wants to merge 1 commit into base `master`

Conversation

snyk-bot (Contributor)

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
| --- | --- | --- | --- | --- |
| medium severity | 551/1000. Why? Recently disclosed, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKDOWNIT-2331914 | No | No Known Exploit |
| medium severity | 658/1000. Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073 | Yes | Proof of Concept |
| medium severity | 658/1000. Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082 | Yes | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: markdownlint. The new version differs by 250 commits.
  • 2d19c06 Update to version 0.25.1.
  • 61bb059 Make all package.json dependency versions explicit for more deterministic installs.
  • 66d533d Update npx invocation to pass --yes to avoid prompting to install missing packages.
  • 23d8ed7 Add test case for custom rule that imports an ESM module (refs #477).
  • b1aef98 Empty commit to note that previous commit fixes #478.
  • f77eca0 Update dependency: markdown-it to 12.3.2.
  • 05b4b5f Update copyright year to 2022.
  • 02707cf Merge branch 'next' into main
  • 4ff4cbc Update to version 0.25.0.
  • e298e3d Include async/await function in custom rules test for asynchronous mode.
  • 11e9a20 Update dependency: globby to 12.0.2.
  • 05b9e6e Update dependency: strip-json-comments to 4.0.0.
  • 528758e Update dependencies: eslint to 8.5.0, eslint-plugin-jsdoc to 37.4.0.
  • fd24b95 Remove require("os") from helpers to reduce dependencies for browser scenarios.
  • 9ec14f1 Include custom rule markdownlint-rule-github-internal-links when validating project Markdown files.
  • 5f00406 Deep freeze name/tokens/lines/frontMatterLines properties of params object before passing to (custom) rules for shared access.
  • 5253669 Fix array indexing for markdownlint-disable-next-line when front matter is present.
  • 7a76f1d Update MD039/no-space-in-links to fix reference-style links, be slightly more permissive matching link content.
  • 064a1e3 Update Node version for TestRepos workflow from 12 to 16.
  • ff8f4ea Reduce execution time by ~50% by updating getEnabledRulesPerLineNumber to make enabledRules immutable and copy only when changed (also, simplify handleInlineConfig slightly).
  • 7cf9c2d Update MD037/no-space-in-emphasis to ignore embedded underscore emphasis markers (fixes #444, fixes #408, fixes #354, fixes #324).
  • 3e8d332 Add test for outdated ignore expressions to markdownlint-test-repos.
  • 6dea678 Update definition of helpers.isBlankLine to treat unterminated start/end comments as potentially blank lines (fixes #431).
  • 1b23976 Update dependencies: eslint-plugin-jsdoc to 37.2.8, eslint-plugin-unicorn to 39.0.0.

See the full diff

Package name: marked. The new version differs by 250 commits.
  • ae01170 chore(release): 4.0.10 [skip ci]
  • fceda57 🗜️ build [skip ci]
  • 8f80657 fix(security): fix redos vulnerabilities
  • c4a3ccd Merge pull request from GHSA-rrrm-qjm4-v8hf
  • d7212a6 chore(deps-dev): Bump jasmine from 4.0.0 to 4.0.1 (#2352)
  • 5a84db5 chore(deps-dev): Bump rollup from 2.62.0 to 2.63.0 (#2350)
  • 2bc67a5 chore(deps-dev): Bump markdown-it from 12.3.0 to 12.3.2 (#2351)
  • 98996b8 chore(deps-dev): Bump @babel/preset-env from 7.16.5 to 7.16.7 (#2353)
  • ebc2c95 chore(deps-dev): Bump highlight.js from 11.3.1 to 11.4.0 (#2354)
  • e5171a9 chore(release): 4.0.9 [skip ci]
  • 41990a5 🗜️ build [skip ci]
  • a9696e2 fix: retain line breaks in tokens properly (#2341)
  • 6aacd13 chore(deps-dev): Bump jasmine from 3.10.0 to 4.0.0 (#2343)
  • 55e5df9 chore(deps-dev): Bump @babel/core from 7.16.5 to 7.16.7 (#2344)
  • 4f4cab4 chore(deps-dev): Bump eslint-plugin-import from 2.25.3 to 2.25.4 (#2345)
  • 97ea9f2 chore(deps-dev): Bump eslint from 8.5.0 to 8.6.0 (#2346)
  • 4c3b853 chore(deps-dev): Bump rollup-plugin-license from 2.6.0 to 2.6.1 (#2347)
  • 9396896 chore(deps-dev): Bump rollup from 2.61.1 to 2.62.0 (#2338)
  • 103a56c chore(deps-dev): Bump @babel/preset-env from 7.16.4 to 7.16.5 (#2333)
  • be771c9 chore(deps-dev): Bump eslint from 8.4.1 to 8.5.0 (#2334)
  • 67d5a65 chore(deps-dev): Bump @babel/core from 7.16.0 to 7.16.5 (#2335)
  • 991493a chore(deps-dev): Bump eslint-plugin-promise from 5.2.0 to 6.0.0 (#2336)
  • 59375fb chore(release): 4.0.8 [skip ci]
  • 4734c82 🗜️ build [skip ci]

See the full diff

Package name: newman. The new version differs by 250 commits.
  • 62dbd15 Merge branch 'release/5.2.4'
  • 1052ecf Release v5.2.4
  • 0493253 Update dependencies
  • d94055c Merge branch 'release/5.2.3' into develop
  • ba2b4df Merge branch 'release/5.2.3'
  • c5aab0c Release v5.2.3
  • c597871 Update dependencies
  • 811d2d1 Merge pull request #2721 from Suhas-Gaikwad/patch-1
  • dcc5b9b Create SECURITY.md
  • 2a57036 Merge pull request #2692 from postmanlabs/dependabot/npm_and_yarn/postman-runtime-7.27.0
  • a02f666 Chore(deps): bump postman-runtime from 7.26.10 to 7.27.0
  • bc8dbe9 Merge pull request #2683 from postmanlabs/dependabot/npm_and_yarn/postman-collection-3.6.10
  • d8565e0 Merge pull request #2684 from postmanlabs/dependabot/npm_and_yarn/sinon-10.0.0
  • d16d0d4 Chore(deps): bump postman-collection from 3.6.9 to 3.6.10
  • 6651ad9 Merge pull request #2689 from postmanlabs/dependabot/npm_and_yarn/y18n-4.0.1
  • aa7785f Merge pull request #2693 from postmanlabs/dependabot/npm_and_yarn/semver-7.3.5
  • 57bc14a Merge pull request #2686 from postmanlabs/dependabot/npm_and_yarn/commander-7.2.0
  • 5a6cb9c Merge branch 'develop' into dependabot/npm_and_yarn/sinon-10.0.0
  • 760475c Merge pull request #2682 from postmanlabs/dependabot/npm_and_yarn/postman-request-2.88.1-postman.29
  • c814e15 Chore(deps): bump semver from 7.3.4 to 7.3.5
  • 3de8d0e Merge branch 'develop' into dependabot/npm_and_yarn/y18n-4.0.1
  • cfb1227 Merge pull request #2685 from postmanlabs/dependabot/npm_and_yarn/eslint-7.23.0
  • 6871d37 Merge pull request #2687 from postmanlabs/dependabot/npm_and_yarn/jsdoc-to-markdown-7.0.1
  • be037ab Merge branch 'develop' into dependabot/npm_and_yarn/postman-request-2.88.1-postman.29

See the full diff

Package name: typedoc. The new version differs by 250 commits.
  • 0cdc5a8 Bump version to 0.22.11
  • 08c0321 Upgrade dependencies
  • 3bc9c78 Merge pull request #1851 from stefanobaghino-da/bump-to-marked-4.0.10
  • d959b71 Restore v2 lockfile
  • 7732d3c Bump marked from 3.0.8 to 4.0.10
  • 70633ed Merge pull request #1849 from adeniszczyc/bug/anchor-links-offset-top
  • 3f501a3 Fix offset on member anchor links
  • d28c224 Update changelog to reflect recent commits
  • 05e32d3 Merge pull request #1843 from adeniszczyc/feat/anchor-links-hover-members
  • 59d312d Add support for anchor links on hover on members
  • a67e40b Merge pull request #1826 from dragomirtitian/feat-improve-index-loading-perf
  • 2767ae9 Changed how index is loaded to improve performance
  • 7ec2b26 Fix identical background for code and text
  • 4597587 Merge branch 'gh1832'
  • be3f5cb Merge pull request #1834 from matteobruni/issue-1803
  • 3c71fa7 build: added entry on changelog
  • 52c8c4f Fix namespaced names passed to addUnknownSymbolResolver
  • cc0e509 build: restored some files
  • cbe7292 feat: added cname options for CNAME file
  • 3f0dbea Merge pull request #1806 from srmagura/heading-line-height
  • 9548c4e Fix changelog entry under the wrong release
  • 7d4bc90 Merge pull request #1805 from srmagura/fix-example-typescript
  • e218745 Set line-height of all headings to 1.2
  • 3959776 Upgrade dependencies of example

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
  • 🧐 View latest project report
  • 🛠 Adjust project settings
  • 📚 Read more about Snyk's upgrade and patch logic
