Skip to content
This repository has been archived by the owner on Jul 22, 2024. It is now read-only.

[Snyk] Security upgrade parse-server from 2.8.1 to 4.5.1 #45

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Security upgrade parse-server from 2.8.1 to 4.5.1 #45

wants to merge 1 commit into from

Conversation

madztheo
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

As this is a private repository, Snyk-bot does not have access. Therefore, this PR has been created automatically, but appears to have been created by a real user.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908		 Yes Proof of Concept
high severity 761/1000
Why? Mature exploit, Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JS-DICER-2311764		 No Mature
medium severity 534/1000
Why? Has a fix available, CVSS 6.4		 Improper Authentication
SNYK-JS-JSONWEBTOKEN-3180022		 Yes No Known Exploit
medium severity 539/1000
Why? Has a fix available, CVSS 6.5		 Improper Restriction of Security Token Assignment
SNYK-JS-JSONWEBTOKEN-3180024		 Yes No Known Exploit
medium severity 554/1000
Why? Has a fix available, CVSS 6.8		 Use of a Broken or Risky Cryptographic Algorithm
SNYK-JS-JSONWEBTOKEN-3180026		 Yes No Known Exploit
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7		 Prototype Pollution
SNYK-JS-MINIMIST-2429795		 Yes Proof of Concept
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6		 Prototype Pollution
SNYK-JS-MINIMIST-559764		 Yes Proof of Concept
high severity 706/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.7		 Server-side Request Forgery (SSRF)
SNYK-JS-NETMASK-1089716		 Yes Proof of Concept
high severity 706/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.7		 Server-side Request Forgery (SSRF)
SNYK-JS-NETMASK-6056519		 Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Open Redirect
SNYK-JS-NODEFORGE-2330875		 Yes Proof of Concept
medium severity 529/1000
Why? Has a fix available, CVSS 6.3		 Prototype Pollution
SNYK-JS-NODEFORGE-2331908		 Yes No Known Exploit
medium severity 494/1000
Why? Has a fix available, CVSS 5.6		 Improper Verification of Cryptographic Signature
SNYK-JS-NODEFORGE-2430337		 Yes No Known Exploit
high severity 579/1000
Why? Has a fix available, CVSS 7.3		 Improper Verification of Cryptographic Signature
SNYK-JS-NODEFORGE-2430339		 Yes No Known Exploit
medium severity 494/1000
Why? Has a fix available, CVSS 5.6		 Improper Verification of Cryptographic Signature
SNYK-JS-NODEFORGE-2430341		 Yes No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-NODEFORGE-598677		 Yes Proof of Concept
high severity 726/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.1		 Remote Code Execution (RCE)
SNYK-JS-PACRESOLVER-1564857		 Yes Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Server-side Request Forgery (SSRF)
SNYK-JS-REQUEST-3361831		 Yes Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Prototype Pollution
SNYK-JS-TOUGHCOOKIE-5672873		 Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: parse-server The new version differs by 250 commits.
  • 9d90196 Update package-lock.json (#7499)
  • 1443aae Update package.json (#7498)
  • 366bb06 Merge branch 'master' into v4.5.1
  • 147bd9a Merge pull request from GHSA-23r4-5mxp-c7g5
  • c66a39f Remove quoted argument to fix issue on Windows (#7489)
  • 8fddac3 feat(AggregateRouter): support native mongodb syntax in aggregation pipelines (#7339)
  • 381e9bf bump node (#7487)
  • fda07aa Add deprecation plan (#7485)
  • f8c4f9f chore(deps): bump path-parse from 1.0.6 to 1.0.7 (#7484)
  • ae1edeb Bump CI (#7482)
  • 45d29cc fix: upgrade mongodb from 3.6.9 to 3.6.10 (#7474)
  • cc3cd23 Fix missing password policy definitions (#7225)
  • c8e822b Accept context via header X-Parse-Cloud-Context (#7437)
  • c3b71ba [Snyk] Upgrade ws from 7.4.6 to 7.5.3 (#7457)
  • 39f7c83 fix: upgrade @ apollographql/graphql-playground-html from 1.6.28 to 1.6.29 (#7473)
  • c58bf57 fix: upgrade @ apollographql/graphql-playground-html from 1.6.27 to 1.6.28 (#7411)
  • bbd7ee7 fix: upgrade graphql from 15.5.0 to 15.5.1 (#7462)
  • a95ad89 [Snyk] Security upgrade parse from 3.2.0 to 3.3.0 (#7464)
  • 1fe4708 fix: upgrade apollo-server-express from 2.25.1 to 2.25.2 (#7465)
  • 2b3355c fix: upgrade graphql-tag from 2.12.4 to 2.12.5 (#7466)
  • 9923cd3 fix: upgrade graphql-relay from 0.7.0 to 0.8.0 (#7467)
  • 4703822 Add MongoDB 5.0 support + bump CI env (#7469)
  • 250008d changed twitter API endpoint for oauth test (#7472)
  • 1594afe add runtime deprecation warning (#7451)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Improper Authentication
🦉 Use of a Broken or Risky Cryptographic Algorithm
🦉 More lessons are available in Snyk Learn

@snyk-bot
fix: package.json & package-lock.json to reduce vulnerabilities
c39f6e2 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-DICER-2311764
- https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180022
- https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180024
- https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180026
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-NETMASK-1089716
- https://snyk.io/vuln/SNYK-JS-NETMASK-6056519
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2330875
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2331908
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430337
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430339
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430341
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
- https://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@madztheo @snyk-bot