[Snyk] Fix for 2 vulnerabilities #12

officialmofabs · 2024-10-18T23:39:41Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- ui/package.json
- ui/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	703/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.2	Cross-site Scripting (XSS) SNYK-JS-DOMPURIFY-8184974	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-WS-7266574	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @prefecthq/prefect-design

The new version differs by 107 commits.

8ac8eb1 2.10.0 (Add PIN 11 PrefectHQ/prefect#1284)
87813dc Merge pull request Update python-dateutil requirement from ~=2.7 to ~=2.8 PrefectHQ/prefect#1273 from PrefectHQ/nicholas/chore/plugin-and-ts-2024-05-02
a5e73b7 Merge pull request Add CircleCI job for testing lower bound dependencies PrefectHQ/prefect#1282 from PrefectHQ/dependabot/npm_and_yarn/dompurify-3.1.3
57b211f Merge pull request Create new SideCar Environment PrefectHQ/prefect#1281 from PrefectHQ/dependabot/npm_and_yarn/types/node-20.12.11
2c2e03e Merge pull request Update pre-commit requirement from ~=1.12 to ~=1.17 PrefectHQ/prefect#1278 from PrefectHQ/dependabot/npm_and_yarn/vite-5.2.11
f542eb8 Merge branch 'main' of https://github.com/PrefectHQ/prefect-design into nicholas/chore/plugin-and-ts-2024-05-02
28f0a24 2.9.0 (Checkpointing PrefectHQ/prefect#1283)
937cbfc Bump dompurify from 3.1.0 to 3.1.3
a9f2867 Bump @ types/node from 20.12.7 to 20.12.11
6cb7312 Merge pull request Update pytest-xdist requirement from ~=1.23 to ~=1.29 PrefectHQ/prefect#1279 from PrefectHQ/tabs
f5c6482 Update Tab.vue
c03eda6 Update Tab.vue
bfbec72 Update index.ts
2c9104d Update index.ts
6e0898d Create PTabsContent.vue
6a46d09 Create PTabsList.vue
3dba802 Create PTabsRoot.vue
c55b42e add ring, muted, foreground
83a7208 Merge pull request Update typing-extensions requirement from ~=3.6 to ~=3.7 PrefectHQ/prefect#1274 from PrefectHQ/remove-sidebar-section-dividers
db690a1 Bump vite from 5.2.10 to 5.2.11
a07e46f Update PNavigationBar.vue
b4fb706 Update PContextSidebar.vue
50f369f Merge branch 'main' of https://github.com/PrefectHQ/prefect-design into nicholas/chore/plugin-and-ts-2024-05-02
69ba0a6 Use relateive import in tailwind config

See the full diff

Package name: @prefecthq/vue-compositions

The new version differs by 107 commits.

769b212 1.11.5 (A PAUSED task will run if another FlowRun starts that attempts to run it PrefectHQ/prefect#498)
a639b96 Merge pull request Mark test as xfail PrefectHQ/prefect#497 from PrefectHQ/storage-stop-immediate-set
0a8341e Use a watch rather than a watchEffect
8f6ef50 Merge pull request Remove return_failed... add return_failed state handler PrefectHQ/prefect#496 from PrefectHQ/dependabot/npm_and_yarn/typescript-5.6.3
f9c8213 Merge pull request Docs unit tests fail if an input argument has newlines PrefectHQ/prefect#495 from PrefectHQ/dependabot/npm_and_yarn/vitest-2.1.3
1649fc9 Merge pull request FIX: state_handlers not always called by the TaskRunner PrefectHQ/prefect#494 from PrefectHQ/dependabot/npm_and_yarn/vite-5.4.9
76f0a0d Bump typescript from 5.6.2 to 5.6.3
9c91685 Bump vitest from 2.1.1 to 2.1.3
7b1fd2a Bump vite from 5.4.8 to 5.4.9
3962ea5 Merge pull request RFC: remove return_failed kwarg from FlowRunner.run()? PrefectHQ/prefect#493 from PrefectHQ/jamiezieziula-patch-2
3e91109 Merge pull request Clean up multiple config settings in SynchronousExecutor PrefectHQ/prefect#492 from PrefectHQ/jamiezieziula-patch-1
b1e448b Update .github/workflows/npm_update_latest_prefect.yaml
526f4e2 Update .github/workflows/release.yml
89b238b Update npm_update_latest_prefect.yaml
4836fff Update release.yml
5290658 Merge pull request Re-enable xfail tests PrefectHQ/prefect#490 from PrefectHQ/dependabot/npm_and_yarn/vite-5.4.8
91ee822 Merge pull request Improve engine config options / behavior PrefectHQ/prefect#487 from PrefectHQ/dependabot/npm_and_yarn/jsdom-25.0.1
8a38fe9 Merge pull request Distributed 1.25.2 causes OOM errors in CI PrefectHQ/prefect#488 from PrefectHQ/dependabot/npm_and_yarn/typescript-5.6.2
7f989c8 Merge pull request Fix for running with Distributed 1.25.2 PrefectHQ/prefect#489 from PrefectHQ/dependabot/npm_and_yarn/rollup-4.22.4
cb08062 Bump vite from 5.4.6 to 5.4.8
8a28edb Bump rollup from 4.21.0 to 4.22.4
90be570 Bump typescript from 5.5.4 to 5.6.2
969f591 Bump jsdom from 25.0.0 to 25.0.1
0df3f52 Merge pull request FIX: set_nested wouldn't overwrite an existing key PrefectHQ/prefect#479 from PrefectHQ/dependabot/npm_and_yarn/eslint-8.57.1

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)
🦉 Denial of Service (DoS)

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-DOMPURIFY-8184974 - https://snyk.io/vuln/SNYK-JS-WS-7266574

socket-security · 2024-10-18T23:41:02Z

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@prefecthq/prefect-design@2.10.0	Transitive: environment, filesystem, network	`+39`	15.7 MB	znicholasbrown
npm/@prefecthq/vue-compositions@1.11.5	eval Transitive: environment, filesystem, network	`+39`	11.9 MB	znicholasbrown
pypi/aiosqlite@0.20.0	filesystem, network	`0`	71.8 kB	amyreese
pypi/alembic@1.13.3	environment, eval, filesystem, network, shell	`0`	8.46 MB	CaselIT
pypi/apprise@1.9.0	environment, eval, filesystem, network, shell, unsafe	`+2`	6.48 MB	caronc
pypi/asgi-lifespan@2.1.0	None	`0`	57.8 kB	florimondmanca
pypi/asyncpg@0.29.0	environment, eval, filesystem, network, shell, unsafe	`+2`	17.3 MB	Elvis.Pranskevichus, edgedb-ci, magicstack-ci, ...1 more
pypi/cachetools@5.5.0	unsafe	`0`	142 kB	tkem
pypi/cairosvg@2.7.1	environment, filesystem, network Transitive: eval	`+4`	13.1 MB	SimonSapin, gentooboontoo, liZe
pypi/click@8.1.7	environment, eval, filesystem, network, shell	`+2`	1.12 MB
pypi/cloudpickle@3.1.0	None	`0`	0 B
pypi/codespell@2.3.0	environment, filesystem, shell	`0`	1.62 MB	Eric89GXL, lucasdemarchi
pypi/coolname@2.2.0	environment, filesystem, shell	`0`	198 kB	alexanderlukanin13
pypi/croniter@3.0.3	None	`0`	251 kB	kiorky, taichino
pypi/cryptography@43.0.3	environment, eval, filesystem, network, shell, unsafe	`0`	19.5 MB	reaperhulk
pypi/dateparser@1.2.0	environment, eval, filesystem, network, unsafe Transitive: shell	`+4`	2.29 MB	asadurski, dangra, eljunior, ...3 more

🚮 Removed packages: npm/@prefecthq/prefect-design@2.7.16, npm/@prefecthq/vue-compositions@1.11.4, pypi/dbt-core@1.8.7, pypi/dbt-postgres@1.8.2, pypi/dbt-snowflake@1.8.4, pypi/distributed@2022.2.0, pypi/distributed@2024.10.0, pypi/docker@7.1.0, pypi/flake8@7.1.1, pypi/google-api-python-client@2.149.0, pypi/google-cloud-aiplatform@1.70.0, pypi/google-cloud-bigquery-storage@2.26.0, pypi/google-cloud-bigquery@3.26.0, pypi/google-cloud-secret-manager@2.20.2, pypi/google-cloud-storage@2.18.2, pypi/interrogate@1.7.0, pypi/isort@5.13.1, pypi/mkdocs-gen-files@0.5.0, pypi/mkdocs-material@9.5.41, pypi/mkdocs@1.6.1, pypi/mkdocstrings-python-legacy@0.2.4, pypi/mkdocstrings@0.26.2, pypi/mock@5.1.0, pypi/moto@5.0.17, pypi/mypy-boto3-s3@1.35.42, pypi/mypy-boto3-secretsmanager@1.35.0, pypi/mypy@1.12.0, pypi/pandas@2.2.3, pypi/pillow@11.0.0, pypi/pre-commit@4.0.1, pypi/prefect-gcp@0.6.1, pypi/prefect-shell@0.3.0, pypi/prefect-snowflake@0.28.0, pypi/prefect-sqlalchemy@0.5.1, pypi/prefect@3.0.10, pypi/pyarrow@17.0.0, pypi/pyparsing@3.2.0, pypi/pytest-asyncio@0.24.0, pypi/pytest-cov@5.0.0, pypi/pytest-xdist@3.3.1, pypi/pytest-xdist@3.6.1, pypi/pytest@8.3.3, pypi/python-slugify@8.0.3, pypi/respx@0.21.1, pypi/setuptools-scm@8.1.0, pypi/setuptools@75.2.0, pypi/sgqlc@16.4, pypi/tenacity@9.0.0, pypi/types-boto3@1.0.2, pypi/wheel@0.44.0

View full report↗︎

fix: ui/package.json & ui/package-lock.json to reduce vulnerabilities

a0dc6cf

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-DOMPURIFY-8184974 - https://snyk.io/vuln/SNYK-JS-WS-7266574

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 2 vulnerabilities #12

[Snyk] Fix for 2 vulnerabilities #12

officialmofabs commented Oct 18, 2024

socket-security bot commented Oct 18, 2024

[Snyk] Fix for 2 vulnerabilities #12

Are you sure you want to change the base?

[Snyk] Fix for 2 vulnerabilities #12

Conversation

officialmofabs commented Oct 18, 2024

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

socket-security bot commented Oct 18, 2024