New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 18 vulnerabilities #12

Open

snyk-bot wants to merge 1 commit into main from snyk-fix-47622b0fc2aa1e3b4056ef45dc512289

snyk-bot commented Aug 19, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

⚠️

Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	584/1000 Why? Has a fix available, CVSS 7.4	Directory Traversal SNYK-JS-ADMZIP-1065796	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-JSZIP-1251497	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-NODEFORGE-2330875	Yes	Proof of Concept
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-NODEFORGE-2331908	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430337	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430339	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430341	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Command Injection SNYK-JS-NODENOTIFIER-1035794	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1090595	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	619/1000 Why? Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: chrome-webstore-upload-cli

The new version differs by 14 commits.

5b715f8 2.0.0
3c1990d Improve errors (Bump xo from 0.38.2 to 0.53.1 MarcelRaschke/isometric-contributions#55)
71f6a26 Use async functions (Bump xo from 0.38.2 to 0.53.0 MarcelRaschke/isometric-contributions#54)
45fd16b Rename CLI command from `webstore` to `chrome-webstore-upload` (Bump minimatch and recursive-readdir MarcelRaschke/isometric-contributions#53)
51eddc7 `clientSecret` is not required if token is for "Chrome App" (Bump web-ext-submit from 5.5.0 to 7.3.1 MarcelRaschke/isometric-contributions#52)
1829794 Turn into ES Module + update all dependencies (Bump web-ext-submit from 5.5.0 to 7.3.0 MarcelRaschke/isometric-contributions#51)
41f8a0c Lint
ab45eda Add more information to the readme
8eb5157 Run CI on Node 12, 14, 16
55d2d6c Upgrade `ava` and `meow` (Bump jszip from 2.6.1 to 2.7.0 MarcelRaschke/isometric-contributions#49)
281faac 1.2.2
c86232c Meta updates and enable GitHub Actions (Bump xo from 0.38.2 to 0.52.3 MarcelRaschke/isometric-contributions#48)
3b176ec Upgrade meow dependency to v5.0.0 (Bump xo from 0.38.2 to 0.52.2 MarcelRaschke/isometric-contributions#47)
a65728a Readme: Add FACEIT Enhancer to the extensions using it (Bump web-ext-submit from 5.5.0 to 7.1.1 MarcelRaschke/isometric-contributions#42)

See the full diff

Package name: web-ext-submit

The new version differs by 14 commits.

04dc976 7.0.0
233ff23 6.8.0
b65e69b 6.7.0
b995abb 6.6.0
ea96f82 6.5.0
9bfa8a4 6.4.0
41fc022 6.3.0
870df55 6.2.0
301ef4c Update `engines` field
9c7c639 6.1.0
646cce3 6.0.1
b7205ff Allow publishing local hotfixes
a5f35c8 Update minimum engines
8c443f5 6.0.0

See the full diff

Package name: xo

The new version differs by 36 commits.

ab16df2 0.42.0
de55a03 Upgrade dependencies
34800b7 Upgrade `globby` (#574)
f81e933 Re-enable `import/newline-after-import` rule
47af93e 0.41.0
af93e79 Upgrade dependencies
0733cc5 Fix code style (#570)
ab17a3c Lint `.cjs` files in codebase (#569)
0a752c7 Update dependencies (#568)
41c8f39 Convert project to module (#566)
b3c5e15 Fix typo (#567)
2ef9f22 Prevent the `useEslintrc` option from being used (#565)
41f0484 0.40.3
374dd73 Support `xo.config.cjs` and `.xo-config.cjs` (#561)
3e7b77c Remove some needless imports (#560)
6adf459 Remove `update-notifier`
b6389ef 0.40.2
7ace6e5 Fix handling of `parserOptions` for TypeScript (#557)
7629ce0 0.40.1
d2c5750 Properly resolve base config (#545)
e9c96a1 Properly handle `parserOptions` (#544)
8e1801c Avoid destructuring and just build the expected object once (#538)
4cfdc72 Fix CI
56be018 0.40.0

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal
🦉 Prototype Pollution
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn


fix: package.json & .snyk to reduce vulnerabilities

0a0ad2b

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ADMZIP-1065796
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-ASYNC-2441827
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-GOT-2932019
- https://snyk.io/vuln/SNYK-JS-JSZIP-1251497
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2330875
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2331908
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430337
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430339
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430341
- https://snyk.io/vuln/SNYK-JS-NODENOTIFIER-1035794
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
- https://snyk.io/vuln/SNYK-JS-SHELLQUOTE-1766506
- https://snyk.io/vuln/SNYK-JS-TRIMNEWLINES-1298042
- https://snyk.io/vuln/SNYK-JS-WS-1296835


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/SNYK-JS-LODASH-567746

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment