Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Security upgrade parse-server from 4.4.0 to 5.3.0 #564

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

hopetambala
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Prototype Poisoning
SNYK-JS-QS-3153490
Yes Proof of Concept
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
SNYK-JS-WORDWRAP-3149973
Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835
Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: parse-server The new version differs by 250 commits.
  • 12e174b chore(release): 5.3.0 [skip ci]
  • 2549540 build: release (#8263)
  • 50409aa Merge branch 'release' into build-release
  • 8011b2f chore(release): 5.2.8 [skip ci]
  • 4c1befa fix: server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests ([GHSA-h423-w6qv-2wj3](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3)) [skip release] (#8237)
  • 066f296 fix: server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests ([GHSA-h423-w6qv-2wj3](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3)) (#8235)
  • 1a2b1b9 fix: authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for *Facebook* or *Spotify* and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `["abc"]`) ([GHSA-r657-33vp-gp22](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22)) [skip release] (#8188)
  • e6dc487 chore(release): 5.2.7 [skip ci]
  • ecf0814 fix: authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for *Facebook* or *Spotify* and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `["abc"]`) ([GHSA-r657-33vp-gp22](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22)) (#8185)
  • 83cdc89 fix: session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)) [skip release] (#8181)
  • 7aac70c chore(release): 5.2.6 [skip ci]
  • 6d0b2f5 fix: session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)) (#8182)
  • f0db4ca fix: brute force guessing of user sensitive data via search patterns (GHSA-2m6g-crv8-p3c6) (#8145) [skip release]
  • 83fd16c chore(release): 5.2.5 [skip ci]
  • e39d51b fix: brute force guessing of user sensitive data via search patterns; this fixes a security vulnerability in which internal and protected fields may be used as query constraints to guess the value of these fields and obtain sensitive data (GHSA-2m6g-crv8-p3c6) (#8144)
  • 636d16e fix: protected fields exposed via LiveQuery (GHSA-crrq-vr9j-fxxh) [skip release] (#8075)
  • e42be5c chore(release): 5.2.4 [skip ci]
  • 309f64c fix: protected fields exposed via LiveQuery; this removes protected fields from the client response; this may be a breaking change if your app is currently expecting to receive these protected fields ([GHSA-crrq-vr9j-fxxh](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh)) (https://snyk.io/redirect/github/fix: protected fields exposed via LiveQuery (GHSA-crrq-vr9j-fxxh) parse-community/parse-server#8074) (#8073)
  • 1a04a34 fix: invalid file request not properly handled [skip release] (#8061)
  • eb2952f chore(release): 5.2.3 [skip ci]
  • 5be375d fix: invalid file request not properly handled; this fixes a security vulnerability in which an invalid file request can crash the server ([GHSA-xw6g-jjvf-wwf9](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-xw6g-jjvf-wwf9)) (#8060)
  • 4c2aa63 fix: certificate in Apple Game Center auth adapter not validated [skip release] (#8055)
  • ed0baa8 chore(release): 5.2.2 [skip ci]
  • ba2b0a9 fix: certificate in Apple Game Center auth adapter not validated; this fixes a security vulnerability in which authentication could be bypassed using a fake certificate; if you are using the Apple Gamer Center auth adapter it is your responsibility to keep its root certificate up-to-date and we advice you read the security advisory ([GHSA-rh9j-f5f8-rvgc](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-rh9j-f5f8-rvgc))

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Poisoning
🦉 Regular Expression Denial of Service (ReDoS)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants