Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 16 vulnerabilities #47

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

ebarahona
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
Yes Proof of Concept
high severity 630/1000
Why? Has a fix available, CVSS 8.1
Internal Property Tampering
SNYK-JS-BSON-561052
Yes No Known Exploit
high severity 630/1000
Why? Has a fix available, CVSS 8.1
Internal Property Tampering
SNYK-JS-BSON-6056525
Yes No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905
Yes Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2
Command Injection
SNYK-JS-LODASH-1040724
Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-450202
Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-608086
Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-73638
Yes Proof of Concept
medium severity 541/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 4.4
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-73639
Yes Proof of Concept
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7
Prototype Pollution
SNYK-JS-MINIMIST-2429795
Yes Proof of Concept
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6
Prototype Pollution
SNYK-JS-MINIMIST-559764
Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-TRIM-1017038
No Proof of Concept
medium severity 596/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.5
Arbitrary Code Injection
SNYK-JS-UNDERSCORE-1080984
Yes Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Prototype Pollution
SNYK-JS-UNSETVALUE-2400660
Yes No Known Exploit
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3
Prototype Pollution
npm:lodash:20180130
Yes Proof of Concept
low severity 324/1000
Why? Has a fix available, CVSS 2.2
Uninitialized Memory Exposure
npm:utile:20180614
No No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: nodemailer The new version differs by 4 commits.
  • eaef3b5 Merge pull request #719 from nodemailer/v3.0.0
  • de5b6f6 updated license
  • 652ad8e Do not use PRO in name
  • 6218b8d Setup files for EUPL licensed v3.0.0

See the full diff

Package name: pm2 The new version differs by 250 commits.

See the full diff

Package name: sails-disk The new version differs by 85 commits.
  • 15faa44 1.0.0
  • a2b7ee6 1.0.0-12
  • 9d7118c Only set footprint keys for uniqueness violations.
  • a2c2261 Add some assertions.
  • a222824 Update gitignore and scripts
  • 3b3c334 1.0.0-11
  • cef95b4 Support updating the primary key value, as long as it's not using _id as the column.
  • aad2a15 Set _id column to value of primary key when creating records.
  • 333e2d1 1.0.0-10
  • c8a26c5 Add shim to replicate MongoDB's behavior w/ `{ $ne: null }` and empty arrays.
  • bf92cb8 1.0.0-9
  • af97943 Workaround issue with projections including only `_id`
  • b5b985b Relax restrictions on using `_id` column in sails disk.
  • f4adfd7 Add an entry in the `refCols` dictionary for every model, so we don't have to short-circuit checks for it later
  • b494fd9 In `find`, deserialize Buffer objects into `ref` attributes where possible.
  • 7aaaaa4 Merge pull request #58 from balderdashy/expose-lib
  • 70ead96 (whoops) Add back 0.10 and 0.12 in appveyor.yml
  • beabe7a Merge pull request [Snyk] Security upgrade mocha from 3.5.3 to 11.0.1 #57 from balderdashy/expose-lib
  • 9c80187 1.0.0-8
  • f7a349d Actually, don't expose the static lib. (No reason to do so, and better to not introduce something experimental if there's any chance it could make an app dependent on random stuff in a dev-only adapter)
  • 2d4d97e 1.0.0-7
  • f2dd761 Rename afterwards function to avoid perceived scope conflict (whether or not it'd ever actually be a big deal, this avoids any potential future scope issues from refactoring, etc).
  • 4051e5e 1.0.0-6
  • 250c32e Handle stray error (and a couple of other trivial changes just from when I was reading through the code)

See the full diff

Package name: sails-mongo The new version differs by 250 commits.
  • 995c476 2.0.0
  • 54f03b2 Merge pull request #491 from balderdashy/pr/483
  • 5fce6ff Revert "Remove .jshint"
  • 72b38d1 Revert a change to a comment
  • 82e1fa7 Remove links from "license" section (moved to sails docs)
  • a9177b0 Remove documentation from README and link to relevant doc pages (made a separate PR to the docs adding that content)
  • a9c5b35 Remove `Roadmap` section from README and move configuration options into `Compatibility` section
  • 045b092 Revert "Revert "Merge pull request #489 from luislobo/patch-2""
  • 6f02ce2 Revert "Temporarily revert merged PR #483"
  • 4d0d2bb Merge branch 'master' into pr/483
  • 384758b Temporarily revert merged PR #483
  • 88b3f78 Revert "Merge pull request #489 from luislobo/patch-2"
  • f2aad81 Merge pull request #489 from luislobo/patch-2
  • 8c74bc1 Update CHANGELOG version
  • 2b3eb9e 2.0.0-0
  • d6ea6cd Merge pull request #483 from Josebaseba/master
  • 6c7189d 2.0.0-0
  • f78f9fc Remove comment that seems out-of-date now
  • 5c06944 Merge branch 'master' into master
  • 69d0cdf Update config-whitelist.constant.js
  • 0df9191 Merge pull request #486 from luislobo/fix-changelog-author-links
  • 7d2c991 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path #1 from luislobo/upgrade-mongodb-drivers
  • 2a638df Updates changelog and readme
  • d0b14f6 Updates mongodb version, and makes version 1.3.0 for more safety

See the full diff

Package name: sails-mysql The new version differs by 202 commits.
  • e9ca5d0 1.0.0
  • 1c8eba9 1.0.0-17
  • 2384285 Same as 2cc4850eb0fc3ff58eeaef044c2b14379af1be32 but for 2 other occurrences.
  • 2cc4850 Apply fix from eslint to properly pass through compileStatement() errors
  • ba40d9a Update eslint
  • ed86ee1 1.0.0-16
  • 227e9ba Bump versions of mariadb tests-- and explicitly test node 8
  • 917db33 Use mp-mysql@3 (see https://github.com/Memory leak balderdashy/sails#4264#issuecomment-353152823)
  • 5e8ed7e Follow-up to 075d7590dfb5fc51ee7c3084df87261b46ea5356
  • 075d759 Update machine runner to v15. (refs https://github.com/Memory leak balderdashy/sails#4264)
  • 0d0503c Even better
  • 6186297 Update language in config errors
  • d1f0791 1.0.0-15
  • d511f24 Allow `ref` type attributes to represent any object, not just Buffers.
  • 3a62cf5 1.0.0-14
  • b8c74aa Merge pull request #349 from balderdashy/revert-utf8mb4-default
  • b98a2f0 Revert code that defaults to the `utf8mb4` character set.
  • 987f467 Merge pull request #346 from balderdashy/support-emojis
  • 3adc445 1.0.0-13
  • 65aa28f lint fix
  • 9fd09c9 1.0.0-12
  • e9cbd78 Change default charset to support emojis. This also adds some comments and notes for the future.
  • 6efdddc 1.0.0-11
  • 056b12b use LONGTEXT by default because mysql truncates data silently

See the full diff

Package name: sails-postgresql The new version differs by 250 commits.
  • e9728fe 1.0.0
  • 3ee54ac 1.0.0-13
  • a2b0da4 Bump mp-postgresql version
  • 0266a58 Update `.exec({...})` to `.switch({...})`
  • 50a8e22 Update helpers to work w/ new machine runner
  • cf3a294 Bypass `bigint` validation for auto timestamps
  • b9352bd If invalid model definitions are detected, just return an error message _without_ a stack trace.
  • 296f538 Coerce empty string to zero when bigint column type is in use
  • 6dea61c Throw an error if `type: 'number'` is used with `columnType: 'bigint'`
  • 24164da Update language in config errors
  • 67aa86b 1.0.0-12
  • cae9019 Stringify strings before using them as values for JSON attributes
  • beb7415 1.0.0-11
  • 2691491 Allow `ref` type attributes to represent any object, not just Buffers.
  • bdf2b7d 1.0.0-10
  • 1b34e1f use column name when parsing values
  • b004869 1.0.0-9
  • a4c8d2c Merge pull request #270 from balderdashy/fixes
  • 8765654 bump min wl-util version
  • 913cad6 key orm by identity rather than table name
  • a0ae8a2 add depth validation to pre-process
  • 1196975 make sure to process each record when no child statements are needed
  • 2c894d2 pass true to process each record deep to show it uses column names
  • 5822b3d include strategy type when building the query cache

See the full diff

Package name: sails-redis The new version differs by 37 commits.
  • 1f165fa 1.0.0
  • f32fae9 remove outdated options (also it would have to be `pass` and `db` anyway)
  • 0093bfb 1.0.0-0
  • ed20643 Update example (.datastore() => .getDatastore())
  • 266a3eb Tweak usage info.
  • 957b88c Expose 'datastores' property on adapter (for use by sails-hook-orm).
  • 8f9d0fc registerConnection() => registerDatastore()
  • 904a73b Update metadata files, tests, and supported features/interfaces.
  • 116c415 One squid is probably sufficient. (This commit also removes some awkward royal we's, adds acknowledgements, and a few other minor tweaks)
  • cb18bf2 fix punctuation typo and add clarification in opening paragraph to explain why there was a change
  • e72ca43 Merge pull request #105 from treelinehq/master
  • d51701e Merge branch 'master' into master
  • 9231fe8 Add note about how this is for v0.12 and earlier
  • 3f6c29f ..actually, will wait until checking with Ryan on that
  • e70e714 Update readme and remove tests. Change package name to sails-redis-lite
  • 62cdf29 Deps.
  • f44df1d Remove some stuff
  • 5b890bb Merge branch 'master' of https://github.com/treelinehq/sails-redis
  • 01041c7 setup for sails v1
  • 4b841c9 Updated Readme closes #98
  • 59a976a Just fixed up an issue where it wouldn't return the correct criteria
  • 27a9f05 Fixed up the scheme not getting passed through
  • 8c28173 Just fixed up the script
  • 1491600 Just removed the database from the tests

See the full diff

Package name: sails-sqlserver The new version differs by 21 commits.

See the full diff

Package name: waterline The new version differs by 250 commits.

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Arbitrary Code Injection

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants