Skip to content

[Snyk] Fix for 73 vulnerabilities #51

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
elOtta1223 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 73 vulnerabilities #51

elOtta1223 wants to merge 1 commit into from

Conversation

@elOtta1223
Copy link
Owner

@elOtta1223 elOtta1223 commented Oct 6, 2022

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json

  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
    Find out more.

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908		 No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-BROWSERSLIST-1090194		 No Proof of Concept
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3		 Arbitrary File Write via Archive Extraction (Zip Slip)
SNYK-JS-DECOMPRESS-557358		 No Proof of Concept
medium severity 526/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 4.1		 Arbitrary Code Injection
SNYK-JS-EJS-1049328		 No Proof of Concept
high severity 726/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.1		 Remote Code Execution (RCE)
SNYK-JS-EJS-2803307		 No Proof of Concept
medium severity 509/1000
Why? Has a fix available, CVSS 5.9		 Information Exposure
SNYK-JS-HARP-174149		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Unauthorized File Access
SNYK-JS-HARP-174346		 No No Known Exploit
high severity 600/1000
Why? Has a fix available, CVSS 7.5		 Unauthorised File Access
SNYK-JS-HARP-544928		 No No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905		 No Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2		 Command Injection
SNYK-JS-LODASH-1040724		 No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-450202		 No Proof of Concept
high severity 731/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.2		 Prototype Pollution
SNYK-JS-LODASH-567746		 No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-608086		 No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-73638		 No Proof of Concept
medium severity 541/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 4.4		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-73639		 No Proof of Concept
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-174116		 No No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-2342073		 No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-2342082		 No Proof of Concept
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-451540		 No No Known Exploit
medium severity 520/1000
Why? Has a fix available, CVSS 5.9		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-584281		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MINIMATCH-1019388		 No No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Improper Certificate Validation
SNYK-JS-NODESASS-1059081		 No No Known Exploit
medium severity 550/1000
Why? Has a fix available, CVSS 6.5		 Out-of-bounds Read
SNYK-JS-NODESASS-535499		 No No Known Exploit
high severity 726/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.1		 Out-of-bounds Read
SNYK-JS-NODESASS-535501		 No Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 NULL Pointer Dereference
SNYK-JS-NODESASS-535502		 No Proof of Concept
high severity 600/1000
Why? Has a fix available, CVSS 7.5		 Uncontrolled Recursion
SNYK-JS-NODESASS-535503		 No No Known Exploit
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Resource Exhaustion
SNYK-JS-NODESASS-535504		 No Proof of Concept
high severity 761/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.8		 NULL Pointer Dereference
SNYK-JS-NODESASS-535505		 No Proof of Concept
high severity 726/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.1		 Out-of-bounds Read
SNYK-JS-NODESASS-540956		 No Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Uncontrolled Recursion
SNYK-JS-NODESASS-540960		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Out-of-bounds Read
SNYK-JS-NODESASS-540962		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Improper Input Validation
SNYK-JS-NODESASS-540966		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Improper Input Validation
SNYK-JS-NODESASS-540968		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Uncontrolled Recursion
SNYK-JS-NODESASS-540970		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Out-of-bounds Read
SNYK-JS-NODESASS-540972		 No No Known Exploit
high severity 761/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.8		 NULL Pointer Dereference
SNYK-JS-NODESASS-540974		 No Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Denial of Service (DoS)
SNYK-JS-NODESASS-540980		 No Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Denial of Service (DoS)
SNYK-JS-NODESASS-540982		 No Proof of Concept
medium severity 539/1000
Why? Has a fix available, CVSS 6.5		 Out-of-bounds Read
SNYK-JS-NODESASS-540984		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Out-of-bounds Read
SNYK-JS-NODESASS-540986		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JS-NODESASS-540988		 No No Known Exploit
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Out-of-bounds Read
SNYK-JS-NODESASS-540990		 No Proof of Concept
medium severity 539/1000
Why? Has a fix available, CVSS 6.5		 NULL Pointer Dereference
SNYK-JS-NODESASS-540994		 No No Known Exploit
high severity 726/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.1		 Out-of-bounds Read
SNYK-JS-NODESASS-540996		 No Proof of Concept
medium severity 509/1000
Why? Has a fix available, CVSS 5.9		 Denial of Service (DoS)
SNYK-JS-NODESASS-542662		 No No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-POSTCSS-1255640		 No Proof of Concept
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-SCSSTOKENIZER-2339884		 No No Known Exploit
high severity 624/1000
Why? Has a fix available, CVSS 8.2		 Arbitrary File Overwrite
SNYK-JS-TAR-1536528		 No No Known Exploit
high severity 624/1000
Why? Has a fix available, CVSS 8.2		 Arbitrary File Overwrite
SNYK-JS-TAR-1536531		 No No Known Exploit
low severity 410/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-TAR-1536758		 No No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5		 Arbitrary File Write
SNYK-JS-TAR-1579147		 No No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5		 Arbitrary File Write
SNYK-JS-TAR-1579152		 No No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5		 Arbitrary File Write
SNYK-JS-TAR-1579155		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JS-TRIMNEWLINES-1298042		 No No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:debug:20170905		 No No Known Exploit
high severity 619/1000
Why? Has a fix available, CVSS 8.1		 Arbitrary Code Execution
npm:ejs:20161128		 No No Known Exploit
medium severity 509/1000
Why? Has a fix available, CVSS 5.9		 Cross-site Scripting (XSS)
npm:ejs:20161130		 No No Known Exploit
medium severity 509/1000
Why? Has a fix available, CVSS 5.9		 Denial of Service (DoS)
npm:ejs:20161130-1		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
npm:fresh:20170908		 No No Known Exploit
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:github-url-to-object:20180226		 Yes Proof of Concept
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3		 Prototype Pollution
npm:lodash:20180130		 No Proof of Concept
high severity 654/1000
Why? Has a fix available, CVSS 8.8		 Cross-site Scripting (XSS)
npm:marked:20150520		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Cross-site Scripting (XSS)
npm:marked:20170112		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Cross-site Scripting (XSS)
npm:marked:20170815		 No No Known Exploit
medium severity 454/1000
Why? Has a fix available, CVSS 4.8		 Cross-site Scripting (XSS)
npm:marked:20170815-1		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
npm:marked:20170907		 No No Known Exploit
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
npm:marked:20180225		 No Proof of Concept
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:mime:20170907		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
npm:minimatch:20160620		 No No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:ms:20170412		 No No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
npm:uglify-js:20151024		 No No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: harp The new version differs by 82 commits.
  • 48956a6 verison bump v0.40.3
  • 426d68a return 403 on symlink when deny-symlinks flag set. #646 #659
  • 5b6af45 Moves symlink deny into its own middleware. #646 #659
  • 28611cb Merge pull request #659 from 418sec/master
  • fbc638f bumps version to v0.40.2
  • 1ec790b Resolves serving private file via encoded underscore. #646
  • d3f7ba2 Merge branch 'master' of github.com:sintaxi/harp
  • 6547336 adds failing test to ensure files and directories that start with underscore are not served.
  • e206a47 Merge pull request #666 from Prinzhorn/patch-1
  • 71af1c1 Removed outdated harp.io link
  • fd49cbc upgrades dependencies
  • dccfa6d removes unused deps
  • d97cae1 removes unused meta files
  • d50f7b3 new CLI and bumps terraform.
  • f25cf86 updates README.md
  • 2893a06 removes tests for deprecated processors
  • 456754f updates deps
  • 055c254 version bump v0.40.0
  • cd58cf5 new CLI design
  • c84759b removes unused deps
  • 7240a1d adds cascading 200 file support
  • 20d7db1 rename default files
  • 135d10a got compiling working with esbuild
  • d6725cc initial implementation of jsx

See the full diff

Package name: marky-markdown The new version differs by 175 commits.
  • e5bf70d chore(release): 10.1.4
  • 93b17a6 fix(test): explicitly test for falsy repository.url in package
  • 5d1e1e4 chore(release): 10.1.3
  • a66ed66 fix: allow link titles to be delimited by parentheses
  • 0d6ce69 chore(release): 10.1.2
  • 4233011 chore: upgrade to newest version of standard-version
  • 033ed7d chore: add build step using standard-version's new lifecycle scripts (#383)
  • 1e4b838 fix: infinite loop caused by abstemious HTML plugin (#382)
  • 80b4bf7 chore(release): 10.1.1
  • 3b16ea9 fix: convert ES6 template string to ES5; gets the browserify bundle working
  • a46a552 chore(release): 10.1.0
  • 4d790a0 chore: added standard-version for managing releases
  • f7a0883 feat: classes attached to anchor and svg in headings can now be configured
  • 93ac376 10.0.1
  • 6ffad37 docs: update changelog for 10.0.1
  • 5f52d9e chore: Change ES6 object shorthand to ES5 so browserify bundle will work in more browsers
  • 2aa2b5e chore: use version rather than postversion for bumping marky.json so it gets updated in the tagged commit
  • 7738c8e chore: use node 8 on travis CI
  • 9f39109 10.0.0
  • 09e672a chore: update marky.json with new version
  • 0fdf30e docs: add more release changes for 10.0
  • 20f91ae docs: Add 9.0.2 & 9.0.3 changes to the changelog
  • 8e4dad0 docs: editing nit
  • 48088dd chore: add more entries to changelog

See the full diff

With a Snyk patch:
Severity Priority Score (*) Issue Exploit Maturity
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:debug:20170905		 No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:mime:20170907		 No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:ms:20170412		 No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
npm:negotiator:20160616		 No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Symlink File Overwrite
npm:tar:20151103		 No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
npm:uglify-js:20151024		 No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Arbitrary Code Injection
🦉 More lessons are available in Snyk Learn

@snyk-bot
fix: package.json & .snyk to reduce vulnerabilities
30f4f50 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194
- https://snyk.io/vuln/SNYK-JS-DECOMPRESS-557358
- https://snyk.io/vuln/SNYK-JS-EJS-1049328
- https://snyk.io/vuln/SNYK-JS-EJS-2803307
- https://snyk.io/vuln/SNYK-JS-HARP-174149
- https://snyk.io/vuln/SNYK-JS-HARP-174346
- https://snyk.io/vuln/SNYK-JS-HARP-544928
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/SNYK-JS-MARKED-174116
- https://snyk.io/vuln/SNYK-JS-MARKED-2342073
- https://snyk.io/vuln/SNYK-JS-MARKED-2342082
- https://snyk.io/vuln/SNYK-JS-MARKED-451540
- https://snyk.io/vuln/SNYK-JS-MARKED-584281
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-1019388
- https://snyk.io/vuln/SNYK-JS-NODESASS-1059081
- https://snyk.io/vuln/SNYK-JS-NODESASS-535499
- https://snyk.io/vuln/SNYK-JS-NODESASS-535501
- https://snyk.io/vuln/SNYK-JS-NODESASS-535502
- https://snyk.io/vuln/SNYK-JS-NODESASS-535503
- https://snyk.io/vuln/SNYK-JS-NODESASS-535504
- https://snyk.io/vuln/SNYK-JS-NODESASS-535505
- https://snyk.io/vuln/SNYK-JS-NODESASS-540956
- https://snyk.io/vuln/SNYK-JS-NODESASS-540960
- https://snyk.io/vuln/SNYK-JS-NODESASS-540962
- https://snyk.io/vuln/SNYK-JS-NODESASS-540966
- https://snyk.io/vuln/SNYK-JS-NODESASS-540968
- https://snyk.io/vuln/SNYK-JS-NODESASS-540970
- https://snyk.io/vuln/SNYK-JS-NODESASS-540972
- https://snyk.io/vuln/SNYK-JS-NODESASS-540974
- https://snyk.io/vuln/SNYK-JS-NODESASS-540980
- https://snyk.io/vuln/SNYK-JS-NODESASS-540982
- https://snyk.io/vuln/SNYK-JS-NODESASS-540984
- https://snyk.io/vuln/SNYK-JS-NODESASS-540986
- https://snyk.io/vuln/SNYK-JS-NODESASS-540988
- https://snyk.io/vuln/SNYK-JS-NODESASS-540990
- https://snyk.io/vuln/SNYK-JS-NODESASS-540994
- https://snyk.io/vuln/SNYK-JS-NODESASS-540996
- https://snyk.io/vuln/SNYK-JS-NODESASS-542662
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
- https://snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884
- https://snyk.io/vuln/SNYK-JS-TAR-1536528
- https://snyk.io/vuln/SNYK-JS-TAR-1536531
- https://snyk.io/vuln/SNYK-JS-TAR-1536758
- https://snyk.io/vuln/SNYK-JS-TAR-1579147
- https://snyk.io/vuln/SNYK-JS-TAR-1579152
- https://snyk.io/vuln/SNYK-JS-TAR-1579155
- https://snyk.io/vuln/SNYK-JS-TRIMNEWLINES-1298042
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:ejs:20161128
- https://snyk.io/vuln/npm:ejs:20161130
- https://snyk.io/vuln/npm:ejs:20161130-1
- https://snyk.io/vuln/npm:fresh:20170908
- https://snyk.io/vuln/npm:github-url-to-object:20180226
- https://snyk.io/vuln/npm:lodash:20180130
- https://snyk.io/vuln/npm:marked:20150520
- https://snyk.io/vuln/npm:marked:20170112
- https://snyk.io/vuln/npm:marked:20170815
- https://snyk.io/vuln/npm:marked:20170815-1
- https://snyk.io/vuln/npm:marked:20170907
- https://snyk.io/vuln/npm:marked:20180225
- https://snyk.io/vuln/npm:mime:20170907
- https://snyk.io/vuln/npm:minimatch:20160620
- https://snyk.io/vuln/npm:ms:20170412
- https://snyk.io/vuln/npm:uglify-js:20151024


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:mime:20170907
- https://snyk.io/vuln/npm:ms:20170412
- https://snyk.io/vuln/npm:negotiator:20160616
- https://snyk.io/vuln/npm:tar:20151103
- https://snyk.io/vuln/npm:uglify-js:20151024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@elOtta1223 @snyk-bot