[Snyk] Fix for 7 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	643/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5	Command Injection SNYK-JS-SNYKDOCKERPLUGIN-3039679	Yes	Proof of Concept
	643/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5	Command Injection SNYK-JS-SNYKGRADLEPLUGIN-3038624	No	Proof of Concept
	643/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5	Command Injection SNYK-JS-SNYKMVNPLUGIN-3038623	No	Proof of Concept
	643/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5	Command Injection SNYK-JS-SNYKPYTHONPLUGIN-3039677	No	Proof of Concept
	643/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5	Command Injection SNYK-JS-SNYKSBTPLUGIN-3038626	No	Proof of Concept
	643/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5	Command Injection SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625	No	Proof of Concept
	643/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5	Command Injection SNYK-JS-SNYKSNYKHEXPLUGIN-3039680	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @snyk/snyk-cocoapods-plugin

The new version differs by 9 commits.

• ad6d93a Merge pull request [Snyk] Security upgrade python from 3.6-slim to 3.11.0b5-slim #31 from snyk/fix/quote-args
• c73e049 fix: quote args
• eb1737c Merge pull request [Snyk] Security upgrade python from 3.6-slim to 3.7-slim #30 from snyk/chore/update-dependencies
• 94be128 chore: update dependencies
• 8df6ea6 Merge pull request [Snyk] Security upgrade python from 3.8-slim to 3.9-slim #29 from snyk/chore/move-to-circleci
• 99f3b0d chore: move to CircleCI
• 92f6b11 Merge pull request [Snyk] Security upgrade python from 3.6-slim to 3.7-slim #27 from snyk/chore/update-co
• 82cd73f chore: fix lint
• 4182af2 chore: update co file

See the full diff

Package name: @snyk/snyk-hex-plugin

The new version differs by 15 commits.

• 95708c2 Merge pull request [Snyk] Security upgrade python from 3.6-slim to 3.10-slim #25 from snyk/fix/quote-spawn-args
• e8dd2a3 fix: quote spawn args
• 86090ee Merge pull request [Snyk] Security upgrade python from 3.6-slim to 3.7-slim #23 from snyk/chore/fix-release-node-image
• 7d6fcb0 chore: fix node image for release step
• 7e06ca8 Merge pull request [Snyk] Security upgrade python from 3.6-slim to 3.9.13-slim #22 from snyk/chore/bump-node-to-16
• 205bdfc chore: bump node version to 16
• 404fd22 Merge pull request [Snyk] Security upgrade python from 3.6-slim to 3.11.0a7-slim #21 from snyk/chore/fix-lint-and-windows-tests
• cdc219a fix: use scoop instead of choco
• 882133e fix: change back to 2.4.0 windows orb
• 368a2ae fix: use windows 5.0.0 orb
• 43635cd chore: use elixir 1.13.3 in test
• d17cbc5 chore: try remove allow downgrade
• 11d403e chore: fix lint
• 1f4db02 Merge pull request [Snyk] Security upgrade python from 3.6-slim to 3.8-slim #19 from snyk/chore/add-contributing
• ba911a8 chore: add CONTRIBUTING.md

See the full diff

Package name: snyk-docker-plugin

The new version differs by 157 commits.

• 434e588 Merge pull request feat: Add support for 'scratch' based docker images snyk/cli#463 from snyk/fix/quote-args
• d730d76 fix: quote spawn args
• 2b999b8 Merge pull request feat: add git metadata to monitor payload snyk/cli#462 from snyk/fix/do-not-trim-go-versions
• 9043afb fix: use full version of go modules in dep-graph
• 9cd135f test: update snapshots for dep-graph schema 1.3.0
• 6af6f1a Merge pull request fix: improve gzip compression of the payloads to handle some larger ones snyk/cli#461 from snyk/fix/go-filepath-determination
• ad14d23 fix: go binary file path determination
• 64ec975 Merge pull request #451 from snyk/fix/go-binary-project-names
• 7c1c91d test: add test for Go binary without PCLN table
• c5f889d fix: handle Go binaries from the Go distributions
• abd3f57 Merge pull request fix: handle PHP projects with interdependent packages snyk/cli#460 from snyk/fix/manifest-unknown-err
• 8165c0c Merge pull request #457 from snyk/feat/support-deleted-files
• d6c1c53 fix: amending condition for 'manifest unknown' errors
• b03fd7b Merge pull request feat: depGraph snyk-test for npm and yarn snyk/cli#459 from snyk/feat/MYC-41-return-content-sets-from-plugin
• 6232182 feat: return RedHat repositories with the scanResult
• 38e1c55 Merge pull request feat: updating nuget-plugin - add assets-project-name flag snyk/cli#458 from snyk/chore/windows-excutor-bump
• 7753f96 chore: bump windows executor
• 245a8b5 feat: support deleted files
• e0bed79 Merge pull request feat: Release improved project naming for csproj behind a flag snyk/cli#456 from snyk/fix/annotate-error
• 7aee68c fix: skip CGo binaries without PCLNTable
• 7963ff2 Merge pull request feat: new debug logs around plugin's inspect snyk/cli#453 from snyk/fix/python-scan-performance-improvements
• 2a5d559 fix: handle cyclic dependencies in python apps
• 03391a9 fix: improve python app analysis performance
• 34cf66e Merge pull request fix: do not fail if csproj not found snyk/cli#452 from snyk/test/fix-recurring-test

See the full diff

Package name: snyk-gradle-plugin

The new version differs by 61 commits.

• 46fb3e3 Merge pull request [Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.2 #240 from snyk/fix/escape-child-process-arguments
• bb1c1c7 fix: escape child process arguments
• f115e10 fix: identify projects by path ([Snyk] Security upgrade python from 3.9-slim to 3.13.0b1-slim #234)
• 9398d14 Merge pull request [Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.2 #238 from snyk/fix/rest-packages-path
• ce194cd fix: TS2304 cannot find name 'Blob'
• 6643455 chore: default to node 12 when performing lint
• aa86b13 fix: rest package path
• b3e2b00 test: add gradleProjectName ([Snyk] Security upgrade python from 3.7-slim to 3.13.0b1-slim #237)
• 84f728b Merge pull request [Snyk] Security upgrade python from 3.8-slim to 3.13.0b1-slim #236 from snyk/fix/remove-reachability
• 547d91b fix: remove reachability
• 9af47fc fix: don't fail if matching config doesn't exist ([Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.2 #235)
• 90d2c57 Merge pull request [Snyk] Security upgrade python from 3.6-slim to 3.13.0b1-slim #232 from snyk/feat/use-best-practice-packages-route
• edef32e feat: use /rest/packages best practice Snyk REST API endpoint
• b855db9 fix: display more accurate error message ([Snyk] Security upgrade python from 3.6-slim to 3.13.0b1-slim #233)
• 9253f07 refactor: get target project ([Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.2 #231)
• 0ed9feb test: change name assertions to be exact ([Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.2 #230)
• 76ef3b0 Merge pull request [Snyk] Upgrade typescript from 4.3.2 to 5.4.5 #228 from snyk/fix/add-needle-types
• b8869f0 fix: add @ types/needle
• a4eb261 Merge pull request [Snyk] Upgrade p-map from 4.0.0 to 7.0.2 #226 from snyk/feat/normalize-deps
• cad5070 feat: implement gradle-normalize-deps hash searching
• 3ea5ec1 fix: subproject with same name as root ([Snyk] Upgrade typescript from 4.3.2 to 5.4.3 #222)
• 79a8a08 fix: matching configuration error on version-catalog ([Snyk] Security upgrade python from 3.7-slim to 3.13.0a6-slim #221)
• c1c2e41 feat: add debug logging for configs with failing resolvedConfiguration ([Snyk] Security upgrade python from 3.8-slim to 3.13.0a6-slim #218)
• d8b0a60 test: run pipeline tests on master branch ([Snyk] Security upgrade python from 3.6-slim to 3.13.0a6-slim #216)

See the full diff

Package name: snyk-mvn-plugin

The new version differs by 59 commits.

• 2bfb3e2 Merge pull request [Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.1 #141 from snyk/fix/quote-args
• 02cda9b fix: escape child process arguments
• 13c6f33 Merge pull request [Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.1 #140 from snyk/chore/update-readme
• 38010e0 chore: update supported node versions
• a52d276 Merge pull request [Snyk] Upgrade typescript from 4.3.2 to 5.3.3 #139 from snyk/chore/refactor-update-circleci-config
• 9325c10 chore: update circleci config to use matrix
• b5d1b31 Merge pull request [Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.1 #138 from snyk/fix/remove-reachability
• 0b968bb fix: remove reachability
• 41d2614 Merge pull request [Snyk] Upgrade p-map from 4.0.0 to 7.0.0 #137 from snyk/fix/unmanaged-scan-unknown-archives
• 033e55d fix: unmanaged scan unknown archives
• e3e6313 Merge pull request [Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.1 #136 from snyk/feat/maven-aggregate-project-option
• c1b44f5 feat: maven aggregate project option
• 7c4108e Merge pull request chore(deps): bump aws/aws-sdk-php from 3.0.0 to 3.278.3 in /test/acceptance/workspaces/composer-app #135 from snyk/refactor/build-dep-graph
• 2105f20 refactor: build dep-graph
• 8908d19 Merge pull request [Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.1 #134 from snyk/refactor/parse-stdout
• f6aa59d refactor: parse stdout
• e5ce697 Merge pull request [Snyk] Upgrade typescript from 4.3.2 to 5.3.2 #133 from snyk/refactor/parse-digraph
• 28ab493 refactor: parse digraph output
• 734ee3d Merge pull request [Snyk] Upgrade @octokit/rest from 18.5.4 to 20.0.2 #131 from snyk/refactor/parse-dependency
• eccea58 refactor: parse dependency
• 1d66754 Merge pull request [Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.1 #132 from snyk/chore/upgrade-linter
• 533f137 chore: update nvmrc
• 0282044 chore: update linter
• 7afa8d5 Merge pull request [Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.1 #129 from snyk/feat/improve-sub-process-debug-logging

See the full diff

Package name: snyk-python-plugin

The new version differs by 19 commits.

• 6144e09 Merge pull request [Snyk] Upgrade @octokit/rest from 18.5.4 to 20.0.2 #197 from snyk/fix/quote-spawn-args
• 8591abd fix: quote spawn args
• 43d4b85 Merge pull request [Snyk] Upgrade @octokit/rest from 18.5.4 to 20.0.2 #192 from snyk/fix/support-pipenv-with-empty-packages
• a199379 fix: support pipenv empty packages
• 7938b02 Merge pull request [Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.2 #191 from snyk/chore/fix-broken-tests-and-bump-node-to-16
• 9aa61ba chore: fix broken tests and bump node to 16
• 60e23db Merge pull request [Snyk] Security upgrade python from 3.7-slim to 3.13.0a3-slim #188 from snyk/feat/support-files-with-bom
• 1943319 feat: support requirements.txt files with bom enconding
• 94f5668 Merge pull request [Snyk] Security upgrade python from 3.7-slim to 3.8.18-slim #185 from snyk/chore/fix-broken-tests-and-remove-pip9-support
• c5c9d66 chore: fix broken tests and remove support for pip 9.0.3
• 3cc5bad Merge pull request [Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.2 #181 from snyk/fix/key-not-found-in-packageToDepTreeMap
• 3bd2ade fix: fix key XXX not found in packageToDepTreeMap
• fdc05b7 Merge pull request [Snyk] Upgrade @octokit/rest from 18.5.4 to 20.0.2 #180 from snyk/fix/requirements-line-with-more-than-one-space
• 6c8fa99 Merge branch 'master' into fix/requirements-line-with-more-than-one-space
• 9594b20 fix: when a line inside "requirements.txt" has more than one space
• 5871df7 Merge pull request chore(deps): bump django from 1.6.1 to 3.2.24 in /test/acceptance/workspaces/fail-on/pinnable #179 from snyk/feat/allow-empty-manifest-flag
• 7c711fa feat: allow empty manifest flag
• 155177f Merge pull request chore(deps): bump nokogiri from 1.6.8.1 to 1.16.2 in /test/acceptance/workspaces/mono-repo-project #176 from snyk/fix/correct-ge-version-cmp-to-match-pep508
• 8f404e4 fix: use correct requirements filter regex for 'ge'

See the full diff

Package name: snyk-sbt-plugin

The new version differs by 24 commits.

• 3e02fa4 Merge pull request [Snyk] Upgrade @octokit/rest from 18.5.4 to 20.0.2 #120 from snyk/fix/quote-args
• 99c09eb fix: escape child process arguments
• 63e5c44 Merge pull request [Snyk] Upgrade @octokit/rest from 18.5.4 to 20.0.2 #118 from snyk/fix/scopekey-error-in-plugin-inspect
• 179e8c2 fix: filter out configs where isPublic is false
• 3aff460 Merge pull request [Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.1 #117 from snyk/chore/remove-redundant-files
• 07b8dad chore: remove redundant files from fixtures
• c1c8ba3 Merge pull request [Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.0 #115 from snyk/feat/relax-conditions-for-plugin-inspect
• 37e0114 feat: relax conditions for plugin inspect
• e451665 Merge pull request [Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.0 #114 from snyk/test/add-tests-for-latest-sbt-versions
• 24c0bc7 test: add tests for sbt 1.7.0
• 331f46b Merge pull request chore(deps): bump aiohttp from 2.2.2 to 3.8.6 in /test/acceptance/workspaces/mono-repo-project #112 from snyk/chore/add-debug-logs
• 4358d57 chore: add debug logs
• ef3f1f6 Merge pull request chore(deps): bump yiisoft/yii from 1.1.14 to 1.1.29 in /test/acceptance/workspaces/composer-app #111 from snyk/fix/reduce-sbt-output
• 735776e fix: reduce scala script output size
• 0c104cb Merge pull request [Snyk] Upgrade @octokit/rest from 18.5.4 to 20.0.2 #108 from snyk/test/sbt-1.7.0
• 05c1bc1 test: support for sbt v.1.7.0
• c6a1177 Merge pull request [Snyk] Upgrade @octokit/rest from 18.5.4 to 20.0.2 #107 from snyk/feat/ignore-comments
• 4ff22d0 feat: ignore single-line and multi-line comments in plugin search
• ebf261f Merge pull request chore(deps): bump symfony/symfony from 2.3.1 to 4.1.13 in /test/acceptance/workspaces/composer-app #106 from snyk/feat/scalafix-and-project-layout-heuristics
• 2a307dd feat: fix for scalafix and multi-project fodler layout heuristics
• b2edcea Merge pull request [Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.0 #104 from snyk/feat/add-testing-to-sbt-1.4
• 3996a6d feat: warn users when using new sbt-dependency-graph annotation
• 9e6577b Merge pull request [Snyk] Upgrade @octokit/rest from 18.5.4 to 20.0.2 #103 from snyk/feat/support-new-sbt-dep-graph-plugin
• 1d2c92b feat: search sbt dep graph plugin in the new naming

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[cloudflare-pages]

Deploying with    Cloudflare Pages

Latest commit:	1f79f18
Status:	🚫  Build failed.

View logs

[secure-code-warrior-for-github]

Micro-Learning Topic: OS command injection (Detected by phrase)

Matched on "Command Injection"

What is this? (2min video)

In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server.

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Command Injection - OWASP community page with comprehensive information about command injection, and links to various OWASP resources to help detect or prevent it.
• OWASP testing for Command Injection - This article is focused on providing testing techniques for identifying command injection flaws in your applications