This repository was archived by the owner on May 29, 2025. It is now read-only.

[Snyk] Fix for 7 vulnerabilities #24

Open

snyk-bot wants to merge 1 commit into master from snyk-fix-7523fdd5bd9aaec72bb064161578f8d2

snyk-bot commented Aug 31, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-URLPARSE-1078283	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-URLPARSE-1533425	No	Proof of Concept
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Access Restriction Bypass SNYK-JS-URLPARSE-2401205	No	Proof of Concept
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Authorization Bypass SNYK-JS-URLPARSE-2407759	No	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Improper Input Validation SNYK-JS-URLPARSE-2407770	No	Proof of Concept
	631/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.2	Authorization Bypass Through User-Controlled Key SNYK-JS-URLPARSE-2412697	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: react-markdown

The new version differs by 39 commits.

45b9977 5.0.0
eeea3c2 Update `changelog.md`
5d6c9f1 Refactor scripts
d29478f Add type tests
4f5dbe2 Add note
7a5e3a1 Add `allowDangerousHtml`, preferred over `escapeHtml`
2675ae2 Remove docs on `source`
34b0883 Change default branch to `main`
22a5e49 Refactor and test for 100% coverage
b3aa6e0 Rewrite readme for unified, more examples
a9f163d Move demo to `website` branch
4f1a407 Change to clean project, update, refactor scripts
ebebf51 Upgrade remark to version 8, unified to version 9
e400f6f Upgrade to remark-parse@6
3260f57 Run tests on node 12
6eff8d1 Pass AST node to all non-tag/non-fragment renderers as prop
ca25be1 Fix link to demo in readme
9b4eb84 Updated remark-parse github link (#447)
2d991aa 4.3.1
34eff54 Update CHANGELOG
311e2f8 Fix typescript declaration (#378)
b274e76 4.3.0
a608d83 Rebuilt demo
063b30e Update CHANGELOG

See the full diff

Package name: url-parse

The new version differs by 59 commits.

ad23357 1.5.9
0e3fb54 [fix] Strip all control characters from the beginning of the URL
61864a8 [security] Add credits for CVE-2022-0686
bb0104d 1.5.8
d5c6479 [fix] Handle the case where the port is specified but empty
4f2ae67 [security] Add credits for CVE-2022-0639
8b3f5f2 1.5.7
ef45a13 [fix] Readd the empty userinfo to `url.href` (#226)
88df234 [doc] Add soft deprecation notice
78e9f2f [security] Fix nits
e6fa434 [security] Add credits for incorrect handling of userinfo vulnerability
4c9fa23 1.5.6
7b0b8a6 Merge pull request #223 from unshiftio/fix/at-sign-handling-in-userinfo
e4a5807 1.5.5
193b44b [minor] Simplify whitespace regex
319851b [fix] Remove CR, HT, and LF
4e53a8c [doc] Document that the returned hostname might be invalid
9be7ee8 [fix] Correctly handle userinfo containing the at sign
f7774f6 [security] Fix typos in SECURITY.md
82c4908 [dist] 1.5.4
e324874 [doc] Remove dependency status badge
5e8a444 [ci] Test on node 17
a72a5c6 [doc] Remove "made by" and IRC badges
e9a8353 [ci] Update coverallsapp/github-action action to version 1.1.3

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect


          fix: package.json & package-lock.json to reduce vulnerabilities

f7fa7de

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-TRIM-1017038
- https://snyk.io/vuln/SNYK-JS-URLPARSE-1078283
- https://snyk.io/vuln/SNYK-JS-URLPARSE-1533425
- https://snyk.io/vuln/SNYK-JS-URLPARSE-2401205
- https://snyk.io/vuln/SNYK-JS-URLPARSE-2407759
- https://snyk.io/vuln/SNYK-JS-URLPARSE-2407770
- https://snyk.io/vuln/SNYK-JS-URLPARSE-2412697

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet