[Snyk] Fix for 5 vulnerabilities #3972

chdorner-snyk · 2022-09-30T16:04:20Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- test/acceptance/workspaces/npm-out-of-sync-graph/package.json
- test/acceptance/workspaces/npm-out-of-sync-graph/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-AWSSDK-1059424	No	Proof of Concept
616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	No	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	No	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-AXIOS-174505	No	Proof of Concept
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-UNDEFSAFE-548940	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: aws-sdk

The new version differs by 250 commits.

8875a35 Updates SDK to v2.814.0
dd83d67 throw at invalid profile name in shared ini file ([Snyk-dev] Security upgrade tap from 11.1.3 to 14.6.8 #3585)
ee0c5a3 Updates SDK to v2.813.0
468d15b Updates SDK to v2.812.0
c50132f Update README.md with references to JS SDK V3 ([Snyk-dev] Security upgrade tap from 11.1.3 to 14.6.8 #3582)
3e19b08 Updates SDK to v2.811.0
f26c00d Updates SDK to v2.810.0
b393a6e Adds automatic PreSignedUrl generation to RDS.StartDBInstanceAutomatedBackupsReplication (fix: Ensure the test spinner stops #3566)
fa57967 Updates SDK to v2.809.0
9a52018 Updates SDK to v2.808.0
1958076 Updates SDK to v2.807.0
ffcad20 Updates SDK to v2.806.0
2f37893 chore: remove cognitoidentity customizations to disable auth ([Snyk] Security upgrade django from 1.6.1 to 3.2.15 #3543)
c6fe3c0 Updates SDK to v2.805.0
71d6fa9 Fix dual-callback case ([Snyk] Security upgrade django from 2.0.1 to 3.2.15 #3537)
b981971 Updates SDK to v2.804.0
332573f Updates SDK to v2.803.0
deb7bc7 Updates SDK to v2.802.0
b6401d0 Remove incorrectly named service named 'Profile' (fix: missing release in package version string #3562)
3364d4b Updates SDK to v2.801.0
d400577 Updates SDK to v2.800.0
21c7dc0 Updates SDK to v2.799.0
d2b8964 Updates SDK to v2.798.0
44ded82 fix: test IAM.getUser instead of listUsers ([Snyk-dev] Fix for 4 vulnerabilities #3542)

See the full diff

Package name: axios

The new version differs by 250 commits.

e367be5 [Releasing] 0.21.3
83ae383 Correctly add response interceptors to interceptor chain ([Snyk-dev] Security upgrade tap from 11.1.3 to 15.0.0 #4013)
c0c8761 [Updating] changelog to include links to issues and contributors
619bb46 [Releasing] v0.21.2
82c9455 Create SECURITY.md ([Snyk] Security upgrade snyk from 1.320.0 to 1.996.0 #3981)
5b45711 Security fix for ReDoS ([Snyk] Security upgrade snyk from 1.101.1 to 1.996.0 #3980)
5bc9ea2 Update ECOSYSTEM.md (chore: implement --about #3817)
e72813a Fixing README.md (chore: remove version prefix #3818)
e10a027 Fix README typo under Request Config (chore: install git on alpine and re-enable test #3825)
e091491 Update README.md ([Snyk] Fix for 2 vulnerabilities #3936)
b42fbad Removed un-needed bracket
520c8dc Updating CI status badge ([Snyk] Fix for 4 vulnerabilities #3953)
4fbeecb Adding CI on Github Actions. ([Snyk] Fix for 4 vulnerabilities #3938)
e9965bf Fixing the sauce labs tests ([Snyk] Upgrade needle from 2.6.0 to 2.9.1 #3813)
dbc634c Remove charset in tests ([Snyk] Upgrade @snyk/cli-interface from 2.11.0 to 2.11.3 #3807)
3958e9f Add explanation of cancel token (fix: bump golang plugin version #3803)
69949a6 Adding custom return type support to interceptor ([Snyk] Upgrade node-uuid from 1.4.0 to 1.4.8 #3783)
49509f6 Create FUNDING.yml ([Snyk] Upgrade snyk-nodejs-lockfile-parser from 1.38.0 to 1.41.0 #3796)
199c8aa Adding parseInt to config.timeout ([Snyk] Upgrade node-uuid from 1.3.0 to 1.4.8 #3781)
94fc4ea Adding isAxiosError typeguard documentation ([Snyk] Upgrade request from 2.57.0 to 2.88.2 #3767)
0ece97c Fixing quadratic runtime when setting a maxContentLength ([Snyk] Upgrade end-of-stream from 1.0.0 to 1.4.4 #3738)
a18a0ec Updating `lib/core/README.md` about Dispatching requests ([Snyk] Upgrade @google-cloud/trace-agent from 4.0.1 to 4.2.5 #3772)
59fa614 [Updated] follow-redirects to the latest version ([Snyk] Upgrade grpc from 1.22.2 to 1.24.11 #3771)
7821ed2 Feat/json improvements ([Snyk] Upgrade string_decoder from 0.10.31 to 0.11.10 #3763)

See the full diff

Package name: undefsafe

The new version differs by 6 commits.

f272681 fix: prevent changes in prototype chain
f495954 chore: prettier changes
e4180ba fix: add .npmignore (#11)
29c8d32 Merge branch 'master' of github.com:remy/undefsafe
9a1631a fix: handle null as the root object
2d38e72 feat: * rule returns all matches (#7)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Server-Side Request Forgery (SSRF)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn

…test/acceptance/workspaces/npm-out-of-sync-graph/package-lock.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424 - https://snyk.io/vuln/SNYK-JS-AXIOS-1038255 - https://snyk.io/vuln/SNYK-JS-AXIOS-1579269 - https://snyk.io/vuln/SNYK-JS-AXIOS-174505 - https://snyk.io/vuln/SNYK-JS-UNDEFSAFE-548940

github-actions · 2022-09-30T16:09:20Z

	Warnings
⚠️	"fix: test/acceptance/workspaces/npm-out-of-sync-graph/package.json & test/acceptance/workspaces/npm-out-of-sync-graph/package-lock.json to reduce vulnerabilities" is too long. Keep the first line of your commit message under 72 characters.

Generated by 🚫 dangerJS against 76a10ce

chdorner-snyk requested review from a team as code owners September 30, 2022 16:04

chdorner-snyk requested review from jonathansantilli, florindumitrascu and dagrest September 30, 2022 16:04

lili2311 closed this Oct 13, 2022

darscan deleted the snyk-fix-8e88afacced9f2e50a4b991e49022e7c branch January 20, 2023 18:19

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 5 vulnerabilities #3972

[Snyk] Fix for 5 vulnerabilities #3972

chdorner-snyk commented Sep 30, 2022

github-actions bot commented Sep 30, 2022

[Snyk] Fix for 5 vulnerabilities #3972

[Snyk] Fix for 5 vulnerabilities #3972

Conversation

chdorner-snyk commented Sep 30, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

github-actions bot commented Sep 30, 2022