Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Security upgrade xmldom from 0.4.0 to 0.5.0 #5

Closed
wants to merge 125 commits into from
Closed

[Snyk] Security upgrade xmldom from 0.4.0 to 0.5.0 #5

wants to merge 125 commits into from

Conversation

vid
Copy link

@vid vid commented Mar 10, 2021

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

merge advice

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 556/1000
Why? Recently disclosed, Has a fix available, CVSS 5.4		 XML External Entity (XXE) Injection
SNYK-JS-XMLDOM-1084960		 No No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: xmldom The new version differs by 26 commits.

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

markstos and others added 30 commits February 12, 2020 14:55
@markstos
v1.3.2
e70b6db
@markstos
Merge branch 'master' of github.com:bergie/passport-saml
9f1a481
@markstos
v1.3.3
74fa630
@willemli
Fix typo
bf83d23
@stavros-wb
Fix multi saml strategy race conditions (node-saml#426)
ffbd2f6 
* Fix multi saml strategy race conditions

node-saml#425

* Add warning for MultiSaml in Readme
@markstos
Merge branch 'master' of github.com:bergie/passport-saml
aafdc36
@markstos
bump version.
66bf7d6
@markstos
add yarn-error.log to .gitignore
8fdd087
@markstos
doc: announce site move.
f64cc7a
@mans0954
Revert "doc: announce site move." (node-saml#446)
bb025e6 
This reverts commit f64cc7a.
@mans0954
Return object for XML-valued AttributeValues (node-saml#447)
aed4a3d 
* Return XML object for AttributeValue if not a string

* Test XML-valued AttributeValue returns object
@dependabot
Bump acorn from 7.1.0 to 7.4.0 (node-saml#448)
8a8d82b 
Bumps [acorn](https://github.com/acornjs/acorn) from 7.1.0 to 7.4.0.
- [Release notes](https://github.com/acornjs/acorn/releases)
- [Commits](acornjs/acorn@7.1.0...7.4.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
Bump lodash from 4.17.15 to 4.17.20 (node-saml#449)
5abba17 
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.15 to 4.17.20.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.15...4.17.20)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@markstos
Update issue templates
85ffa05
@markstos
Update issue templates
bfcdb78 
Fix duplicate bug report templates.
@markstos
deps: bump xml-encryption to address node-forge sub-dep vuln.
1e6ec39
@markstos
docs: Update package.json / README to reflect site move.
af98f36
@markstos
deps: really bump xml-encryption for node-forge sub-dep upgrade to ad…
b696e58 
…dress vuln.
@markstos
bump version to 1.3.5
9115a02
@markstos
docs: remove badges broken by project rename.
e0480e1
@bryan-lockhart
add catch block to NameID decryption (node-saml#461)
43465d6
@mans0954
Add test for issue 459
7995eef
@walokra
Add GitHub Actions as Continuos Integration provider (node-saml#463)
df8eb78
@mans0954
Only make an attribute an object if it has child elements
384b28d
@mans0954
Merge pull request node-saml#464 from node-saml/csh-issue-459-attr-va…
cbd1bc3 
…lue-regression-some

Only make an attribute an object if it has child elements
@mans0954
Bump xml-crypto from 1.4.0 to 1.5.3
cbf7483
@mans0954
Include package-lock.json in repo
b4b7fcc
@mans0954
Merge pull request node-saml#465 from node-saml/csh-issue-456-xml-cry…
69c19b8 
…pto-upgrade

Upgrade xml-crypto dependancy
@rod-stuchi
try to use curl when wget is not available (node-saml#468)
026edf2
@mans0954
Merge pull request node-saml#434 from willemli/patch-1
cb39845 
Fix typo
gugu and others added 27 commits January 7, 2021 15:48
@gugu
use PRs as a source for changelog
0c2206c
@gugu
add more tags to PRs, remove tags without releases
9323c09
@cjbarth
Add code to use a ISO date. Set CHANGELOG generating script.
e3d9b86
@gugu
regenerate changelog using ISO date format
e801935
@gugu
correct commandline options for gren
30ee467
@cjbarth
Use correct function argument list
a74b1db
@cjbarth
Set config values for gren to be project-specific
d03bc6d
@cjbarth
Use Prettier on files modified
8eaf95c
@gugu
Merge pull request node-saml#518 from node-saml/changelog
dac23a1 
Generating changelog using gren
@markstos
chore: Follow our Github release name convention.
5a6ca44
@markstos
Release 2.0.4
932da9d
@dosullivan557
Ignore test folder when building npm package (node-saml#526)
6996cb8 
* Added in npmignore to ignore any pems, certs or keys

* 2.0.5

* Updated pr to not include in bundle and added DS_Store to .gitignore

Co-authored-by: Daniel O'Sullivan <daniel.o'sullivan@lloydsbanking.com>
@gugu
async/await for saml.ts (node-saml#496)
c6c4510 
* one method uses async/await

* async/await for saml.ts, deprecate callback functions
@cjbarth
Format code and enforce code style on PR (node-saml#527)
aefee33 
* Format code and enforce code style on PR

* Use line length of 100
@cjbarth
Have build action run on PR
add499c
@cjbarth
Fix code formatting
e511c49
@cjbarth
Allow manual trigger of build action
ef175f3
@gugu
Update readme on using multiSamlStrategy
e4b3da7 
passport-saml/multiSamlStrategy.js is something I'd like to remove:
1. it contains nothing, just import
2. it is outside of the source root and tsc/other tools don't include this file
3. old import depends on internal structure of the project
4. it uses module-level export

For now let's keep the file for compatibility, but let's update README so new people will not use the old way
@gugu
remove multisaml strategy in the old location
46c6df1
@gugu
update tests to use multisamlstrategy.js from the correct place
6182dde
@gugu
Merge pull request node-saml#531 from node-saml/multisaml-strategy-re…
54809d1 
…adme

Update readme on using multiSamlStrategy
@gugu
async / await in cache interface (node-saml#532)
54704de 
* async / await in cache interface
* eslint warnings fixed for cache, remove comments and checks for node < 0.9
@mhesler74 @cjbarth
Allow for authnRequestBinding in SAML options (node-saml#529)
ed4be0c 
Co-authored-by: Mike Hesler <mhesler@grapevine6.com>
Co-authored-by: Mike Hesler <mhesler@seismic.com>
Co-authored-by: Chris Barth <chrisjbarth@hotmail.com>
@gugu @cjbarth
Tests use typescript (node-saml#534)
f1a436f 
Co-authored-by: Chris Barth <chrisjbarth@hotmail.com>
@gugu
remove old callback functions, tests use async/await (node-saml#545)
8a1a377
@harrdou
Merge remote-tracking branch 'upstream/master'
30432b2
@snyk-bot
fix: package.json & package-lock.json to reduce vulnerabilities
a85c0a6 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-XMLDOM-1084960
@vid vid closed this Apr 9, 2021
@vid vid deleted the snyk-fix-6ee0a593c624fa70728186a59a531db8 branch April 9, 2021 16:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone