Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 19 vulnerabilities #68

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 19 vulnerabilities #68

wants to merge 1 commit into from

Conversation

snyk-bot
Copy link

@snyk-bot snyk-bot commented Aug 5, 2021

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 619/1000
Why? Has a fix available, CVSS 8.1		 Prototype Pollution
SNYK-JS-AJV-584908		 Yes No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905		 Yes Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2		 Command Injection
SNYK-JS-LODASH-1040724		 Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-450202		 Yes Proof of Concept
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3		 Prototype Pollution
SNYK-JS-LODASH-567746		 Yes Proof of Concept
critical severity 704/1000
Why? Has a fix available, CVSS 9.8		 Prototype Pollution
SNYK-JS-LODASH-590103		 Yes No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-608086		 Yes Proof of Concept
high severity 579/1000
Why? Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-73638		 Yes No Known Exploit
medium severity 434/1000
Why? Has a fix available, CVSS 4.4		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-73639		 Yes No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-174116		 Yes No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-451540		 Yes No Known Exploit
medium severity 520/1000
Why? Has a fix available, CVSS 5.9		 Regular Expression Denial of Service (ReDoS )
SNYK-JS-MARKED-584281		 Yes No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Prototype Pollution
SNYK-JS-MERGE-1040469		 Yes No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-MERGE-1042987		 Yes Proof of Concept
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6		 Prototype Pollution
SNYK-JS-MINIMIST-559764		 Yes Proof of Concept
high severity 635/1000
Why? Has a fix available, CVSS 8.2		 Information Disclosure
SNYK-JS-SEMANTICRELEASE-1041706		 Yes No Known Exploit
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6		 Prototype Pollution
SNYK-JS-YARGSPARSER-560381		 Yes Proof of Concept
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:braces:20180219		 Yes Proof of Concept
medium severity 469/1000
Why? Has a fix available, CVSS 5.1		 Denial of Service (DoS)
npm:mem:20180117		 Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: commitizen The new version differs by 94 commits.
  • e434901 fix(deps): update find-node-modules to ^2.1.2 (#824)
  • 12442c1 chore(release): use conventionalcommits preset in semantic-release (#793)
  • f2fad87 fix: revert "use cz-conventional-changelog as default adapter (#778)" (#792)
  • 2663ff4 chore(deps): update dependency uuid to v3.4.0 (#668)
  • d1481b9 chore(deps): update dependency semantic-release to v15.14.0 (#660)
  • 1e9dda8 chore(deps): bump node-fetch from 2.6.0 to 2.6.1 (#775)
  • 95a20d4 fix(cli): Exit CLI with 1(as failed) when received SIGINT (#736)
  • ba7eeb6 chore(renovate): Initial enhanced configuration (#786)
  • e6b75cb feat!: use cz-conventional-changelog as default adapter (#778)
  • a97e808 docs(readme): specify environment in code blocks (#781)
  • 4620006 chore(deps): pin dependencies (#651)
  • e22dd6c docs(readme.md): add new reference to new adapter (#780)
  • 3402fdd chore(deps): update babel monorepo (#728)
  • 1b813ce docs: update path to commitlint and commitlint adapter (#741)
  • 4929d03 fix: git-cz commit repoPath (#676)
  • c3c533f feat: use cz as binary name (#767)
  • f7257f8 fix(deps): update dependency inquirer to v6.5.2 (#664)
  • bf275d0 chore(deps): update dependency semver to v6.3.0 (#659)
  • 33a77cc chore(deps): update dependency babel-plugin-istanbul to v5.2.0 (#658)
  • 994f3b0 fix(cli): determine correct location of `COMMIT_EDITMSG` (#737)
  • c3a4542 chore(deps): update dependency nyc to v15.1.0 (#745)
  • 7a61389 docs: add adapter for jira (#748)
  • 2fbd7ea docs: Update `commitlint` adapter link (#751)
  • a333b08 docs: add cz-format-extension (#758)

See the full diff

Package name: eslint The new version differs by 148 commits.
  • 36ced0a 5.0.0
  • 5fd5632 Build: changelog update for 5.0.0
  • 0feedfd New: Added max-lines-per-function rule (fixes #9842) (#10188)
  • daefbdb Upgrade: eslint-scope and espree to 4.0.0 (refs #10458) (#10500)
  • 077358b Docs: no-process-exit: recommend process.exitCode (#10478)
  • f93d6ff Fix: do not fail on unknown operators from custom parsers (fixes #10475) (#10476)
  • 05343fd Fix: add parens for yield statement (fixes #10432) (#10468)
  • d477c5e Fix: check destructuring for "no-shadow-restricted-names" (fixes #10467) (#10470)
  • 7a7580b Update: Add considerPropertyDescriptor option to func-name-matching (#9078)
  • e0a0418 Fix: crash on optional catch binding (#10429)
  • de4dba9 Docs: styling team members (#10460)
  • 5e453a3 Docs: display team members in tables. (#10433)
  • b1895eb Docs: Restore intentional spelling mistake (#10459)
  • a9da57d 5.0.0-rc.0
  • 3ac3df6 Build: changelog update for 5.0.0-rc.0
  • abf400d Update: Add ignoreDestructing option to camelcase rule (fixes #9807) (#10373)
  • e2b394d Upgrade: espree and eslint-scope to rc versions (#10457)
  • a370da2 Chore: small opt to improve readability (#10241)
  • 640bf07 Update: Fixes multiline no-warning-comments rule. (fixes #9884) (#10381)
  • 831c39a Build: Adding rc release script to package.json (#10456)
  • dc4075e Update: fix false negative in no-use-before-define (fixes #10227) (#10396)
  • 3721841 Docs: Add new experimental syntax policy to README (fixes #9804) (#10408)
  • d0aae3c Docs: Create docs landing page (#10453)
  • fe8bec3 Fix: fix writing config file when `source` is `prompt` (#10422)

See the full diff

Package name: semantic-release The new version differs by 250 commits.
  • c8d38b6 style: removed line breaks to align with xo rule (#1689)
  • ca90b34 fix: mask secrets when characters get uri encoded
  • 63fa143 docs(plugins): add listing for new plugin (#1686)
  • 2bf3771 fix: use valid git credentials when multiple are provided (#1669)
  • 77a75f0 fix: don't parse port as part of the path in repository URLs (#1671)
  • d74ffef docs: add npm-deprecate-old-versions in plugins list (#1667)
  • 3abcbaf Revert "feat: throw an Error if package.json has duplicate "repository" key (#1656)"
  • b8fb35c feat: throw an Error if package.json has duplicate "repository" key (#1656)
  • 18e35b2 docs: reorder default plugins list (#1650)
  • e35e5bb docs(contributing): fix commit message examples (#1648)
  • 311c465 docs(README): welcome @ travi, add alumni section
  • b4c5d0a fix: add logging for when ssh falls back to http (#1639)
  • c982249 docs(contributing): typo fix (#1638)
  • 9635f50 docs: improve github actions recipe on git plugin (#1626)
  • d036a89 ci(docs): use actions/checkout@v2 (#1620)
  • 9303d1d docs(resources.md): added more sematnic release article (#1610)
  • b72cdb3 docs(configuration.md): Updated documentation for dry-run feature of semantic Release (#1607)
  • ee44ee8 docs(github-actions): suggest action_dispatch as trigger (#1605)
  • b24d247 docs: add `semantic-release-rubygem` to community plugins (#1602)
  • 6d118c6 docs: be clear about what module of semantic-release handles updating the package.json (#1601)
  • b5c9dea docs: update github documentation to `docs.github.com`
  • 1405b94 docs: added recipe for Jenkins CI configuration (Feat/add tap reporter聽#1) (#1591)
  • 0f0c650 fix: use correct ci branch context (#1521)
  • a465801 feat(bitbucket-basic-auth): support for bitbucket server basic auth (#1578)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
馃 View latest project report

馃洜 Adjust project settings

馃摎 Read more about Snyk's upgrade and patch logic

@snyk-bot
fix: package.json to reduce vulnerabilities
a678fe3 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AJV-584908
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-LODASH-590103
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/SNYK-JS-MARKED-174116
- https://snyk.io/vuln/SNYK-JS-MARKED-451540
- https://snyk.io/vuln/SNYK-JS-MARKED-584281
- https://snyk.io/vuln/SNYK-JS-MERGE-1040469
- https://snyk.io/vuln/SNYK-JS-MERGE-1042987
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-SEMANTICRELEASE-1041706
- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
- https://snyk.io/vuln/npm:braces:20180219
- https://snyk.io/vuln/npm:mem:20180117
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@snyk-bot