Skip to content
This repository has been archived by the owner on Jul 22, 2024. It is now read-only.

[Snyk] Security upgrade parse-server from 2.8.1 to 5.5.0 #39

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Security upgrade parse-server from 2.8.1 to 5.5.0 #39

wants to merge 1 commit into from

Conversation

madztheo
Copy link
Owner

@madztheo madztheo commented Jun 1, 2023

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

As this is a private repository, Snyk-bot does not have access. Therefore, this PR has been created automatically, but appears to have been created by a real user.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 601/1000
Why? Recently disclosed, Has a fix available, CVSS 6.3		 Arbitrary File Upload
SNYK-JS-PARSESERVER-5661794		 Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: parse-server The new version differs by 250 commits.
  • ac90cb8 chore(release): 5.5.0 [skip ci]
  • 196e05f feat: Add new Parse Server option `fileUpload.fileExtensions` to restrict file upload by file extension; this fixes a security vulnerability in which a phishing attack could be performed using an uploaded HTML file; by default the new option only allows file extensions matching the regex pattern `^[^hH][^tT][^mM][^lL]?$`, which excludes HTML files; this fix is released as a patch version given the severity of this vulnerability, however, if your app currently depends on uploading files with HTML file extensions then this may be a breaking change and you could allow HTML file upload by setting the option to `['.*']` (#8537)
  • e9ae435 chore(release): 5.4.3 [skip ci]
  • 4f0f0ec fix: Unable to create new role if `beforeSave` hook exists (#8474)
  • 0ec9239 refactor: Upgrade @ graphql-tools/merge from 8.3.6 to 8.3.17 (#8437)
  • b905137 chore(release): 5.4.2 [skip ci]
  • 2c19c2e fix: Security upgrade jsonwebtoken to 9.0.0 (#8431)
  • 30576f1 chore(release): 5.4.1 [skip ci]
  • e016d81 fix: The client IP address may be determined incorrectly in some cases; it is now required to set the Parse Server option `trustProxy` accordingly if Parse Server runs behind a proxy server, see the express framework's [trust proxy](https://expressjs.com/en/guide/behind-proxies.html) setting; this fixes a security vulnerability in which the Parse Server option `masterKeyIps` may be circumvented, see [GHSA-vm5r-c87r-pf6x](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x) (#8369)
  • c8bc200 ci: Add LTS branches to CI workflow
  • 09d04b0 ci: update auto-release workflow
  • 38f64be ci: update auto-release for LTS
  • 9b34b02 chore(release): 5.4.0 [skip ci]
  • e373f09 build: Release (#8324)
  • a9a9772 Merge branch 'release' into beta
  • 735669a refactor: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf) (#8307)
  • fd8a11b chore(release): 5.3.3 [skip ci]
  • 60c5a73 fix: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf) (#8305)
  • 3e983c4 chore(release): 5.3.2 [skip ci]
  • d9c3c02 refactor: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx) (#8303)
  • 6728da1 fix: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx) (#8302)
  • 46dbecd refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg) (#8298)
  • 2458a8c chore(release): 5.3.1 [skip ci]
  • 50eed3c fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg) (#8295)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@madztheo @snyk-bot