New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 7 vulnerabilities #13

Open

Chadzzz1 wants to merge 1 commit into master from snyk-fix-19bcde6becc36e0bfd3ea2841fe43876

Owner

Chadzzz1 commented Dec 5, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-3136336	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Uncaught Exception SNYK-JS-ENGINEIO-5496331	No	No Known Exploit
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-5596892	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-3244450	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: body-parser

The new version differs by 101 commits.

424dadd 1.19.2
11248a2 deps: raw-body@2.4.3
7a088eb build: Node.js@14.19
ecedf31 build: Node.js@16.14
b6bfabd build: Node.js@17.5
badd6b2 build: fix code coverage aggregate upload
96b448a build: Node.js@17.4
70560b1 build: mocha@9.2.0
548a06f build: supertest@6.2.2
3b00678 deps: bytes@3.1.2
d5acb61 build: mocha@9.1.4
82c8a7c tests: add limit + inflate tests
b356758 deps: qs@6.9.7
c631b58 build: supertest@6.2.1
c81a8e2 build: eslint-plugin-import@2.25.4
3c4dcb8 build: Node.js@17.3
d0a214b 1.19.1
fb172d4 build: eslint-plugin-promise@5.2.0
c5e63cb build: Node.js@17.2
c6d43bd build: eslint-plugin-import@2.25.3
313ed6d build: eslint-plugin-promise@5.1.1
8389b51 deps: bytes@3.1.1
aae94b2 deps: http-errors@1.8.1
7f84d4f deps: raw-body@2.4.2

See the full diff

Package name: glob

The new version differs by 118 commits.

a68703e 9.0.0
58159ca test: cwd can be a url
a547a9c more docs
42a3ac7 link to bash manual for Pattern Matching
474172d update readme with cwd URL support
ad3904d update readme with posix class support
b22fc7d minimatch@7.3.0
cdd1627 update all the things, remove unused mkdirp types
75c6416 Merge branch 'v9'
fa0cd77 cwd can be a file:// url
d03ed0a typedoc github action
9a5a45a put bench results in readme
20b2f88 docs, fix benchmark script
4829c88 upgrade ci actions
5cbacdd minimatch@7.2.0
210310b omit symlinks on windows
d34c8d5 full test coverage, clean up signals and remove extranous code
5f21b46 adding lots of tests, clean up types
b12e6ba slashes on nodir test
75f74b0 more windows test slashes
3aa1abd more windows test affordances
3e68a7b some windows test affordances
8c2e082 feature complete and tests passing
c3be35a correct ** vs ./** behavior

See the full diff

Package name: minimatch

The new version differs by 4 commits.

707e1b2 3.0.5
a8763f4 Improve redos protection, add many tests
bafa295 Use master branch for travis badge
013d64d update travis

See the full diff

Package name: rimraf

The new version differs by 40 commits.

3b6b098 4.0.0
e0cffea ci: reduce workload even more
0e6646d ci: remove unnecessary lint filter
546e017 update action versions
6d88a65 tone down benchmark intensity
842a8d2 fix benchmark workflow yaml
1b91697 chore: add copyright year to license
08bbb06 rewrite in TS, export hybrid, update changelog, docs
1b3f46e drop support for node versions below 14
2e1f003 gh actions workflow for benchmarks
52f9370 tests for retry-busy behavior
188e3ed don't test on very old node versions
d1d5495 test for fix-eperm
e7501cd prettier formatting
40f64ec windows: only fall back to move-remove when absolutely necessary
b6f7819 update tap
99496cd test: run posix test on windows, why not?
51d43c1 benchmarks
6b8aa29 doc: correct os.tmp default
4b228c9 do not ever actually try to rmdir /
2442655 consolidate all the spellings of 'opt' into one
d4eec2e add cli script
0c82d74 accept strings, arrays of strings, and no other types
ad4f2db Do not rimraf /, override with preserveRoot:false

See the full diff

Package name: socket.io

The new version differs by 60 commits.

a2e5d1f chore(release): 4.6.0
d8143cc refactor: do not persist session if connection state recovery if disabled
b2dd7cf chore: bump engine.io to version 6.4.0
3734b74 revert: feat: expose current offset to allow deduplication
8aa9499 feat: add description to the disconnecting and disconnect events (#4622)
4e64123 feat: expose current offset to allow deduplication
115a981 refactor: do not include the pid by default
0c0eb00 fix: add timeout method to remote socket (#4558)
f8640d9 refactor: export DisconnectReason type
93d446a refactor: add charset when serving the bundle files
184f3cf feat: add promise-based acknowledgements
5d9220b feat: add the ability to clean up empty child namespaces (#4602)
1298839 test: add test with onAnyOutgoing() and binary attachments
6c27b8b test: add test with socket.disconnect(true)
f3ada7d fix(typings): properly type emits with timeout
a21ad88 docs(changelog): add note about maxHttpBufferSize default value (#4596)
54d5ee0 feat: implement connection state recovery
da2b542 perf: precompute the WebSocket frames when broadcasting
b7d54db docs: add Rust client implementation (#4592)
d4a9b2c refactor(typings): add types for io.engine (#4591)
547c541 chore: add security policy
3b7ced7 chore(release): 4.5.4
c00bb95 chore: bump engine.io to version 6.2.1
57e5f25 chore: bump socket.io-parser to version 4.2.1

See the full diff

Package name: ua-parser-js

The new version differs by 60 commits.

f2d0db0 Bump version 0.7.33
a6140a1 Remove unsafe regex in trim() function
a886604 Fix Karma doesnt respects the capture timeout for IE karma-runner/karma#605 - Identify Macintosh as Apple device
b814bcd Merge pull request Karma not executing my tests with require karma-runner/karma#606 from rileyjshaw/patch-1
7f71024 Fix documentation
c239ac5 Merge pull request Changing the config syntax again ;-) karma-runner/karma#604 from obecerra3/master
8d3c2d3 Add new browser: Cobalt
d11fc47 Bump version 0.7.32
b490110 Merge branch 'develop' of github.com:faisalman/ua-parser-js
cb5da5e Merge pull request Error: Script Error from requireJS karma-runner/karma#600 from moekm/develop
b2d685d improved documentation
8d21e34 Merge pull request random DISCONNECTED messages from PhantomJS karma-runner/karma#598 from kNoAPP/knoapp-tab-s8
48d930f Add test case
55b5b40 Fix ReferenceError: MOCHA is not defined karma-runner/karma#596 - Detect Galaxy Tab S8 as tablet
d141915 Merge branch 'develop'
8483ac0 Refine small redundancy
896bdd0 Merge branch 'master' of github.com:faisalman/ua-parser-js
25fff62 Fix chore: fixed jshint errors in init-dev-env.js karma-runner/karma#502 /0.8/config/configuration_file.html missing on github page karma-runner/karma#580 : Add notice for desktop device type
ea04d01 Merge pull request Request ownership of Safari launcher karma-runner/karma#589 from choo737/master
29b613d Merge pull request The backslash character is not escaped when using html2js (angular) karma-runner/karma#583 from varunsh-coder/token-perms
238391a Merge pull request Reload config file when it changes karma-runner/karma#595 from nabetama/master
384f780 Merge pull request Ability to add files and preprocessors programmatically karma-runner/karma#571 from XhmikosR/patch-1
75e5852 Safari and Mobile Safari began to include commas in the minor version numbers.
ebb32d1 fixed sony bravia smart tv, added sharp AQUOS TV

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
🦉 Uncaught Exception
🦉 Prototype Poisoning


          fix: package.json & package-lock.json to reduce vulnerabilities

02181ad

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ENGINEIO-3136336
- https://snyk.io/vuln/SNYK-JS-ENGINEIO-5496331
- https://snyk.io/vuln/SNYK-JS-INFLIGHT-6095116
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-3050818
- https://snyk.io/vuln/SNYK-JS-QS-3153490
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-5596892
- https://snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet