[Snyk] Fix for 6 vulnerabilities #14

snyk-bot · 2021-04-06T16:27:42Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
715/1000 Why? Has a fix available, CVSS 9.8	DLL Injection SNYK-JS-KERBEROS-568900	No	No Known Exploit
821/1000 Why? Proof of Concept exploit, Has a fix available, High severity	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
899/1000 Why? Mature exploit, Has a fix available, CVSS 9.4	Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	No	Mature
644/1000 Why? Has a fix available, CVSS 8.6	Code Injection npm:dustjs-linkedin:20160819	No	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Cross-site Scripting (XSS) npm:marked:20170112	No	No Known Exploit
821/1000 Why? Proof of Concept exploit, Has a fix available, High severity	Directory Traversal npm:st:20140206	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: adm-zip

The new version differs by 50 commits.

80d259f Version bump
3f00a03 Fixed [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#176
650e752 Fixed wrong date on files (issue [Snyk-dev Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#203)
d01fa8c Fixed bugs introduced with 0.4.9
c0cc85d Merge pull request [Snyk Update] New fixes for 2 vulnerable dependency paths snyk-labs/nodejs-goof#219 from jontore/master
39c83a2 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#209 from poshta1900/fix
b94c5dd Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#227 from hhaidar/master
c95c553 Merge pull request [Snyk Update] New fixes for 16 vulnerable dependency paths snyk-labs/nodejs-goof#228 from jmcollin78/patch-1
cda668c Fix issue [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#218
0f2cb41 Fix octal literals so they work in strict mode
888931d To support strict mode use 0o prefix to octal numbers
89b6f67 Update package.json
9592298 Update README.md
ce59e5a Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#215 from grnd/master
38cb4a4 fix: resolve both target and entry path
18c3d31 Update package.json
666adec Update package.json
499d59b Update package.json
62f6400 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#212 from aviadatsnyk/master
6f4dfeb fix: prevent extracting archived files outside of target path
ef0abe6 add try-catch around fs.writeSync
e116bc1 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#208 from pmuens/patch-1
12d2099 Fix data accessing example in README
032566b Merge pull request [Snyk-dev Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#204 from BridgeAR/master

See the full diff

Package name: marked

The new version differs by 13 commits.

2a92083 Release 0.3.7
753a7bd 0.3.7
635e45c Merge pull request feat: add open redirect and xss vulns in code snyk-labs/nodejs-goof#960 from chjj/github-templates
d24427e Add issue template
8f9d0b7 Merge pull request [Snyk-dev] Security upgrade npmconf from 0.0.24 to 1.0.1 snyk-labs/nodejs-goof#844 from chjj/data_link_fix
cd2f6f5 added data: link fix to prevent xss
38f1727 Merge pull request [Snyk-local] Fix for 3 vulnerabilities snyk-labs/nodejs-goof#728 from nehero/patch-1
eddec20 v0.3.6
fd0d1a2 Merge pull request [Snyk] Fix for 3 vulnerable dependencies snyk-labs/nodejs-goof#592 from matt-/xss_html_entities
0fa05b6 Merge pull request [Snyk] Security upgrade mongoose from 4.2.4 to 5.12.2 #1 from rsp/fix/xss_html_entities_semicolon
31c7799 add optional semicolon in html entities regex
6470e8b Update readme example to reflect defaults
2cff859 added explicit matching for HTML entities to prevent XSS

See the full diff

Package name: mongoose

The new version differs by 35 commits.

de88912 release 4.2.5
fae7c94 fix; correctly handle changes in update hook (Fix #3549)
5e58d83 repro; #3549
68e394d fix; dont flatten empty arrays in updateValidators (Fix #3554)
f0b0f61 repro; #3554
73de49c fix; proper support for .update(doc) (Fix #3221)
b5329a1 repro; #3221
932cdbe upgrade; node driver -> 2.0.48 (re: #3544)
6ff39ef fix; unhandled rejection using Query.then() (Fix #3543)
8cccafb Merge pull request #3548 from ChristianMurphy/node-5
2ff09cc Merge pull request #3547 from ChristianMurphy/eslint-update
6d0df2f Test against Node 4 LTS and Node 5 Stable
fc3f645 update ESLint and add a lint script to the package.json
aac346a Update README examples to comma last style
352d80d fix; ability to use mongos for standalones (Fix #3537)
043c958 repro; #3537
4023f12 docs; fix bad connection string example
a55fba7 fix; allow undefined for min/max validators (Fix #3539)
cfc3194 repro; #3539
a2a3b8b fix; issue with fix for #3535
171e694 docs; deep populate docs (Fix #3528)
0922d78 fix; call toObject() when setting single embedded schema to doc (Fix #3535)
ce11be0 repro; #3535
b3472ac fix; apply methods to single embedded schemas (Fix #3534)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	821/1000 Why? Proof of Concept exploit, Has a fix available, High severity	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-KERBEROS-568900 - https://snyk.io/vuln/SNYK-JS-LODASH-567746 - https://snyk.io/vuln/npm:adm-zip:20180415 - https://snyk.io/vuln/npm:dustjs-linkedin:20160819 - https://snyk.io/vuln/npm:marked:20170112 - https://snyk.io/vuln/npm:st:20140206 The following vulnerabilities are fixed with a Snyk patch: - https://snyk.io/vuln/SNYK-JS-LODASH-567746

metalstormbass closed this Jun 11, 2021

metalstormbass deleted the snyk-fix-924108c70c22dd40298535dc12d099f6 branch August 3, 2021 14:45

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 6 vulnerabilities #14

[Snyk] Fix for 6 vulnerabilities #14

snyk-bot commented Apr 6, 2021

[Snyk] Fix for 6 vulnerabilities #14

[Snyk] Fix for 6 vulnerabilities #14

Conversation

snyk-bot commented Apr 6, 2021

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

With a Snyk patch: