Skip to content
This repository has been archived by the owner on Nov 10, 2023. It is now read-only.

[Snyk] Fix for 15 vulnerabilities #285

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 15 vulnerabilities #285

wants to merge 1 commit into from

Conversation

sanderaernouts
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json
    • package-lock.json

  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
    Find out more.

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908		 No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Denial of Service (DoS)
SNYK-JS-JSZIP-1251497		 No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-NCONF-2395478		 No Proof of Concept
high severity 706/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.7		 Server-side Request Forgery (SSRF)
SNYK-JS-NETMASK-1089716		 No Proof of Concept
high severity 726/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.1		 Remote Code Execution (RCE)
SNYK-JS-PACRESOLVER-1564857		 No Proof of Concept
medium severity 718/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.5		 Server-side Request Forgery (SSRF)
SNYK-JS-PARSEURL-3023021		 No Proof of Concept
medium severity 643/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5		 Improper Input Validation
SNYK-JS-PARSEURL-3024398		 No Proof of Concept
high severity 676/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.1		 Improper Privilege Management
SNYK-JS-SHELLJS-2332187		 No Proof of Concept
medium severity 596/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.5		 Arbitrary Code Injection
SNYK-JS-UNDERSCORE-1080984		 No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090599		 No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090600		 No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090601		 No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090602		 No Proof of Concept
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Buffer Overflow
npm:validator:20160218		 No No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: snyk The new version differs by 250 commits.
  • 8987918 Merge pull request #1781 from snyk/fix/replace-proxy
  • eec11b7 test: raise timeout for snyk protect tests hitting real Snyk API
  • 8045ceb test: update proxy tests for the new proxy global-agent
  • 0d0c76a feat: support lowercase http_proxy envvars
  • e597846 test(proxy): acceptance test for Proxy envvar settings
  • 6d67579 fix: replace vulnerable proxy dependency
  • 1449c57 Merge pull request #1707 from snyk/feat/snyk-fix
  • 3d872fb test: assert exact errors for unsupported
  • 5ebd685 Merge pull request #1777 from snyk/feat/fix-with-version-provenance
  • 17e3431 Merge pull request #1778 from snyk/feat/dont-force-https
  • fdd7f1a docs: update SNYK_HTTP_PROTOCOL_UPGRADE description
  • 165b4b9 feat: introduce envvar to control HTTP-HTTPS upgrade behavior
  • 77e6665 chore: lerna release with exact version
  • f14819f Merge pull request #1760 from snyk/feat/support-critical-in-sarif
  • b286418 feat: v1 support for previously fixed reqs.txt
  • 0384020 feat: basic pip fix -r support
  • f94c558 feat: include pins optionally
  • 66ca77a feat: do not skip files with -r directive
  • bc44f9a refactor: fix individual reqs manifest
  • 6e84322 feat: fix individual file with provenance
  • 9ed99f3 Merge pull request #1764 from snyk/feat/update-code-client
  • c92599b Merge pull request #1774 from snyk/refactor/change-binaries-release-script
  • ca508ac test: smoke test for `snyk fix`
  • c68c7da feat: add @ snyk/fix as a dep

See the full diff

Package name: tfx-cli The new version differs by 50 commits.
  • 30ffb29 Resolve vulnerabilities (#401)
  • d49fb32 Update dependencies (#398)
  • e9efa2b Bumped package version (#390)
  • 0cf8832 Enable use of --override and --overrides-file when --manifest-js is specified (#375)
  • d49e19c Added action - to add tickets to the team's planning board (#387)
  • 2dbd6ff delete wrong video-links (#386)
  • 3e95e11 Bump version to 0.9.2.
  • 00029a1 Merge pull request #374 from bworline/manifestjs-param-bug
  • 7b25b8d Fix cmd line parsing bug for the --manifest-js parameter
  • 113e3b3 Bump version to 0.9.1
  • 16728c5 Merge pull request #342 from bworline/manifest-js
  • 32aa8e0 change --manifestJs arg type in a 2nd place
  • b084b37 Change arg type of --manifestJs from String to ReadableFilePathsArgument
  • b8d1ef8 Bump version to 0.9.0.
  • 6260399 Fix extension init command for non Windows users
  • 2efcf96 Remove tfx extension publisher command. (#368)
  • 92d471c Merge branch 'master' of https://github.com/microsoft/tfs-cli into manifest-js
  • 72c0158 Merge pull request #359 from xinyi-joffre/fix-rev-version
  • f62ac13 Fix --rev-version bug
  • 28dfb8b Merge pull request #354 from microsoft/users/jtpetty/bug-1769158
  • 404398f updated package version
  • f6a76b2 updates from pr feedback
  • e0f5e99 Fixed issue where additional package paths would add duplicate files
  • ba377af Merge pull request #351 from microsoft/users/brwillis/fix-extension-publishing

See the full diff

With a Snyk patch:
Severity Priority Score (*) Issue Exploit Maturity
high severity 731/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.2		 Prototype Pollution
SNYK-JS-LODASH-567746		 Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Buffer Overflow
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn

@snyk-bot
fix: package.json, package-lock.json & .snyk to reduce vulnerabilities
1995e1c 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-JSZIP-1251497
- https://snyk.io/vuln/SNYK-JS-NCONF-2395478
- https://snyk.io/vuln/SNYK-JS-NETMASK-1089716
- https://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857
- https://snyk.io/vuln/SNYK-JS-PARSEURL-3023021
- https://snyk.io/vuln/SNYK-JS-PARSEURL-3024398
- https://snyk.io/vuln/SNYK-JS-SHELLJS-2332187
- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090599
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090600
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090601
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090602
- https://snyk.io/vuln/npm:validator:20160218


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
@sanderaernouts sanderaernouts force-pushed the master branch 7 times, most recently from 1a3318e to cab3ab3 Compare November 10, 2023 10:27
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sanderaernouts @snyk-bot