Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 42 vulnerabilities #84

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

[Snyk] Fix for 42 vulnerabilities #84

wants to merge 1 commit into from

Conversation

ludralph
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json
    • package-lock.json

  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
    Find out more.

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Insecure Encryption
SNYK-JS-BCRYPT-572911		 Yes No Known Exploit
medium severity 616/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.9		 Cryptographic Issues
SNYK-JS-BCRYPT-575033		 Yes Proof of Concept
medium severity 534/1000
Why? Has a fix available, CVSS 6.4		 Improper Authentication
SNYK-JS-JSONWEBTOKEN-3180022		 Yes No Known Exploit
medium severity 539/1000
Why? Has a fix available, CVSS 6.5		 Improper Restriction of Security Token Assignment
SNYK-JS-JSONWEBTOKEN-3180024		 Yes No Known Exploit
medium severity 554/1000
Why? Has a fix available, CVSS 6.8		 Use of a Broken or Risky Cryptographic Algorithm
SNYK-JS-JSONWEBTOKEN-3180026		 Yes No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Signature Verification Bypass
SNYK-JS-JWTSIMPLE-174523		 No No Known Exploit
medium severity 539/1000
Why? Has a fix available, CVSS 6.5		 Information Exposure
SNYK-JS-NODEFETCH-2342118		 Yes No Known Exploit
medium severity 520/1000
Why? Has a fix available, CVSS 5.9		 Denial of Service
SNYK-JS-NODEFETCH-674311		 Yes No Known Exploit
high severity 726/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.1		 Out-of-bounds Read
SNYK-JS-NODESASS-535501		 No Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Resource Exhaustion
SNYK-JS-NODESASS-535504		 No Proof of Concept
high severity 761/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.8		 NULL Pointer Dereference
SNYK-JS-NODESASS-535505		 No Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Denial of Service (DoS)
SNYK-JS-NODESASS-540982		 No Proof of Concept
medium severity 509/1000
Why? Has a fix available, CVSS 5.9		 Denial of Service (DoS)
SNYK-JS-NODESASS-542662		 No No Known Exploit
medium severity 454/1000
Why? Has a fix available, CVSS 4.8		 Session Fixation
SNYK-JS-PASSPORT-2840631		 No No Known Exploit
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Prototype Poisoning
SNYK-JS-QS-3153490		 No Proof of Concept
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-SCSSTOKENIZER-2339884		 Yes No Known Exploit
critical severity 791/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 9.4		 SQL Injection
SNYK-JS-SEQUELIZE-2932027		 Yes Proof of Concept
high severity 564/1000
Why? Has a fix available, CVSS 7		 SQL Injection
SNYK-JS-SEQUELIZE-2959225		 Yes No Known Exploit
high severity 629/1000
Why? Has a fix available, CVSS 8.3		 Improper Filtering of Special Elements
SNYK-JS-SEQUELIZE-3324088		 Yes No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Information Exposure
SNYK-JS-SEQUELIZE-3324089		 Yes No Known Exploit
medium severity 529/1000
Why? Has a fix available, CVSS 6.3		 Access of Resource Using Incompatible Type ('Type Confusion')
SNYK-JS-SEQUELIZE-3324090		 Yes No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 SQL Injection
SNYK-JS-SEQUELIZE-450221		 No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 SQL Injection
SNYK-JS-SEQUELIZE-459751		 No Proof of Concept
medium severity 550/1000
Why? Has a fix available, CVSS 6.5		 Denial of Service (DoS)
SNYK-JS-SEQUELIZE-543029		 No No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Denial of Service (DoS)
SNYK-JS-SOCKJS-575261		 No Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-SSRI-1246392		 No Proof of Concept
high severity 624/1000
Why? Has a fix available, CVSS 8.2		 Arbitrary File Overwrite
SNYK-JS-TAR-1536528		 Yes No Known Exploit
high severity 624/1000
Why? Has a fix available, CVSS 8.2		 Arbitrary File Overwrite
SNYK-JS-TAR-1536531		 Yes No Known Exploit
low severity 410/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-TAR-1536758		 Yes No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5		 Arbitrary File Write
SNYK-JS-TAR-1579147		 Yes No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5		 Arbitrary File Write
SNYK-JS-TAR-1579152		 Yes No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5		 Arbitrary File Write
SNYK-JS-TAR-1579155		 Yes No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090599		 Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090600		 Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090601		 Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090602		 Yes Proof of Concept
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6		 Prototype Pollution
SNYK-JS-YARGSPARSER-560381		 No Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: bcrypt The new version differs by 141 commits.
  • 61139e6 v5.0.0
  • 1bde62c Update node-pre-gyp to 0.15.0
  • 40770d6 Add NodeJS 14 to appveyor CI
  • 5916a46 Merge pull request #807 from techhead/known_length
  • f28e916 Reword comment
  • ca1e43b Add test for embedded NULs
  • 1a81858 Pass key_len to bcrypt(). Fix for issues #774, #776
  • cf4efd9 Merge pull request #647 from ilatypov/master
  • 15febd1 Allow using an enterprise artifactory.
  • 96c41e2 Mark z/OS compatibility code as such
  • dd32df1 Add z/OS support
  • ac14738 Update CHANGELOG.md
  • d9e54b4 Merge pull request #806 from techhead/2b_overflow
  • 9548df5 Fix overflow bug. See issue #776
  • 4c38d38 Merge pull request #804 from jokester/add-arm64-build
  • 41d9ba2 add linux-arm64 to build matrix
  • bc114fb Update node-addon-api to v3.0.0
  • 61f6308 Use travis to deploy future releases
  • 87c214f v4.0.1
  • 9758e68 Prepare for uploading releases from inside docker
  • 1511821 Define _GNU_SOURCE while compiling for MUSL
  • e01e78a Add alpine-linux to CI
  • bbb6b2d Readme: fix node version for v4.0.0
  • 738e4e2 Update CHANGELOG.md

See the full diff

Package name: body-parser The new version differs by 177 commits.

See the full diff

Package name: express The new version differs by 221 commits.

See the full diff

Package name: jwt-simple The new version differs by 28 commits.

See the full diff

Package name: node-sass The new version differs by 163 commits.
  • 3b556c1 7.0.2
  • c716359 Bump sass-graph@^4.0.1 (#3292)
  • 24741b3 docs(readme): fix docpad plugin link
  • 1523330 feat: Drop Node 12
  • 365d357 update https://registry.npm.taobao.org to https://registry.npmmirror.com
  • 1456114 build(deps): bump actions/upload-artifact from 2 to 3
  • b465b69 chore: bump GitHub Actions to Windows 2019 (#3254)
  • e6194b1 build(deps): bump make-fetch-happen from 9.1.0 to 10.0.4
  • 4edf594 build(deps): bump node-gyp from 8.4.1 to 9.0.0
  • 29e2344 build(deps): bump actions/checkout from 2 to 3
  • 85b0d22 build(deps): bump actions/setup-node from 2 to 3
  • 3bb51da Use make-fetch-happen instead of request (#3193)
  • adc2f8b build(deps): bump true-case-path from 1.0.3 to 2.2.1 (#3000)
  • 77d12f0 chore: disable Apline for Node 16/17 builds
  • 308d533 ci: use Python 3 for Node 12
  • c818907 ci: unpin actions/setup-node to v2
  • 99242d7 7.0.1
  • 77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (#3224)
  • c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (#3209)
  • 918dcb3 Lint fix
  • 0a21792 Set rejectUnauthorized to true by default (#3149)
  • e80d4af chore: Drop EOL Node 15 (#3122)
  • d753397 feat: Add Node 17 support (#3195)
  • dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0

See the full diff

Package name: passport The new version differs by 160 commits.

See the full diff

Package name: passport-jwt The new version differs by 71 commits.
  • fed94fa 4.0.1 release
  • cfb5566 Merge pull request #248 from mikenicholson/update-minmatch
  • 8e4ad5b Address minmatch vulnerability
  • e9cf2ce Merge pull request #247 from mikenicholson/jsonwebtoken-9
  • bfbc6cc Update jsonwebtoken to 9.0.0
  • a49b43e Update minimist due to prototype pollution vulnerability in previous version
  • a5137c6 Merge pull request #192 from markhoney/patch-1
  • ea824cd Update jsonwebtoken and run npm audit fix
  • 8e57eec Remove older node versions shiping npm without support for "ci"
  • 3ab9305 Add CI workflow in GitHub Actions
  • 96a6e55 Merge pull request #218 from Sambego/patch-1
  • 809cdbf Update Auth0 sponsorship link
  • ec35fa4 Add nodejs 13 & 14 to CI
  • 2cab4dd Update mocha to resolve vulnerabilities
  • b196eb8 Use nyc for coverage
  • ddafcd2 Fix typo
  • 6b92631 Merge pull request #176 from epicfaace/patch-1
  • 154af70 Stop building for Node v5 and earlier
  • d311551 Add newer node versions to Travis CI build
  • 0e39a48 Update dependencies to resolve vulnerabilities.
  • d488147 Update URLs to reference new GitHub username
  • 89152d5 Rename extrators-test.js to extractors-test.js
  • 0bb68bf Clarify use of custom extractor function.
  • 499bd4a Add js formatting to extractor example in README.

See the full diff

Package name: prop-types The new version differs by 23 commits.
  • fa6fbb7 15.6.2
  • 5115f5c Merge pull request #180 from jaller94/master
  • 2ac742c Merge pull request #171 from barrymichaeldoyle/master
  • a7a5a64 Merge pull request #194 from facebook/no-fbjs
  • d6c9c5c Preserve "Invariant Violation" name
  • 07d1b47 Remove fbjs dependency
  • 3c99d57 Remove trailing spaces
  • a36cda8 Move explanation of `isRequired` and show it in `PropTypes.shape`
  • ba3da12 Show that shapes can have required properties
  • 2bde8eb Add example for `PropTypes.exact`
  • d65f80e Updated vars to consts and lets in PropTypesProductionStandalone-test.js
  • c10c93f Updated vars to consts and lets in PropTypesDevelopmentStandalone-test.js
  • 8e2b34e Updated vars to consts and lets in PropTypesDevelopmentReact15.js
  • c5527c8 Updated vars with consts and lets in PropTypesProductionReact15-test.js
  • 7cc8c81 Add 15.6.1 to CHANGELOG
  • 5df7296 15.6.1
  • b7d03ce Point readme to correct docs for production builds (#153)
  • a94243f Update the repository location (#148)
  • 77c62a7 Fix failing tests (#129)
  • 644844c Merge pull request #140 from flarnie/master
  • 0b5db12 Add `CODE_OF_CONDUCT`
  • a6900f0 Add CONTRIBUTING.md
  • 492e230 Update README.md with improved importing for CDNs (#104)

See the full diff

Package name: sequelize The new version differs by 250 commits.
  • d3f5b5a feat: throw an error if attribute includes parentheses (fixes CVE-2023-22578) (#15710)
  • 53bd9b7 meta: fix null test getWhereConditions (#15705)
  • 13f2e89 fix: accept undefined in where (#15703)
  • d9e0728 fix: throw if where receives an invalid value (#15699)
  • 48d6193 fix: update moment-timezone version (#15685)
  • fd4afa6 feat(types): use retry-as-promised types for retry options to match documentation (#15484)
  • 1247c01 feat: add support for bigints (backport of #14485) (#15413)
  • 94beace feat(postgres): add support for lock_timeout [#15345] (#15355)
  • 7885000 fix(oracle): remove hardcoded maxRows value (#15323)
  • bc39fd6 fix: fix parameters not being replaced when after $$ strings (#15307)
  • a205765 fix(postgres): invalidate connection after client-side timeout (#15283)
  • 67e69cd fix: remove options.model overwrite on bulkUpdate (#15252)
  • 00c6da3 fix(types): add instance.dataValues property to model.d.ts (#15240)
  • bf98d7c meta: swap Slack links (#15159)
  • 7990095 fix: don't treat \ as escape in standard strings, support E-strings, support vars after ->> operator, treat lowercase e as valid e-string prefix (#15139)
  • 851daaf fix(types): fix TS 4.9 excessive depth error on `InferAttributes` (v6) (#15135)
  • 9dd93b8 fix(types): expose legacy "types" folder in export alias ( #15123)
  • 06ad05d feat(oracle): add support for `dialectOptions.connectString` (#15042)
  • a44772e feat(snowflake): Add support for `QueryGenerator#tableExistsQuery` (#15087)
  • 55051d0 docs: add missing ssl options for sequelize instance (v6) (#15049)
  • 5c88734 docs(model): Added paranoid option for Model.BelongsToMany.through (#15065)
  • 7203b66 fix(postgres): add custom order direction to subQuery ordering with minified alias (#15056)
  • 5f621d7 fix(oracle): add support for Oracle DB 18c CI (#15016)
  • 3468378 feat(types): add typescript 4.8 compatibility (#14990)

See the full diff

Package name: validator The new version differs by 250 commits.
  • 47ee5ad 13.7.0
  • 496fc8b fix(rtrim): remove regex to prevent ReDOS attack (#1738)
  • 45901ec Merge pull request #1851 from validatorjs/chore/fix-merge-conflicts
  • 83cb7f8 chore: merge conflict clean-up
  • f17e220 feat(isMobilePhone): add El Salvador es-SV locale
  • 5b06703 feat(isMobilePhone): add Palestine ar-PS locale
  • a3faa83 feat(isMobilePhone): add Botswana en-BW locale
  • 26605f9 feat(isMobilePhone): add Turkmenistan tk-TM
  • 0e5d5d4 feat(isMobilePhone): add Guyana en-GY locale
  • f7ff349 feat(isMobilePhone): add Frech Polynesia fr-PF locale
  • 8627e48 feat(isMobilePhone): add Kiribati en-KI locale
  • ed60123 feat(isMobilePhone): add Tajikistan tg-TJ locale (#1846)
  • c96d805 feat(isMobilePhone): add Maldives dv-MV locale
  • 5c2d69e feat(isMobilePhone): regex for Burkina Faso fr-BF and Namibia en-NA locales
  • fc0fefc feat(isMobilePhone): add Bhutan dz-BT locale (#1770)
  • 01d3da3 feat(isMobilePhone): add Tajikistan tg-TJ locale (#1846)
  • af2b43c feat(isUUID): add support for validation of version v1 and v2 (#1848)
  • 769f6d5 feat(contains): add possibility to check that string contains seed multiple times (#1836)
  • f2381e0 feat: (isMobilePhone): add Cameroon fr-CM locale (#1772)
  • 5773869 feat(isVAT): add dutch NL locale (#1825)
  • de1cb29 fix: Russian passport number regex (#1810)
  • 7bee611 add CDN use option with unpkg (#1844)
  • 57cc14e feat(isIdentityCard): add finnish locale (#1838)
  • 2201869 feat: added finnish locale to isAlpha and isAlphanumeric (#1837)

See the full diff

Package name: webpack The new version differs by 250 commits.
  • 04f90c5 4.26.0
  • e1df721 Merge pull request #8392 from vkrol/cherry-pick-terser-to-webpack-4
  • a818def fix for changed API in terser plugin warningsFilter
  • b39abf4 Rename test directories too
  • 311a728 Switch from uglifyjs-webpack-plugin to terser-webpack-plugin
  • a230148 Merge pull request #8351 from DeTeam/chunk-jsdoc-typo
  • 7a0af76 Fix a typo in Chunk#split jsdoc comment
  • 2361995 4.25.1
  • e2a2016 Merge pull request #8338 from webpack/bugfix/issue-8293
  • babe736 replace prefix/postfix even when equal for wrapped context
  • dcd0d59 test for #8293
  • af123a8 Merge pull request #8334 from webpack/bugfix/lint
  • 36eb0bb move azure specific commands to azure-pipelines.yml
  • 290094e 4.25.0
  • 355590e Merge pull request #8250 from Aladdin-ADD/patch-3
  • 0293c3a Merge pull request #8279 from smelukov/support-entry-progress
  • 1ea411b Merge pull request #8139 from NaviMarella/FormatManifest
  • 4b72635 exclude watch test cases
  • e35d084 increase test timeout
  • 6be1411 move schema into definitions
  • 3d74504 add missing hooks to progress
  • 56d8a8f prevent writing the same message multiple times to stderr
  • 64e3826 use flags to show different parts of the progress message
  • 8c5e74f Merge branch 'master' into support-entry-progress

See the full diff

Package name: webpack-dev-server The new version differs by 250 commits.
  • 4ab1f21 chore(release): 3.11.0
  • 0e51fb1 fix: invalidate route (#2584)
  • f857c40 chore: deps and tests
  • 41d1d0c fix(deps): security vulnerability in yargs-parser (#2566)
  • 375ab23 ci: add node@14 (#2530)
  • 776e7d4 chore(deps): update dependency html-entities to ^1.3.1 (master) (#2513)
  • 984536c chore: update lint-staged config (#2524)
  • 89ffb86 feat: add invalidate endpoint (#2493)
  • 0e9bffb chore(deps): update all patch dependencies (#2508)

@snyk-bot
fix: package.json, package-lock.json & .snyk to reduce vulnerabilities
753e74a 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-BCRYPT-572911
- https://snyk.io/vuln/SNYK-JS-BCRYPT-575033
- https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180022
- https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180024
- https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180026
- https://snyk.io/vuln/SNYK-JS-JWTSIMPLE-174523
- https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118
- https://snyk.io/vuln/SNYK-JS-NODEFETCH-674311
- https://snyk.io/vuln/SNYK-JS-NODESASS-535501
- https://snyk.io/vuln/SNYK-JS-NODESASS-535504
- https://snyk.io/vuln/SNYK-JS-NODESASS-535505
- https://snyk.io/vuln/SNYK-JS-NODESASS-540982
- https://snyk.io/vuln/SNYK-JS-NODESASS-542662
- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631
- https://snyk.io/vuln/SNYK-JS-QS-3153490
- https://snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-2959225
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-3324088
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-3324089
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-3324090
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450221
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-543029
- https://snyk.io/vuln/SNYK-JS-SOCKJS-575261
- https://snyk.io/vuln/SNYK-JS-SSRI-1246392
- https://snyk.io/vuln/SNYK-JS-TAR-1536528
- https://snyk.io/vuln/SNYK-JS-TAR-1536531
- https://snyk.io/vuln/SNYK-JS-TAR-1536758
- https://snyk.io/vuln/SNYK-JS-TAR-1579147
- https://snyk.io/vuln/SNYK-JS-TAR-1579152
- https://snyk.io/vuln/SNYK-JS-TAR-1579155
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090599
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090600
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090601
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090602
- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:extend:20180424
- https://snyk.io/vuln/npm:hoek:20180212
- https://snyk.io/vuln/npm:stringstream:20180511
- https://snyk.io/vuln/npm:tough-cookie:20170905
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ludralph @snyk-bot