Skip to content
This repository has been archived by the owner on Jul 22, 2024. It is now read-only.

[Snyk] Fix for 1 vulnerabilities #34

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

madztheo
Copy link
Owner

@madztheo madztheo commented Dec 4, 2022

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

As this is a private repository, Snyk-bot does not have access. Therefore, this PR has been created automatically, but appears to have been created by a real user.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 768/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5
Prototype Pollution
SNYK-JS-QS-3153490
Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: body-parser The new version differs by 177 commits.

See the full diff

Package name: express The new version differs by 193 commits.
  • 3d7fce5 4.17.3
  • f906371 build: update example dependencies
  • 6381bc6 deps: qs@6.9.7
  • a007863 deps: body-parser@1.19.2
  • e98f584 Revert "build: use minimatch@3.0.4 for Node.js < 4"
  • a659137 tests: use strict mode
  • a39e409 tests: prevent leaking changes to NODE_ENV
  • 82de4de examples: fix path traversal in downloads example
  • 12310c5 build: use nyc for test coverage
  • 884657d examples: remove bitwise syntax for includes check
  • 7511d08 build: use minimatch@3.0.4 for Node.js < 4
  • 2585f20 tests: fix test missing assertion
  • 9d09762 build: supertest@6.2.2
  • 43cc56e build: clean up gitignore
  • 1c7bbcc build: Node.js@14.19
  • 9cbbc8a deps: cookie@0.4.2
  • 6fbc269 pref: remove unnecessary regexp for trust proxy
  • 2bc734a deps: accepts@~1.3.8
  • 89bb531 docs: fix typo in res.download jsdoc
  • 744564f tests: add test for multiple ips in "trust proxy"
  • da6cb0e tests: add range tests to res.download
  • 00ad5be tests: add more tests for app.request & app.response
  • 141914e tests: fix tests that did not bubble errors
  • bd4fdfe tests: remove global dependency on should

See the full diff

Package name: parse-server The new version differs by 250 commits.
  • 12e174b chore(release): 5.3.0 [skip ci]
  • 2549540 build: release (#8263)
  • 50409aa Merge branch 'release' into build-release
  • 8011b2f chore(release): 5.2.8 [skip ci]
  • 4c1befa fix: server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests ([GHSA-h423-w6qv-2wj3](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3)) [skip release] (#8237)
  • 066f296 fix: server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests ([GHSA-h423-w6qv-2wj3](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3)) (#8235)
  • 1a2b1b9 fix: authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for *Facebook* or *Spotify* and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `["abc"]`) ([GHSA-r657-33vp-gp22](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22)) [skip release] (#8188)
  • e6dc487 chore(release): 5.2.7 [skip ci]
  • ecf0814 fix: authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for *Facebook* or *Spotify* and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `["abc"]`) ([GHSA-r657-33vp-gp22](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22)) (#8185)
  • 83cdc89 fix: session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)) [skip release] (#8181)
  • 7aac70c chore(release): 5.2.6 [skip ci]
  • 6d0b2f5 fix: session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)) (#8182)
  • f0db4ca fix: brute force guessing of user sensitive data via search patterns (GHSA-2m6g-crv8-p3c6) (#8145) [skip release]
  • 83fd16c chore(release): 5.2.5 [skip ci]
  • e39d51b fix: brute force guessing of user sensitive data via search patterns; this fixes a security vulnerability in which internal and protected fields may be used as query constraints to guess the value of these fields and obtain sensitive data (GHSA-2m6g-crv8-p3c6) (#8144)
  • 636d16e fix: protected fields exposed via LiveQuery (GHSA-crrq-vr9j-fxxh) [skip release] (#8075)
  • e42be5c chore(release): 5.2.4 [skip ci]
  • 309f64c fix: protected fields exposed via LiveQuery; this removes protected fields from the client response; this may be a breaking change if your app is currently expecting to receive these protected fields ([GHSA-crrq-vr9j-fxxh](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh)) (https://snyk.io/redirect/github/fix: protected fields exposed via LiveQuery (GHSA-crrq-vr9j-fxxh) parse-community/parse-server#8074) (#8073)
  • 1a04a34 fix: invalid file request not properly handled [skip release] (#8061)
  • eb2952f chore(release): 5.2.3 [skip ci]
  • 5be375d fix: invalid file request not properly handled; this fixes a security vulnerability in which an invalid file request can crash the server ([GHSA-xw6g-jjvf-wwf9](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-xw6g-jjvf-wwf9)) (#8060)
  • 4c2aa63 fix: certificate in Apple Game Center auth adapter not validated [skip release] (#8055)
  • ed0baa8 chore(release): 5.2.2 [skip ci]
  • ba2b0a9 fix: certificate in Apple Game Center auth adapter not validated; this fixes a security vulnerability in which authentication could be bypassed using a fake certificate; if you are using the Apple Gamer Center auth adapter it is your responsibility to keep its root certificate up-to-date and we advice you read the security advisory ([GHSA-rh9j-f5f8-rvgc](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-rh9j-f5f8-rvgc))

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants