
[Snyk] Fix for 8 vulnerabilities #873

Merged: 1 commit merged into dev from snyk-fix-f40436588fafabc6c9ec4e015a4816da on Oct 16, 2020

Conversation

snyk-bot (Contributor)

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

✨ Snyk has automatically assigned this pull request, set who gets assigned.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Why? | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|---|
| high | 619/1000 | Has a fix available, CVSS 8.1 | Prototype Pollution (SNYK-JS-AJV-584908) | Yes | No Known Exploit |
| medium | 540/1000 | Has a fix available, CVSS 6.3 | Cross-site Scripting (XSS) (SNYK-JS-JQUERY-565129) | No | No Known Exploit |
| medium | 550/1000 | Has a fix available, CVSS 6.5 | Cross-site Scripting (XSS) (SNYK-JS-JQUERY-567880) | No | No Known Exploit |
| medium | 519/1000 | Has a fix available, CVSS 6.1 | Cross-site Scripting (XSS) (SNYK-JS-SELECT2-456562) | No | No Known Exploit |
| medium | 586/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.3 | Denial of Service (DoS) (SNYK-JS-SOCKJS-575261) | Yes | Proof of Concept |
| high | 589/1000 | Has a fix available, CVSS 7.5 | Information Exposure (SNYK-JS-WEBPACKDEVSERVER-72405) | Yes | No Known Exploit |
| medium | 601/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.6 | Prototype Pollution (SNYK-JS-YARGSPARSER-560381) | Yes | Proof of Concept |
| medium | 469/1000 | Has a fix available, CVSS 5.1 | Denial of Service (DoS) (npm:mem:20180117) | Yes | No Known Exploit |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: laravel-mix
The new version differs by 246 commits.
  • 89d1cdb 5.0.5
  • 399ddcd Bump dependency
  • 8c19e10 Fix tests
  • 8f1a87e adds optional --hmr-port argument (#2308) (#2309)
  • d4679d3 Fix prod css/sass sourcemaps (#1793) (#2282)
  • a96f24f Updates docs link to v5.0. (#2334)
  • d1b4fc7 implement mix.when() (#2330)
  • 06ca909 Merge branch 'fix/styles-missing-file' of https://github.com/paullaffitte/laravel-mix into paullaffitte-fix/styles-missing-file
  • ee9d457 Use sync test instead of callback (#2348)
  • be67b97 5.0.4
  • 1683b95 Remove shrinkwrap
  • 09d21d5 5.0.3
  • 675e817 Fix failing test
  • 4fbbbd7 Add test for FileCollection.merge should throw if file not found
  • 6eef224 Replace async/await by promises to pass eslint checks
  • f783c6b Throw an error when .css is not found with mix.styles() (#2289)
  • b0c2960 Remove notification timeout, fixes #2161 (#2179)
  • ddd3834 Browsersync snippet regex for lookbehinds (#2227)
  • 0a31b17 Update CssPurifier to laravel resources structure (#2180)
  • 21efecb Update travis.yml to supported Node.js versions (#2248)
  • 46afaa2 Pass options to ts-loader using a third argument (#2287)
  • ab97c17 5.0.1
  • 218d34d Fix audit issues
  • 97b714e Revert "Update dependency to avoid security flawness (#2291)"

See the full diff

Package name: select2
The new version differs by 122 commits.
  • a389a6d Merge pull request #5578 from select2/develop
  • eeefa1e Merge pull request #5577 from select2/release/4.0.8
  • 5005c56 Update changelog for 4.0.8
  • 8b55e47 Recompile dist for 4.0.8
  • 6fbe132 Bump versions for 4.0.8 release
  • bbd320d Convert source and tests to unix newlines
  • 1b5a962 Revert change to focusing behaviour in 4.0.6 (#5576)
  • d926025 Fix infinite scroll when the scrollbar is not visible (#5575)
  • 8a5aeab Remove deprecated jQuery shorthand (#5564)
  • 9c4f0c8 Fix typos (#5574)
  • bd7ac9d Results respect disabled state of `<option>` (#5560)
  • b5f136f Add `computedstyle` option for calculating the width (#5559)
  • f9decd6 Fix tag creation being broken in 4.0.7 (#5558)
  • 9491e1a Test against jQuery 3.4.1 (#5531)
  • d66e55d removed select2-selection__placeholder from _multiple.scss (#5508)
  • 5d2fdd7 Update grunt-contrib-qunit to latest version (#5530)
  • 70ca392 Update dev dependencies (#5529)
  • 36b226d Improve French Translation (#5521)
  • d53958a Clean up docs (#5528)
  • 0a612f9 Automatically deploy to NPM (#5527)
  • 04fce55 Merge pull request #5507 from select2/develop
  • f8193c6 Merge pull request #5506 from select2/release/4.0.7
  • 5285eef Recompile dist for 4.0.7
  • 20ffd12 Bump versions for 4.0.7 release

See the full diff

Package name: webpack
The new version differs by 250 commits.
  • 213226e 4.0.0
  • fde0183 Merge pull request #6081 from webpack/formating/prettier
  • b6396e7 update stats
  • f32bd41 fix linting
  • 5238159 run prettier on existing code
  • 518d1e0 replace js-beautify with prettier
  • 4c25bfb 4.0.0-beta.3
  • dd93716 Merge pull request #6296 from shellscape/fix/hmr-before-node-stuff
  • 7a07901 Merge pull request #6563 from webpack/performance/assign-depth
  • c7eb895 Merge pull request #6452 from webpack/update_acorn
  • 9179980 Merge pull request #6551 from nveenjain/fix/templatemd
  • e52f323 optimize performance of assignDepth
  • 6bf5df5 Fixed template.md
  • 90ab23a Merge branch 'master' into fix/hmr-before-node-stuff
  • b0949cb add integration test for spread operator
  • 39438c7 unittest now also walks the ast
  • 15ab027 Merge pull request #6536 from jevan0307/sideEffects-selectors
  • 1611ce1 Merge pull request #6561 from joshunger/patch-1
  • 6e175bc Merge pull request #6549 from webpack/md4_hash
  • 0637531 Add a hyperlink to create a new issue
  • 0e1f9c6 Merge pull request #6554 from webpack/deps/end-of-beta
  • 72477f4 upgrade versions to stable versions
  • ed30285 Merge pull request #6546 from webpack/bot/review-permission
  • 40ee8c7 Use MD4 for hashing

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
  • 🧐 View latest project report
  • 👩‍💻 Set who automatically gets assigned
  • 🛠 Adjust project settings
  • 📚 Read more about Snyk's upgrade and patch logic

@nabeelio nabeelio added the bug label Oct 16, 2020
@nabeelio nabeelio added this to the 7.0.0 milestone Oct 16, 2020
@nabeelio nabeelio self-requested a review October 16, 2020 14:52
@nabeelio nabeelio merged commit ca220f1 into dev Oct 16, 2020
@nabeelio nabeelio deleted the snyk-fix-f40436588fafabc6c9ec4e015a4816da branch October 16, 2020 15:01