Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Upgrade: argon2, better-sqlite3, clamscan, dompurify, express, express-rate-limit, express-session, image-size, jsdom #27

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Snyk] Upgrade: argon2, better-sqlite3, clamscan, dompurify, express, express-rate-limit, express-session, image-size, jsdom #27

wants to merge 1 commit into from

Conversation

BiraruYT
Copy link
Owner

@BiraruYT BiraruYT commented Sep 8, 2024

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name Versions Released on

argon2
from 0.31.2 to 0.40.3 | 6 versions ahead of your current version | 3 months ago
on 2024-05-25
better-sqlite3
from 9.2.2 to 9.6.0 | 9 versions ahead of your current version | 4 months ago
on 2024-04-26
clamscan
from 2.1.2 to 2.3.1 | 6 versions ahead of your current version | 2 months ago
on 2024-07-23
dompurify
from 3.0.6 to 3.1.6 | 12 versions ahead of your current version | 2 months ago
on 2024-07-05
express
from 4.18.2 to 4.19.2 | 4 versions ahead of your current version | 5 months ago
on 2024-03-25
express-rate-limit
from 7.1.5 to 7.4.0 | 4 versions ahead of your current version | 2 months ago
on 2024-07-23
express-session
from 1.17.3 to 1.18.0 | 1 version ahead of your current version | 7 months ago
on 2024-01-28
image-size
from 1.0.2 to 1.1.1 | 2 versions ahead of your current version | 8 months ago
on 2024-01-02
jsdom
from 23.0.1 to 23.2.0 | 2 versions ahead of your current version | 8 months ago
on 2024-01-07

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Denial of Service (DoS)
SNYK-JS-WS-7266574		 586 Proof of Concept
medium severity Template Injection
SNYK-JS-DOMPURIFY-6474511		 586 Proof of Concept
medium severity Open Redirect
SNYK-JS-EXPRESS-6474509		 586 No Known Exploit
medium severity Uncontrolled Resource Consumption ('Resource Exhaustion')
SNYK-JS-TAR-6476909		 586 Proof of Concept
medium severity Missing Release of Resource after Effective Lifetime
SNYK-JS-INFLIGHT-6095116		 586 Proof of Concept
Release notes
Package name: argon2
  • 0.40.3 - 2024-05-25
  • 0.40.2 - 2024-05-25

    Fix issue with publishing tags starting with v

  • 0.40.1 - 2024-02-22
  • 0.40.0-alpha.3 - 2024-01-10
  • 0.40.0-alpha.2 - 2023-12-30
  • 0.40.0-alpha.1 - 2023-12-20
  • 0.31.2 - 2023-11-04

    Note: this is the last version that will support Node 16 since it's support has ended on 2023-09-11. Please upgrade to 18 or preferably 20 as soon as possible.

    What's Changed

    New Contributors

    Full Changelog: v0.31.1...v0.31.2

from argon2 GitHub release notes
Package name: better-sqlite3 from better-sqlite3 GitHub release notes
Package name: clamscan
  • 2.3.1 - 2024-07-23

    Bug Fixes

    • ACTUALLY fixed OS-agnostic recursive file discovery (previous commit had the relevant lines removed during clean up). File discovery now happens entirely using Node APIs.
  • 2.3.0 - 2024-07-23

    Bug Fixes

    • scanDir (and others) was unnecessarily stripping multiple spaces in a file name. Fixes #126
    • On Windows, when scanning files, files were not able to be found due to using a unix command find. This was fixed by using a pure JS method of finding files in a directory recursively (and not). Fixes #126
    • Scanning files recursively was somewhat broken and this has now been fixed.

    Enhancements

    • scanDir now provides additional feedback in the form of numGoodFiles. This is a compromise created in lieu of the potentially dangerous alternative of providing all clean files scanned (which could be millions in some cases). This value is available in callback and promise-style APIs.
    • When scanning a directory of TCP or local socket, scanning no longer stops when a virus is found when not using multiscan... Before, single-threaded scanning was using the SCAN command; now it's using the CONTSCAN command so that all files are scanned.

    Other

    • Updated to latest 3rd-party dependencies where possible
    • Updated API docs
    • New tests written and some updated

    Full Changelog: v2.2.3...v2.3.0

  • 2.2.3 - 2024-07-22

    Bug Fixes

    • Fixed bug where filenames with consecutive spaces were being replaced with a single space (#125)
    • Fixed bug where, in some instances, the socket would close before finishing when scanning using scanStream (#127).
  • 2.2.2 - 2024-07-03

    Bug Fixes

    • Added ability to connect with a port only (localhost is presumed) - Fixes #123
  • 2.2.1 - 2024-03-18

    Fixes

    Other

    • Set some default value for testing on Macs
  • 2.2.0 - 2024-03-18

    Merges:

    Other

    • Updated to latest versions of dependencies
    • Fixed CI tests

    Thanks to all that reported issues and contributed fixes!

  • 2.1.2 - 2022-03-18

    Fixes Vulnerabilities

    • Updated development packages that were flagged as having vulnerabilities to versions that were clean.
from clamscan GitHub release notes
Package name: dompurify
  • 3.1.6 - 2024-07-05
    • Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @ kevin-mizu
    • Fixed an issue with element removal leading to uncaught errors through DOM Clobbering, thanks @ realansgar
    • Fixed a minor problem with the bower file pointing to the wrong dist path
    • Fixed several minor typos in docs, comments and comment blocks, thanks @ Rotzbua
    • Updated several development dependencies
  • 3.1.5 - 2024-05-31
    • Fixed a minor issue with the dist paths in bower.js, thanks @ HakumenNC
    • Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @ kakao-bishop-cho
  • 3.1.4 - 2024-05-20
    • Fixed an issue with the recently implemented isNaN checks, thanks @ tulach
    • Added several new popover attributes to allow-list, thanks @ Gigabyte5671
    • Fixed the tests and adjusted the test runner to cover all branches
  • 3.1.3 - 2024-05-11
    • Fixed several mXSS variations found by and thanks to @ kevin-mizu & @ Ry0taK
    • Added better configurability for comment scrubbing default behavior
    • Added better hardening against Prototype Pollution attacks, thanks @ kevin-mizu
    • Added better handling and readability of the nodeType property, thanks @ ssi02014
    • Fixed some smaller issues in README and other documentation
  • 3.1.2 - 2024-04-30
    • Addressed and fixed a mXSS variation found by @ kevin-mizu
    • Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
    • Updated tests for older Safari and Chrome versions
  • 3.1.1 - 2024-04-26
  • 3.1.0 - 2024-04-07
  • 3.0.11 - 2024-03-21
  • 3.0.10 - 2024-03-19
  • 3.0.9 - 2024-02-20
  • 3.0.8 - 2024-01-05
  • 3.0.7 - 2024-01-04
  • 3.0.6 - 2023-09-28
from dompurify GitHub release notes
Package name: express from express GitHub release notes
Package name: express-rate-limit
  • 7.4.0 - 2024-07-23

    You can view the changelog here.

  • 7.3.1 - 2024-06-07

    Fixed

    • Changed error displayed for the creationStack validation check when a store
      with localKeys set to false is used.
    • Improved documentation for the creationStack check.

    You can view the full changelog here.

  • 7.3.0 - 2024-06-01

    Added

    • Added a new unsharedStore validation check that identifies cases where a
      single store instance is shared across multiple limiters.

    You can view the full changelog here.

  • 7.2.0 - 2024-03-02

    Added

    • Added a new creationStack validation check that looks for instances created
      in a request handler.

    You can view the full changelog here.

  • 7.1.5 - 2023-11-27

    Fixed

    • Enable async requestWasSuccessful methods to work as documented.

    You can view the full changelog here.

from express-rate-limit GitHub release notes
Package name: express-session
  • 1.18.0 - 2024-01-28
    • Add debug log for pathname mismatch
    • Add partitioned to cookie options
    • Add priority to cookie options
    • Fix handling errors from setting cookie
    • Support any type in secret that crypto.createHmac supports
    • deps: cookie@0.6.0
      • Fix expires option to reject invalid dates
      • perf: improve default decode speed
      • perf: remove slow string split in parse
    • deps: cookie-signature@1.0.7
  • 1.17.3 - 2022-05-11
    • Fix resaving already-saved new session at end of request
    • deps: cookie@0.4.2
from express-session GitHub release notes
Package name: image-size from image-size GitHub release notes
Package name: jsdom
  • 23.2.0 - 2024-01-07

    This release switches our CSS selector engine from nwsapi to @ asamuzakjp/dom-selector. The new engine is more actively maintained, and supports many new selectors: see the package's documentation for the full list. It also works better with shadow trees.

    There is a potential of a performance regression due to this change. In our stress test benchmark, which runs most of these 273 selectors against this 128 KiB document, the new engine completes the benchmark only 0.25x as fast. However, we're hopeful that in more moderate usage this will not be a significant issue. Any help speeding up @ asamuzakjp/dom-selector is appreciated, and feel free to open an issue if this has had a significant impact on your project.

  • 23.1.0 - 2024-01-05
    • Added an initial implementation of ElementInternals, including the shadowRoot getter and the string-valued ARIA properties. (zjffun)
    • Added the string-valued ARIA attribute-reflecting properties to Element.
    • Fixed history.pushState() and history.replaceState() to follow the latest specification, notably with regards to how they handle empty string inputs and what new URLs are possible.
    • Fixed the input.valueAsANumber setter to handle NaN correctly. ...

@snyk-bot
fix: upgrade multiple dependencies with Snyk
1bff17a 
Snyk has created this PR to upgrade:
  - argon2 from 0.31.2 to 0.40.3.
    See this package in npm: https://www.npmjs.com/package/argon2
  - better-sqlite3 from 9.2.2 to 9.6.0.
    See this package in npm: https://www.npmjs.com/package/better-sqlite3
  - clamscan from 2.1.2 to 2.3.1.
    See this package in npm: https://www.npmjs.com/package/clamscan
  - dompurify from 3.0.6 to 3.1.6.
    See this package in npm: https://www.npmjs.com/package/dompurify
  - express from 4.18.2 to 4.19.2.
    See this package in npm: https://www.npmjs.com/package/express
  - express-rate-limit from 7.1.5 to 7.4.0.
    See this package in npm: https://www.npmjs.com/package/express-rate-limit
  - express-session from 1.17.3 to 1.18.0.
    See this package in npm: https://www.npmjs.com/package/express-session
  - image-size from 1.0.2 to 1.1.1.
    See this package in npm: https://www.npmjs.com/package/image-size
  - jsdom from 23.0.1 to 23.2.0.
    See this package in npm: https://www.npmjs.com/package/jsdom

See this project in Snyk:
https://app.snyk.io/org/cheapplayz/project/349e36f2-a0e3-4652-999f-3778d4d97df2?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Path issues - Ubuntu Server 20.04 + bad support for Windows Support port only connection
2 participants
@BiraruYT @snyk-bot