[Snyk] Fix for 7 vulnerabilities #147

urvi-occ · 2024-10-10T04:43:25Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
624/1000 Why? Has a fix available, CVSS 8.2	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	No	No Known Exploit
601/1000 Why? Recently disclosed, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	Yes	No Known Exploit
519/1000 Why? Has a fix available, CVSS 6.1	Open Redirect SNYK-JS-EXPRESS-6474509	No	No Known Exploit
469/1000 Why? Has a fix available, CVSS 5.1	Cross-site Scripting SNYK-JS-EXPRESS-7926867	No	No Known Exploit
666/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	No	Proof of Concept
319/1000 Why? Has a fix available, CVSS 2.1	Cross-site Scripting SNYK-JS-SEND-7926862	No	No Known Exploit
319/1000 Why? Has a fix available, CVSS 2.1	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @gen3/guppy

The new version differs by 100 commits.

f4c6b43 (PPS-1564 PPS-1567 PPS-1585): update body-parser and package lock file to use newer dependencies (PXD-606 ⁃ Cursor location mismatched in submitting editor box uc-cdis/data-portal#285)
c9c2ae1 Update integration_tests.yaml (PXD-600 ⁃ fix titles for all the commons uc-cdis/data-portal#284)
3ed8b37 fix: package.json & package-lock.json to reduce vulnerabilities (PXD-331 ⁃ Provide appropriate dictionary items uc-cdis/data-portal#280)
c715904 Fix param ordering in server.js (PXD-330 ⁃ allow {domain}/qa.html to use js at qa-{commons}.planx-pla.net uc-cdis/data-portal#277)
a43e002 fix apply hide number resolver to as text agg results (PXD-347 ⁃ handle Commons that doesn't have availability_type uc-cdis/data-portal#274)
8aabbdd chore(deps-dev): bump ws from 6.2.2 to 6.2.3 (Feat/logo uc-cdis/data-portal#272)
59d77ca chore(deps): bump braces from 3.0.2 to 3.0.3 (PXD-346 ⁃ Gen3 -> Implement new design for Login Page and Profile page uc-cdis/data-portal#271)
f5bb705 fix: upgrade @ apollo/server from 4.10.2 to 4.10.3 (Gen3 -> Redesign Profile Page uc-cdis/data-portal#270)
a5fecc0 fix: upgrade loglevel from 1.9.0 to 1.9.1 (Gen3 -> Redesign Login Page uc-cdis/data-portal#269)
180311e fix: upgrade @ apollo/server from 4.9.5 to 4.10.2 (Feat/analysis uc-cdis/data-portal#267)
9aba1fa fix: package.json & package-lock.json to reduce vulnerabilities (PXD-343 ⁃ create stylesheet hierachy uc-cdis/data-portal#260)
bfb99e9 fix: upgrade loglevel from 1.8.1 to 1.9.0 (Create Elastic Search uc-cdis/data-portal#255)
6560437 fix: upgrade @ apollo/server from 4.9.4 to 4.9.5 (fix(code): check for 401 too uc-cdis/data-portal#249)
58436b6 fix: upgrade graphql-tools from 9.0.0 to 9.0.1 (feat(session): support sliding session uc-cdis/data-portal#257)
df89437 chore(deps): bump protobufjs from 7.2.4 to 7.2.6 (PXD-345 ⁃ Exploration Page (The Next Iteration) uc-cdis/data-portal#263)
c339907 chore(deps-dev): bump ejs from 3.1.9 to 3.1.10 (feat(ibdgc): add ibdgc configuration uc-cdis/data-portal#265)
eb6c0f6 changes for guppy integration yaml file (feat(homepage): new homepage uc-cdis/data-portal#266)
228792b Add GH action workflow for integration tests (PXD-344 ⁃ Home/Index Page QC uc-cdis/data-portal#262)
0e2ac93 chore(deps): bump express from 4.18.2 to 4.19.2 (create submission page uc-cdis/data-portal#261)
be0b6b0 chore(deps-dev): bump webpack-dev-middleware from 5.3.3 to 5.3.4 (Fix/internal uc-cdis/data-portal#259)
1867aae chore(deps-dev): bump ip from 2.0.0 to 2.0.1 (Feat/download uc-cdis/data-portal#256)
182ddee chore(logging): add time to graphql log (feat(expires): Add expires_in for data links uc-cdis/data-portal#258)
c5e551b PXP-11248 PXP-11258 using POST auth/mapping instead of GET to support client credentials authentication (Dev: Homepage/Index Page uc-cdis/data-portal#254)
b3a7106 Fix/search fields csrf (Cannot close variable view uc-cdis/data-portal#252)

See the full diff

Package name: @gen3/ui-component

The new version differs by 34 commits.

236fe1b update all dependencies and resolve all warnings and security vulnerabilities ([Snyk] Security upgrade graphiql from 1.4.7 to 1.7.1 #151)
609b6a9 fix: upgrade stylelint from 15.6.3 to 15.7.0 ([Snyk] Fix for 1 vulnerabilities #150)
bc25dd7 fix: upgrade babel-loader from 9.0.0 to 9.1.2 ([Snyk] Fix for 3 vulnerabilities #149)
d237e2d fix: package.json & package-lock.json to reduce vulnerabilities ([Snyk] Fix for 7 vulnerabilities #147)
d0fd73c fix: upgrade stylelint from 15.6.2 to 15.6.3 ([Snyk] Fix for 2 vulnerabilities #148)
2ce55c7 fix: upgrade multiple dependencies with Snyk ([Snyk] Fix for 7 vulnerabilities #146)
de2548b fix: upgrade multiple dependencies with Snyk ([Snyk] Fix for 2 vulnerabilities #144)
4614769 fix: upgrade postcss from 8.4.23 to 8.4.24 ([Snyk] Fix for 4 vulnerabilities #145)
8e1b16c upgrade storybook and run eslint ([Snyk] Fix for 62 vulnerabilities #143)
019c218 release 0.11.3 security fixes ([Snyk] Fix for 62 vulnerabilities #142)
4647a39 [Snyk] Upgrade antd from 4.24.7 to 4.24.9 ([Snyk] Fix for 1 vulnerabilities #141)
bb9ad5d fix: upgrade stylelint from 15.0.0 to 15.6.0 ([Snyk] Fix for 1 vulnerabilities #140)
277ce93 [Snyk] Upgrade react-select-async-paginate from 0.4.1 to 0.7.2 ([Snyk] Fix for 3 vulnerabilities #135)
0502aae fix: upgrade postcss-loader from 7.1.0 to 7.3.0 ([Snyk] Security upgrade @gen3/guppy from 0.14.3 to 0.17.0 #139)
805f522 fix: upgrade eslint-plugin-import from 2.26.0 to 2.27.5 ([Snyk] Fix for 1 vulnerabilities #138)
54bbe28 fix: upgrade recharts from 2.3.0 to 2.5.0 ([Snyk] Fix for 1 vulnerabilities #137)
08b9349 fix: upgrade multiple dependencies with Snyk ([Snyk] Fix for 1 vulnerabilities #136)
d5fdebf [Snyk] Fix for 1 vulnerabilities ([Snyk] Fix for 3 vulnerabilities #134)
1b16ca7 fix: package.json & package-lock.json to reduce vulnerabilities ([Snyk] Fix for 2 vulnerabilities #133)
67c547d fix: package.json & package-lock.json to reduce vulnerabilities ([Snyk] Fix for 1 vulnerabilities #132)
9fa574a fix: upgrade postcss-preset-env from 7.3.1 to 7.8.3 ([Snyk] Fix for 1 vulnerabilities #126)
6411b5c fix: upgrade stylelint from 14.6.1 to 14.15.0 ([Snyk] Fix for 1 vulnerabilities #125)
80017c5 fix: upgrade eslint-plugin-react from 7.28.0 to 7.31.11 ([Snyk] Fix for 31 vulnerabilities #124)
fc556a4 [Snyk] Upgrade: @ babel/core, @ babel/preset-env, @ babel/preset-react ([Snyk] Fix for 1 vulnerabilities #123)

See the full diff

Package name: @storybook/react

The new version differs by 250 commits.

829c72e v6.2.0
f8bfee0 Update root, peer deps, version.ts/json to 6.2.0
2814acc CLI: Don't update versions.json on CLI prepare
637daa1 Update 6.2 changelog
c760793 6.2 release
5595b1e Merge pull request #14348 from gabiseabra/fix/issue_13771
a686a99 6.2.0-rc.13 next.json version file
6be8b92 Update git head to 6.2.0-rc.13
c1dfd5b v6.2.0-rc.13
4ef7b5a Update root, peer deps, version.ts/json to 6.2.0-rc.13
d954d50 6.2.0-rc.13 changelog
1913c92 Merge pull request #14390 from YozhEzhi/patch-1
ee98e0e Merge branch 'next' of github.com:storybookjs/storybook into next
a8aadc4 Update CHANGELOG.md
44eca58 Merge pull request #14392 from storybookjs/fix-raw-toggle
f10ef90 Merge pull request #14391 from YozhEzhi/patch-3
b1ee5e9 Prevent invalid initial color to be accepted as preset
2c6b796 Color picker can't deal with 'transparent' keyword
6951762 Don't show RAW toggle when data isn't representable by REJT
259b12a Update my-component-story-use-globaltype.js.mdx
a8a846b Update my-component-story-use-globaltype.mdx.mdx
57fc3cd 6.2.0-rc.12 next.json version file
ba0f535 Fix changelog
6ec5750 Update git head to 6.2.0-rc.12

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)
🦉 Open Redirect
🦉 Regular Expression Denial of Service (ReDoS)

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-BODYPARSER-7926860 - https://snyk.io/vuln/SNYK-JS-COOKIE-8163060 - https://snyk.io/vuln/SNYK-JS-EXPRESS-6474509 - https://snyk.io/vuln/SNYK-JS-EXPRESS-7926867 - https://snyk.io/vuln/SNYK-JS-PATHTOREGEXP-7925106 - https://snyk.io/vuln/SNYK-JS-SEND-7926862 - https://snyk.io/vuln/SNYK-JS-SERVESTATIC-7926865

pmartinov mentioned this pull request Oct 14, 2024

[Snyk] Fix for 2 vulnerabilities #148

Open

urvi-occ mentioned this pull request Oct 17, 2024

[Snyk] Fix for 3 vulnerabilities #149

Open

pmartinov mentioned this pull request Oct 22, 2024

[Snyk] Fix for 1 vulnerabilities #150

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 7 vulnerabilities #147

[Snyk] Fix for 7 vulnerabilities #147

urvi-occ commented Oct 10, 2024

[Snyk] Fix for 7 vulnerabilities #147

Are you sure you want to change the base?

[Snyk] Fix for 7 vulnerabilities #147

Conversation

urvi-occ commented Oct 10, 2024

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade: