New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 4 vulnerabilities #120

Open

snyk-bot wants to merge 1 commit into master from snyk-fix-54612c2dbc67f1391005c058f445a87d

snyk-bot commented Jul 17, 2020

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	Denial of Service (DoS) SNYK-JS-HTTPPROXY-569139	No	Proof of Concept
	Prototype Pollution SNYK-JS-YARGSPARSER-560381	No	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:ua-parser-js:20180227	No	Proof of Concept

Commit messages

Package name: browser-sync

The new version differs by 147 commits.

2b55728 v2.26.9
2bf8812 v2.26.8
0f3cc0b fix: npm audit fixes (root)
ba1f09f fix: npm audit fixes
d89252a Merge pull request #1749 from ProLoser/securityFix
df81272 Merge pull request #1771 from tolulawson/master
64f87b9 Merge pull request #1768 from fozzleberry/bump-http-proxy-1.18.1
43dc459 Merge pull request #1725 from nitinbansal1989/master
894d031 -- Corrected codesync tagline
0667104 used correct syntax on bump
938e611 bumped node engines to >= 8.0.0
20a0334 bumped http proxy to >=1.18.1
c103029 Security fix for #1649
864c9f1 upgrade chokidar version
2191369 v2.26.7
53f9b36 docs: readme
0b3d98b v2.26.6
fdfc681 tests: add e2e tests to package.json
c56cfd9 Merge pull request #1698 from emeitch/fix_deprecated_header
2fd598f Merge pull request #1690 from XhmikosR/xmr-ci
841ccd5 Merge pull request #1694 from coliff/patch-1
209c9c1 Merge pull request #1697 from gaards/update-localtunnel
87bee4b Use getHeaders or _headers
77abfd3 Update localtunnel

See the full diff

Package name: gulp-less

The new version differs by 4 commits.

7d9df97 4.0.0
cde149b Update accord to support [email protected] - closes Version 10 of node.js has been released Gottwik/Enduro#269
453625a 3.5.0
d706f87 fix(deps): update accord to version 0.28 (Can't reopen existing project Gottwik/Enduro#281)

See the full diff

Package name: npm

The new version differs by 225 commits.

c62d0ea 5.10.0
9edd48e docs: update changelog for [email protected]
e33bc08 audit: Timeout audit requests eventually
9cb9102 5.10.0-next.1
dab8d6d update AUTHORS
ba6f620 doc: update changelog for [email protected]
be01b7d test: Change bad url in test in anticipation of aliasing
74bcdb8 update: Add parens to clarify order of operations when defaulting where
3232699 deps: Fix regexp used to cleanup from fields
fb99f75 travis: Add node v10
d6187a9 mailmap: Update with real names
1822379 audit: Only report audit as being unsupported on 404 and >= 500
35de046 docs: describe what colors in outdated mean
e0235eb docs: add from field back into git dependencies
fb7efac makefile: call cache clean with --force
cf09066 audit: Refuse to run in global mode
bc3fc55 audit: Verify lockfile integrity before running
7d43ddf audit: Exit with non-zero when vulnerabilities are found
113e1a3 inflate-shrinkwrap: Infer versions from tarballs to self heal
36f9984 shrinkwrap: Prefer computed resolved from dep tree
aadbf3f audit: Include session and scope in requests
f9804b1 cmd-list: How else am I supposed to deploy my urns?
dac6f9b cmd-list: sit booboo, cit
a6e2f12 audit: Make sure we hide stream errors on background audit submissions

See the full diff

Package name: request

The new version differs by 41 commits.

6420240 2.88.0
bd22e21 fix: massive dependency upgrade, fixes all production vulnerabilities
925849a Merge pull request #2996 from kwonoj/fix-uuid
7b68551 fix(uuid): import versioned uuid
5797963 Merge pull request #2994 from dlecocq/oauth-sign-0.9.0
628ff5e Update to oauth-sign 0.9.0
10987ef Merge pull request #2993 from simov/fix-header-tests
cd848af These are not going to fail if there is a server listening on those ports
a92e138 #515, #2894 Strip port suffix from Host header if the protocol is known. (#2904)
45ffc4b Improve AWS SigV4 support. (#2791)
a121270 Merge pull request #2977 from simov/update-cert
bd16414 Update test certificates
536f0e7 2.87.1
02fc5b1 Update changelog
de1ed5a 2.87.0
a6741d4 Replace hawk dependency with a local implemenation (#2943)
a7f0a36 2.86.1
8f2fd4d Update changelog
386c7d8 2.86.0
76a6e5b Merge pull request #2885 from ChALkeR/patch-1
db76838 Merge branch 'patch-1' of github.com:ChALkeR/request
fb7aeb3 Merge pull request #2942 from simov/fix-tests
e47ce95 Add Node v10 build target explicitly
0c5db42 Skip status code 105 on Node > v10

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


          fix: package.json & package-lock.json to reduce vulnerabilities

c52879e

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AJV-584908
- https://snyk.io/vuln/SNYK-JS-HTTPPROXY-569139
- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
- https://snyk.io/vuln/npm:ua-parser-js:20180227

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet