[Snyk] Fix for 9 vulnerabilities #330

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

aliscco wants to merge 1 commit into master from snyk-fix-fec4ef5d9a37fef326c031fcfdb9b7ee

Owner

aliscco commented Apr 28, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- deps/npm/node_modules/asn1/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Improper Privilege Management SNYK-JS-SHELLJS-2332187	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:eslint:20180222	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: eslint

The new version differs by 250 commits.

c4fffbc 8.0.0
d51f4cf Build: changelog update for 8.0.0
7d3f7f0 Upgrade: unfrozen @ eslint/eslintrc (fixes assert: use same value equal for deepStrictEqual NaN nodejs/node#15036) (Need Payment IRS SSA Unemployment ASAP nodejs/node#15146)
2174a6f Fix: require-atomic-updates property assignment message (fixes Should overwriting child_process.execFile result in changed behaviour of child_process.exec? nodejs/node#15076) (http2: adjust error types, increase test coverage nodejs/node#15109)
f885fe0 Docs: add note and example for extending the range of fix (refs (node:7596) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 1): Error: Something took too long to do. nodejs/node#13706) (test: remove common module from test it thwarts nodejs/node#13748)
3da1509 Docs: Add jsdoc `type` annotation to sample rule (doc: fix comment about http2.createSecureServer nodejs/node#15085)
68a49a9 Docs: Update Rollup Integrations (V0.12.6 release nodejs/node#15142)
d867f81 Docs: Remove a dot from curly link (feature-request - include sqlite3 as builtin module for node v9.x nodejs/node#15128)
9f8b919 Sponsors: Sync README with website
4b08f29 Sponsors: Sync README with website
ebc1ba1 Sponsors: Sync README with website
2d654f1 Docs: add example .eslintrc.json (Should spawn with undefined env value be treated as "undefined" string? nodejs/node#15087)
16034f0 Docs: fix fixable example (doc: update README with SHASUMS256.txt.sig info nodejs/node#15107)
07175b8 8.0.0-rc.0
71faa38 Build: changelog update for 8.0.0-rc.0
67c0074 Update: Suggest missing rule in flat config (fixes doc, util, console: clarify ambiguous docs nodejs/node#14027) (test: increase Http2ServerResponse test coverage nodejs/node#15074)
cf34e5c Update: space-before-blocks ignore after switch colons (fixes http keepAliveTimeout triggers while writing large http responses nodejs/node#15082) (test: split path tests into multiple files nodejs/node#15093)
c9efb5f Fix: preserve formatting when rules are removed from disable directives (timers distribution predictability nodejs/node#15081)
14a4739 Update: `no-new-func` rule catching eval case of `MemberExpression` ((v4.x-backport) zlib: fix crash when initializing failed nodejs/node#14860)
7f2346b Docs: Update release blog post template (doc: remove braces which shouldn't be there nodejs/node#15094)
fabdf8a Chore: Remove `target.all` from `Makefile.js` (n-api: refactor napi_addon_register_func nodejs/node#15088)
e3cd141 Sponsors: Sync README with website
05d7140 Chore: document target global in Makefile.js (tcp socket localPort option does not work nodejs/node#15084)
0a1a850 Update: include `ruleId` in error logs (fixes crypto: fix error of createCipher in wrap mode nodejs/node#15037) (tls: replace forEach with for nodejs/node#15053)

See the full diff

Package name: istanbul

The new version differs by 72 commits.

89e338f 0.4.5
7efe4dc update changelog, contributors
da79378 Merge pull request [Snyk] Security upgrade @babel/traverse from 7.14.5 to 7.23.2 #673 from popomore/swap-fileset-for-glob
58f4c90 swap fileset for glob
fef889b Merge pull request [Snyk] Fix for 2 vulnerabilities #657 from djorg83/master
91bb666 log filename when file fails to parse using esprima
5dbd62c 0.4.4
5642fb4 Update changelog, contributors
f4195bb Merge pull request [Snyk] Fix for 1 vulnerabilities #507 from Victorystick/es-modules-support
c521035 Merge pull request [Snyk] Security upgrade jest from 24.9.0 to 27.0.0 #628 from inversion/use-tmp-dir
66fffdc Merge pull request [Snyk] Fix for 1 vulnerabilities #597 from JamesMGreene/patch-1
dfcab10 Merge pull request [Snyk] Security upgrade semantic-release from 17.4.7 to 21.0.2 #627 from a0viedo/patch-1
abec3ae Merge pull request [Snyk] Security upgrade babel-loader from 8.3.0 to 9.1.3 #625 from ChALkeR/tmpdir
a9aaf53 tmp dir setting was being ignored in TmpStore
522f465 link build badge to master branch
0b5e80d use os.tmpdir() instead of os.tmpDir()
5069661 Set "medium" coverage CSS color scheme to yellow
0e8c350 Merge pull request [Snyk] Security upgrade xo from 0.24.0 to 0.53.0 #587 from clickthisnick/chore-remove-trailing-spaces
fc3ba35 0.4.3
b3de106 Update changelog, contributors
bb5b6e1 Merge pull request [Snyk] Security upgrade tap from 14.11.0 to 15.0.0 #579 from jtangelder/fix-colors
0411600 return plain string when an invalid clazz is given
a556a5e Merge pull request [Snyk] Fix for 1 vulnerabilities #552 from abejfehr/patch-1
369ed49 Merge pull request [Snyk] Fix for 1 vulnerabilities #545 from pra85/patch-1

See the full diff

Package name: tape

The new version differs by 4 commits.

99f32f5 4.0.0
cf56a13 Drop 0.8 support
a6bdf9c Expand reporters section into "things that go well with tape"
d6acc1e Update dependencies

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Improper Privilege Management


          fix: deps/npm/node_modules/asn1/package.json to reduce vulnerabilities

a79e866

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AJV-584908
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-1019388
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-3050818
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-SHELLJS-2332187
- https://snyk.io/vuln/npm:eslint:20180222
- https://snyk.io/vuln/npm:minimatch:20160620

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet