Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 22 vulnerabilities #70

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 22 vulnerabilities #70

wants to merge 1 commit into from

Conversation

simha95
Copy link
Owner

@simha95 simha95 commented Nov 28, 2023

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908		 Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905		 Yes Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2		 Command Injection
SNYK-JS-LODASH-1040724		 Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-450202		 Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-608086		 Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-73638		 Yes Proof of Concept
medium severity 541/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 4.4		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-73639		 Yes Proof of Concept
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7		 Prototype Pollution
SNYK-JS-MINIMIST-2429795		 Yes Proof of Concept
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6		 Prototype Pollution
SNYK-JS-MINIMIST-559764		 Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Prototype Poisoning
SNYK-JS-QS-3153490		 No Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Server-side Request Forgery (SSRF)
SNYK-JS-REQUEST-3361831		 Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JS-SOCKETIOPARSER-1056752		 Yes Proof of Concept
critical severity 704/1000
Why? Has a fix available, CVSS 9.8		 Improper Input Validation
SNYK-JS-SOCKETIOPARSER-3091012		 Yes No Known Exploit
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Prototype Pollution
SNYK-JS-TOUGHCOOKIE-5672873		 Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-TRIM-1017038		 Yes Proof of Concept
medium severity 596/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.5		 Arbitrary Code Injection
SNYK-JS-UNDERSCORE-1080984		 Yes Proof of Concept
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:debug:20170905		 Yes Proof of Concept
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3		 Prototype Pollution
npm:lodash:20180130		 Yes Proof of Concept
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:ms:20170412		 Yes No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
npm:parsejson:20170908		 Yes No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Prototype Override Protection Bypass
npm:qs:20170213		 No No Known Exploit
low severity 324/1000
Why? Has a fix available, CVSS 2.2		 Uninitialized Memory Exposure
npm:utile:20180614		 Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: anchor The new version differs by 39 commits.
  • 819083a 0.11.4
  • 9eae256 Bump deps
  • 2566882 0.11.3
  • 4b6d85a Update error message created in errorFactory
  • af50852 Add note about the behavior of require('validator').isNull([]) and 'required' validation checks.
  • cbbc3a5 0.11.2
  • 8c2fc2d remove one of the worse npm options i've ever seen
  • c820ad0 Code conventions.
  • e80f0dd Remove undocumented rule 'len'
  • 1a12163 0.11.1
  • 24a7761 Merge branch 'master' of github.com:balderdashy/anchor
  • 63fe5af Take errors thrown from inside of validation rules and concatenate them onto the generated default error message.
  • 0ff4c61 clean out old stuff from package.json
  • 4c37226 0.11.0
  • b294231 use break instead of return
  • c470c77 ignore validations that are set to "false"
  • 40aa514 normalize booleans
  • e7fbec2 update and lock down dependency versions
  • ee132ef update mocha version
  • 212328c normalize old files to spaces over tabs and 2 over 4
  • c42db8b cleanup whitespace
  • 11ca413 add semicolon
  • 9cdad08 fix tests
  • 9abea11 don't pass the flag value to the validations

See the full diff

Package name: grunt-contrib-less The new version differs by 49 commits.

See the full diff

Package name: grunt-contrib-uglify The new version differs by 162 commits.

See the full diff

Package name: grunt-contrib-watch The new version differs by 20 commits.

See the full diff

Package name: prompt The new version differs by 79 commits.

See the full diff

Package name: sails-disk The new version differs by 85 commits.
  • 15faa44 1.0.0
  • a2b7ee6 1.0.0-12
  • 9d7118c Only set footprint keys for uniqueness violations.
  • a2c2261 Add some assertions.
  • a222824 Update gitignore and scripts
  • 3b3c334 1.0.0-11
  • cef95b4 Support updating the primary key value, as long as it's not using _id as the column.
  • aad2a15 Set _id column to value of primary key when creating records.
  • 333e2d1 1.0.0-10
  • c8a26c5 Add shim to replicate MongoDB's behavior w/ `{ $ne: null }` and empty arrays.
  • bf92cb8 1.0.0-9
  • af97943 Workaround issue with projections including only `_id`
  • b5b985b Relax restrictions on using `_id` column in sails disk.
  • f4adfd7 Add an entry in the `refCols` dictionary for every model, so we don't have to short-circuit checks for it later
  • b494fd9 In `find`, deserialize Buffer objects into `ref` attributes where possible.
  • 7aaaaa4 Merge pull request [Snyk] Fix for 1 vulnerabilities #58 from balderdashy/expose-lib
  • 70ead96 (whoops) Add back 0.10 and 0.12 in appveyor.yml
  • beabe7a Merge pull request [Snyk] Security upgrade grunt from 0.4.5 to 1.5.3 #57 from balderdashy/expose-lib
  • 9c80187 1.0.0-8
  • f7a349d Actually, don't expose the static lib. (No reason to do so, and better to not introduce something experimental if there's any chance it could make an app dependent on random stuff in a dev-only adapter)
  • 2d4d97e 1.0.0-7
  • f2dd761 Rename afterwards function to avoid perceived scope conflict (whether or not it'd ever actually be a big deal, this avoids any potential future scope issues from refactoring, etc).
  • 4051e5e 1.0.0-6
  • 250c32e Handle stray error (and a couple of other trivial changes just from when I was reading through the code)

See the full diff

Package name: sails-generate The new version differs by 86 commits.
  • 3677e7c 1.1.0
  • 339f8ad {Object} => {Dictionary}
  • ee251bd moduleName => packageName
  • b3ab834 Finished up bringing in sails-generate-helper, did some tweaks to action generator to match, and finished pulling out license to top-level.
  • dd90ad5 Finished up actions2 generator. Everything but helpers now.
  • 21ae363 Brought in sails-generate-action to support generating actions2 controller actions. Added special 'view' prefix inference... thing.
  • bbbe0c9 Updates to adapter generator, and brought in generator generator.
  • da1d489 Fix up hook generator, and deal with lingering issue in template builtin (scope._ which was injected by CLI opts/serial args parsing in rc / sails core was overriding lodash within templates.)
  • b95b471 Fixes in adapter generator, and brought in initial import of sails-generate-hook
  • 567c58e Get rid of unnecssary extra wrapper folder for adapter templates.
  • 84dc359 BRought in adapter generator, did updates. Also a few unrelated fixes to view templates.
  • 28c07e4 Add in and test sg-api, sg-controller, and sg-model.
  • 6c40205 Set up support for loading from lib/core-generators/ -- and then inline sails-generate-new impl (see also http://github.com/balderdashy/sails-generate-new/tree/denormalized.)
  • a294fe8 sails-generate-new's deps.
  • 7e55e72 Remove all core generators from package.json.
  • d4b1d49 Remove logs that I forgot to wipe in the previous commit.
  • 5aeb8b9 Fix issue where templatesDirectory was accidentally getting squashed w/ inline generator defs.
  • 5915bc2 Add assertions to template builtin
  • 64ea15b More docs about load order.
  • 2d4bab2 Fix missing require and bad varname. Also expand documentation of each require that sails-generate will attempt before giving up.
  • 534abde Finish up first complete pass generateTarget() that implements 'overridable'.
  • c34a444 Intermediate...
  • bc7ccce Change varname of iteratee cb for clarity.
  • 1f1ea31 Add headings.

See the full diff

Package name: sails-hook-orm The new version differs by 250 commits.

See the full diff

Package name: sails-hook-sockets The new version differs by 143 commits.
  • ce17551 1.5.0
  • 8e47df6 All good things...
  • 3517886 Remove `socket.io-client` from dependencies, move back to devDeps
  • 62d255c Update version of mp-http to allow tests to continue passing in earlier Node versions
  • 5b81e46 Upgrade socket.io, socket.io-client and socket.io-redis versions.
  • d436e41 Merge branch 'lmg-git-master'
  • d514c73 Add req.ip tests
  • 4f7bc3e update compatibility message (and made it version agnostic)
  • 337cbf6 Added proxy-addr to the dependencies
  • 7256484 Changed to use proxy-addr similarly to express
  • 29cc92a Prevent an error if exception
  • b0cd2ad Forgot to add the socket address to the ips Array
  • 9eebb5e Added back the 'x-forwarded-for' header and added req.ips support
  • b36fb33 Removed the 'x-forwarded-for' handling
  • c31d6b8 Updated req.ip and req.port for socket requests
  • 17963e0 Don't log connection errors when custom `onRedisDisconnect()` / `onRedisReconnect()` methods are specified.
  • 42bb0a5 Add support for ES7 async afterDisconnect functions
  • dbd33fd Fix issue in tests that was giving false positives
  • a392d00 Only run mocha on top level of `/test` folder.
  • 08a5577 Add support for ES7 async beforeConnect functions
  • 9830e17 Remove erroneous comment
  • 1b3c9c4 1.4.3
  • 69048b9 1.4.3-0
  • 41a9137 Better cordova compat.

See the full diff

Package name: waterline The new version differs by 250 commits.

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Prototype Override Protection Bypass
🦉 More lessons are available in Snyk Learn

@snyk-bot
fix: package.json to reduce vulnerabilities
c30d5d5 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-QS-3153490
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-1056752
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-3091012
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
- https://snyk.io/vuln/SNYK-JS-TRIM-1017038
- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:lodash:20180130
- https://snyk.io/vuln/npm:ms:20170412
- https://snyk.io/vuln/npm:parsejson:20170908
- https://snyk.io/vuln/npm:qs:20170213
- https://snyk.io/vuln/npm:utile:20180614
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

DirtyAdapter: make all find queries case insensitive by default
2 participants
@simha95 @snyk-bot