New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 8 vulnerabilities #29

Open

amonxnye wants to merge 1 commit into master from snyk-fix-46ebe169b8c2ebbae93eed9b57348bb5

amonxnye commented Nov 27, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-ASYNCVALIDATOR-2311201	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:parsejson:20170908	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: antd

The new version differs by 250 commits.

5a60d48 docs: 4.0.0 changelog (#21652)
181ef7f Merge remote-tracking branch 'origin/feature'
8e367cc chore: 🆙 upgrade rc-pagination to 2.0 (#21650)
b64e6b0 Update CHANGELOG.zh-CN.md
464c108 docs: Adjust QR code to use https instead
28e8e1b site: 💄 tweak header more arrow style
d86c14b docs: fix link in ConfigProvider (#21647)
566c379 chore(deps): bump rc-virtual-list from 0.0.0 to 1.0.0 (#21646)
ba78905 docs: Fix site fixed nav overflow style
de0d609 docs: Adjust site (#21642)
12761e8 fix: Breadcrumb 默认使用path作为唯一key (#21583)
afedb41 docs: Site with single paging (#21360)
2620801 Update verbiage in sample to match the property value (#21628)
e259449 chore: Update rc component version
3c6faa6 🎬 Improve Grid demo style (#21625)
928ff9a 📝 Add issuehunt badge
3269d8c feat: Timeline.Item support label (#21560)
9d04915 docs: 🔗 update demo links
e3fbb0d chore: replace legacy context and use PureComponent (#21597)
0f5dc22 docs: fix wrong link
0154154 🐛 Table filter menu should have max-height (#21602)
b617b41 fix typos in messages (#21594)
4584a62 style: optimization calendar year content (#21598)
50087b2 📦 Remove DatePicker legacy cell className (#21589)

See the full diff

Package name: socket.io

The new version differs by 42 commits.

3367eaa [chore] Release 2.0.0
6c0705f [docs] Add an example of custom parser (Bump symfony/symfony from 5.3.10 to 5.3.12 coopcycle/coopcycle-web#2929)
1980fb4 [chore] Merge history of 1.7.x and 0.9.x branches (Tests mocking time using Carbon should not contain timezone offsets coopcycle/coopcycle-web#2930)
0d07c47 [chore] Added backers and sponsors on the README (Bump antd from 4.16.13 to 4.17.2 coopcycle/coopcycle-web#2933)
a086588 [chore] Bump dependencies (Bump ws from 7.5.4 to 7.5.6 coopcycle/coopcycle-web#2926)
87b06ad [feat] Move binary detection to the parser (Bump react-i18next from 11.14.2 to 11.14.3 coopcycle/coopcycle-web#2923)
199eec6 [docs] Replace non-breaking space with proper whitespace (#2913)
f1b39a6 [docs] Update emit cheatsheet (Bump react-phone-number-input from 3.1.38 to 3.1.41 coopcycle/coopcycle-web#2906)
240b154 [docs] Explicitly document that Server extends EventEmitter (Improve UX to enter address book props (name, telephone, contact name) coopcycle/coopcycle-web#2874)
c5b7738 [docs] Add server.engine.generateId attribute (Bump @stripe/stripe-js from 1.19.0 to 1.21.1 coopcycle/coopcycle-web#2880)
03f3bc9 [docs] Fix wrong space character in README (Bump martin-georgiev/postgresql-for-doctrine from 1.5.2 to 1.6.0 coopcycle/coopcycle-web#2900)
e40accf [docs] Fix documentation for 'connect' event (Bump gedmo/doctrine-extensions from 3.1.0 to 3.3.0 coopcycle/coopcycle-web#2898)
01a4623 [feat] Allow to join several rooms at once (Bump react-phone-number-input from 3.1.31 to 3.1.38 coopcycle/coopcycle-web#2879)
2d5b002 [docs] Add webpack build example (Bump rector/rector from 0.11.56 to 0.11.57 coopcycle/coopcycle-web#2828)
5ae06e6 [chore] Bump socket.io-adapter to version 1.0.0 (Bump centrifuge from 2.8.2 to 2.8.3 coopcycle/coopcycle-web#2867)
4d8f68c [chore] Bump engine.io to version 2.0.2 (Bump rector/rector from 0.11.57 to 0.11.60 coopcycle/coopcycle-web#2864)
5b79ab1 [docs] Update the wording to match the code example (Bump spatie/opening-hours from 2.10.1 to 2.11.0 coopcycle/coopcycle-web#2853)
54ff591 [feature] Merge Engine.IO and Socket.IO handshake packets (Bump react-phone-number-input from 3.1.31 to 3.1.33 coopcycle/coopcycle-web#2833)
e1facd5 [docs] Small addition to the Express Readme Part (Bump rector/rector from 0.11.57 to 0.11.58 coopcycle/coopcycle-web#2846)
3b92cc2 [feature] Allow the use of custom parsers (Bump @stripe/react-stripe-js from 1.5.0 to 1.6.0 coopcycle/coopcycle-web#2829)
3d695c6 [chore] Bump engine.io to version 2.0.0 (Bump twilio/sdk from 6.28.3 to 6.29.0 coopcycle/coopcycle-web#2832)
3b5f433 [fix] Use path.resolve by default and require.resolve as a fallback (Bump @stripe/react-stripe-js from 1.4.1 to 1.5.0 coopcycle/coopcycle-web#2797)
23c9dd3 [docs] Add a 'Features' section in the README (Bump @reduxjs/toolkit from 1.6.1 to 1.6.2 coopcycle/coopcycle-web#2824)
e28b475 [docs] Add httpd cluster example (In order to have better comprehension of the delivery i will take, As a messenger, I want to be able to see the package and the weight of the delivery coopcycle/coopcycle-web#2819)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Improper Input Validation


fix: package.json & package-lock.json to reduce vulnerabilities

5cdcd91

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ASYNCVALIDATOR-2311201
- https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118
- https://snyk.io/vuln/SNYK-JS-NODEFETCH-674311
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-1056752
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-3091012
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:ms:20170412
- https://snyk.io/vuln/npm:parsejson:20170908

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment