[Snyk] Fix for 13 vulnerabilities #80

matthewjablack · 2023-11-27T14:23:08Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-AMMO-548920	Yes	No Known Exploit
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-DECOMPRESSTAR-559095	No	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-HAPI-548911	Yes	No Known Exploit
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SUBTEXT-467257	Yes	No Known Exploit
579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-SUBTEXT-548913	Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SUBTEXT-548915	Yes	No Known Exploit
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
379/1000 Why? Has a fix available, CVSS 3.3	Insecure Credential Storage SNYK-JS-WEB3-174533	No	No Known Exploit
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @truffle/hdwallet-provider

The new version differs by 250 commits.

4468ee2 Publish
e9efaa0 Merge pull request #3203 from trufflesuite/patch-init
3976147 Ensure test dir is tracked by git and fix path error
a8baab2 Merge pull request #3201 from trufflesuite/provider-check-backoff
ee07f94 Merge pull request #3199 from trufflesuite/prune-method
be5ae9a Merge pull request #2987 from trufflesuite/swap-library
ee13758 execute async func within setTimeout
2a1dcf9 implement provider check w/ exponential backoff using recursive setTimeout pattern
20adc2f Update some tests
e91bd3d Move url normalization into box
5032e6a Promisify call to download repo
fed162f Remove unused method getCommitFromVersion
6964fa4 Merge pull request #3197 from trufflesuite/bind-hijacker
007a80c Add more test cases for unbox tests
55a7e93 Add one more supported format for unbox test
e4b2d5d Handle rewriting full urls in format for download-git-repo and delete some obsolete tests
ddbb894 Add destination argument to the help for unbox and init
b07e7b6 Get rid of : syntax for unboxing to a destination
6c62952 Correct capitalization error in subscriber
4d2da62 Update parsing method, update a test, and regenerate yarn.lock
31fa5ea Add some methods for sanitizing/validating the url and implement new github downloading library
5728daa Swap out github download library for another
f2d4c7e Merge pull request #3196 from trufflesuite/prettier-defaults
1781014 Bind rejectHijacker to the PromiEvent

See the full diff

Package name: agendash

The new version differs by 115 commits.

b92bc90 2.0.0
323bd5d Merge pull request #150 from agenda/prepublish-readiness
b547a1e Preparing for publishing of v2
64cc80e Merge pull request #149 from agenda/various-bugfixes
d4eaa48 Add $BASE_PATH to Dockerfile
98125ba Add --path to Agendash CLI. Via #125
d7b1e5b Add fix for crash from [Snyk] Fix for 1 vulnerabilities #68 (take two, don't mutate mongoose)
1e2a34c Add fix for crash from [Snyk] Fix for 1 vulnerabilities #68
a4465f7 Add docs how to run Agendash in a docker container. Incorporates #103 PR
cb6ed1c Incorporate changes from [Snyk] Fix for 1 vulnerabilities #89 PR
1e3d890 Upgrade supertest from v3 to latest v6
6a7eefa Run Koa tests in Node 10. Fix "All Jobs" not rendering. Mitigate Vue@3 upcoming breaking changes. Upgrade Axios.
c14aaef Merge pull request #148 from agenda/add-koa-support
a01e802 Merge branch 'master' into add-koa-support
fc26a08 Add Koa support
363dc71 Merge pull request #145 from agenda/remove-hapi-from-prod-deps
a1ca29d Merge branch 'master' into remove-hapi-from-prod-deps
47dcb20 Merge pull request #144 from agenda/fix-last-v2-test
6dfeecf Moving Hapi to devDependencies
e8f0360 fixing xo another breaking change in the minor version change.
9c4637c Fix last test
a5b580d Merge pull request #142 from agenda/renovate/node-8.x
822050c 14.15.4
d942791 v14

See the full diff

Package name: gh-release

The new version differs by 42 commits.

33e7dc4 4.0.2
7006731 CHANGELOG
378fc7a Fix bad import
7ff16a1 4.0.1
1c5d45f CHANGELOG
5ee0772 Merge pull request #104 from hypermodules/deps
830245d Switch back to ghauth 5
51b9c8e Update to gh-release-assets 2
59c366c Merge pull request #101 from hypermodules/yargs
00e442e Merge pull request [Snyk] Security upgrade bitcoinjs-lib from 5.1.2 to 6.0.0 #100 from hypermodules/roll-back-guage
c17f409 Merge pull request #102 from hypermodules/simple-get
6a9e6ac Merge pull request #103 from hypermodules/gh-actions
0a7efe4 Switch to github actions instead of travis
1cb0196 replace request with simple-get
0e0debd Your weekly yargs breaking change
9604f95 Use old gauge
dc6e2b2 4.0.0
53036b7 CHANGELOG.md
09abb70 Merge pull request [Snyk] Fix for 1 vulnerabilities #93 from hypermodules/deps-refresh
1a61d26 Improve error messaging around bad org permissions
7a828e8 Install fork of ghauth
afffc17 remove depreciated package
20c2121 Use fork of ghauth while we wait for upstream
725b859 chore: update ghauth to support device flow

See the full diff

Package name: truffle

The new version differs by 250 commits.

90c9f7e Publish
8f135ce Update yarn.lock
17b997c Merge pull request #3152 from trufflesuite/gwei
53f037e Merge pull request #3146 from trufflesuite/update-mocha
7113313 Update highlightjs-solidity
6db3b6a Merge pull request #3150 from trufflesuite/cruz/trufflesuite/web3-provider-engine-15.0.0-2
4c81358 Upgrade dependency: @ trufflesuite/web3-provider-engine@15.0.0-2
c78e34c Merge pull request #3149 from trufflesuite/more-yul-jump-handling
9944cc8 Update debugger tests to 0.6.11
6714cc8 Fix interaction of phantom guard and jumps into unmapped code
e5db488 Better format locations with missing source path
078ea1e Accept colors as a mocha config field
21aa179 Correct typo with color property
56feea0 Add color option to the mocha config
22f4cdc Leave the debugger package using an older version of Mocha to bump later
afba441 Remove useColors option for mocha
1f5ac1f Remove node 8 from github actions tasks
3f19f30 Update travis config
6fbd31d Remove call in logger for tests
3e55bc7 Update Mocha
008497b Merge pull request #3145 from trufflesuite/bug/ethpm-method
32fe89a Update @ public to @ external to comply with changes to vyper in version 0.2.0
df44f8b Add space in vyper command
9628aa3 Increase test timeout