[Snyk] Fix for 4 vulnerabilities #35

tjenkinson · 2024-02-02T18:50:43Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	Yes	Proof of Concept
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: rollup-plugin-babel

The new version differs by 112 commits.

05fb203 4.4.0
c2821d0 Allow Rollup 2 in peer dependency range
4d8c0c5 4.3.3
e386e1f Update rollup-pluginutils@2.8.1 (Remove sponsor - Update infographic jsdelivr/www.jsdelivr.com#311)
54a166a chore: npm audit fix
18e4232 chore: audit fixes
8357816 Update CHANGELOG with note about 4.3.2
79941b5 4.3.2
a7e7676 Fix usage with externalHelpers flag
66f2f41 Add note to CHANGELOG about v4.3.1
a7aaac7 4.3.1
214882b Add js extention to helper file (Package not found jsdelivr/www.jsdelivr.com#296)
e746832 Update CHANGELOG
551ef31 Fix reference to the plugin in the README
bf9f1a2 4.3.0
97ac95b Merge branch 'custom-builder'
f250dea Add docs about .custom builder
542c143 Merge branch 'master' into custom-builder
ba2559a Fail build when trying plugin tries to add non-existent helper (ERR_CERT_AUTHORITY_INVALID jsdelivr/www.jsdelivr.com#290)
0a764c0 Remove unnecessary guard against missing plugins in preflight check
31a6f88 Tweak .custom API, validate options hook - it cant be async
54d3cee Merge branch 'master' into custom-builder
0752385 Update devDep to rollup@1
c8983e5 4.2.0

See the full diff

Package name: rollup-plugin-commonjs

The new version differs by 85 commits.

12a11c2 10.1.0
82ca3a2 Update changelog
fcd9826 Normalize ids before looking up in named export map (Recheck image sizes jsdelivr/www.jsdelivr.com#406)
e431c29 Update README.md with note on symlinks (New design upgrades jsdelivr/www.jsdelivr.com#405)
de40daa 10.0.2
e741130 Update changelog
8f91234 Support preserveSymlinks: false (fixes Redesign jsdelivr/www.jsdelivr.com#400) (Update libs "clipboard" and "marked" jsdelivr/www.jsdelivr.com#401)
1bc5896 10.0.1
504ec54 Update changelog
668d888 Update dependencies
99d1ff5 Handle builins appropriately for resolve 1.11.0. Fixes Gh 393 jsdelivr/www.jsdelivr.com#394. (Test jsdelivr/www.jsdelivr.com#395)
3bf824b Update changelog
29cfe83 Make tests run with Node 6 again and update dependencies (jsdelivr.com is down jsdelivr/www.jsdelivr.com#389)
a2f3ff4 10.0.0
1fd9168 Update changelog
c8fabd7 Use new context functions, fix issue when resolveId returns an object (🚨 Potential Improper Access Control jsdelivr/www.jsdelivr.com#387)
851ed8e 9.3.4
2c447af Update changelog
5cb3b2d set same typing to include and exclude properties (Add rel="noopener" attribute for external links jsdelivr/www.jsdelivr.com#385)
456a223 make "extensions" optional (Add Lazyload attribute to images jsdelivr/www.jsdelivr.com#384)
3921f28 9.3.3
28421a0 Update changelog
e63e57f fix: remove colon from module prefixes (Handle unpublished packages jsdelivr/www.jsdelivr.com#371)
a34ebbc 9.3.2

See the full diff

Package name: rollup-plugin-json

The new version differs by 25 commits.

476dc4c 4.0.0
c4045b4 Update changelog
68ac0b5 Pass all data to dataToEsm and fix array formatting in compact mode (Added GA jsdelivr/www.jsdelivr.com#53)
bb64f65 3.1.0
97615d6 Update changelog
1bcf81b Update dependencies and make tests rollup1.0 compatible (buttons should go to GitHub, remove "add to collection" jsdelivr/www.jsdelivr.com#46)
4df5395 Update changelog
2a528e3 Expose the "compact" and "namedExports" options (hidden sponsors if not full screen jsdelivr/www.jsdelivr.com#45)
e9c01b9 Update changelog
8de10c0 Update rollup-pluginutils to support null values in json (Scroll to search results on the Hero Unit when the user stops typing jsdelivr/www.jsdelivr.com#44)
2b2fd1c 3.0.0
6fbcf89 Merge branch 'real-ast'
82ed3f2 Remove peer dependency requirement as this version will now work
f1637b4 Add prepare script and precommit linting
032da3d Update to latest version of rollup-pluginutils
fb60b3e Use dataToEsm in plugin
70856b5 Update dependencies (as the next release will be a major version
d3f1293 Now longer create a fake AST but let rollup handle it
50db997 2.3.1
1cbc065 Update changelog
c204154 Merge branch 'nebulousdog-some-options-renamed'
b33e267 Produce a warning when installing this version alongside rollup 0.59+
0cf87fd Produce a warning when installing this version alongside rollup 0.59+
39c5119 updates README example with updated options names

See the full diff

Package name: rollup-plugin-node-resolve

The new version differs by 72 commits.

07b00d0 5.2.0
be9d14b Update changelog
df90657 feat(): dedupe accepts a function (Package not found jsdelivr/www.jsdelivr.com#225)
3a8ebf1 5.1.1
f054cf1 Update changelog
02f0e6d Move Rollup version check to buildStart hook to avoid issues because (feat(search): add analytics tag to main search jsdelivr/www.jsdelivr.com#232)
84471e4 Use async fs methods (Package not found jsdelivr/www.jsdelivr.com#230)
4b1e355 5.1.0
fc69994 Update changelog
f3c8320 Fix path fragment inputs (Package not found jsdelivr/www.jsdelivr.com#229)
b8ff12f Downgrade ESLint again
a89d5c9 5.0.4
21409a9 Update changelog and minor dependencies
d49e257 Treat sideEffects array as inclusion list (Package not found jsdelivr/www.jsdelivr.com#227)
cdb7448 5.0.3
d647abc Update changelog
1719511 fix(): make empty.js virtual (deepFreeze not found jsdelivr/www.jsdelivr.com#224)
75bebd4 5.0.2
a16adde Update changelog
05b272e Support resolve 1.11.1, add built-in test (Make homepage responsive above 1080p jsdelivr/www.jsdelivr.com#223)
9a47c45 5.0.1
b92a157 Update changelog
6f330e0 chore: upgrade resolve@1.11.0 (Package not found jsdelivr/www.jsdelivr.com#220)
07234b4 5.0.0

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905 - https://snyk.io/vuln/SNYK-JS-MINIMATCH-3050818 - https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067 - https://snyk.io/vuln/npm:braces:20180219

socket-security · 2024-02-02T18:51:38Z

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@babel/helper-module-imports@7.22.15	Transitive: environment	`+4`	2.55 MB	nicolo-ribaudo
npm/@babel/helper-string-parser@7.23.4	None	`0`	31.6 kB	nicolo-ribaudo
npm/@babel/helper-validator-identifier@7.22.20	None	`0`	49.1 kB	nicolo-ribaudo
npm/@babel/types@7.23.9	environment	`+3`	2.49 MB	nicolo-ribaudo
npm/@types/resolve@0.0.8	None	`+1`	6.59 kB	types
npm/builtin-modules@3.3.0	unsafe	`0`	4.51 kB	sindresorhus
npm/function-bind@1.1.2	None	`0`	31.4 kB	ljharb
npm/hasown@2.0.0	None	`+1`	42.3 kB	ljharb
npm/is-core-module@2.13.1	None	`+2`	72.5 kB	ljharb
npm/is-reference@1.2.1	None	`+1`	24 kB	rich_harris
npm/magic-string@0.25.9	None	`+1`	405 kB	antfu
npm/path-parse@1.0.7	None	`0`	4.51 kB	jbgutierrez
npm/resolve@1.22.8	environment, filesystem	`+5`	232 kB	ljharb
npm/rollup-plugin-babel@4.4.0	Transitive: environment, filesystem, unsafe	`+63`	6.5 MB	andarist
npm/rollup-plugin-commonjs@10.1.0	filesystem Transitive: environment, unsafe	`+63`	4.44 MB	lukastaegert
npm/rollup-plugin-json@4.0.0	None	`0`	9.08 kB	lukastaegert
npm/rollup-plugin-node-resolve@5.2.0	filesystem Transitive: environment, unsafe	`+66`	3.93 MB	lukastaegert
npm/sourcemap-codec@1.4.8	None	`0`	31.8 kB	rich_harris
npm/supports-preserve-symlinks-flag@1.0.0	None	`0`	9.18 kB	ljharb

🚮 Removed packages: npm/is-reference@1.1.0, npm/magic-string@0.22.5, npm/path-parse@1.0.5, npm/resolve@1.5.0, npm/rollup-plugin-babel@3.0.3, npm/rollup-plugin-commonjs@9.1.0, npm/rollup-plugin-json@2.3.0, npm/rollup-plugin-node-resolve@3.3.0, npm/sourcemap-codec@1.4.1, npm/vlq@0.2.3

View full report↗︎

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 4 vulnerabilities #35

[Snyk] Fix for 4 vulnerabilities #35

tjenkinson commented Feb 2, 2024

socket-security bot commented Feb 2, 2024

[Snyk] Fix for 4 vulnerabilities #35

Are you sure you want to change the base?

[Snyk] Fix for 4 vulnerabilities #35

Conversation

tjenkinson commented Feb 2, 2024

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

socket-security bot commented Feb 2, 2024