[Snyk] Fix for 6 vulnerabilities #61

snyk-bot · 2021-07-05T22:29:07Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- src/ProjectTemplates/Web.Spa.ProjectTemplates/content/Angular-CSharp/ClientApp/package.json
- src/ProjectTemplates/Web.Spa.ProjectTemplates/content/Angular-CSharp/ClientApp/package-lock.json
- src/ProjectTemplates/Web.Spa.ProjectTemplates/content/Angular-CSharp/ClientApp/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
715/1000 Why? Has a fix available, CVSS 9.8	Use After Free SNYK-JS-NODESASS-535497	No	No Known Exploit
509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-NODESASS-542662	No	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:jasmine-core:20180216	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: node-sass

The new version differs by 107 commits.

c167004 6.0.1
911d4db remove mkdirp dep (Add ANCM InProcess tests to WebSockets dotnet/aspnetcore#3108)
30a52f7 build(deps): bump meow from 3.7.0 to 9.0.0
7e08463 build(deps-dev): bump mocha from 8.4.0 to 9.0.1
cfcbb2c chore: Use default Apline version from docker-node (CORS not working with OPTIONS dotnet/aspnetcore#3121)
886319b chore: Drop Node 10 support
c908f4f fix: Bump OSX minimum to 10.11
8ab02da fix: Remove old compiler gyp settings
3d7b9d0 chore: Add Node 16 support
4115e9d build(deps): bump actions/setup-node from v2.1.4 to v2.1.5
06f3ab4 Update TROUBLESHOOTING.md
c1cb367 build(deps): bump actions/setup-node from v2.1.3 to v2.1.4
769f3a6 build(deps): bump actions/setup-node from v2.1.2 to v2.1.3
a2a3a78 chore: Bump dependabot limit
7105b0a 5.0.0 (Error! After Installation of AspNetCore and dotnet core the IIS Handler Mappings - aspNetCore is not installed dotnet/aspnetcore#3015)
0648b5a chore: Add Node 15 support (Undo breaking change for OptionsWrapper<T>.Remove(string) and Add(string, TOptions) dotnet/aspnetcore#2983)
e2391c2 Add a deprecation message to the readme (Preventing a scoped dependency from being disposed dotnet/aspnetcore#3011)
6a33e53 chore: Don't upload artifacts on PRs
d763506 chore: Only run coverage on main repo
d4ebe72 build(deps): update actions/setup-node requirement to v2.1.2
2bebe05 build(deps-dev): bump rimraf from 2.7.1 to 3.0.2
f877689 chore: Don't double build DependaBot PRs
b48fac4 chore: Add weekly DependaBot updates
91c40a0 Remove deprecated process.sass API

See the full diff

Package name: protractor

The new version differs by 63 commits.

5d8da04 chore(release): version bump to 6.0.0 and update the changelog
d777738 chore(tests): circleci - chrome 69 requires chromdriver to 2.44 (Provide hooks to allow for integration with other JavaScript frameworks dotnet/aspnetcore#5182)
3d50b68 chore(deps): update based on npm audit
e478ba8 chore(release): bump version to 6.0.1-beta
7054827 chore(types): fix types to use not @ types/selenium-webdriver (Add health checks routing extensions dotnet/aspnetcore#5127)
2e5c2e6 chore(jasmine): prevent random execution order in jasmine 3 (converting asp.net to asp.net core issue on onredirecttoidentityprovider dotnet/aspnetcore#5126)
8afc4e2 chore(release): release 6.0.0-beta and update the changelog
5fd711c chore(webdriver-manager): use webdriver-manager@13.0.0-beta
96ae17c deps(jasmine): upgrade jasmine 3.3 (Razor Sdk 3.0 migration docs dotnet/aspnetcore#5102)
68491dd chore(expectedConditions): update generic Function typings (Add a test verifying 3.0 SDK is compatible with 2.2 targeting project dotnet/aspnetcore#5101)
cf43651 chore(debugprint): convert debugprint to TypeScript (#5074)
d213aa9 deps(selenium): upgrade to selenium 4 (DocumentSnapshot system needs to understands imports better dotnet/aspnetcore#5095)
4672265 chore(browser): remove timing issues with restart and fork (Razor Language Service does not appear to work with cshtml files in fsproj project dotnet/aspnetcore#5085)
b4dbcc2 chore(elementexplorer): remove explorer bin file (Review and update dependencies in vsixmanifest dotnet/aspnetcore#5094)
7de6d85 docs(api): update examples to use async/await (ManualServerShutdown_NoPipeName_ShutsDownServer hangs on linux VSTS dotnet/aspnetcore#5081)
1b2036e typings(selenium): try out new version of typings (Directive usage errors need to appear in runtime too dotnet/aspnetcore#5084)
befb457 chore(bin): update webdriver-manager require to use the cli ([Tracking] Parser improvements feedback dotnet/aspnetcore#5093)
509f1b2 deps(latest): upgrade to the gulp and typescript (Make the debugging experience of the new syntax tree better dotnet/aspnetcore#5089)
2def202 deps(webdriver-manager): use replacement (Add unit tests for the new syntax infrastructure dotnet/aspnetcore#5088)
9d510db chore(test): remove jasmine addMatcher test (Allow Core Razor editor to work in non-project scenarios. dotnet/aspnetcore#5072)
6522e40 chore(cleanup): clean up imports and wdpromises (Implement DocumentSnapshot tracking in VS 4 Mac dotnet/aspnetcore#5073)
3b8f263 chore(ignoreSynchornization): clean up to use waitForAngularEnabled (Syntax for writing a dictionary of attributes onto an element dotnet/aspnetcore#5071)
ffa3519 chore(debugger): remove debugger and explore methods (Make it easier to use static assets that are part of a RCL project dotnet/aspnetcore#5070)
0f7a38a chore(test): error tests fixed (Referenced RCL project is built even though there are no recent changes to it dotnet/aspnetcore#5069)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	626/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.1	Man-in-the-Middle (MitM) SNYK-JS-HTTPSPROXYAGENT-469131	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

…harp/ClientApp/package.json, src/ProjectTemplates/Web.Spa.ProjectTemplates/content/Angular-CSharp/ClientApp/package-lock.json & src/ProjectTemplates/Web.Spa.ProjectTemplates/content/Angular-CSharp/ClientApp/.snyk to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-NODESASS-535497 - https://snyk.io/vuln/SNYK-JS-NODESASS-542662 - https://snyk.io/vuln/SNYK-JS-TRIMNEWLINES-1298042 - https://snyk.io/vuln/npm:jasmine-core:20180216 The following vulnerabilities are fixed with a Snyk patch: - https://snyk.io/vuln/SNYK-JS-HTTPSPROXYAGENT-469131 - https://snyk.io/vuln/SNYK-JS-LODASH-567746

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 6 vulnerabilities #61

[Snyk] Fix for 6 vulnerabilities #61

snyk-bot commented Jul 5, 2021

[Snyk] Fix for 6 vulnerabilities #61

Are you sure you want to change the base?

[Snyk] Fix for 6 vulnerabilities #61

Conversation

snyk-bot commented Jul 5, 2021

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

With a Snyk patch: