
[Snyk] Fix for 21 vulnerabilities #1533

Status: Open. Wants to merge 1 commit into base: main.

Conversation

filiptronicek (Member)


Snyk has created this PR to fix 21 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

  • package.json
  • yarn.lock

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory. This means the code cannot be pulled and immediately developed on as one would expect for a zero-install project; you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-installs you can ignore this, as your flow should likely be unchanged.

Vulnerabilities that will be fixed with an upgrade:

Severity  Issue                                                Snyk ID                             Score
critical  Improper Verification of Cryptographic Signature     SNYK-JS-ELLIPTIC-7577916            776
critical  Improper Verification of Cryptographic Signature     SNYK-JS-ELLIPTIC-7577917            776
critical  Improper Verification of Cryptographic Signature     SNYK-JS-ELLIPTIC-7577918            776
high      Server-side Request Forgery (SSRF)                   SNYK-JS-IP-6240864                  751
high      Regular Expression Denial of Service (ReDoS)         SNYK-JS-ANSIREGEX-1583908           696
high      Denial of Service (DoS)                              SNYK-JS-DECODEURICOMPONENT-3149970  696
high      Regular Expression Denial of Service (ReDoS)         SNYK-JS-ES5EXT-6095076              696
high      Prototype Poisoning                                  SNYK-JS-QS-3153490                  696
high      Regular Expression Denial of Service (ReDoS)         SNYK-JS-SEMVER-3247795              696
high      Denial of Service (DoS)                              SNYK-JS-WS-7266574                  696
medium    Server-Side Request Forgery (SSRF)                   SNYK-JS-IP-7148531                  646
high      Improper Handling of Exceptional Conditions          SNYK-JS-OCTOKITWEBHOOKS-6129527     624
high      Improper Verification of Cryptographic Signature     SNYK-JS-BROWSERIFYSIGN-6037026      589
medium    Regular Expression Denial of Service (ReDoS)         SNYK-JS-COOKIEJAR-3149984           586
medium    Regular Expression Denial of Service (ReDoS)         SNYK-JS-HTTPCACHESEMANTICS-3248783  586
medium    Use of a Broken or Risky Cryptographic Algorithm     SNYK-JS-JSONWEBTOKEN-3180026        554
medium    Improper Restriction of Security Token Assignment    SNYK-JS-JSONWEBTOKEN-3180024        539
medium    Improper Authentication                              SNYK-JS-JSONWEBTOKEN-3180022        534
medium    Open Redirect                                        SNYK-JS-EXPRESS-6474509             519
medium    Open Redirect                                        SNYK-JS-GOT-2932019                 484
medium    Resource Exhaustion                                  SNYK-JS-JOSE-6419224                479

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Open Redirect
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn


github-actions bot commented Sep 6, 2024

yarn.lock changes

Summary

Status      Count
ADDED       61
UPDATED     101
DOWNGRADED  3
REMOVED     230

Name Status Previous Current
@adraffy/ens-normalize ADDED - 1.10.1
@babel/runtime UPDATED 7.17.9 7.25.6
@emnapi/runtime ADDED - 1.2.0
@ethereumjs/common REMOVED 2.6.0 -
@ethereumjs/rlp ADDED - 5.0.2
@ethereumjs/tx REMOVED 3.4.0 -
@img/sharp-darwin-arm64 ADDED - 0.33.5
@img/sharp-darwin-x64 ADDED - 0.33.5
@img/sharp-libvips-darwin-arm64 ADDED - 1.0.4
@img/sharp-libvips-darwin-x64 ADDED - 1.0.4
@img/sharp-libvips-linux-arm ADDED - 1.0.5
@img/sharp-libvips-linux-arm64 ADDED - 1.0.4
@img/sharp-libvips-linux-s390x ADDED - 1.0.4
@img/sharp-libvips-linux-x64 ADDED - 1.0.4
@img/sharp-libvips-linuxmusl-arm64 ADDED - 1.0.4
@img/sharp-libvips-linuxmusl-x64 ADDED - 1.0.4
@img/sharp-linux-arm ADDED - 0.33.5
@img/sharp-linux-arm64 ADDED - 0.33.5
@img/sharp-linux-s390x ADDED - 0.33.5
@img/sharp-linux-x64 ADDED - 0.33.5
@img/sharp-linuxmusl-arm64 ADDED - 0.33.5
@img/sharp-linuxmusl-x64 ADDED - 0.33.5
@img/sharp-wasm32 ADDED - 0.33.5
@img/sharp-win32-ia32 ADDED - 0.33.5
@img/sharp-win32-x64 ADDED - 0.33.5
@noble/curves ADDED - 1.4.2
@noble/hashes ADDED - 1.4.0
@octokit/app UPDATED 12.0.5 15.1.0
@octokit/auth-app UPDATED 3.6.1 7.1.1
@octokit/auth-oauth-app UPDATED 4.3.0 8.1.1
@octokit/auth-oauth-device UPDATED 3.1.2 7.1.1
@octokit/auth-oauth-user UPDATED 1.3.0 5.1.1
@octokit/auth-token UPDATED 2.5.0 5.1.1
@octokit/auth-unauthenticated UPDATED 2.1.0 6.1.0
@octokit/core UPDATED 3.5.1 6.1.2
@octokit/endpoint UPDATED 6.0.12 10.1.1
@octokit/graphql UPDATED 4.8.0 8.1.1
@octokit/oauth-app UPDATED 3.6.0 7.1.3
@octokit/oauth-authorization-url UPDATED 4.3.3 7.1.1
@octokit/oauth-methods UPDATED 1.2.6 5.1.2
@octokit/openapi-types UPDATED 12.1.0 22.2.0
@octokit/openapi-webhooks-types ADDED - 8.3.0
@octokit/plugin-paginate-graphql ADDED - 5.2.2
@octokit/plugin-paginate-rest UPDATED 2.18.0 11.3.3
@octokit/plugin-rest-endpoint-methods UPDATED 5.14.0 13.2.4
@octokit/plugin-retry UPDATED 3.0.9 7.1.1
@octokit/plugin-throttling UPDATED 3.5.2 9.3.1
@octokit/request UPDATED 5.6.3 9.1.3
@octokit/request-error UPDATED 2.1.0 6.1.4
@octokit/types UPDATED 6.35.0 13.5.0
@octokit/webhooks UPDATED 9.22.0 13.3.0
@octokit/webhooks-methods UPDATED 2.0.0 5.1.0
@octokit/webhooks-types REMOVED 5.2.0 -
@panva/hkdf UPDATED 1.0.1 1.2.1
@scure/base ADDED - 1.1.8
@scure/bip32 ADDED - 1.4.0
@scure/bip39 ADDED - 1.3.0
@silentbot1/nat-api ADDED - 0.4.7
@sindresorhus/is REMOVED 0.14.0 -
@szmarczak/http-timer REMOVED 1.1.2 -
@thaunknown/simple-peer ADDED - 10.0.10
@thaunknown/simple-websocket ADDED - 9.1.3
@thaunknown/thirty-two ADDED - 1.0.5
@types/bn.js DOWNGRADED 5.1.0 4.11.6
@types/btoa-lite REMOVED 1.0.0 -
@types/jsonwebtoken REMOVED 8.5.8 -
@types/ws ADDED - 8.5.3
abitype ADDED - 0.7.1
accepts REMOVED 1.3.7 -
addr-to-ip-port UPDATED 1.5.4 2.0.0
aggregate-error REMOVED 3.1.0 -
aproba REMOVED 1.2.0 -
are-we-there-yet REMOVED 1.1.7 -
array-flatten REMOVED 1.1.1 -
asn1 REMOVED 0.2.6 -
asn1.js REMOVED 5.4.1 -
assert-plus REMOVED 1.0.0 -
async-limiter REMOVED 1.0.1 -
aws-sign2 REMOVED 0.7.0 -
aws4 REMOVED 1.11.0 -
b4a UPDATED 1.6.1 1.6.6
bare-events ADDED - 2.4.2
bare-fs ADDED - 2.3.3
bare-os ADDED - 2.4.2
bare-path ADDED - 2.1.3
bare-stream ADDED - 2.2.1
base64-arraybuffer ADDED - 1.0.2
bcrypt-pbkdf REMOVED 1.0.2 -
before-after-hook UPDATED 2.2.2 3.0.2
bencode UPDATED 2.0.3 4.0.0
bep53-range UPDATED 1.1.1 2.0.0
bignumber.js REMOVED 9.0.2 -
binary-search REMOVED 1.3.6 -
bitfield UPDATED 4.1.0 4.2.0
bittorrent-dht UPDATED 10.0.6 11.0.7
bittorrent-lsd UPDATED 1.1.1 2.0.0
bittorrent-peerid UPDATED 1.3.4 1.3.6
bittorrent-protocol UPDATED 3.5.5 4.1.14
bittorrent-tracker UPDATED 9.19.0 11.1.2
blob-to-buffer REMOVED 1.2.9 -
block-iterator ADDED - 1.1.1
block-stream2 REMOVED 2.1.0 -
bluebird REMOVED 3.7.2 -
body-parser REMOVED 1.19.1 -
browserify-cipher REMOVED 1.0.1 -
browserify-des REMOVED 1.0.2 -
browserify-package-json REMOVED 1.0.1 -
browserify-rsa REMOVED 4.1.0 -
browserify-sign REMOVED 4.2.1 -
btoa-lite REMOVED 1.0.0 -
buffer-alloc REMOVED 1.2.0 -
buffer-alloc-unsafe REMOVED 1.1.0 -
buffer-equal-constant-time REMOVED 1.0.1 -
buffer-fill REMOVED 1.0.0 -
buffer-to-arraybuffer REMOVED 0.0.5 -
bufferutil UPDATED 4.0.5 4.0.8
bytes REMOVED 3.1.1 -
cacheable-request REMOVED 6.1.0 -
caseless REMOVED 0.12.0 -
chunk-store-iterator ADDED - 1.0.3
chunk-store-stream REMOVED 4.3.0 -
cids REMOVED 0.7.5 -
clean-stack REMOVED 2.2.0 -
clone REMOVED 2.1.2 -
clone-response REMOVED 1.0.2 -
code-point-at REMOVED 1.1.0 -
console-control-strings REMOVED 1.1.0 -
content-disposition REMOVED 0.5.4 -
content-hash REMOVED 2.5.2 -
content-type REMOVED 1.0.4 -
cookie-signature REMOVED 1.0.6 -
cookiejar REMOVED 2.1.3 -
core-util-is REMOVED 1.0.2 -
cors REMOVED 2.8.5 -
crc-32 UPDATED 1.2.0 1.2.2
create-ecdh REMOVED 4.0.4 -
create-torrent UPDATED 5.0.6 6.0.18
cross-fetch UPDATED 3.1.5 4.0.0
cross-fetch-ponyfill ADDED - 1.0.3
crypto-browserify REMOVED 3.12.0 -
d REMOVED 1.0.1 -
dashdash REMOVED 1.14.1 -
data-uri-to-buffer UPDATED 3.0.1 4.0.1
debug UPDATED 4.3.4 4.3.7
decode-uri-component REMOVED 0.2.0 -
default-gateway ADDED - 6.0.3
defer-to-connect REMOVED 1.1.3 -
delegates REMOVED 1.0.0 -
depd REMOVED 1.1.2 -
deprecation REMOVED 2.3.1 -
des.js REMOVED 1.0.1 -
destroy REMOVED 1.0.4 -
detect-libc UPDATED 2.0.1 2.0.3
diffie-hellman REMOVED 5.0.3 -
dom-walk REMOVED 0.1.2 -
duplexer3 REMOVED 0.1.4 -
ecc-jsbn REMOVED 0.1.2 -
ecdsa-sig-formatter REMOVED 1.0.11 -
ee-first REMOVED 1.1.1 -
encodeurl REMOVED 1.0.2 -
es5-ext REMOVED 0.10.53 -
es6-iterator REMOVED 2.0.3 -
es6-symbol REMOVED 3.1.3 -
etag REMOVED 1.8.1 -
eth-ens-namehash REMOVED 2.0.8 -
eth-lib REMOVED 0.2.8 -
ethereum-bloom-filters REMOVED 1.0.10 -
ethereum-cryptography UPDATED 0.1.3 2.2.1
ethereumjs-util DOWNGRADED 7.1.3 6.2.1
ethjs-unit REMOVED 0.1.6 -
eventemitter3 UPDATED 4.0.4 5.0.1
exit-on-epipe REMOVED 1.0.1 -
express REMOVED 4.17.2 -
ext REMOVED 1.6.0 -
extend REMOVED 3.0.2 -
extsprintf REMOVED 1.3.0 -
fast-blob-stream REMOVED 1.1.1 -
fast-fifo UPDATED 1.0.0 1.3.2
fast-readable-async-iterator UPDATED 1.1.1 2.0.0
filename-reserved-regex ADDED - 3.0.0
finalhandler REMOVED 1.1.2 -
forever-agent REMOVED 0.6.1 -
formdata-polyfill ADDED - 4.0.10
forwarded REMOVED 0.2.0 -
fresh REMOVED 0.5.2 -
fromentries REMOVED 1.3.2 -
fs-chunk-store UPDATED 2.0.5 4.1.0
fs-minipass REMOVED 1.2.7 -
fs-native-extensions ADDED - 1.2.7
fsa-chunk-store ADDED - 1.3.0
gauge REMOVED 2.7.4 -
get-browser-rtc REMOVED 1.1.0 -
get-stdin UPDATED 8.0.0 9.0.0
getpass REMOVED 0.1.7 -
global REMOVED 4.4.0 -
got REMOVED 9.6.0 -
har-schema REMOVED 2.0.0 -
har-validator REMOVED 5.1.5 -
has-symbol-support-x REMOVED 1.4.2 -
has-to-string-tag-x REMOVED 1.4.1 -
has-unicode REMOVED 2.0.1 -
http-cache-semantics REMOVED 4.1.0 -
http-errors REMOVED 1.8.1 -
http-https REMOVED 1.0.0 -
http-signature REMOVED 1.2.0 -
idna-uts46-hx REMOVED 2.3.1 -
ip UPDATED 1.1.5 2.0.1
ip-address ADDED - 9.0.5
is-ascii REMOVED 1.0.0 -
is-function REMOVED 1.0.2 -
is-object REMOVED 1.0.2 -
is-plain-object REMOVED 5.0.0 -
is-retry-allowed REMOVED 1.2.0 -
is-typedarray REMOVED 1.0.0 -
isomorphic-ws ADDED - 5.0.0
isstream REMOVED 0.1.2 -
isurl REMOVED 1.0.0 -
jose UPDATED 4.10.3 4.15.9
jsbn UPDATED 0.1.1 1.1.0
json-buffer REMOVED 3.0.0 -
json-stringify-safe REMOVED 5.0.1 -
jsonwebtoken REMOVED 8.5.1 -
jsprim REMOVED 1.4.2 -
junk UPDATED 3.1.0 4.0.1
jwa REMOVED 1.4.1 -
jws REMOVED 3.2.2 -
keyv REMOVED 3.1.0 -
load-ip-set UPDATED 2.2.1 3.0.1
lodash.includes REMOVED 4.3.0 -
lodash.isboolean REMOVED 3.0.3 -
lodash.isinteger REMOVED 4.0.4 -
lodash.isnumber REMOVED 3.0.3 -
lodash.isplainobject REMOVED 4.0.6 -
lodash.isstring REMOVED 4.0.1 -
lodash.once REMOVED 4.1.1 -
lowercase-keys REMOVED 2.0.0 -
lru-cache UPDATED 7.14.1 10.4.3
lt_donthave UPDATED 1.0.1 2.0.2
magnet-uri UPDATED 6.2.0 7.0.5
media-typer REMOVED 0.3.0 -
mediasource REMOVED 2.4.0 -
merge-descriptors REMOVED 1.0.1 -
methods REMOVED 1.1.2 -
miller-rabin REMOVED 4.0.1 -
min-document REMOVED 2.19.0 -
minimist UPDATED 1.2.6 1.2.8
minipass REMOVED 2.9.0 -
minizlib REMOVED 1.3.3 -
mkdirp REMOVED 0.5.5 -
mkdirp-promise REMOVED 5.0.1 -
mock-fs REMOVED 4.14.0 -
mp4-box-encoding REMOVED 1.4.1 -
mp4-stream REMOVED 3.1.3 -
multibase REMOVED 0.7.0 -
multicodec REMOVED 1.0.4 -
multihashes REMOVED 0.4.21 -
nano-json-stream-parser REMOVED 0.1.2 -
negotiator REMOVED 0.6.2 -
next-auth UPDATED 4.14.0 4.24.7
next-event REMOVED 1.0.0 -
next-tick REMOVED 1.0.0 -
node-addon-api DOWNGRADED 5.0.0 2.0.2
node-datachannel ADDED - 0.10.1
node-domexception UPDATED 1.0.0 2.0.1
normalize-url REMOVED 4.5.1 -
npmlog REMOVED 4.1.2 -
number-is-nan REMOVED 1.0.1 -
number-to-bn REMOVED 1.7.0 -
oauth-sign REMOVED 0.9.0 -
oboe REMOVED 2.1.5 -
octokit UPDATED 1.8.0 4.0.2
oidc-token-hash UPDATED 5.0.1 5.0.3
on-finished REMOVED 2.3.0 -
openid-client UPDATED 5.1.1 5.6.5
p-cancelable REMOVED 1.1.0 -
p-finally REMOVED 1.0.0 -
p-timeout REMOVED 1.2.1 -
package-json-versionify REMOVED 1.0.4 -
parse-asn1 REMOVED 5.1.6 -
parse-headers REMOVED 2.0.4 -
parse-torrent UPDATED 9.1.5 11.0.17
parseurl REMOVED 1.3.3 -
path-to-regexp REMOVED 0.1.7 -
performance-now REMOVED 2.1.0 -
prebuild-install UPDATED 7.1.0 7.1.2
prepend-http REMOVED 2.0.0 -
printj REMOVED 1.1.2 -
process REMOVED 0.11.10 -
process-nextick-args REMOVED 2.0.1 -
proxy-addr REMOVED 2.0.7 -
public-encrypt REMOVED 4.0.3 -
qs REMOVED 6.9.6 -
query-string REMOVED 5.1.1 -
queue-tick UPDATED 1.0.0 1.0.1
random-access-file UPDATED 2.2.0 4.0.7
random-access-storage UPDATED 1.4.2 3.0.2
randomfill REMOVED 1.0.4 -
range-slice-stream REMOVED 2.0.0 -
raw-body REMOVED 2.4.2 -
regenerator-runtime UPDATED 0.13.9 0.14.1
render-media REMOVED 4.1.0 -
request REMOVED 2.88.2 -
responselike REMOVED 1.0.2 -
rusha REMOVED 0.8.14 -
semver UPDATED 7.3.7 7.6.3
send REMOVED 0.17.2 -
serve-static REMOVED 1.14.2 -
servify REMOVED 0.1.12 -
set-blocking REMOVED 2.0.0 -
setprototypeof REMOVED 1.2.0 -
sharp UPDATED 0.30.6 0.33.5
simple-peer REMOVED 9.11.1 -
simple-sha1 REMOVED 3.1.0 -
simple-websocket REMOVED 9.1.0 -
socks UPDATED 2.6.1 2.8.3
speedometer REMOVED 1.1.0 -
sprintf-js UPDATED 1.0.3 1.1.3
sshpk REMOVED 1.17.0 -
statuses REMOVED 1.5.0 -
stream-to-blob REMOVED 2.0.1 -
stream-to-blob-url REMOVED 3.0.2 -
stream-with-known-length-to-buffer REMOVED 1.0.4 -
streamx UPDATED 2.12.5 2.20.0
strict-uri-encode REMOVED 1.1.0 -
string_decoder UPDATED 1.1.1 1.3.0
string2compact UPDATED 1.3.2 2.0.1
swarm-js REMOVED 0.1.40 -
tar REMOVED 4.4.19 -
text-decoder ADDED - 1.1.1
thirty-two REMOVED 1.0.2 -
timed-out REMOVED 4.0.1 -
to-arraybuffer REMOVED 1.0.1 -
to-readable-stream REMOVED 1.0.0 -
toidentifier REMOVED 1.0.1 -
torrent-discovery UPDATED 9.4.14 11.0.9
torrent-piece UPDATED 2.0.1 3.0.0
type REMOVED 2.5.0 -
type-is REMOVED 1.6.18 -
typedarray-to-buffer REMOVED 3.1.5 -
uint64be REMOVED 2.0.2 -
uint8-util ADDED - 2.2.5
ultron REMOVED 1.1.1 -
universal-github-app-jwt UPDATED 1.1.0 2.2.0
universal-user-agent UPDATED 6.0.0 7.0.2
unpipe REMOVED 1.0.0 -
url-parse-lax REMOVED 3.0.0 -
url-set-query REMOVED 1.0.0 -
url-to-options REMOVED 1.0.1 -
ut_metadata UPDATED 3.5.2 4.0.3
ut_pex UPDATED 3.0.2 4.0.4
utf-8-validate UPDATED 5.0.7 6.0.4
utf8 REMOVED 3.0.0 -
utils-merge REMOVED 1.0.1 -
vary REMOVED 1.1.2 -
verror REMOVED 1.10.0 -
videostream REMOVED 3.2.2 -
web3 UPDATED 1.7.3 4.12.1
web3-bzz REMOVED 1.7.3 -
web3-core UPDATED 1.7.3 4.5.1
web3-core-helpers REMOVED 1.7.3 -
web3-core-method REMOVED 1.7.3 -
web3-core-promievent REMOVED 1.7.3 -
web3-core-requestmanager REMOVED 1.7.3 -
web3-core-subscriptions REMOVED 1.7.3 -
web3-errors ADDED - 1.3.0
web3-eth UPDATED 1.7.3 4.8.2
web3-eth-abi UPDATED 1.7.3 4.2.3
web3-eth-accounts UPDATED 1.7.3 4.2.1
web3-eth-contract UPDATED 1.7.3 4.7.0
web3-eth-ens UPDATED 1.7.3 4.4.0
web3-eth-iban UPDATED 1.7.3 4.0.7
web3-eth-personal UPDATED 1.7.3 4.0.8
web3-net UPDATED 1.7.3 4.1.0
web3-providers-http UPDATED 1.7.3 4.2.0
web3-providers-ipc UPDATED 1.7.3 4.0.7
web3-providers-ws UPDATED 1.7.3 4.0.8
web3-rpc-methods ADDED - 1.3.0
web3-rpc-providers ADDED - 1.0.0-rc.2
web3-shh REMOVED 1.7.3 -
web3-types ADDED - 1.7.0
web3-utils UPDATED 1.7.3 4.3.1
web3-validator ADDED - 2.0.6
webrtc-polyfill ADDED - 1.1.8
websocket REMOVED 1.0.34 -
webtorrent UPDATED 1.8.32 2.5.0
wide-align REMOVED 1.1.5 -
ws UPDATED 8.9.0 8.18.0
xhr REMOVED 2.6.0 -
xhr-request REMOVED 1.1.0 -
xhr-request-promise REMOVED 0.1.3 -
xhr2-cookies REMOVED 1.1.0 -
xml2js UPDATED 0.4.19 0.6.2
xmlbuilder UPDATED 9.0.7 11.0.1
yaeti REMOVED 0.0.6 -
zod ADDED - 3.23.8

2 participants