Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 17 vulnerabilities #50

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 17 vulnerabilities #50

wants to merge 1 commit into from
+1,788 −7,506

Conversation

jeremylorino
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908		 Yes Proof of Concept
medium severity 616/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.9		 Server-Side Request Forgery (SSRF)
SNYK-JS-AXIOS-1038255		 No Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-AXIOS-1579269		 No Proof of Concept
high severity 676/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.1		 Cross-site Request Forgery (CSRF)
SNYK-JS-AXIOS-6032459		 No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Information Exposure
SNYK-JS-FOLLOWREDIRECTS-2332181		 No Proof of Concept
low severity 344/1000
Why? Has a fix available, CVSS 2.6		 Information Exposure
SNYK-JS-FOLLOWREDIRECTS-2396346		 No No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-GLOBPARENT-1016905		 No Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Prototype Pollution
SNYK-JS-JSONBIGINT-608659		 Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASHSET-1320032		 No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Open Redirect
SNYK-JS-NODEFORGE-2330875		 Yes Proof of Concept
medium severity 529/1000
Why? Has a fix available, CVSS 6.3		 Prototype Pollution
SNYK-JS-NODEFORGE-2331908		 Yes No Known Exploit
medium severity 494/1000
Why? Has a fix available, CVSS 5.6		 Improper Verification of Cryptographic Signature
SNYK-JS-NODEFORGE-2430337		 Yes No Known Exploit
high severity 579/1000
Why? Has a fix available, CVSS 7.3		 Improper Verification of Cryptographic Signature
SNYK-JS-NODEFORGE-2430339		 Yes No Known Exploit
medium severity 494/1000
Why? Has a fix available, CVSS 5.6		 Improper Verification of Cryptographic Signature
SNYK-JS-NODEFORGE-2430341		 Yes No Known Exploit
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Server-side Request Forgery (SSRF)
SNYK-JS-REQUEST-3361831		 No Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Prototype Pollution
SNYK-JS-TOUGHCOOKIE-5672873		 No Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Prototype Pollution
SNYK-JS-UNSETVALUE-2400660		 No No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: @google-cloud/logging-winston The new version differs by 103 commits.
  • 8305c92 chore: release 1.0.0 (#326)
  • a46f385 chore: remove root and samples package-lock.json (#338)
  • fc87d65 fix(deps): bump minimum required dependencies (#336)
  • 2d72bc1 chore: update @ google-cloud/common to 2.x (#331)
  • d55c939 build: remove verbose logging from test scripts (#332)
  • 2214438 build: ignore proto files in test coverage (#330)
  • 9afc5e0 chore: clean up dev dependencies (#327)
  • c83050b build: add configuration for automated doc deployment (#328)
  • 059c2a1 fix(deps): update dependency @ google-cloud/logging to v5 (#324)
  • b3d666e build: updated kokoro config for coverage and release-please (#321)
  • 6260654 build: add new kokoro config for coverage and release-please (#320)
  • 450295f fix: use immutable winston level (#319)
  • 6182968 fix(deps): update dependency google-auth-library to v4 (#317)
  • c7ab418 chore(deps): update dependency @ google-cloud/common to v1 (#318)
  • 27b41e4 chore(chore): upgrade to gts 1.0.0 (#310)
  • d466a45 build: only pipe to codecov if tests run on Node 10
  • a61911b build: allow Node 10 on presubmit to push to codecov (#316)
  • 7418f77 build: allow Node 10 to push to codecov (#315)
  • 1f3e345 build: patch Windows container, fixing Node 10 (#314)
  • 7010ee5 chore: do not run CI on grpc-js (#311)
  • 7ff405c chore(deps): update dependency eslint-plugin-node to v9 (#312)
  • c777689 build!: upgrade engines field to >=8.10.0 (#308)
  • 08631b7 chore!: drop node 6 support (#307)
  • f762657 chore: removing node6 CI (#309)

See the full diff

Package name: @google-cloud/pubsub The new version differs by 250 commits.
  • bb26010 chore: release 0.29.0 (#609)
  • c72491f refactor(subscriber): message stream retry logic (#607)
  • 46c75a2 chore(deps): update dependency jsdoc to v3.6.2 (#606)
  • ef45af3 refactor: use core grpc (#608)
  • 6415e7c fix(deps): update dependency google-gax to v1 (#604)
  • 2e669a1 fix(deps): update dependency @ google-cloud/precise-date to v1 (#603)
  • baf9d39 fix(deps): update dependency google-auth-library to v4 (#601)
  • 1ae8db9 fix: DEADLINE_EXCEEDED retry code is idempotent (#605)
  • a72df8a test: fix snapshot fixture creation (#602)
  • 39b1dac fix: DEADLINE_EXCEEDED no longer treated as idempotent and retried
  • 22dc668 build: update build config and doc comments (#593)
  • 181553a fix(deps): update dependency @ google-cloud/paginator to v1 (#592)
  • 76f5c7b build: allow Node 10 on presubmit to push to codecov (#598)
  • bbc59fa build: allow Node 10 to push to codecov (#597)
  • 397f876 build: patch Windows container, fixing Node 10 (#596)
  • a9dd7f1 chore: do not run CI on grpc-js (#586)
  • fb76bf4 chore(deps): update dependency eslint-plugin-node to v9 (#587)
  • d01d010 fix(deps): update dependency @ google-cloud/projectify to v1 (#588)
  • dad7530 fix(deps): update dependency @ google-cloud/promisify to v1 (#589)
  • 6ef6260 chore(deps): update dependency gts to v1 (#579)
  • 2116474 build!: upgrade engines field to >=8.10.0 (#584)
  • 2004351 chore: removing node6 CI (#585)
  • 4214a4f fix(deps): update dependency google-gax to ^0.26.0 (#583)
  • b5f8df2 chore: update formatting for generated code (#580)

See the full diff

Package name: snyk The new version differs by 137 commits.
  • 4cc1a94 Merge pull request #2105 from snyk/feat/webpack
  • 7737f75 Merge pull request #2181 from snyk/test/migrate-old-snyk-format
  • 418e6ad Merge pull request #2180 from snyk/test/migrate-is-docker
  • 95631e7 test: migrate is-docker to jest
  • babe22a test: migrate old-snyk-format to jest
  • e22e94f feat: Snyk CLI is bundled with Webpack
  • dd46c19 Merge pull request #2175 from snyk/fix/snyk-protect-multiple
  • e7c314f Merge pull request #2178 from snyk/test/server-close
  • 5e824c0 fix(protect): skip previously patched files
  • ca2177a fix(protect): catch and log unexpected errors
  • c9ddb44 chore(protect): move api url warnings to stderr
  • e8fed38 refactor(protect): move stdout logs to top level
  • 55e88f9 Merge pull request #2177 from snyk/test/set-jest-acceptance-timeout
  • 1522c5f test: server.close uses callbacks, not promises
  • 13dce51 test: increase timeout for slow oauth test
  • 65c35be Merge pull request #2172 from snyk/chore/no-run-test-on-master
  • a1e3992 chore: don't run tests on master
  • 20feb67 Merge pull request #2165 from snyk/chore/dont-wait-for-regression-tests
  • f50bca7 Merge pull request #2167 from snyk/refactor/replace-cc-parser-with-split-functions
  • 1ed7d11 refactor: replace cc parser with split functions
  • 707801d Merge pull request #2166 from snyk/fix/support_quotes_in_poetry_toml
  • dc6b784 Merge pull request #2163 from snyk/chore/remove-store-test-results
  • 7973015 fix: support quoted keys in inline tables
  • 18f0d2a Merge pull request #2164 from snyk/chore/upgrade-snyk-nuget-plugin

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-Side Request Forgery (SSRF)
🦉 Cross-site Request Forgery (CSRF)
🦉 More lessons are available in Snyk Learn

@snyk-bot
fix: package.json & package-lock.json to reduce vulnerabilities
411db43 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
- https://snyk.io/vuln/SNYK-JS-AXIOS-1579269
- https://snyk.io/vuln/SNYK-JS-AXIOS-6032459
- https://snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-2332181
- https://snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-2396346
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-JSONBIGINT-608659
- https://snyk.io/vuln/SNYK-JS-LODASHSET-1320032
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2330875
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2331908
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430337
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430339
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430341
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
- https://snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jeremylorino @snyk-bot