[Snyk] Fix for 18 vulnerabilities #2

Merged 1 commit on Jan 14, 2020

snyk-bot

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json
  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
    Find out more.

Vulnerabilities that will be fixed

With an upgrade:

| Severity | Issue | Breaking Change |
| --- | --- | --- |
| high severity | Prototype Pollution `SNYK-JS-LODASH-450202` | Yes |
| high severity | Prototype Pollution `SNYK-JS-LODASH-73638` | Yes |
| medium severity | Regular Expression Denial of Service (ReDoS) `SNYK-JS-LODASH-73639` | Yes |
| high severity | Command Injection `SNYK-JS-TREEKILL-536781` | Yes |
| medium severity | Prototype Pollution `npm:lodash:20180130` | Yes |
| medium severity | Regular Expression Denial of Service (ReDoS) `npm:mimer:20180210` | Yes |
| medium severity | Content Injection due to quoteless attributes `npm:mustache:20151207` | Yes |
| high severity | Prototype Override Protection Bypass `npm:qs:20170213` | Yes |
| medium severity | Regular Expression Denial of Service (ReDoS) `npm:slug:20170907` | No |

Commit messages
Package name: cheerio The new version differs by 162 commits.
  • c3ec1cd Release 0.20.0
  • ef848ca Add coveralls badge, remove link to old report
  • dbcbe90 Merge pull request #808 from leifhanack/lodash4
  • c04ead1 Merge pull request #668 from rwaldin/prop-method
  • b5531bb Merge pull request #671 from twolfson/dev/fallback.select.content.sqwished
  • 9d98bd7 Merge pull request #704 from Rycochet/master
  • 1b9c5c9 Merge pull request #797 from Delgan/641-appendTo_prependTo
  • b12cbe8 Update lodash dependeny to 4.1.0
  • 8c9b2e0 Merge pull request #796 from Delgan/fix_780
  • b09db31 Fix PR #726 adding 'appendTo()' and 'prependTo()'
  • ce8829d Added appendTo and prependTo with tests #641
  • 4779762 Fix #780 by changing options context in '.find()'
  • 8dc1cc9 Add an unit test checking the query of child
  • b27bed6 fix #667: attr({foo: null}) removes attribute foo, like attr('foo', null)
  • 70c5608 Include reference to dedicated "Loading" section
  • fa70a84 Added load method to $
  • 4e8483a update css-select to 1.2.0
  • 5f2777a Merge pull request #732 from jugglinmike/reinstate-toarray
  • 106e42a Merge pull request #776 from dYale/master
  • 97149d3 Fixing Grammatical Error
  • a1367ee Merge pull request #739 from TrySound/npm-files
  • 6c73b7a Merge pull request #773 from JaKXz/patch-1
  • 48bb22d Test against node v0.12 --> v4.2
  • ec2414d Correct output in example

Package name: stripe The new version differs by 134 commits.

Package name: tree-kill The new version differs by 32 commits.

With a Snyk patch:

| Severity | Issue |
| --- | --- |
| low severity | Regular Expression Denial of Service (ReDoS) `npm:debug:20170905` |
| medium severity | Timing Attack `npm:http-signature:20150122` |
| low severity | Regular Expression Denial of Service (ReDoS) `npm:mime:20170907` |
| medium severity | Regular Expression Denial of Service (ReDoS) `npm:ms:20151024` |
| low severity | Regular Expression Denial of Service (ReDoS) `npm:ms:20170412` |
| high severity | Regular Expression Denial of Service (DoS) `npm:negotiator:20160616` |
| medium severity | Denial of Service (Event Loop Blocking) `npm:qs:20140806-1` |
| medium severity | Remote Memory Exposure `npm:request:20160119` |
| medium severity | Insecure Randomness `npm:ws:20160920` |

Note that some vulnerabilities couldn’t be fully fixed, and so will still fail the Snyk test report.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

馃 View latest project report

馃洜 Adjust project settings

馃摎 Read more about Snyk's upgrade and patch logic

@l1kw1d merged commit 97d2af6 into master on Jan 14, 2020