New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 6 vulnerabilities #23

Open

Bhanditz wants to merge 1 commit into master from snyk-fix-95a604da156b49e9cd3472e9bd1f9035

Owner

Bhanditz commented Nov 25, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASHSET-1320032	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @semantic-release/github

The new version differs by 55 commits.

e328b76 fix(package): update @ octokit/rest to version 17.0.0
edc8b68 chore(package): update sinon to version 9.0.0
9416ec3 chore(package): update nock to version 12.0.0
b8711e6 chore(package): update xo to version 0.26.0
f71c98e chore(package): update tempy to version 0.4.0
3a5d3e4 fix(package): update https-proxy-agent to version 5.0.0
c1ae4ac fix: address `@ octokit/rest` deprecations (Update github to version 2.1.0 🚀 semantic-release/semantic-release#249)
e055e41 fix(package): update globby to version 11.0.0
eeb636d chore(package): update ava to version 3.1.0
3242d9f chore(package): update semantic-release to version 17.0.0
fb249b7 chore: require Node.js >=10.18
2a0a8f8 fix(package): update http-proxy-agent to version 4.0.0
b02a35b fix(package): update issue-parser to version 6.0.0
714929b ci: use shared Travis config from semantic-release master branch
c5f47b6 chore(package): update semantic-release to version 16.0.0
6c6a21a Merge remote-tracking branch 'origin/beta'
4c6cd03 Merge remote-tracking branch 'origin/master' into beta
2d0ad27 chore(package): update nyc to version 15.0.0
a36075c chore(package): update sinon to version 8.0.0
98bbcce Merge branch 'master' into beta
bd4322d feat: require Node.js >=10.13
7aaeb0f fix: use the `branch.main` flag to determine is the release need the `prerelease` flag
5ffcf51 style: prettier formatting
742b521 fix: use correct peerDependencies for semantic-release

See the full diff

Package name: @semantic-release/npm

The new version differs by 129 commits.

a15c017 feat: use npm v7 (Fix multiline affects semantic-release/semantic-release#304)
7338fc2 chore(deps): lock file maintenance (Fix 'home' link in package.json semantic-release/semantic-release#348)
cc771b8 docs(readme): fix postpublish script suggestion (This test run was triggered by a pull request... so cant release semantic-release/semantic-release#346)
1800e75 chore(deps): update dependency p-retry to v4.4.0 (ar semantic-release/semantic-release#345)
8af06fd chore(deps): lock file maintenance (ERR! - Multiple Errors when I... npm install -g semantic-release-cli semantic-release/semantic-release#344)
0be991b chore(deps): update dependency semantic-release to v17.3.9 (Update nopt to the latest version 🚀 semantic-release/semantic-release#343)
8c818d4 chore(deps): update dependency semantic-release to v17.3.8 (feat(errors): detect non-terminating errors and use appropriate exit code semantic-release/semantic-release#342)
219dbec chore(deps): lock file maintenance (Update commitizen config semantic-release/semantic-release#341)
94679ae chore(deps): update dependency delay to v5 (semantic-release WARN pre undefined semantic-release/semantic-release#337)
d93b5f0 chore(deps): lock file maintenance (Update github to the latest version 🚀 semantic-release/semantic-release#336)
97dcc9d chore(deps): lock file maintenance (Get "## commits to master since this release" working semantic-release/semantic-release#335)
722bc6a chore(deps): update dependency delay to v4.4.1 (docs(readme): fix link to how the CLI works semantic-release/semantic-release#334)
5593110 chore(deps): lock file maintenance (fix: use spawn instead of exec for 'git log' to avoid maxBuffer err semantic-release/semantic-release#332)
a35942e chore(deps): update dependency sinon to v9.2.4 (fix(commits): Use --no-color for git branch-command semantic-release/semantic-release#331)
bf48ca7 chore(deps): update dependency p-retry to v4.3.0 (fix: use travis-deploy-once to reenable travis-pro support semantic-release/semantic-release#330)
ef6ff42 chore(deps): update dependency semantic-release to v17.3.7 (Unable to run on Jenkins semantic-release/semantic-release#329)
49d7cf5 chore(deps): update dependency semantic-release to v17.3.6 (Update dependencies to enable Greenkeeper 🌴 semantic-release/semantic-release#327)
84a93e1 chore(deps): update dependency semantic-release to v17.3.5 (Update tap to version 8.0.0 🚀 semantic-release/semantic-release#326)
1fd4f08 chore(deps): update dependency semantic-release to v17.3.4 (Update github to version 5.3.3 🚀 semantic-release/semantic-release#325)
88e5862 fix: improve error message text for npm tokens (Update nock to version 9.0.0 🚀 semantic-release/semantic-release#323)
36c3373 chore(deps): update dependency semantic-release to v17.3.3 (Update nyc to version 8.3.2 🚀 semantic-release/semantic-release#321)
2500650 chore(deps): update dependency semantic-release to v17.3.2 (support for LTS, multiple majors, or service patches? semantic-release/semantic-release#320)
3edb9bc chore(deps): lock file maintenance (straddling multiple CI providers / test suites (e.g. Travis + AppVeyor) ? semantic-release/semantic-release#319)
87e8269 chore(deps): update dependency sinon to v9.2.3 (Update github to version 5.2.1 🚀 semantic-release/semantic-release#317)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Open Redirect
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn


          fix: package.json to reduce vulnerabilities

83727d8

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-GOT-2932019
- https://snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783
- https://snyk.io/vuln/SNYK-JS-LODASHSET-1320032
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment