[Snyk] Fix for 14 vulnerabilities

[baby636]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/ipfs/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-DOTPROP-543489	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-NODEFORGE-2330875	No	Proof of Concept
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-NODEFORGE-2331908	No	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430337	No	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430339	No	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430341	No	No Known Exploit
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVERREGEX-1047770	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVERREGEX-1584358	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVERREGEX-1585624	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVERREGEX-2824151	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: aegir

The new version differs by 116 commits.

• 5d448e7 chore(release): 37.0.0 [skip ci]
• bc62524 chore: add missing dep
• e3a4b45 feat: update build and release commands (benchmark.js.ipfs.io ipfs/js-ipfs#946)
• 585b004 chore(release): 36.2.3 [skip ci]
• a4123d5 chore(deps): bump simple-git from 2.37.0 to 3.3.0 (Intermittent "ipfs-pubsub-room/v1" not supported ipfs/js-ipfs#944)
• 045ee8a chore(release): 36.2.2 [skip ci]
• cdd0ad1 chore: fix linting
• 677efd7 chore: slow ci is slow
• 2f88c95 fix: restore typesversions for ts config file
• 512e594 chore(release): 36.2.1 [skip ci]
• d03bb03 fix: types for test utils
• 539f597 fix: update config
• a849765 fix: publish utils dir
• 9b45b4b chore(release): 36.2.0 [skip ci]
• 3defb4f chore: add auto-release
• 3fec2e3 chore: remove unused dep
• dcb5be6 chore: add path dep
• feeeb54 fix: tsc receives forward args (files.cat stream doesn't auto resume .on('data') ipfs/js-ipfs#939)
• d3dc7cd fix: cache types dir
• 6136719 chore: add install browser deps action
• d8111a2 fix: remove playwright
• 7f83b6c fix: run playwright install-deps
• 40a49f6 fix: cache playwright browsers
• ad2f33b chore: change if clause

See the full diff

Package name: interface-ipfs-core

The new version differs by 250 commits.

• 38e78cc chore: release master (chore: release master ipfs/js-ipfs#4099)
• 919b27a chore: update deps
• 4e93dd5 fix: update to latest libp2p interfaces (fix: update to latest libp2p interfaces ipfs/js-ipfs#4111)
• 7165bf7 docs: add upgrade guide for ESM release (docs: add upgrade guide for ESM release ipfs/js-ipfs#4098)
• 74aee8b feat: update to libp2p 0.37.x (feat: update to libp2p 0.37.x ipfs/js-ipfs#4092)
• 361dab6 chore: release master (chore: release master ipfs/js-ipfs#4078)
• 8f7ce23 fix: upgrade dep of ipfs-utils ^9.0.2->^9.0.6 (fix: upgrade dep of ipfs-utils ^9.0.2->^9.0.6 ipfs/js-ipfs#4086)
• c367840 fix: update car dependency for CARv2 read support (fix: update car dependency for CARv2 read support ipfs/js-ipfs#4085)
• e90b8f1 fix: BWOptions.interval accepts number|string (fix: BWOptions.interval accepts number|string ipfs/js-ipfs#4061)
• 6c3cb73 fix: exclude fs from bundle (fix: exclude fs from bundle ipfs/js-ipfs#4076)
• 1a73160 fix(rmlink): fix rmlink to match docs (fix(rmlink): fix rmlink to match docs ipfs/js-ipfs#4073)
• c51b160 chore: release master (chore: release master ipfs/js-ipfs#4057)
• df1bd1b fix: add deps used in ipfs-core-types (fix: add deps used in ipfs-core-types ipfs/js-ipfs#4058)
• 125d42b fix: missing files on publish (fix: missing files on publish ipfs/js-ipfs#4056)
• 1082fce chore: fix links to config defaults (chore: fix links to config defaults ipfs/js-ipfs#4049)
• e7f8531 chore: release master (chore: release master ipfs/js-ipfs#4041)
• 709831f fix: override hashing algorithm when importing files (fix: override hashing algorithm when importing files ipfs/js-ipfs#4042)
• 383dc07 chore: fix broken links and help text (chore: fix broken links and help text ipfs/js-ipfs#4043)
• 3a74c11 docs: fixed link to examples (docs: fixed link to js-ipfs-examples ipfs/js-ipfs#4037)
• 596b1f4 fix(dag): replace custom dag walk with multiformats/traversal (fix(dag): replace custom dag walk with multiformats/traversal ipfs/js-ipfs#3950)
• 2c8ec08 chore: re-enable examples (chore: re-enable examples ipfs/js-ipfs#4036)
• 8d26021 chore: re-enable build
• b01b06b chore: release master (chore: release master ipfs/js-ipfs#4034)
• cca6e32 chore: override last release

See the full diff

Package name: ipfs-cli

The new version differs by 63 commits.

• 7f24131 chore: publish
• 93b81f9 chore: update contributors
• 33fa734 feat: ed25519 keys by default (feat: ed25519 keys by default ipfs/js-ipfs#3693)
• 2886134 chore: upgrade go-ipfs to 0.9.x (chore: upgrade go-ipfs to 0.9.x ipfs/js-ipfs#3805)
• 2f3df7a fix: return rate in/out as number (fix: return rate in/out as number ipfs/js-ipfs#3798)
• 4f532a5 fix: do not write blocks we already have (fix: do not write blocks we already have ipfs/js-ipfs#3801)
• db302d0 chore: revert "chore(deps-dev): bump go-ipfs from 0.8.0 to 0.9.1" (chore: revert "chore(deps-dev): bump go-ipfs from 0.8.0 to 0.9.1" ipfs/js-ipfs#3803)
• 4c7ac57 chore(deps-dev): bump go-ipfs from 0.8.0 to 0.9.1 (chore(deps-dev): bump go-ipfs from 0.8.0 to 0.9.1 ipfs/js-ipfs#3765)
• 746a54c fix: fix up examples (fix: fix up examples ipfs/js-ipfs#3799)
• b7fc9e8 docs: update files.rm example (docs: update files.rm example ipfs/js-ipfs#3797)
• 1ad6001 feat: make ipfs.get output tarballs (feat: make ipfs.get output tarballs ipfs/js-ipfs#3785)
• 79f661e fix: typescript errors (fix: typescript errors ipfs/js-ipfs#3781)
• 7fdba64 docs: update remote pinning docs (docs: update remote pinning docs ipfs/js-ipfs#3786)
• fdc03ab chore: updated example dependencies
• dde3d28 chore: publish
• 8178225 chore: update contributors
• 1bf35f8 fix: typo in 'multiformats' type defs (fix: typo in 'multiformats' type defs ipfs/js-ipfs#3778)
• 8380d71 fix: restore default level-js options (fix: restore default level-js options ipfs/js-ipfs#3779)
• bf23e48 docs: update ipld/multiformats docs (docs: update ipld/multiformats docs ipfs/js-ipfs#3771)
• 349cbd0 chore: use multiformats sha3 impl (chore: use multiformats sha3 impl ipfs/js-ipfs#3772)
• bb6113a chore: only run example tests if code has changed (chore: only run example tests if code has changed ipfs/js-ipfs#3773)
• d4090e0 chore: restore git and eth graph traversal examples (chore: restore git and eth graph traversal examples ipfs/js-ipfs#3770)
• 4b79dcb chore: updated example dependencies
• ef41f92 chore: publish

See the full diff

Package name: ipfs-core

The new version differs by 74 commits.

• f9099fd chore: publish
• 479e09e fix: use correct datastores (fix: use correct datastores ipfs/js-ipfs#3820)
• 1343708 fix: throw error on missing input to add/addAll (fix: throw error on missing input to add/addAll ipfs/js-ipfs#3818)
• a201a3d chore: update libp2p-noise (chore: update libp2p-noise ipfs/js-ipfs#3819)
• e7d5509 feat: pubsub over gRPC (feat: pubsub over gRPC ipfs/js-ipfs#3813)
• 5ab3ced chore: revert "fix: pin nanoid version" (chore: revert "fix: pin nanoid version" ipfs/js-ipfs#3812)
• 4a8de24 docs: add rpc addr docs (docs: add rpc addr docs ipfs/js-ipfs#3809)
• 7a920d8 fix: detect ed25519 keys in ws test (fix: detect ed25519 keys in ws test ipfs/js-ipfs#3808)
• 5c8da9a fix: pass correct types to libp2p dht methods (fix: pass correct types to libp2p dht methods ipfs/js-ipfs#3806)
• 474523a fix: pin nanoid version (fix: pin nanoid version ipfs/js-ipfs#3807)
• 6a2c710 chore: updated example dependencies
• 7f24131 chore: publish
• 93b81f9 chore: update contributors
• 33fa734 feat: ed25519 keys by default (feat: ed25519 keys by default ipfs/js-ipfs#3693)
• 2886134 chore: upgrade go-ipfs to 0.9.x (chore: upgrade go-ipfs to 0.9.x ipfs/js-ipfs#3805)
• 2f3df7a fix: return rate in/out as number (fix: return rate in/out as number ipfs/js-ipfs#3798)
• 4f532a5 fix: do not write blocks we already have (fix: do not write blocks we already have ipfs/js-ipfs#3801)
• db302d0 chore: revert "chore(deps-dev): bump go-ipfs from 0.8.0 to 0.9.1" (chore: revert "chore(deps-dev): bump go-ipfs from 0.8.0 to 0.9.1" ipfs/js-ipfs#3803)
• 4c7ac57 chore(deps-dev): bump go-ipfs from 0.8.0 to 0.9.1 (chore(deps-dev): bump go-ipfs from 0.8.0 to 0.9.1 ipfs/js-ipfs#3765)
• 746a54c fix: fix up examples (fix: fix up examples ipfs/js-ipfs#3799)
• b7fc9e8 docs: update files.rm example (docs: update files.rm example ipfs/js-ipfs#3797)
• 1ad6001 feat: make ipfs.get output tarballs (feat: make ipfs.get output tarballs ipfs/js-ipfs#3785)
• 79f661e fix: typescript errors (fix: typescript errors ipfs/js-ipfs#3781)
• 7fdba64 docs: update remote pinning docs (docs: update remote pinning docs ipfs/js-ipfs#3786)

See the full diff

Package name: ipfs-interop

The new version differs by 77 commits.

• 81e4063 chore(release): 9.0.0 [skip ci]
• 56f3370 fix: remove randomness from get directory tests ([Snyk] Security upgrade electron from 12.2.3 to 20.3.9 #497)
• b006606 feat!: upgrade to esm libp2p/ipfs ([Snyk] Security upgrade parcel from 2.0.0-beta.2 to 2.0.0 #462)
• 03132ac chore(release): 8.0.11 [skip ci]
• f0cf7d8 fix: use os.arch() when arch is undefined ([Snyk] Fix for 1 vulnerabilities #488)
• 2288d77 chore: Update .github/workflows/stale.yml [skip ci]
• 33079ad Update .github/workflows/stale.yml
• 12cb352 Add .github/workflows/stale.yml
• 45fa7ef chore(release): 8.0.10 [skip ci]
• bda96fc fix: when hole punching is enabled by default ([Snyk] Fix for 1 vulnerabilities #443)
• 3e07e24 chore(release): 8.0.9 [skip ci]
• 3ade340 fix: add fs and go-ipfs to browser ignores ([Snyk] Security upgrade electron from 12.2.3 to 19.1.5 #451)
• 119aa62 docs: add breaking change interop release process ([Snyk] Security upgrade aegir from 33.2.4 to 37.2.0 #395)
• 18649a6 chore(deps): bump aegir from 36.1.3 to 36.2.3 ([Snyk] Security upgrade aegir from 33.2.4 to 36.2.3 #445)
• 4826e1a chore(release): 8.0.8 [skip ci]
• e0736b4 fix: add missing files
• cd4e167 chore(release): 8.0.7 [skip ci]
• e434af2 chore: release after build
• d6abdfd chore: fix linting
• df76d8c chore(release): 8.0.6 [skip ci]
• 8844f86 chore: fix paths and packages
• 2119650 chore(release): 8.0.5 [skip ci]
• 8558775 chore: another esm module
• 002bcbe chore(release): 8.0.4 [skip ci]

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Open Redirect
🦉 Regular Expression Denial of Service (ReDoS)