[Snyk] Fix for 33 vulnerabilities #14

DA7OUD · 2022-10-04T15:45:39Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	Yes	Proof of Concept
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Insecure Defaults SNYK-JS-SOCKETIO-1024859	Yes	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
711/1000 Why? Mature exploit, Has a fix available, CVSS 6.5	Uninitialized Memory Exposure npm:atob:20180429	No	Mature
529/1000 Why? Has a fix available, CVSS 6.3	Non-Constant Time String Comparison npm:cookie-signature:20160804	No	No Known Exploit
399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	No Known Exploit
619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution npm:ejs:20161128	Yes	No Known Exploit
509/1000 Why? Has a fix available, CVSS 5.9	Cross-site Scripting (XSS) npm:ejs:20161130	Yes	No Known Exploit
509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) npm:ejs:20161130-1	Yes	No Known Exploit
619/1000 Why? Has a fix available, CVSS 8.1	Insecure Defaults npm:engine.io-client:20160426	No	No Known Exploit
484/1000 Why? Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) npm:express:20140912	No	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No	No Known Exploit
469/1000 Why? Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:ip:20170304	Yes	No Known Exploit
399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	No	No Known Exploit
399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	No	No Known Exploit
424/1000 Why? Has a fix available, CVSS 4.2	Insecure Randomness npm:node-uuid:20160328	No	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:qs:20140806	No	No Known Exploit
539/1000 Why? Has a fix available, CVSS 6.5	Denial of Service (DoS) npm:qs:20140806-1	No	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit
429/1000 Why? Has a fix available, CVSS 4.3	Directory Traversal npm:send:20140912	No	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Root Path Disclosure npm:send:20151103	No	No Known Exploit
369/1000 Why? Has a fix available, CVSS 3.1	Open Redirect npm:serve-static:20150113	No	No Known Exploit
539/1000 Why? Has a fix available, CVSS 6.5	Remote Memory Exposure npm:ws:20160104	No	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20160624	No	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Insecure Randomness npm:ws:20160920	No	No Known Exploit
761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20171108	No	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: compression

The new version differs by 192 commits.

93586e7 1.7.1
bd3fa8a deps: bytes@3.0.0
e1ce980 deps: vary@~1.1.2
d0f7eab deps: debug@2.6.9
931c346 build: Node.js@8.4
8c8e36a deps: compressible@~2.0.11
8a5e773 deps: accepts@~1.3.4
7b4a7e2 build: eslint-plugin-node@5.1.1
de30e3a build: mocha@2.5.3
8c3f7ea 1.7.0
c27dc0f build: support Node.js 8.x
d886306 build: eslint-config-standard@10.2.1
598d876 Use safe-buffer for improved Buffer API
47fca12 build: eslint-plugin-markdown@1.0.0-beta.6
3c78e39 build: Node.js@6.11
6c4c539 deps: debug@2.6.8
6d2de08 deps: compressible@~2.0.10
ac13bc4 deps: bytes@2.5.0
527907c deps: debug@2.6.4
6488fc2 build: Node.js@7.10
55532e1 build: Node.js@6.10
0e4ad01 build: Node.js@4.8
be58132 deps: compressible@~2.0.10
4d5238e deps: vary@~1.1.1

See the full diff

Package name: css

The new version differs by 29 commits.

438bd11 2.2.2
e91bb74 upgrade source-map-resolve (Use uniform endpoint for websockets w3c/Mobile-Checker#112)
0f5ad51 Merge pull request Code coverage w3c/Mobile-Checker#86 from dominicbarnes/master
a70d6aa include optional source on returned stylesheet object (fixes Where does the effective-domain-name-parser live? w3c/Mobile-Checker#85)
dd81540 Update History.md
e38b6f1 2.2.1
254dc30 Simplify regexp
5916733 Add test for don't fail on unavailable css w3c/Mobile-Checker#75
fbfe170 Merge pull request Add a Gitter chat badge to README.md w3c/Mobile-Checker#76 from DenVdmj/patch-1
ba83311 Fix for parsing quoted values in selector
dc8ae04 Merge pull request update readme and contribute markdown file w3c/Mobile-Checker#73 from paulclark/master
205b834 fix typo
1605bda Merge pull request various language improvements in issue reports w3c/Mobile-Checker#69 from iamdustan/link-to-ast-explorer
735d8e4 Link to the reworkcss AST explorer
cd8b2b7 Correct date in History.md
321111c 2.2.0
40c55f5 Update History.md
30a8a2f Merge pull request favicon issue not responsive w3c/Mobile-Checker#64 from gmetais/listErrors
0b4b2c3 List errors in the result obj when parsing in silent mode
4640aaa Merge pull request Add links for more info on fixes w3c/Mobile-Checker#58 from reworkcss/at-rule-linebreak
7a9c329 Document the `indent` option of `stringify`
1158607 Merge pull request Alpha release w3c/Mobile-Checker#62 from phistuck/patch-1
6785938 Allowed new lines between @ keyframes and its name
703fdf1 Update history

See the full diff

Package name: mobile-web-browser-emulator

The new version differs by 32 commits.

bb219a5 0.0.6
32e30c0 Automatic formatting
f793094 Merge pull request [Snyk] Security upgrade socket.io from 1.0.4 to 3.0.0 #15 from qwertychouskie/patch-1
fcda9b2 Update browser-emulator-tests.js
69e5a50 Update browser-emulator-tests.js
62f00f0 Clean up .gitignore
8bcec2f Create .gitignore
1a8956c Update browser-emulator-tests.js
7ed8690 Update browser-emulator-tests.js
fbfd40a Update .travis.yml
7152e62 Oops
76638ce Update package.json
4c8b5d3 Update package.json
68b4f0c Update package.json
43cc2a3 Did I do this right?
d1c7461 Update browser-emulator.js
453ea95 Update browser-emulator-tests.js
caec97b Update browser-emulator-tests.js
6cae870 Update package.json
90c4145 Update browser-emulator-tests.js
8e94ccc Update browser-emulator-tests.js
95c56de Update .travis.yml
b0731b4 Update .travis.yml
f02c911 Update browser-emulator-tests.js