[Snyk] Fix for 16 vulnerabilities#304

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

aliscco wants to merge 1 commit into master from snyk-fix-daf26458c23f40632bb6a29addd1569f

Owner

aliscco commented Apr 28, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- deps/npm/node_modules/depd/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-2863123	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Improper Privilege Management SNYK-JS-SHELLJS-2332187	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:eslint:20180222	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary Code Injection npm:growl:20160721	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: eslint

The new version differs by 250 commits.

c4fffbc 8.0.0
d51f4cf Build: changelog update for 8.0.0
7d3f7f0 Upgrade: unfrozen @ eslint/eslintrc (fixesassert: use same value equal for deepStrictEqual NaN nodejs/node#15036) (Need Payment IRS SSA Unemployment ASAP nodejs/node#15146)
2174a6f Fix: require-atomic-updates property assignment message (fixesShould overwriting child_process.execFile result in changed behaviour of child_process.exec? nodejs/node#15076) (http2: adjust error types, increase test coverage nodejs/node#15109)
f885fe0 Docs: add note and example for extending the range of fix (refs (node:7596) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 1): Error: Something took too long to do. nodejs/node#13706) (test: remove common module from test it thwarts nodejs/node#13748)
3da1509 Docs: Add jsdoc `type` annotation to sample rule (doc: fix comment about http2.createSecureServer nodejs/node#15085)
68a49a9 Docs: Update Rollup Integrations (V0.12.6 release nodejs/node#15142)
d867f81 Docs: Remove a dot from curly link (feature-request - include sqlite3 as builtin module for node v9.x nodejs/node#15128)
9f8b919 Sponsors: Sync README with website
4b08f29 Sponsors: Sync README with website
ebc1ba1 Sponsors: Sync README with website
2d654f1 Docs: add example .eslintrc.json (Should spawn with undefined env value be treated as "undefined" string? nodejs/node#15087)
16034f0 Docs: fix fixable example (doc: update README with SHASUMS256.txt.sig info nodejs/node#15107)
07175b8 8.0.0-rc.0
71faa38 Build: changelog update for 8.0.0-rc.0
67c0074 Update: Suggest missing rule in flat config (fixesdoc, util, console: clarify ambiguous docs nodejs/node#14027) (test: increase Http2ServerResponse test coverage nodejs/node#15074)
cf34e5c Update: space-before-blocks ignore after switch colons (fixeshttp keepAliveTimeout triggers while writing large http responses nodejs/node#15082) (test: split path tests into multiple files nodejs/node#15093)
c9efb5f Fix: preserve formatting when rules are removed from disable directives (timers distribution predictability nodejs/node#15081)
14a4739 Update: `no-new-func` rule catching eval case of `MemberExpression` ((v4.x-backport) zlib: fix crash when initializing failed nodejs/node#14860)
7f2346b Docs: Update release blog post template (doc: remove braces which shouldn't be there nodejs/node#15094)
fabdf8a Chore: Remove `target.all` from `Makefile.js` (n-api: refactor napi_addon_register_func nodejs/node#15088)
e3cd141 Sponsors: Sync README with website
05d7140 Chore: document target global in Makefile.js (tcp socket localPort option does not work nodejs/node#15084)
0a1a850 Update: include `ruleId` in error logs (fixescrypto: fix error of createCipher in wrap mode nodejs/node#15037) (tls: replace forEach with for nodejs/node#15053)

See the full diff

Package name: eslint-plugin-markdown

The new version differs by 83 commits.

89ea838 2.2.0
5083d83 Build: changelog update for 2.2.0
32203f6 Update: Replace Markdown parser (fixes[Snyk] Security upgrade mocha from 7.2.0 to 10.1.0 #125, fixes[Snyk] Security upgrade tap from 2.3.4 to 14.6.8 #186) ([Snyk] Security upgrade mocha from 6.2.3 to 10.1.0 #188)
58729d5 2.1.0
63322a5 Build: changelog update for 2.1.0
f1e153b Update: Upgrade remark-parse to v7 (fixes[Snyk] Security upgrade acorn-private-class-elements from 0.1.1 to 0.2.0 #77, fixes[Snyk] Security upgrade acorn-private-class-elements from 0.1.1 to 0.2.0 #78) ([Snyk] Fix for 9 vulnerabilities #175)
b1d2675 2.0.1
e301eea Build: changelog update for 2.0.1
d23d5f7 Fix: use blocksCache instead of single blocks instance (fixes[Snyk] Security upgrade protobufjs from 6.8.8 to 6.11.3 #181) ([Snyk] Fix for 8 vulnerabilities #183)
a09a645 Chore: add yarn.lock and package-lock.json into .gitignore ([Snyk] Security upgrade tap from 14.11.0 to 15.0.0 #184)
1280ac1 Docs: improve jsdoc, better for typings ([Snyk] Fix for 7 vulnerabilities #182)
79be776 Fix: More reliable comment attachment (fixes[Snyk] Security upgrade acorn-private-class-elements from 0.1.1 to 0.2.0 #76) ([Snyk] Fix for 8 vulnerabilities #177)
610cffd 2.0.0
e2f13a9 Build: changelog update for 2.0.0
53dc0e5 Docs: Remove prerelease README notes ([Snyk] Fix for 7 vulnerabilities #173)
140adf4 2.0.0-rc.2
15d7aa6 Build: changelog update for 2.0.0-rc.2
f6a3fad Fix: overrides pattern for virtual filenames in recommended config ([Snyk] Security upgrade mocha from 8.4.0 to 10.1.0 #169)
390d508 2.0.0-rc.1
e05d6eb Build: changelog update for 2.0.0-rc.1
1dd7089 Fix: npm prepare script on Windows (refs [Snyk] Fix for 3 vulnerabilities #166) ([Snyk] Security upgrade tap from 14.11.0 to 15.0.0 #168)
23ac2b9 Fix: Ignore words in info string after syntax (fixes[Snyk] Fix for 3 vulnerabilities #166) ([Snyk] Security upgrade mocha from 8.4.0 to 10.1.0 #167)
8f729d3 Chore: Switch to main for primary branch (fixes[Snyk] Fix for 6 vulnerabilities #161) ([Snyk] Security upgrade tap from 10.7.3 to 15.0.0 #165)
d30c50f Chore: Automatically install example dependencies ([Snyk] Fix for 43 vulnerabilities #164)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note:You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Improper Privilege Management
🦉 More lessons are available in Snyk Learn

fix: deps/npm/node_modules/depd/package.json to reduce vulnerabilities

f64de14

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-AJV-584908 - https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908 - https://snyk.io/vuln/SNYK-JS-MINIMATCH-1019388 - https://snyk.io/vuln/SNYK-JS-MINIMATCH-3050818 - https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795 - https://snyk.io/vuln/SNYK-JS-MINIMIST-559764 - https://snyk.io/vuln/SNYK-JS-MOCHA-2863123 - https://snyk.io/vuln/SNYK-JS-MOCHA-561476 - https://snyk.io/vuln/SNYK-JS-SHELLJS-2332187 - https://snyk.io/vuln/SNYK-JS-TRIM-1017038 - https://snyk.io/vuln/npm:debug:20170905 - https://snyk.io/vuln/npm:eslint:20180222 - https://snyk.io/vuln/npm:growl:20160721 - https://snyk.io/vuln/npm:minimatch:20160620 - https://snyk.io/vuln/npm:ms:20151024 - https://snyk.io/vuln/npm:ms:20170412

snyk-bot mentioned this pull request

[Snyk] Security upgrade airtap from 0.0.4 to 4.0.2 #346

Open

aliscco mentioned this pull request

[Snyk] Security upgrade airtap from 0.0.4 to 4.0.2 #1490

Open

Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment