Skip to content

[Snyk] Fix for 11 vulnerabilities #113

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

[Snyk] Fix for 11 vulnerabilities #113

wants to merge 1 commit into from
+17 −5

Conversation

snyk-bot
Copy link

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json

  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
    Find out more.

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905		 Yes Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2		 Command Injection
SNYK-JS-LODASH-1040724		 Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-450202		 Yes Proof of Concept
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3		 Prototype Pollution
SNYK-JS-LODASH-567746		 Yes Proof of Concept
critical severity 704/1000
Why? Has a fix available, CVSS 9.8		 Prototype Pollution
SNYK-JS-LODASH-590103		 Yes No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-608086		 Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-73638		 Yes Proof of Concept
medium severity 541/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 4.4		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-73639		 Yes Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MINIMATCH-1019388		 Yes No Known Exploit
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3		 Prototype Pollution
npm:lodash:20180130		 Yes Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
npm:minimatch:20160620		 Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: jscs The new version differs by 250 commits.
  • 7a85716 2.5.0
  • 0eaaf8f Prepare for version 2.5.0
  • 214cf9f Misc: update dependencies
  • cdb0af4 Misc: fix code style violations
  • 2481d63 Configuration: allow default preset override
  • 5047150 Preset: use wikimedia preset as dependency
  • cf60723 Fix: Sparse arrays in rules with spacing and commas
  • 1788d59 Update: `requireCurlyBraces`: make rule more flexible
  • 9469688 Misc: fix code style issues
  • 706495b Update: `{ allExcept: ['trailing'] }` for "requireSpaceAfterComma"
  • 8eb92b6 Configuration: correct config dir detection
  • 5eb8fbd Docs: Fixed missing markdown codeblock closing
  • ec55656 Docs: fixed CHANGELOG.md links to some rules
  • f418a5c Misc: `requireSpacesInGenerator` refactor
  • ad82a43 New Rule: requireSpacesInGenerator
  • 3d0ae58 Docs: Added hzoo and chat room
  • 37fc3fe Misc: optimize lint execution in package.scripts
  • 8eb05e2 Misc: update 2.4.0 changelog with bug fix
  • 65f6df1 2.4.0
  • 9ef33c3 Misc: Prepare for version 2.4.0
  • 98812c4 Fix: block statements rules - account for bare blocks
  • 2c8d58e New rule: requireAlignedMultilineParams:
  • 077c2f6 Fix: rename "requireCapitalizedComments" option
  • 5ee3120 Tests: fix merge artefact

See the full diff

Package name: waterline-adapter-tests The new version differs by 169 commits.
  • 944f2b7 1.0.0
  • 0eb219f 1.0.0-13
  • 26f2034 Fix misconfigured many-to-many association
  • 354007d Remove errant log
  • aaa500c 1.0.0-12
  • cf24518 Add tests for `omit`
  • 8770d6e Add `archiveModelIdentity: false` where necessary to avoid errors re: Archive model in tests.
  • f03938d 1.0.0-11
  • 9e76b38 Test "json" attribute creation against all valid JSON types
  • 795da10 Test that `replaceCollection` doesn't allow > 1 parent record IDs when operating on a one-to-many relationship
  • d9371e4 1.0.0-10
  • 23f2fb9 Test that child records aren't processed > 1 time and aren't attached by reference
  • f101d92 Use correct fixtures for `belongsTo` find+populate tests
  • 066d6d9 Add json attribute to `belongsTo` parent fixture
  • 561141d 1.0.0-9
  • 875c6d9 Add test for correctly removing unnecessary conjuncts/disjuncts
  • e389d1a Don't set `id` in the "update unique to the same value" test
  • 2e77032 Whitespace
  • a4017f9 Fix test added in https://github.com/balderdashy/waterline-adapter-tests//commit/9bad9416f19040feeb1880b410e760dece4f921e to not expect the taxi ID to always be 1
  • 9bad941 Add test to ensure that child criteria are disambiguated in many-to-many joins
  • 19dbf70 Add a couple of tests that check that values aren't over-escaped.
  • a8f1dac 1.0.0-8
  • 4d6b45e Don't run "update PK" test on sails-disk.
  • 402bd89 Use roadstead versions

See the full diff

With a Snyk patch:
Severity Priority Score (*) Issue Exploit Maturity
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3		 Prototype Pollution
npm:lodash:20180130		 Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

@snyk-bot
fix: package.json & .snyk to reduce vulnerabilities

Unverified

This user has not yet uploaded their public signing key.
GPG key ID: 09541BBFF0C4C795
Learn about vigilant mode
d4e1bf7 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-LODASH-590103
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-1019388
- https://snyk.io/vuln/npm:lodash:20180130
- https://snyk.io/vuln/npm:minimatch:20160620


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/npm:lodash:20180130
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@snyk-bot