New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 16 vulnerabilities #40

Open

jeremylorino wants to merge 1 commit into master from snyk-fix-9bbd34e31c87e70b867165b582911ca8

Owner

jeremylorino commented Nov 27, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	Yes	Proof of Concept
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Cross-site Request Forgery (CSRF) SNYK-JS-AXIOS-6032459	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	Yes	Proof of Concept
	344/1000 Why? Has a fix available, CVSS 2.6	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-JSONBIGINT-608659	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-NODEFORGE-2330875	Yes	Proof of Concept
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-NODEFORGE-2331908	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430337	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430339	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430341	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @google-cloud/logging-winston

The new version differs by 112 commits.

8305c92 chore: release 1.0.0 (#326)
a46f385 chore: remove root and samples package-lock.json (#338)
fc87d65 fix(deps): bump minimum required dependencies (#336)
2d72bc1 chore: update @ google-cloud/common to 2.x (#331)
d55c939 build: remove verbose logging from test scripts (#332)
2214438 build: ignore proto files in test coverage (#330)
9afc5e0 chore: clean up dev dependencies (#327)
c83050b build: add configuration for automated doc deployment (#328)
059c2a1 fix(deps): update dependency @ google-cloud/logging to v5 (#324)
b3d666e build: updated kokoro config for coverage and release-please (#321)
6260654 build: add new kokoro config for coverage and release-please (#320)
450295f fix: use immutable winston level (#319)
6182968 fix(deps): update dependency google-auth-library to v4 (#317)
c7ab418 chore(deps): update dependency @ google-cloud/common to v1 (#318)
27b41e4 chore(chore): upgrade to gts 1.0.0 (#310)
d466a45 build: only pipe to codecov if tests run on Node 10
a61911b build: allow Node 10 on presubmit to push to codecov (#316)
7418f77 build: allow Node 10 to push to codecov (#315)
1f3e345 build: patch Windows container, fixing Node 10 (#314)
7010ee5 chore: do not run CI on grpc-js (#311)
7ff405c chore(deps): update dependency eslint-plugin-node to v9 (#312)
c777689 build!: upgrade engines field to >=8.10.0 (#308)
08631b7 chore!: drop node 6 support (#307)
f762657 chore: removing node6 CI (#309)

See the full diff

Package name: @google-cloud/pubsub

The new version differs by 250 commits.

bb26010 chore: release 0.29.0 (#609)
c72491f refactor(subscriber): message stream retry logic (#607)
46c75a2 chore(deps): update dependency jsdoc to v3.6.2 (#606)
ef45af3 refactor: use core grpc (#608)
6415e7c fix(deps): update dependency google-gax to v1 (#604)
2e669a1 fix(deps): update dependency @ google-cloud/precise-date to v1 (#603)
baf9d39 fix(deps): update dependency google-auth-library to v4 (#601)
1ae8db9 fix: DEADLINE_EXCEEDED retry code is idempotent (#605)
a72df8a test: fix snapshot fixture creation (#602)
39b1dac fix: DEADLINE_EXCEEDED no longer treated as idempotent and retried
22dc668 build: update build config and doc comments (#593)
181553a fix(deps): update dependency @ google-cloud/paginator to v1 (#592)
76f5c7b build: allow Node 10 on presubmit to push to codecov (#598)
bbc59fa build: allow Node 10 to push to codecov (#597)
397f876 build: patch Windows container, fixing Node 10 (#596)
a9dd7f1 chore: do not run CI on grpc-js (#586)
fb76bf4 chore(deps): update dependency eslint-plugin-node to v9 (#587)
d01d010 fix(deps): update dependency @ google-cloud/projectify to v1 (#588)
dad7530 fix(deps): update dependency @ google-cloud/promisify to v1 (#589)
6ef6260 chore(deps): update dependency gts to v1 (#579)
2116474 build!: upgrade engines field to >=8.10.0 (#584)
2004351 chore: removing node6 CI (#585)
4214a4f fix(deps): update dependency google-gax to ^0.26.0 (#583)
b5f8df2 chore: update formatting for generated code (#580)

See the full diff

Package name: @google-cloud/storage

The new version differs by 222 commits.

f1ef9c6 Release v2.4.3 (#628)
b80ee22 fix(deps): update dependency @ google-cloud/pubsub to ^0.28.0
813ecca tests: fix assertion syntax (#629)
e24f2d1 fix(deps): update dependency @ google-cloud/paginator to ^0.2.0
72a57ab build: Add docuploader credentials to node publish jobs (#624)
58d4ea5 fix(deps): update dependency gcs-resumable-upload to v1 (#619)
23a3cf0 build: use node10 to run samples-test, system-test etc (#623)
a5ea8ab fix(deps): update dependency @ google-cloud/pubsub to ^0.27.0 (#620)
0a6c134 build: update release configuration
5dcb36c fix(deps): update dependency @ google-cloud/pubsub to ^0.26.0 (#618)
c09f7c2 fix: handle errors from file#createReadStream (#615)
d10c120 fix(deps): update dependency @ google-cloud/pubsub to ^0.25.0 (#616)
1c3bd03 fix: getSigned(Policy|Url) throws if expiration is invalid Date (#614)
f6acc87 chore(deps): update dependency mocha to v6 (#611)
c3f3a8e build: use linkinator for docs test (#607)
86246f9 docs: update links in contrib guide (#610)
e29512f fix(deps): update dependency @ google-cloud/promisify to ^0.4.0 (#609)
e229d60 chore(deps): update dependency @ types/tmp to v0.0.34 (#608)
30a2c5d fix(deps): update dependency yargs to v13 (#606)
7e32925 build: create docs test npm scripts (#605)
4cfa23c build: test using @ grpc/grpc-js in CI (#604)
7526624 docs: update contributing path in README (#603)
c3e1da2 chore: move CONTRIBUTING.md to root (#601)
1f8bacf chore: remove console.log in system test (#599)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-Side Request Forgery (SSRF)
🦉 Cross-site Request Forgery (CSRF)
🦉 More lessons are available in Snyk Learn


          fix: package.json & package-lock.json to reduce vulnerabilities

24e3b96

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
- https://snyk.io/vuln/SNYK-JS-AXIOS-1579269
- https://snyk.io/vuln/SNYK-JS-AXIOS-6032459
- https://snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-2332181
- https://snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-2396346
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-JSONBIGINT-608659
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2330875
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2331908
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430337
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430339
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430341
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
- https://snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet