[Snyk] Fix for 31 vulnerabilities #1139

aliscco · 2023-04-28T15:41:44Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- test/fixtures/qs-package/node_modules/url/package.json
- test/fixtures/qs-package/node_modules/url/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
685/1000 Why? Mature exploit, Recently disclosed, Has a fix available, CVSS 3.7	Exposure of Resource to Wrong Sphere SNYK-JS-FSEVENTS-5487987	No	Mature
671/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	No	Proof of Concept
601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	No	Proof of Concept
579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-HANDLEBARS-173692	No	No Known Exploit
579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-HANDLEBARS-469063	No	No Known Exploit
726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-HANDLEBARS-534478	No	Proof of Concept
704/1000 Why? Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-HANDLEBARS-534988	No	No Known Exploit
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-HANDLEBARS-567742	No	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-2863123	Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
619/1000 Why? Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	No	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	No	No Known Exploit
704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary Code Injection npm:growl:20160721	Yes	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Cross-site Scripting (XSS) npm:handlebars:20151207	No	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:qs:20140806	No	No Known Exploit
539/1000 Why? Has a fix available, CVSS 6.5	Denial of Service (DoS) npm:qs:20140806-1	No	No Known Exploit
741/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.4	Command Injection npm:shell-quote:20160621	No	Proof of Concept
629/1000 Why? Has a fix available, CVSS 8.3	Improper minification of non-boolean comparisons npm:uglify-js:20150824	No	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: zuul

The new version differs by 98 commits.

56e2128 3.12.0
79693fa Merge pull request [Snyk] Security upgrade django from 1.6.1 to 1.6.3 #323 from vweevers/custom-loopback-hostname
060d991 Disambiguate with other projects named zuul ([Snyk] Fix for 1 vulnerabilities #324)
4c5d666 refactor: function for local url building
542b122 don't instantiate tunnel if opt.tunnel is false
e8a1965 test: support custom loopback hostname
4d4abe3 support custom loopback hostname
8f8adf0 Merge pull request [Snyk] Security upgrade tap from 11.1.3 to 12.6.2 #317 from defunctzombie/vvo-patch-1
a0b10d0 Merge pull request [Snyk] Fix for 1 vulnerabilities #318 from Haroenv/patch-1
c7ac9c7 nit(package.json): update github repository
cd036ed Stop using http tarball for stacktrace-js
0c91153 upgrade phantomjs to 2.1.13
54c7556 Add --no-instrument option. ([Snyk] Security upgrade tap from 5.8.0 to 9.0.0 #310)
f07d842 Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5.2 #308 from mcollina/master
7b3d032 Bumped yamljs dependency to v0.2.8.
f021cf3 3.11.1
519c66a Merge pull request [Snyk] Security upgrade sinatra from 1.3.2 to 2.2.0 #306 from defunctzombie/fix-305
0b8d4c2 Support new 'electron' package (electron-prebuilt is deprecated)
326ddce add .npmrc with save-exact = true
2e34c5d v3.11.0
482238e update history
f7d185d saucebrowser: use an environment variable to specify the appium version ([Snyk] Security upgrade Newtonsoft.Json from 10.0.3 to 13.0.1 #300)
05133bc v3.10.3
b775921 Merge pull request [Snyk] Security upgrade python from 3.6-slim to 3.8-slim #297 from JamesKyburz/electron-1.2.0-fix

See the full diff

With a Snyk patch:

Priority Score (*)	Issue	Exploit Maturity
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Proof of Concept
399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:hawk:20160119	No Known Exploit
539/1000 Why? Has a fix available, CVSS 6.5	Timing Attack npm:http-signature:20150122	No Known Exploit
399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	No Known Exploit
399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	No Known Exploit
539/1000 Why? Has a fix available, CVSS 6.5	Denial of Service (DoS) npm:qs:20140806-1	No Known Exploit
469/1000 Why? Has a fix available, CVSS 5.1	Remote Memory Exposure npm:request:20160119	No Known Exploit
576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Remote Code Execution (RCE)
🦉 Prototype Pollution
🦉 Cross-site Scripting (XSS)
🦉 More lessons are available in Snyk Learn

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 31 vulnerabilities #1139

[Snyk] Fix for 31 vulnerabilities #1139

aliscco commented Apr 28, 2023

[Snyk] Fix for 31 vulnerabilities #1139

Are you sure you want to change the base?

[Snyk] Fix for 31 vulnerabilities #1139

Conversation

aliscco commented Apr 28, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

With a Snyk patch: