Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 7 vulnerabilities #570

Open
wants to merge 45 commits into
base: main
Choose a base branch
from
Open

[Snyk] Fix for 7 vulnerabilities #570

wants to merge 45 commits into from

Conversation

MarcelRaschke
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • examples/apps/view-framework-sampler/package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908		 Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-GLOBPARENT-1016905		 Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Open Redirect
SNYK-JS-NODEFORGE-2330875		 Yes Proof of Concept
medium severity 529/1000
Why? Has a fix available, CVSS 6.3		 Prototype Pollution
SNYK-JS-NODEFORGE-2331908		 Yes No Known Exploit
medium severity 494/1000
Why? Has a fix available, CVSS 5.6		 Improper Verification of Cryptographic Signature
SNYK-JS-NODEFORGE-2430337		 Yes No Known Exploit
high severity 579/1000
Why? Has a fix available, CVSS 7.3		 Improper Verification of Cryptographic Signature
SNYK-JS-NODEFORGE-2430339		 Yes No Known Exploit
medium severity 494/1000
Why? Has a fix available, CVSS 5.6		 Improper Verification of Cryptographic Signature
SNYK-JS-NODEFORGE-2430341		 Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: html-webpack-plugin The new version differs by 93 commits.
  • 873d75b chore(release): 5.5.0
  • ddeb774 chore: update examples
  • 1e42625 feat: Support type=module via scriptLoading option
  • 7d3645b Bump pretty-error to 4.0.0 to fix transitive vuln for ansi-regex CVE-2021-3807
  • 79be779 [chore] changes actions to run on pull_requests
  • b7e5859 [chore] fixes CI to avoid race conditions
  • 48131d3 chore(release): 5.4.0
  • 16a841a [chore] rebuild examples
  • 3bb7c17 Update index.js
  • e38ac97 Update index.js
  • f08bd02 [chore] updates fixtures
  • d62a10f [chore] upgrades html-minifier-terser@5.0.0 -> 6.0.2
  • 2f5de7a Remove archived plugin
  • 8f8f7c5 chore(release): 5.3.2
  • 053c6e6 chore: update snapshot tests for webpack 5.4.0
  • 9c7fba0 Fix security vulnerabilities
  • b98fbeb Fix security vulnerabilities
  • 25cdfc7 Added inject-body-webpack-plugin to readme
  • 0e4c1fb Update README to document actual behavior
  • 0a6568d chore(release): 5.3.1
  • 82d0ee8 fix: remove loader-utils from plugin core
  • 6f39192 chore(release): 5.3.0
  • d654f5b feat: allow to modify the interpolation options in webpack config
  • 41d7a50 feat: drop loader-utils dependency

See the full diff

Package name: webpack-dev-server The new version differs by 250 commits.

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect
🦉 Prototype Pollution

snyk-bot and others added 30 commits April 18, 2022 20:21
@snyk-bot
fix: server/gitrest/Dockerfile to reduce vulnerabilities
fc12342 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-DEBIAN9-OPENSSL-1569399
- https://snyk.io/vuln/SNYK-DEBIAN9-OPENSSL-2426305
- https://snyk.io/vuln/SNYK-DEBIAN9-PYTHON27-1063180
- https://snyk.io/vuln/SNYK-DEBIAN9-PYTHON35-1063181
- https://snyk.io/vuln/SNYK-DEBIAN9-PYTHON35-1570179
@snyk-bot
fix: server/routerlicious/packages/lambdas-driver/package.json to red…
669a86b 
…uce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ASYNC-2441827
@MarcelRaschke
Merge pull request #376 from MarcelRaschke/snyk-fix-26527be55298fe319…
23beb8a 
…2398bbbda0acf54
@snyk-bot
fix: server/routerlicious/Dockerfile to reduce vulnerabilities
9b687af 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-DEBIAN9-LIBGCRYPT20-1582895
- https://snyk.io/vuln/SNYK-DEBIAN9-LZ4-1277599
- https://snyk.io/vuln/SNYK-DEBIAN9-SHADOW-306269
- https://snyk.io/vuln/SNYK-DEBIAN9-SHADOW-306269
- https://snyk.io/vuln/SNYK-DEBIAN9-TAR-312293
@MarcelRaschke
Merge pull request #375 from MarcelRaschke/snyk-fix-389a2b9249fa1ff98…
cb45784 
…0d201d1987679c3
@snyk-bot
fix: server/auspkn/Dockerfile to reduce vulnerabilities
99de6b8 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-ALPINE311-APKTOOLS-1534687
- https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1089242
- https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1569447
- https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1569451
- https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1569451
@snyk-bot
fix: server/headless-agent/Dockerfile to reduce vulnerabilities
f82f4aa 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-DEBIAN9-CURL-466505
- https://snyk.io/vuln/SNYK-DEBIAN9-CURL-466508
- https://snyk.io/vuln/SNYK-DEBIAN9-OPENSSL-1075328
- https://snyk.io/vuln/SNYK-DEBIAN9-OPENSSL-1569399
- https://snyk.io/vuln/SNYK-DEBIAN9-OPENSSL-2426305
@MarcelRaschke
Merge pull request #398 from MarcelRaschke/snyk-fix-04a2211d23c90419e…
c7914cd 
…19d898463e6601f

[Snyk] Security upgrade node from 10.16.0-slim to 10.23.2-slim
@MarcelRaschke
Merge pull request #397 from MarcelRaschke/snyk-fix-57eae7f5301126230…
9c0cf09 
…8a2a69cc617742c

[Snyk] Security upgrade node from 12.16.3-alpine to 12-alpine
@MarcelRaschke
Merge pull request #392 from MarcelRaschke/snyk-fix-53c876438b110e2c6…
bb44044 
…bb5daf316bc56b2

[Snyk] Security upgrade node from 12.20.1-slim to 12.22.5-slims
@snyk-bot
fix: server/headless-agent/Dockerfile to reduce vulnerabilities
7e94b11 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-DEBIAN9-LIBGCRYPT20-1582895
- https://snyk.io/vuln/SNYK-DEBIAN9-LZ4-1277599
- https://snyk.io/vuln/SNYK-DEBIAN9-SHADOW-306269
- https://snyk.io/vuln/SNYK-DEBIAN9-SHADOW-306269
- https://snyk.io/vuln/SNYK-DEBIAN9-TAR-312293
@MarcelRaschke
Merge pull request #403 from MarcelRaschke/snyk-fix-5406ea93256beebdc…
4651c14 
…323e51657c35682
@snyk-bot
fix: server/historian/Dockerfile to reduce vulnerabilities
d9753e6 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-DEBIAN9-LIBGCRYPT20-1582895
- https://snyk.io/vuln/SNYK-DEBIAN9-SHADOW-306269
- https://snyk.io/vuln/SNYK-DEBIAN9-SHADOW-306269
- https://snyk.io/vuln/SNYK-DEBIAN9-TAR-312293
- https://snyk.io/vuln/SNYK-DEBIAN9-ZLIB-2433935
@snyk-bot
fix: server/routerlicious/Dockerfile to reduce vulnerabilities
db31888 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-DEBIAN9-DPKG-2847943
- https://snyk.io/vuln/SNYK-DEBIAN9-SYSTEMD-546478
- https://snyk.io/vuln/SNYK-DEBIAN9-SYSTEMD-546478
- https://snyk.io/vuln/SNYK-DEBIAN9-TAR-312293
- https://snyk.io/vuln/SNYK-DEBIAN9-ZLIB-2433935
@MarcelRaschke
Merge pull request #416 from MarcelRaschke/snyk-fix-b588ba7c00a511109…
9b726b1 
…394abf529e2ccb8
@MarcelRaschke
Merge pull request #411 from MarcelRaschke/snyk-fix-2180e61df0ab2b350…
78acf90 
…2ae99b2fe3a03c7
@snyk-bot
fix: server/service-monitor/package.json & server/service-monitor/pac…
87ce08a 
…kage-lock.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-URLPARSE-2407770
@MarcelRaschke
Merge pull request #421 from MarcelRaschke/snyk-fix-95c458c5469b3d863…
2f70af8 
…c2b3d49b9af9b1c

[Snyk] Security upgrade @fluidframework/server-services from 0.1012.2 to 0.1025.0
@dependabot
Bump async from 2.6.3 to 2.6.4 in /tools/generator-fluid
5716524 
Bumps [async](https://github.com/caolan/async) from 2.6.3 to 2.6.4.
- [Release notes](https://github.com/caolan/async/releases)
- [Changelog](https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md)
- [Commits](caolan/async@v2.6.3...v2.6.4)

---
updated-dependencies:
- dependency-name: async
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@MarcelRaschke
Merge pull request #423 from MarcelRaschke/dependabot/npm_and_yarn/to…
6eb66cf 
…ols/generator-fluid/async-2.6.4

Bump async from 2.6.3 to 2.6.4 in /tools/generator-fluid
@snyk-bot
fix: server/headless-agent/package.json & server/headless-agent/packa…
167ffa5 
…ge-lock.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-URLPARSE-2407770
@MarcelRaschke
Merge pull request #425 from MarcelRaschke/snyk-fix-5ae6624a7c39b81f0…
7f23320 
…a6f9238f71f1791

[Snyk] Security upgrade @fluidframework/server-services from 0.1012.2 to 0.1025.0
@snyk-bot
fix: server/historian/packages/historian-base/package.json to reduce …
808d4d6 
…vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-URLPARSE-2407770
@MarcelRaschke
Merge pull request #426 from MarcelRaschke/snyk-fix-3fb626009b82a271a…
c5722cf 
…f02838bee4b0375

[Snyk] Security upgrade @fluidframework/server-services from 0.1019.0 to 0.1025.0
@snyk-bot
fix: docs/themes/thxvscode/assets/js/package.json & docs/themes/thxvs…
f9ff4cb 
…code/assets/js/yarn.lock to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-JQUERY-567880
@MarcelRaschke
Merge pull request #428 from MarcelRaschke/snyk-fix-db0bbe786eb5cadab…
8d32260 
…541b7e58ba6b846

[Snyk] Security upgrade jquery from 2.2.4 to 3.5.0
@snyk-bot
feat: upgrade @fluid-experimental/get-container from 0.37.4 to 1.2.0
d3412b8 
Snyk has created this PR to upgrade @fluid-experimental/get-container from 0.37.4 to 1.2.0.

See this package in npm:
https://www.npmjs.com/package/@fluid-experimental/get-container

See this project in Snyk:
https://app.snyk.io/org/marcelraschke/project/50c6f3a2-09ce-47f2-9837-9c253a13a437?utm_source=github&utm_medium=referral&page=upgrade-pr
@snyk-bot
fix: upgrade @fluidframework/protocol-definitions from 0.1021.0 to 0.…
b8fe757 
…1028.2000

Snyk has created this PR to upgrade @fluidframework/protocol-definitions from 0.1021.0 to 0.1028.2000.

See this package in npm:
https://www.npmjs.com/package/@fluidframework/protocol-definitions

See this project in Snyk:
https://app.snyk.io/org/marcelraschke/project/469c9422-75d2-4b99-bd32-52dfa4324e8b?utm_source=github&utm_medium=referral&page=upgrade-pr
@snyk-bot
fix: upgrade @fluidframework/common-utils from 0.28.0 to 0.32.1
d1f13f4 
Snyk has created this PR to upgrade @fluidframework/common-utils from 0.28.0 to 0.32.1.

See this package in npm:
https://www.npmjs.com/package/@fluidframework/common-utils

See this project in Snyk:
https://app.snyk.io/org/marcelraschke/project/469c9422-75d2-4b99-bd32-52dfa4324e8b?utm_source=github&utm_medium=referral&page=upgrade-pr
@snyk-bot
feat: upgrade jwt-decode from 2.2.0 to 3.1.2
b693d48 
Snyk has created this PR to upgrade jwt-decode from 2.2.0 to 3.1.2.

See this package in npm:
https://www.npmjs.com/package/jwt-decode

See this project in Snyk:
https://app.snyk.io/org/marcelraschke/project/469c9422-75d2-4b99-bd32-52dfa4324e8b?utm_source=github&utm_medium=referral&page=upgrade-pr
MarcelRaschke and others added 15 commits August 11, 2022 21:02
@MarcelRaschke
Merge pull request #455 from MarcelRaschke/snyk-upgrade-5024f92cabc23…
03fe938 
…54b3e15cd19638527da
@MarcelRaschke
Merge pull request #454 from MarcelRaschke/snyk-upgrade-22fa689dd09c5…
d07aca9 
…f56f1ffb227c9ccd520
@dependabot
Bump moment from 2.25.3 to 2.29.4 in /tools/getkeys
0512490 
Bumps [moment](https://github.com/moment/moment) from 2.25.3 to 2.29.4.
- [Release notes](https://github.com/moment/moment/releases)
- [Changelog](https://github.com/moment/moment/blob/develop/CHANGELOG.md)
- [Commits](moment/moment@2.25.3...2.29.4)

---
updated-dependencies:
- dependency-name: moment
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@MarcelRaschke
Merge pull request #453 from MarcelRaschke/snyk-upgrade-8729f355a78fb…
130bce6 
…e3c4062dc881eef25d7
@MarcelRaschke
Merge pull request #456 from MarcelRaschke/dependabot/npm_and_yarn/to…
c4d1049 
…ols/getkeys/moment-2.29.4

Bump moment from 2.25.3 to 2.29.4 in /tools/getkeys
@MarcelRaschke
Merge pull request #443 from MarcelRaschke/snyk-upgrade-68a7b51eaf58b…
9a21790 
…756618387a9e73ec24b

[Snyk] Upgrade @fluid-experimental/get-container from 0.37.4 to 1.2.0
@snyk-bot
fix: tools/generator-fluid/app/templates/package.json to reduce vulne…
5f82315 
…rabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
- https://snyk.io/vuln/SNYK-JS-AXIOS-1579269
- https://snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-2332181
- https://snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-2396346
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-NCONF-2395478
- https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118
- https://snyk.io/vuln/SNYK-JS-NODEFETCH-674311
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2330875
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2331908
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430337
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430339
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430341
- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
@snyk-bot
fix: server/historian/packages/historian-base/package.json to reduce …
999f417 
…vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-NANOID-2332193
@snyk-bot
fix: packages/dds/ink/package.json to reduce vulnerabilities
ac58adc 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-NANOID-2332193
@snyk-bot
fix: packages/hosts/base-host/package.json to reduce vulnerabilities
be38b75 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-EJS-1049328
- https://snyk.io/vuln/SNYK-JS-EJS-2803307
- https://snyk.io/vuln/SNYK-JS-NANOID-2332193
@MarcelRaschke
Merge pull request #510 from MarcelRaschke/snyk-fix-4c8c59a7a4c58124b…
8f040d8 
…8c0e1dcf17961fd
@MarcelRaschke
Merge pull request #509 from MarcelRaschke/snyk-fix-b2ce38f9ce14e4bd1…
f438539 
…9f9c001a813ab2c
@MarcelRaschke
Merge pull request #508 from MarcelRaschke/snyk-fix-575ebb1cea5b7f1f8…
5100bee 
…d5a102e7bbb37d9
@MarcelRaschke
Merge pull request #507 from MarcelRaschke/snyk-fix-fe981c5384d9219cf…
005f77d 
…c00aee25b6a85a9
@snyk-bot
fix: examples/apps/view-framework-sampler/package.json to reduce vuln…
4526019 
…erabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2330875
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2331908
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430337
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430339
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430341
@snyk-bot snyk-bot mentioned this pull request Oct 18, 2022
Open
@MarcelRaschke MarcelRaschke mentioned this pull request Nov 6, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@MarcelRaschke @snyk-bot