
[Snyk] Fix for 2 vulnerabilities #22

Open
wants to merge 1 commit into
base: master
from

Conversation

ahmed-medhat-tawfiq
Owner

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| medium | 658/1000 (Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS), SNYK-JS-LODASH-1018905 | Yes | Proof of Concept |
| high | 753/1000 (Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.2) | Command Injection, SNYK-JS-LODASH-1040724 | Yes | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: captains-log
The new version differs by 12 commits.
  • 6e14204 1.0.2
  • 6f528e9 Update boilerplate.
  • 56ea7f4 Better error msg for 'Unsupported logger override' (custom logger) -- and also upgrade Lodash dep to 3.10.2.
  • dd400a9 Add boilerplate.
  • ee75b69 Add experimental _dontAccessErrorStacks option (refs https://github.com/balderdashy/captains-log/issues/17)
  • e3cdc89 1.0.1
  • 277cc49 travis.yml
  • d9f4a59 Switch from 'colors' to chalk, with handrolled rainbows derived from Marak's (https://snyk.io/redirect/github/Marak/colors.js/blob/dfb15b55382772ba4fd34fc21922a2d83e9d34d3/lib/maps/rainbow.js).
  • 40b1758 Trivial.
  • 607fb91 A few minor normalizations.
  • 8017c80 Bump rc dep and mocha devDep
  • b30c915 Add more details about what custom loggers are useful for

See the full diff

Package name: machine
The new version differs by 250 commits.

See the full diff

Package name: machine-as-action
The new version differs by 38 commits.
  • 8b71584 10.1.0
  • 4663ae7 Revert "10.0.0"
  • a4e83a3 10.0.0
  • a5d2348 Attach toJSON() method to requestables.
  • fa71ddc 10.0.0-7
  • c421b16 Force bump machine dep SVR to avoid compat. problems for prerelease users.
  • 63ee781 10.0.0-6
  • cff524b Tweak error msg
  • d8988e9 Use gentler error negotiation when improving stack traces of internal errors from inside actions.
  • 1072654 Initial implementation of parsing E_FROM_WITHIN errors (though it will need to be changed)
  • 343e17b Trivial (> to !== for consistency with general approach to pluralization)
  • 9f860bc Add note about pulling this into Sails core.
  • ddbe5bd 10.0.0-5
  • 4cc74eb Update expected output in test.
  • efc23bc Remove warning from test output by including missing skipAssets
  • aa5ee60 Normalize where files are located, and fix all but one test.
  • f0038aa 10.0.0-4
  • fce5fff Handle any errors emitted by the download stream.
  • 031ecd0 Tolerate querystring-encoded empty string provided for a numeric input by simply ignoring it altogether.
  • c95b202 10.0.0-3
  • 2a682e1 Force-bump machine runner dep
  • 834ce70 Remove temporarily more-aggressive result validation.
  • ef43fa4 Remove '===' exit output casting in favor of the originally proposed, more-involved solution (this allows new kinds of more aggressive result validation tactics to be effective)
  • 18cea13 If a querystring-encoded parameter value comes in as '' (empty string), and the corresponding input definition is clearly expecting a boolean, then use common sense to interpret the incoming request as having this argin set to the boolean true.

See the full diff

Package name: machinepack-process
The new version differs by 52 commits.

See the full diff

Package name: machinepack-redis
The new version differs by 8 commits.

See the full diff

Package name: sort-route-addresses
The new version differs by 11 commits.

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic
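Both advisories above are against lodash, but the PR only bumps the packages that depend on it, so the fix takes effect only if every copy of lodash that npm resolves in the tree (including copies nested under individual dependencies) ends up in the fixed range. The script below is an added example, not code from this project or from Snyk: it walks an npm lockfile in either layout (nested `dependencies` for lockfileVersion 1, the flat `packages` map for lockfileVersion 2/3) and reports each installed lodash older than a floor. The floor of 4.17.21 is my assumption for the release that resolves both advisories; the lockfile contents and the package names `pkg-a`, `pkg-b`, `pkg-c` are constructed for the demo.

```javascript
// Added example (not from this project or from Snyk): list every copy of
// lodash in an npm lockfile that is older than an assumed fixed version.
// All lockfile data below is constructed for the demo.

// ASSUMPTION: 4.17.21 is the lodash release that resolves both advisories.
const LODASH_MIN = "4.17.21";

// Parse "major.minor.patch" with an optional "-prerelease" suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] !== undefined };
}

// strcmp-style compare. A pre-release sorts below the same core version;
// two pre-releases of one core version are treated as equal (simplification).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  return (pa.pre ? 0 : 1) - (pb.pre ? 0 : 1);
}

// Collect every install of `name` from either lockfile layout:
// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
// lockfileVersion 1 nests "dependencies" objects under each dependency.
function findPackage(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key === `node_modules/${name}` || key.endsWith(`/node_modules/${name}`)) {
        hits.push({ path: key, version: info.version });
      }
    }
    return hits;
  }
  const walk = (node, trail) => {
    for (const [dep, info] of Object.entries(node.dependencies || {})) {
      const here = [...trail, dep];
      if (dep === name) hits.push({ path: here.join(" > "), version: info.version });
      walk(info, here);
    }
  };
  walk(lock, []);
  return hits;
}

// Every resolved lodash below the floor, in lockfile order.
function vulnerableLodash(lock, min = LODASH_MIN) {
  return findPackage(lock, "lodash").filter((h) => compareVersions(h.version, min) < 0);
}

// Constructed lockfileVersion 1 sample: one current top-level lodash plus two
// older copies nested under the made-up packages pkg-a and pkg-b.
const sampleLockV1 = {
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: "4.17.21" },
    "pkg-a": { version: "1.0.0", dependencies: { lodash: { version: "3.10.1" } } },
    "pkg-b": {
      version: "2.0.0",
      dependencies: {
        lodash: { version: "4.17.15" },
        "pkg-c": { version: "0.1.0", dependencies: { lodash: { version: "4.17.21" } } },
      },
    },
  },
};

// The same constructed tree in the flat lockfileVersion 2/3 layout.
const sampleLockV2 = {
  lockfileVersion: 2,
  packages: {
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/pkg-a": { version: "1.0.0" },
    "node_modules/pkg-a/node_modules/lodash": { version: "3.10.1" },
    "node_modules/pkg-b": { version: "2.0.0" },
    "node_modules/pkg-b/node_modules/lodash": { version: "4.17.15" },
    "node_modules/pkg-b/node_modules/pkg-c": { version: "0.1.0" },
    "node_modules/pkg-b/node_modules/pkg-c/node_modules/lodash": { version: "4.17.21" },
  },
};

for (const lock of [sampleLockV1, sampleLockV2]) {
  for (const hit of vulnerableLodash(lock)) {
    console.log(`lockfileVersion ${lock.lockfileVersion}: ${hit.path} has lodash ${hit.version} < ${LODASH_MIN}`);
  }
}
```

To run it against a real project, replace the sample objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` after installing from the PR branch; `npm ls lodash` gives the same picture interactively. The top-level `lodash: 4.17.21` entry in the samples is exactly the case where a naive check passes while two nested copies stay vulnerable.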
