[Snyk] Fix for 2 vulnerabilities #18

Sec32fun32 · 2024-12-06T02:05:39Z

Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

package.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	131
	Uncontrolled Recursion SNYK-JS-SMOLTOML-8400853	44

Important

Check the changes in this PR to ensure they won't cause issues with your project.
Max score is 1000. Note that the real score may have changed since the PR was raised.
This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-INFLIGHT-6095116 - https://snyk.io/vuln/SNYK-JS-SMOLTOML-8400853

socket-security · 2024-12-06T02:06:53Z

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@11ty/eleventy-fetch@4.0.1	environment, filesystem, network	`+9`	617 kB	zachleat
npm/@11ty/eleventy-img@3.1.8	filesystem	`+8`	726 kB	zachleat
npm/@11ty/eleventy-navigation@0.3.5	None	`+1`	57 kB	zachleat
npm/@11ty/eleventy-plugin-rss@1.2.0	Transitive: network	`+14`	513 kB	zachleat
npm/@11ty/eleventy-plugin-syntaxhighlight@5.0.0	None	`0`	72.7 kB	zachleat
npm/@11ty/eleventy@2.0.1	environment, filesystem, unsafe Transitive: eval, network, shell	`+92`	16.3 MB	zachleat
npm/@munter/tap-render@0.2.0	None	`+1`	32 kB	munter
npm/@types/markdown-it@12.2.3	None	`+2`	58.1 kB	types
npm/algoliasearch@4.24.0	Transitive: network	`+15`	612 kB	shortcuts
npm/autoprefixer@10.4.20	environment Transitive: filesystem	`+10`	2.98 MB	ai
npm/cross-env@7.0.3	environment	`0`	29.1 kB	kentcdodds
npm/cssnano@5.1.15	Transitive: environment, filesystem	`+46`	3.79 MB	ludovicofischer
npm/eleventy-plugin-nesting-toc@1.3.0	Transitive: network	`+16`	3.44 MB	jshurmer
npm/github-slugger@1.5.0	None	`0`	13.5 kB	wooorm
npm/hyperlink@5.0.4	network Transitive: environment, eval, filesystem, shell, unsafe	`+85`	12.3 MB	papandreou
npm/imagemin-cli@7.0.0	Transitive: environment, eval, filesystem, network, shell, unsafe	`+180`	7.5 MB	sindresorhus
npm/luxon@2.5.2	None	`0`	3.87 MB	icambron
npm/markdown-it-anchor@8.6.7	None	`0`	154 kB	valeriangalliat
npm/markdown-it-container@3.0.0	None	`0`	17.1 kB	vitaly
npm/markdown-it@12.3.2	None	`+3`	664 kB	vitaly
npm/npm-run-all2@5.0.2	environment Transitive: filesystem	`+15`	359 kB	bret
npm/postcss-cli@10.1.0	environment, filesystem Transitive: unsafe	`+38`	2.4 MB	ryanzim
npm/postcss-html@1.7.0	unsafe Transitive: environment, filesystem, network	`+10`	856 kB	ota-meshi

🚮 Removed packages: npm/@babel/core@7.26.0, npm/@babel/preset-env@7.26.0, npm/@eslint/config-array@0.17.1, npm/@eslint/core@0.2.0, npm/@eslint/js@9.8.0, npm/@eslint/json@0.2.0, npm/@types/node@20.17.9, npm/@wdio/browser-runner@8.40.6, npm/@wdio/cli@8.40.6, npm/@wdio/concise-reporter@8.40.6, npm/@wdio/mocha-framework@8.40.6, npm/babel-loader@8.4.1, npm/c8@7.14.0, npm/chai@4.5.0, npm/cheerio@0.22.0, npm/core-js@3.39.0, npm/eslint-plugin-eslint-plugin@6.3.2, npm/eslint-release@3.3.0, npm/eslint-rule-composer@0.3.0, npm/eslump@3.0.0, npm/fs-teardown@0.1.3, npm/glob@10.4.5, npm/globals@15.13.0, npm/got@11.8.6, npm/is-path-inside@3.0.3, npm/knip@5.39.2, npm/lint-staged@11.2.6, npm/load-perf@0.2.0

View full report↗︎

socket-security · 2024-12-06T02:06:55Z

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Deprecated	npm/core-js@2.6.12	Reason: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.	Source	⚠︎
Deprecated	npm/abab@2.0.6	Reason: Use your platform's native atob() and btoa() methods instead	`docs/package.json`	⚠︎
Deprecated	npm/har-validator@5.1.5	Reason: this library is no longer supported	Source	⚠︎
Deprecated	npm/@hapi/hoek@8.5.1	Reason: This version has been deprecated and is no longer supported or maintained	Source	⚠︎
Deprecated	npm/@hapi/joi@15.1.1	Reason: Switch to 'npm install joi'	Source	⚠︎
Deprecated	npm/@hapi/topo@3.1.6	Reason: This version has been deprecated and is no longer supported or maintained	Source	⚠︎
Deprecated	npm/@hapi/address@2.1.4	Reason: Moved to 'npm install @sideway/address'	Source	⚠︎
Deprecated	npm/@hapi/bourne@1.3.2	Reason: This version has been deprecated and is no longer supported or maintained	Source	⚠︎
High CVE	npm/cross-spawn@5.1.0	CVE: GHSA-3xgq-45jj-v275 Regular Expression Denial of Service (ReDoS) in cross-spawn (HIGH) Affected versions: < 6.0.6 Patched version: 6.0.6	`docs/package.json`	⚠︎
Deprecated	npm/rimraf@2.7.1	Reason: Rimraf versions prior to v4 are no longer supported	`docs/package.json`	⚠︎
High CVE	npm/lodash.template@4.5.0	CVE: GHSA-35jh-r3h4-6jhm Command Injection in lodash (HIGH) Affected versions: <= 4.5.0 Patched version: No patched versions	Source	⚠︎
Deprecated	npm/domexception@2.0.1	Reason: Use your platform's native DOMException instead	`docs/package.json`	⚠︎
High CVE	npm/http-cache-semantics@3.8.1	CVE: GHSA-rc47-6667-2j5j http-cache-semantics vulnerable to Regular Expression Denial of Service (HIGH) Affected versions: < 4.1.1 Patched version: 4.1.1	`docs/package.json`	⚠︎
High CVE	npm/trim-newlines@1.0.0	CVE: GHSA-7p7h-4mm5-852v Uncontrolled Resource Consumption in trim-newlines (HIGH) Affected versions: < 3.0.1 Patched version: 3.0.1	Source	⚠︎
High CVE	npm/html-minifier@4.0.0	CVE: GHSA-pfq8-rq6v-vf5m kangax html-minifier REDoS vulnerability (HIGH) Affected versions: <= 4.0.0 Patched version: No patched versions	`docs/package.json`	⚠︎
Possible typosquat attack	npm/normalizeurl@1.0.0	Did you mean: normalize-url	`docs/package.json`	⚠︎
Possible typosquat attack	npm/object.assign@4.1.5	Did you mean: object~~.~~-assign	Source	⚠︎
Unpopular package	npm/@munter/tap-render@0.2.0	Location: Package overview	`docs/package.json`	⚠︎
Unpopular package	npm/hyperlink@5.0.4	Location: Package overview	`docs/package.json`	⚠︎
Unpopular package	npm/assetgraph-plugin-sitemap@1.0.0	Location: Package overview	`docs/package.json`	⚠︎
Unpopular package	npm/hreftypes@1.0.1	Location: Package overview	`docs/package.json`	⚠︎
Unstable ownership	npm/parse5-htmlparser2-tree-adapter@7.1.0	Author: 43081j	`docs/package.json`	⚠︎
Unpopular package	npm/@parcel/watcher-linux-arm-musl@2.5.0	Location: Package overview	Source	⚠︎

View full report↗︎

Next steps

What is a deprecated package?

The maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed.

Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

What is a CVE?

Contains a high severity Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

What is a typosquat?

Package name is similar to other popular packages and may not be the package you want.

Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages.

What are unpopular packages?

This package is not very popular.

Unpopular packages may have less maintenance and contain other problems.

What is unstable ownership?

A new collaborator has begun publishing package versions. Package stability and security risk may be elevated.

Try to reduce the amount of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

@SocketSecurity ignore npm/core-js@2.6.12
@SocketSecurity ignore npm/abab@2.0.6
@SocketSecurity ignore npm/har-validator@5.1.5
@SocketSecurity ignore npm/@hapi/hoek@8.5.1
@SocketSecurity ignore npm/@hapi/joi@15.1.1
@SocketSecurity ignore npm/@hapi/topo@3.1.6
@SocketSecurity ignore npm/@hapi/address@2.1.4
@SocketSecurity ignore npm/@hapi/bourne@1.3.2
@SocketSecurity ignore npm/cross-spawn@5.1.0
@SocketSecurity ignore npm/rimraf@2.7.1
@SocketSecurity ignore npm/lodash.template@4.5.0
@SocketSecurity ignore npm/domexception@2.0.1
@SocketSecurity ignore npm/http-cache-semantics@3.8.1
@SocketSecurity ignore npm/trim-newlines@1.0.0
@SocketSecurity ignore npm/html-minifier@4.0.0
@SocketSecurity ignore npm/normalizeurl@1.0.0
@SocketSecurity ignore npm/object.assign@4.1.5
@SocketSecurity ignore npm/@munter/tap-render@0.2.0
@SocketSecurity ignore npm/hyperlink@5.0.4
@SocketSecurity ignore npm/assetgraph-plugin-sitemap@1.0.0
@SocketSecurity ignore npm/hreftypes@1.0.1
@SocketSecurity ignore npm/parse5-htmlparser2-tree-adapter@7.1.0
@SocketSecurity ignore npm/@parcel/watcher-linux-arm-musl@2.5.0

github-actions · 2024-12-17T22:39:01Z

Hi everyone, it looks like we lost track of this pull request. Please review and see what the next steps are. This pull request will auto-close in 7 days without an update.

fix: package.json to reduce vulnerabilities

a5d62e5

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-INFLIGHT-6095116 - https://snyk.io/vuln/SNYK-JS-SMOLTOML-8400853

github-actions bot added the Stale label Dec 17, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 2 vulnerabilities #18

[Snyk] Fix for 2 vulnerabilities #18

Sec32fun32 commented Dec 6, 2024

socket-security bot commented Dec 6, 2024

socket-security bot commented Dec 6, 2024

github-actions bot commented Dec 17, 2024

[Snyk] Fix for 2 vulnerabilities #18

Are you sure you want to change the base?

[Snyk] Fix for 2 vulnerabilities #18

Conversation

Sec32fun32 commented Dec 6, 2024

Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

Vulnerabilities that will be fixed with an upgrade:

socket-security bot commented Dec 6, 2024

socket-security bot commented Dec 6, 2024

Next steps

github-actions bot commented Dec 17, 2024