[Snyk] Fix for 21 vulnerabilities#1

Open
snyk-bot wants to merge 1 commit into master from snyk-fix-68ec5d9550bf8ca758d76bea8ab26642
Open

[Snyk] Fix for 21 vulnerabilities#1
snyk-bot wants to merge 1 commit into
masterfrom
snyk-fix-68ec5d9550bf8ca758d76bea8ab26642

Conversation

snyk-bot commented Oct 7, 2020

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json
    • package-lock.json
  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
    Find out more.

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Why? | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|---|
| high | 405/1000 | CVSS 8.1 | Prototype Pollution, SNYK-JS-AJV-584908 | Yes | No Known Exploit |
| medium | 626/1000 | Proof of Concept exploit, Has a fix available, CVSS 6.1 | Man-in-the-Middle (MitM), SNYK-JS-HTTPSPROXYAGENT-469131 | Yes | Proof of Concept |
| high | 665/1000 | Has a fix available, CVSS 8.8 | NULL Pointer Dereference, SNYK-JS-NODESASS-535500 | No | No Known Exploit |
| high | 630/1000 | Has a fix available, CVSS 8.1 | Out-of-bounds Read, SNYK-JS-NODESASS-535501 | No | No Known Exploit |
| high | 600/1000 | Has a fix available, CVSS 7.5 | Uncontrolled Recursion, SNYK-JS-NODESASS-535503 | No | No Known Exploit |
| medium | 550/1000 | Has a fix available, CVSS 6.5 | Resource Exhaustion, SNYK-JS-NODESASS-535504 | No | No Known Exploit |
| high | 665/1000 | Has a fix available, CVSS 8.8 | NULL Pointer Dereference, SNYK-JS-NODESASS-535505 | No | No Known Exploit |
| medium | 539/1000 | Has a fix available, CVSS 6.5 | Denial of Service (DoS), SNYK-JS-NODESASS-540982 | No | No Known Exploit |
| medium | 509/1000 | Has a fix available, CVSS 5.9 | Denial of Service (DoS), SNYK-JS-NODESASS-542662 | No | No Known Exploit |
| medium | 601/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.6 | Prototype Pollution, SNYK-JS-YARGSPARSER-560381 | Yes | Proof of Concept |
| low | 506/1000 | Proof of Concept exploit, Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS), npm:braces:20180219 | Yes | Proof of Concept |
| high | 579/1000 | Has a fix available, CVSS 7.3 | Prototype Pollution, npm:deep-extend:20180409 | No | No Known Exploit |
| high | 579/1000 | Has a fix available, CVSS 7.3 | Prototype Pollution, npm:extend:20180424 | Yes | No Known Exploit |
| medium | 529/1000 | Has a fix available, CVSS 6.3 | Prototype Pollution, npm:hoek:20180212 | No | No Known Exploit |
| high | 796/1000 | Mature exploit, Has a fix available, CVSS 8.2 | Uninitialized Memory Exposure, npm:https-proxy-agent:20180402 | Yes | Mature |
| medium | 469/1000 | Has a fix available, CVSS 5.1 | Denial of Service (DoS), npm:mem:20180117 | Yes | No Known Exploit |
| medium | 576/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.1 | Uninitialized Memory Exposure, npm:tunnel-agent:20170305 | No | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: github. The new version differs by 113 commits.
  • e6a0950 docs(CONTRIBUTING): Merging the Pull Request & releasing a new version
  • bc32299 chore: remove CHANGELOG.md - moved to GitHub releases
  • 1f9216c chore(travis): semantic-release setup
  • 68e5367 chore(package): semantic-release setup
  • 493473c chore(gitignore): package-lock.json
  • 2abb33f chore(package): remove package-lock.json
  • f74b2f8 docs(readme): add Greenkeeper badge
  • cab5531 chore(package): update dependencies
  • f4845cf chore(package): nyc & coveralls
  • 4bcc50b docs(README): add coverage badge
  • 70ed5de chore(travis): upload coverage after success
  • c088e0f chore(gitignore): .nyc_output, coverage
  • 887a8ab chore(package): add @gr2m to contributors
  • a2738dc chore(examples): rename repo owner to octokit
  • ad9907b chore(CONTRIBUTING): rename repo owner to octokit
  • c74aac5 style: standard
  • f67b1d3 style(scripts): remove trailing spaces in comments
  • 439bf32 docs(examples): adapt for standard linter
  • 04661e6 docs(README): adapt examples to standard linter
  • d106fd8 chore(package): standard, standard-markdown
  • e8bcb8f chore(package): @octokit/fixtures@^2.4.0
  • 106b422 test: lock/unlock issue
  • 1ade57a chore: remove obsolete comments
  • 155a211 test: branch protection

See the full diff

Package name: node-sass. The new version differs by 130 commits.
  • b54053a Update changelog
  • 01db051 4.13.1
  • 338fd7a Merge pull request from GHSA-f6rp-gv58-9cw3
  • c6f2e5a doc: README example fix (#2787)
  • fbc9ff5 Merge pull request #2754 from saper/no-map-if-not-requested
  • 60fad5f 4.13.0
  • 43db915 Merge pull request #2768 from sass/release-4-13
  • 0c8d308 Update references for v4.13 release
  • f1cc0d3 Use GCC 6 for Node 12 binaries (#2767)
  • 3838eae Use GCC 6 for Node 12 binaries
  • e84c6a9 Merge pull request #2766 from saper/node-modules-79
  • 64b6f32 Node 13 support
  • 8498f70 Fix #2394: sourceMap option should have consistent behaviour
  • 8d0acca Merge pull request #2753 from schwigri/master
  • b0d4d85 Fix broken link to NodeJS docs in README.md
  • 887199a Merge pull request #2730 from kessenich/master
  • b1f54d7 Fix #2614 - Update lodash version
  • 96aa279 Merge pull request #2726 from XhmikosR/master-xmr-typos
  • 8421979 Assorted typo fixes.
  • 2513e6a chore: Remove PR template
  • 7ab387c Merge pull request #2673 from abetomo/remove_sudo_setting_from_travis
  • 15355dd Remove sudo settings from .travis.yml
  • 0c1a49e chore: Add note in PR template about node-gyp 4.0
  • e59f5ba chore: Change note about Node 12 support

See the full diff

Package name: postcss-cli. The new version differs by 103 commits.

See the full diff

Package name: rc. The new version differs by 6 commits.

See the full diff

Package name: request. The new version differs by 41 commits.
  • 6420240 2.88.0
  • bd22e21 fix: massive dependency upgrade, fixes all production vulnerabilities
  • 925849a Merge pull request #2996 from kwonoj/fix-uuid
  • 7b68551 fix(uuid): import versioned uuid
  • 5797963 Merge pull request #2994 from dlecocq/oauth-sign-0.9.0
  • 628ff5e Update to oauth-sign 0.9.0
  • 10987ef Merge pull request #2993 from simov/fix-header-tests
  • cd848af These are not going to fail if there is a server listening on those ports
  • a92e138 #515, #2894 Strip port suffix from Host header if the protocol is known. (#2904)
  • 45ffc4b Improve AWS SigV4 support. (#2791)
  • a121270 Merge pull request #2977 from simov/update-cert
  • bd16414 Update test certificates
  • 536f0e7 2.87.1
  • 02fc5b1 Update changelog
  • de1ed5a 2.87.0
  • a6741d4 Replace hawk dependency with a local implementation (#2943)
  • a7f0a36 2.86.1
  • 8f2fd4d Update changelog
  • 386c7d8 2.86.0
  • 76a6e5b Merge pull request #2885 from ChALkeR/patch-1
  • db76838 Merge branch 'patch-1' of github.com:ChALkeR/request
  • fb7aeb3 Merge pull request #2942 from simov/fix-tests
  • e47ce95 Add Node v10 build target explicitly
  • 0c5db42 Skip status code 105 on Node > v10

See the full diff

Package name: standard. The new version differs by 111 commits.
  • ff1a156 authors
  • 17727fc 12.0.0
  • bdbd248 changelog
  • 3db3a62 https
  • cf1802c eslint-plugin-standard ~4.0.0
  • 7d779b8 eslint-plugin-import ~2.14.0
  • 66f676b eslint ~5.4.0
  • 3933c6b Use npm versions of eslint shared configs
  • c00dc66 Use ~ for eslint dep
  • 588d5ab Add links to French README translation!
  • aee57b4 ESLint 5
  • c89d5c7 Merge pull request #1145 from theo4u/patch-1
  • 6477dbf Merge pull request #1184 from standard/greenkeeper/babel-eslint-9.0.0
  • 8792b9b Merge pull request #1180 from standard/greenkeeper/eslint-plugin-promise-4.0.0
  • ff070b8 Merge branch 'master' into greenkeeper/eslint-plugin-promise-4.0.0
  • df1b7c4 Merge pull request #1187 from standard/greenkeeper/eslint-plugin-react-7.11.1
  • 3e65b08 Merge pull request #1164 from standard/greenkeeper/eslint-plugin-node-7.0.0
  • b340216 Merge pull request #1162 from charliegerard/master
  • cb2de87 Update package.json
  • 2f36650 chore(package): update babel-eslint to version 9.0.0
  • 82780e5 fix(package): update eslint-plugin-promise to version 4.0.0
  • 506ac11 fix(package): update eslint-plugin-react to version 7.11.1
  • b6919b4 Merge pull request #1178 from brodybits/patch-1
  • 4db4dbf README.md add standardx

See the full diff

Package name: uglifyify. The new version differs by 9 commits.

See the full diff

Package name: watchify. The new version differs by 13 commits.

See the full diff

With a Snyk patch:
| Severity | Priority Score (*) | Why? | Issue | Exploit Maturity |
|---|---|---|---|---|
| medium | 636/1000 | Proof of Concept exploit, Has a fix available, CVSS 6.3 | Prototype Pollution, SNYK-JS-LODASH-567746 | Proof of Concept |
| low | 399/1000 | Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS), npm:debug:20170905 | No Known Exploit |
| high | 579/1000 | Has a fix available, CVSS 7.3 | Prototype Pollution, npm:extend:20180424 | No Known Exploit |
| medium | 529/1000 | Has a fix available, CVSS 6.3 | Prototype Pollution, npm:hoek:20180212 | No Known Exploit |
| medium | 646/1000 | Mature exploit, Has a fix available, CVSS 5.2 | Uninitialized Memory Exposure, npm:stringstream:20180511 | Mature |
| medium | 509/1000 | Has a fix available, CVSS 5.9 | Regular Expression Denial of Service (ReDoS), npm:tough-cookie:20170905 | No Known Exploit |
| medium | 576/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.1 | Uninitialized Memory Exposure, npm:tunnel-agent:20170305 | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic
