New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 13 vulnerabilities #103

Open

snyk-bot wants to merge 1 commit into dev from snyk-fix-be1a080dae284101c15cd73da6b4736b

snyk-bot commented Sep 29, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- dolphinscheduler-ui/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-AXIOS-174505	No	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-BOOTSTRAP-173700	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-BOOTSTRAP-72889	No	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-BOOTSTRAP-72890	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-JQUERY-174006	No	Proof of Concept
	701/1000 Why? Mature exploit, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	No	Mature
	711/1000 Why? Mature exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-JQUERY-567880	No	Mature
	484/1000 Why? Has a fix available, CVSS 5.4	XML External Entity (XXE) Injection SNYK-JS-XMLDOM-1084960	Yes	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Prototype Pollution SNYK-JS-ZRENDER-1586253	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) npm:bootstrap:20160627	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) npm:bootstrap:20180529	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: axios

The new version differs by 250 commits.

e367be5 [Releasing] 0.21.3
83ae383 Correctly add response interceptors to interceptor chain ([Improvement-4012][common/remote] Json util code integration,remove the remote module json util apache/dolphinscheduler#4013)
c0c8761 [Updating] changelog to include links to issues and contributors
619bb46 [Releasing] v0.21.2
82c9455 Create SECURITY.md ([Question] How to transfer dag files from test environment to product environment quickly. apache/dolphinscheduler#3981)
5b45711 Security fix for ReDoS ([Fix-#3958][api] files should not be created successfully in the directory of the authorized file apache/dolphinscheduler#3980)
5bc9ea2 Update ECOSYSTEM.md ([Bug][master] master stop schedule new task apache/dolphinscheduler#3817)
e72813a Fixing README.md (为啥sql查询的邮件必填，服务器是在内网，根本就没有邮件服务器，总提示邮件发送失败。 apache/dolphinscheduler#3818)
e10a027 Fix README typo under Request Config ([Improvement-3767][api] Task instance supports query by process instance name apache/dolphinscheduler#3825)
e091491 Update README.md (Revert "[1.3.3-release][fix-3835][ui] When the tenantName contains "<", the tenant drop-down list is blankadd verify tenant name cannot contain special characters." apache/dolphinscheduler#3936)
b42fbad Removed un-needed bracket
520c8dc Updating CI status badge ([Bug] After the resource folder is authorized, the authorized user cannot create a folder in it apache/dolphinscheduler#3953)
4fbeecb Adding CI on Github Actions. ([CodeClean][DAO]Remove redundant comments apache/dolphinscheduler#3938)
e9965bf Fixing the sauce labs tests ([Question]kerberos Authentication failed apache/dolphinscheduler#3813)
dbc634c Remove charset in tests (定时器模块-定时调度时每7秒|每7分钟|每2天这种定时，不能够跨分钟，跨小时，跨月 apache/dolphinscheduler#3807)
3958e9f Add explanation of cancel token ([fixBug-3792][ui]Click on the sidebar to adapt the width of the pie c… apache/dolphinscheduler#3803)
69949a6 Adding custom return type support to interceptor ([Bug][API] save work group apache/dolphinscheduler#3783)
49509f6 Create FUNDING.yml ([Question] A code question about getting yarn task state apache/dolphinscheduler#3796)
199c8aa Adding parseInt to config.timeout ([Fix-3707][ui]cherry pick The batch delete function in the workflow definition and workflow ins… apache/dolphinscheduler#3781)
94fc4ea Adding isAxiosError typeguard documentation ([Improvement][api] Task instance supports query by workflow instance name apache/dolphinscheduler#3767)
0ece97c Fixing quadratic runtime when setting a maxContentLength (sql task, can you add a semicolon and write multiple statements? apache/dolphinscheduler#3738)
a18a0ec Updating `lib/core/README.md` about Dispatching requests ([Fix-#3238][docker]Fix that can not create folder in docker with standalone mode apache/dolphinscheduler#3772)
59fa614 [Updated] follow-redirects to the latest version (Merge pull request #1 from apache/dev apache/dolphinscheduler#3771)
7821ed2 Feat/json improvements ([fix-3553][ui]cherry pick repair click workflow connection, select the entire path apache/dolphinscheduler#3763)

See the full diff

Package name: bootstrap

The new version differs by 153 commits.

68b0d23 Dist
2ccfa57 handle # selector for dropdown
a43077d Bump version to 3.4.1.
d821de2 Backport sanitize docs from v4.
5cd9ef4 Add wdm gem for Windows.
d6b8501 ES5 fixes.
2c8abb9 Add sanitize for tooltips and popovers html content.
d4129df Bump year.
0d64d6a less/modals.less: Add missing semicolon.
48c5d7b Use https.
b23e213 Update devDependencies and gems.
695c541 Fix redirects.
9206e46 Make meaning of tooltip's 'selector' option more clear in Bootstrap 3
b285ea3 Add a few redirects.
3e1b894 Fix broken link in nav version dropdown.
3e519c3 Support nuget contentFiles, used for some project types (#27856)
4c547f2 Dist.
0f1c6b0 Move the whole autoprefixer config to configBridge.json.
9332f3c Add polyfills for older browsers.
dd71b40 docs: Concat the IE files with the rest.
4a5c7f2 Update devDependencies, gems and lots of cleanup/build fixes.
7a2cdfb Center skippy.
3b82587 Restore `cursor: help` for `abbr`.
bf69f1f Backport the `abbr` fix from the updated normalize.css.

See the full diff

Package name: canvg

The new version differs by 153 commits.

98a12cb Merge pull request Add unit tests for cn.escheduler.common.utils.JSONUtils apache/dolphinscheduler#712 from canvg/2.0.0
9eb51a5 rm beta
435d906 npm audit
4b9dee3 build
088abbe wip
d04bb60 Merge pull request only write core dependency in Proposal doc apache/dolphinscheduler#710 from IronGeek/issue_709
c2b43c6 fix build
67e33ec Merge pull request flink task support(flink 任务支持) apache/dolphinscheduler#711 from canvg/fix_build
4a9c313 lock node version
4eb5337 Parse number with scientific notation
fbebf8e Merge pull request remove category x what can we not include in an asf project apache/dolphinscheduler#707 from fargyriou/702-font-parsing
55d67f0 Issue 702: Fixed font parsing when defined as "font" and not through font properties
cef40f0 Merge pull request bug fix #688，a user generated multiple ip session, the query error apache/dolphinscheduler#689 from canvg/2.0.0-beta.1
aa8e62e 2.0.0-beta.1
4497122 Merge pull request [Ask a question]master port is occupied（master端口被占用) apache/dolphinscheduler#684 from bz2/browser_optional
2d75e00 Update docs for 2.0 dependency changes
a98c42d Support browser dist without canvas dependency
f79c146 Merge pull request refactor zk client (#692) apache/dolphinscheduler#687 from canvg/dgorbash_master
d9a772e adding test
fe49c3b Merge branch 'textPath_support'
fecc100 Backport upstream/master, minor code format fix
79c85e5 Sync master with upstream
f236319 Merge pull request make the edit button of the properties file clickable apache/dolphinscheduler#678 from canvg/beta_readme
b9c9223 spacing

See the full diff

Package name: echarts

The new version differs by 250 commits.

1c70026 Merge pull request [Improvement-15744][parameter] project parameter add update time and update user id apache/dolphinscheduler#15745 from apache/release-dev
21d6317 release 5.2.1
5ff6216 Merge pull request [CI] Frontend ci require passed before merge apache/dolphinscheduler#15735 from apache/series-type-register
a11d9af feat(type): provide ability to extend series option
b29726d Merge pull request [CI] Fix ui build error apache/dolphinscheduler#15732 from apache/master
6384acf Merge pull request [Bug] [preferences] Project Preferences is enabled, but when manual start workflow, worker group and tenant still is default. apache/dolphinscheduler#15731 from apache/fix-line-animation
4824ada fix(line): fix animation is not stopped when direct update points.
26e9a95 Merge pull request [Improvement-15719] Remove the useless methods in ProcessUtils apache/dolphinscheduler#15720 from apache/fix-legend-symbol-keep-aspect
5d667ec Merge pull request [Question] Javac not found in Java task apache/dolphinscheduler#15722 from williamorim/ptBRlang
add3f76 chaging double quotes for single quotes
b98affc Adding pt-BR lang file
6641951 Merge pull request [Bug] Using the subprocess node, after the sub-node ends, the task will not be executed backwards apache/dolphinscheduler#15683 from apache/fix-tooltip
35e3511 fix(legend): add back symbolKeepAspect. optimize code logic.
233d2a1 Merge pull request [Bug] [Plugins] the readme.md of pulgins module exist world spell error apache/dolphinscheduler#15715 from apache/fix-test
3bea75a test: optimize test cases for visual regression test
bdafcbc Merge pull request [Bug] [service] built-in parameters like '$[yyyy-MM-dd]' defined in shell task scripts do not work when the task does not set any parameters apache/dolphinscheduler#15711 from apache/fix-line-gradient
fde66ec Merge pull request [Improvement][Spark] Support Local Spark Cluster apache/dolphinscheduler#15589 from apache/fix-polar
fc507c0 test(polar): update test case
d88f7cb Merge pull request [Improvement-15707][Master] Work out the issue that the workflow with a task dependency couldn't work well. apache/dolphinscheduler#15712 from apache/axis-hide-overlap
7dbf36c fix(time): add `axisLabel.hideOverlap`
344b648 fix(line): soft clipping gradient.
01bf5f1 Merge pull request [Bug][dolphinScheduler-task-seatunnel] Script suffixes can be .conf or .json apache/dolphinscheduler#15706 from apache/fix-sunburst
dd1890b fix(sunburst): improve code
c5fcf82 fix(sunburst): radius in levels

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 XML External Entity (XXE) Injection
🦉 Cross-site Scripting (XSS)
🦉 More lessons are available in Snyk Learn


fix: dolphinscheduler-ui/package.json to reduce vulnerabilities

5264dfc

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
- https://snyk.io/vuln/SNYK-JS-AXIOS-1579269
- https://snyk.io/vuln/SNYK-JS-AXIOS-174505
- https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-173700
- https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72889
- https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72890
- https://snyk.io/vuln/SNYK-JS-JQUERY-174006
- https://snyk.io/vuln/SNYK-JS-JQUERY-565129
- https://snyk.io/vuln/SNYK-JS-JQUERY-567880
- https://snyk.io/vuln/SNYK-JS-XMLDOM-1084960
- https://snyk.io/vuln/SNYK-JS-ZRENDER-1586253
- https://snyk.io/vuln/npm:bootstrap:20160627
- https://snyk.io/vuln/npm:bootstrap:20180529

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment