Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 13 vulnerabilities #67

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

snyk-bot
Copy link
Contributor

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json
    • package-lock.json
  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
    Find out more.

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
No Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Prototype Pollution
SNYK-JS-GETOBJECT-1054932
No No Known Exploit
medium severity 484/1000
Why? Has a fix available, CVSS 5.4
Open Redirect
SNYK-JS-GOT-2932019
No No Known Exploit
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3
Directory Traversal
SNYK-JS-GRUNT-2635969
No Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5
Race Condition
SNYK-JS-GRUNT-2813632
No Proof of Concept
high severity 569/1000
Why? Has a fix available, CVSS 7.1
Arbitrary Code Execution
SNYK-JS-GRUNT-597546
No No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-NCONF-2395478
No Proof of Concept
high severity 706/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.7
Server-side Request Forgery (SSRF)
SNYK-JS-NETMASK-1089716
No Proof of Concept
high severity 726/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.1
Remote Code Execution (RCE)
SNYK-JS-PACRESOLVER-1564857
No Proof of Concept
medium severity 718/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.5
Server-side Request Forgery (SSRF)
SNYK-JS-PARSEURL-3023021
No Proof of Concept
medium severity 643/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5
Improper Input Validation
SNYK-JS-PARSEURL-3024398
No Proof of Concept
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-UGLIFYJS-1727251
Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: grunt The new version differs by 75 commits.
  • 82d79b8 1.5.3
  • 572d79b Merge pull request #1745 from gruntjs/fix-copy-op
  • 58016ff Patch up race condition in symlink copying.
  • 0749e1d Merge pull request #1746 from JamieSlome/patch-1
  • 69b7c50 Create SECURITY.md
  • ac667b2 1.5.2
  • 7f15fd5 Update Changelog
  • b0ec6e1 Merge pull request #1743 from gruntjs/cleanup-link
  • 433f91b Clean up link handling
  • d5969ec 1.5.1
  • ad22608 Merge pull request #1742 from gruntjs/update-symlink-test
  • 0652305 Fix symlink test
  • a7ab0a8 1.5.0
  • b2b2c2b Updated changelog
  • 3eda6ae Merge pull request #1740 from gruntjs/update-deps-22-10
  • 47d32de Update testing matrix
  • 2e9161c More updates
  • 04b960e Remove console log
  • aad3d45 Update dependencies, tests...
  • fdc7056 Merge pull request #1736 from justlep/main
  • e35fe54 support .cjs extension
  • ee722d1 1.4.1
  • e7625e5 Update Changelog
  • 5d67e34 Merge pull request #1731 from gruntjs/update-options

See the full diff

Package name: snyk The new version differs by 250 commits.
  • 8987918 Merge pull request #1781 from snyk/fix/replace-proxy
  • eec11b7 test: raise timeout for snyk protect tests hitting real Snyk API
  • 8045ceb test: update proxy tests for the new proxy global-agent
  • 0d0c76a feat: support lowercase http_proxy envvars
  • e597846 test(proxy): acceptance test for Proxy envvar settings
  • 6d67579 fix: replace vulnerable proxy dependency
  • 1449c57 Merge pull request #1707 from snyk/feat/snyk-fix
  • 3d872fb test: assert exact errors for unsupported
  • 5ebd685 Merge pull request #1777 from snyk/feat/fix-with-version-provenance
  • 17e3431 Merge pull request #1778 from snyk/feat/dont-force-https
  • fdd7f1a docs: update SNYK_HTTP_PROTOCOL_UPGRADE description
  • 165b4b9 feat: introduce envvar to control HTTP-HTTPS upgrade behavior
  • 77e6665 chore: lerna release with exact version
  • f14819f Merge pull request #1760 from snyk/feat/support-critical-in-sarif
  • b286418 feat: v1 support for previously fixed reqs.txt
  • 0384020 feat: basic pip fix -r support
  • f94c558 feat: include pins optionally
  • 66ca77a feat: do not skip files with -r directive
  • bc44f9a refactor: fix individual reqs manifest
  • 6e84322 feat: fix individual file with provenance
  • 9ed99f3 Merge pull request #1764 from snyk/feat/update-code-client
  • c92599b Merge pull request #1774 from snyk/refactor/change-binaries-release-script
  • ca508ac test: smoke test for `snyk fix`
  • c68c7da feat: add @ snyk/fix as a dep

See the full diff

With a Snyk patch:
Severity Priority Score (*) Issue Exploit Maturity
high severity 731/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.2
Prototype Pollution
SNYK-JS-LODASH-567746
Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant