[Snyk] Fix for 13 vulnerabilities #5016

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

nwmac wants to merge 1 commit into master from snyk-fix-c4fcce3f7a19d778d68747f6602eff71

Contributor

nwmac commented Sep 29, 2022

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	409/1000 Why? Has a fix available, CVSS 3.9	Cross-site Scripting (XSS) SNYK-JS-ANGULARCORE-1070902	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-IMMER-1540542	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASHES-2434283	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHES-2434284	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASHES-2434285	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASHES-2434289	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-1070800	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: immer

The new version differs by 68 commits.

fa671e5 fix(security): Follow up on CVE-2020-28477 where `path: [["__proto__"], "x"]` could still pollute the prototype
2e0aa95 Create SECURITY.md
050522d chore: fix CI. maybe.
1195510 docs: Update example-setstate.mdx (HSC-1235 - Change user permissions to space/org permissions #833)
648d39b docs: fixing link to RFC-6902 & fixing typo (HSC-1077: Include gulp files and e2e tests in lint check #830)
bc890f7 docs: Update example-setstate.mdx (HSC-1218 - HTML in the interpolate scope for toasts is escaped #829)
16a3d0f chore(deps): bump prismjs from 1.23.0 to 1.24.0 in /website (HSC-1292 - Resurrecting e2e concourse pipeline #822)
847492c docs: Extended / updated documenation (HSC-1205: Restrict assign-users search to username column #824)
7f41483 chore: [workflows] don't release from forks
3f9a94e chore: let's test before publish
bfb8dec fix: release missing dist/ folder
b314b19 chore: fix cpx usage
a607d6c chore: Remove old shizzle
6fd5329 chore: fixes for deploy preview
144f886 chore: fix docs deployment attempt 3
38964fa chore: semantic-release + GH actions
06c6741 chore: fix docs deploy
ad23da9 chore: fix test job
b6d92f4 chore: publish docs automatically
c59576a chore: setup GH action for test
dc3f66c fix: Ensure we refresh an organization's spaces after update #807 new undefined properties should end up in result object
5412c9f fix: HSC-1216 - Use localized date format #791 return 'nothing' should produce undefined patch
58b74a6 chore(deps): bump ssri from 6.0.1 to 6.0.2 in /website (Remove toasts during e2e tests to speed things up #818)
c9deb48 chore(deps): bump color-string from 1.5.4 to 1.5.5 in /website (HSC-1287: App Wall: show number of filtered out of total Apps #817)

See the full diff

Package name: lodash

The new version differs by 1 commits.

c6e281b Bump to v4.17.21

See the full diff

Package name: marked

The new version differs by 250 commits.

ae01170 chore(release): 4.0.10 [skip ci]
fceda57 🗜️ build [skip ci]
8f80657 fix(security): fix redos vulnerabilities
c4a3ccd Merge pull request from GHSA-rrrm-qjm4-v8hf
d7212a6 chore(deps-dev): Bump jasmine from 4.0.0 to 4.0.1 (Validate mem and disk on edit app #2352)
5a84db5 chore(deps-dev): Bump rollup from 2.62.0 to 2.63.0 (Can't run start-prod #2350)
2bc67a5 chore(deps-dev): Bump markdown-it from 12.3.0 to 12.3.2 (Deploy info card shows both file and folder info #2351)
98996b8 chore(deps-dev): Bump @ babel/preset-env from 7.16.5 to 7.16.7 (Disable buttons on app view rather than hide #2353)
ebc2c95 chore(deps-dev): Bump highlight.js from 11.3.1 to 11.4.0 (Alignment/rendering issues on github tab #2354)
e5171a9 chore(release): 4.0.9 [skip ci]
41990a5 🗜️ build [skip ci]
a9696e2 fix: retain line breaks in tokens properly (Throttle stats calls on app walls with lots of started apps #2341)
6aacd13 chore(deps-dev): Bump jasmine from 3.10.0 to 4.0.0 (Create Route - path must start with a / #2343)
55e5df9 chore(deps-dev): Bump @ babel/core from 7.16.5 to 7.16.7 (Can not create TCP Route #2344)
4f4cab4 chore(deps-dev): Bump eslint-plugin-import from 2.25.3 to 2.25.4 (Ensure we don't overwrite internal scopes with endpoint scopes #2345)
97ea9f2 chore(deps-dev): Bump eslint from 8.5.0 to 8.6.0 (Add search, filtering and pause/resume to log viewer #2346)
4c3b853 chore(deps-dev): Bump rollup-plugin-license from 2.6.0 to 2.6.1 (App Service Instances: Modal appears off screen #2347)
9396896 chore(deps-dev): Bump rollup from 2.61.1 to 2.62.0 (Tables should not show text filter if there are no results #2338)
103a56c chore(deps-dev): Bump @ babel/preset-env from 7.16.4 to 7.16.5 (Use more specific messages on tables when there are no entities #2333)
be771c9 chore(deps-dev): Bump eslint from 8.4.1 to 8.5.0 (SSL checkbox is cropped on register endpoint page #2334)
67d5a65 chore(deps-dev): Bump @ babel/core from 7.16.0 to 7.16.5 (Connect dialog loading bar sticks for a bit #2335)
991493a chore(deps-dev): Bump eslint-plugin-promise from 5.2.0 to 6.0.0 (Ensure we have list views for all card views #2336)
59375fb chore(release): 4.0.8 [skip ci]
4734c82 🗜️ build [skip ci]

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Directory Traversal
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn


          fix: package.json & package-lock.json to reduce vulnerabilities

2bd5c03

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902
- https://snyk.io/vuln/SNYK-JS-IMMER-1540542
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASHES-2434283
- https://snyk.io/vuln/SNYK-JS-LODASHES-2434284
- https://snyk.io/vuln/SNYK-JS-LODASHES-2434285
- https://snyk.io/vuln/SNYK-JS-LODASHES-2434289
- https://snyk.io/vuln/SNYK-JS-MARKED-1070800
- https://snyk.io/vuln/SNYK-JS-MARKED-2342073
- https://snyk.io/vuln/SNYK-JS-MARKED-2342082
- https://snyk.io/vuln/SNYK-JS-MOMENT-2440688
- https://snyk.io/vuln/SNYK-JS-MOMENT-2944238

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet