
[Snyk] Fix for 1 vulnerabilities #22

Open. Wants to merge 1 commit into base: master

Conversation

snyk-bot

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • deps/npm/package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity         | Priority Score (*) | Issue                                          | Breaking Change | Exploit Maturity
-----------------|--------------------|------------------------------------------------|-----------------|-----------------
medium severity  | 658/1000           | Regular Expression Denial of Service (ReDoS)   | Yes             | Proof of Concept
                 |                    | SNYK-JS-HOSTEDGITINFO-1088355                  |                 |

Why this score? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: hosted-git-info The new version differs by 28 commits.
  • a810463 chore(release): 3.0.8
  • bede0dc fix: simplify the regular expression for shortcut matching
  • afe2808 chore(release): 3.0.7
  • eb5bd5a fix: correctly filter out urls for tarballs in gitlab
  • d30f96e chore(release): 3.0.6
  • c067102 fix: support to github gist legacy hash length
  • c53c6ab chore(release): 3.0.5
  • 167cef2 chore: properly advertise version support
  • 47c931e update lru-cache to latest
  • 8e0b0ec chore(release): 3.0.4
  • 0835306 fix: Do not pass scp-style URLs to the WhatWG url.URL
  • 6f39e93 chore(release): 3.0.3
  • 31140a7 Ensure passwords in hosted Git URLs are correctly escaped
  • 4636ac9 chore(release): 3.0.2
  • 3e5fbec fix: do not encodeURIComponent the domain
  • 97c8caa chore(release): 3.0.1
  • e3e3054 fix: update pathmatch for gitlab
  • af4835c test: added script to get coverage report
  • d04239b test: removed unused testing structure
  • 4693b9c test: moved all github url tests together
  • a03d51e test: added refactored tests for bitbucket
  • 0aea712 test: added ignore; for 100% testing (this seems wonky)
  • b473c55 test: added basic test for ._fill() method
  • fa87af7 fix: updated pathmatch for gitlab


Package name: init-package-json The new version differs by 21 commits.


Package name: libnpmaccess The new version differs by 28 commits.
  • 9652c2f 4.0.0
  • 3dcfb4f chore: updated CHANGELOG
  • e04c455 chore: removed standard-version as a dep; updated scripts for version/publishing
  • 1732154 fix: pull-request feedback; read full commit message
  • df9cf82 chore: added return types to function docs in README
  • 1f266cb chore: updated README
  • 61398e7 chore: updated test, made case more clear
  • 867137c fix: refactored 'pwrap' function out of code base; use native promises
  • 511f2cf chore: updated package scripts; update CI workflow
  • 4ef719f chore: renamed test/util/ to test/fixture/; tap will ignore now
  • 53b208e chore: linted test file; made tap usage 'better'
  • feb1972 docs: removed opts.Promise from docs; no longer in use
  • da71971 chore: removed travis badge, added github actions badge
  • 113ea98 chore: updated gitignore; includes coverage folder
  • 15a46b8 fix: added default values to params for API functions (with tests)
  • d3d5596 deps: standard-version@7.1.0 (audit fix)
  • 0a596f7 deps: nock@12.0.1 (audit fix)
  • 2d4f909 fix: update return value; add tests
  • c8e7bef deps: npm-registry-fetch@8.0.0
  • 2970999 deps: tap@14.10.6
  • 6ad0662 feat: replace get-stream with minipass
  • df54f9c chore: rename opts.mapJson to opts.mapJSON
  • c4616d9 chore: basic project updates
  • 2894cd2 fix: remove figgy-pudding


Package name: libnpmhook The new version differs by 4 commits.


Package name: libnpmorg The new version differs by 15 commits.
  • 33e705e 2.0.0
  • 38716c0 chore: updated auto publish; removed standard-version as dep
  • 65ce432 docs: updated CHANGELOG for v2.0.0
  • 5c9643f chore: added files property to package.json
  • 54620fb fix: remove unneeded promises; [PR feedback]
  • 36c5330 chore: updated README with GHA badge
  • 4559df9 fix: updated promise return logic; makes code a little easier to grok/read
  • 3aaab1d fix: fixed function return type; added tests to catch a change like this
  • 58081b5 chore: small linting change
  • 8c4ac7f ci: updated GHA workflow; added supporting script to package.json
  • b25d703 chore: basic project updates
  • 79b9c46 fix: remove figgy-pudding
  • d9ca35d chore: remove pr template
  • bb107d0 chore: cleanup badges + contributing
  • 48a8a38 travis: only test on supported node versions


Package name: libnpmsearch The new version differs by 5 commits.


Package name: libnpmteam The new version differs by 28 commits.
  • ad3b0e6 2.0.0
  • ef44cce docs: updated CHANGELOG for v2.0.0
  • cfbf750 chore: updates package.json scripts; mostly for publishing
  • 68342f8 fix: remove unnecessary promises [PR feedback]
  • 25fd13f ci: update scripts and ci.yml to handle coverage better
  • a3d9380 docs: updated README with publish instructions
  • 938c8a4 feat: removed 'standard-version' dependency; updated publish scripts
  • ea19e24 test: added tests; 100% code coverage ✅💯
  • 9e95457 deps: nock@12.0.1
  • 09f241b chore: updated .gitignore; added coverage/
  • 603fc62 fix: refactored out 'pwrap' function
  • 5e6b41e fix: removed get-streams as a dependency
  • 0c51827 deps: npm-registry-fetch@8.0.0
  • 529f6ed feat: removed figgy-pudding as a dependency
  • 57b0cb8 chore: added engines field in package.json
  • c3f93b8 chore: updates due to dependency changes
  • bf416e2 chore: fixed failing linting; because of dep update
  • 7e5696c deps: standard@14.3.1
  • 1bb38d1 deps: tap@14.10.6
  • 04ce7e8 chore: update author field; standardize into string
  • b27599b deps: removed weall* deps; removed referencing scripts
  • a7b3f59 docs: updated README; removed opts.Promise, will be removing
  • 53c1a58 ci: removed travis and appveyor
  • a8caae6 chore: add GH settings; extend from boilerplate


Package name: normalize-package-data The new version differs by 10 commits.


Package name: npm-package-arg The new version differs by 3 commits.


Package name: npm-pick-manifest The new version differs by 2 commits.
  • 405d00b chore(release): 4.0.0
  • 42c76d8 deps: bump npm-package-arg to v7


Package name: npm-registry-fetch The new version differs by 13 commits.
  • 622afb4 chore(release): 5.0.1
  • 7aa14fd deps: update all deps
  • 5764c15 deps: npm-package-arg@7
  • 786f092 chore(release): 5.0.0
  • 41ff216 chore: update travis config
  • 39e5cfe doc: fix badge url
  • 97c1208 chore: update tap, improve offline/prefer-offline tests
  • 82abf26 chore: Add missing tests and clean up dead code
  • 90ac7b1 fix: prefer const in getAuth function
  • e64702e fix: use minizlib instead of core zlib
  • 5cfe30b test: add string query example to test
  • e7286f7 fix!: Use native Promises
  • bb37f20 feat: refactor to use Minipass streams


Package name: pacote The new version differs by 83 commits.
  • ed57e5c 10.1.2
  • d9bce22 git: resolved should be a git+ssh:// url, not just ssh://
  • 84535a3 git: Fall back from tgz to ssh on HTTP errors
  • 7ee23c3 git: make 'from' and 'resolved' consistent and useful
  • 10ff45f update deps to pull in newer hosted-git-info
  • 88beaab Return the requested spec as the 'from' value
  • e5b84f2 test: fix git configs for git 2.23 and above
  • 5a3bfbd typo in bin usage text
  • 04a0f0c Keep home dir out of snapshots
  • ae7c912 10.1.1
  • cb31be8 filter out .swp files from package
  • 43e239d 10.1.0
  • 3d4012a add pacote CLI
  • 99a3f21 update tap
  • dc10617 test: node 13 made errno a number again
  • e516f96 add repository field to package
  • 37f24b3 10.0.0
  • ad72e94 test: use t.testdir() instead of manually creating test dirs
  • a79846e fresh update all deps
  • 2e4482a Improve integrity consistency and handling
  • 9964c7b update tap and minipass-fetch
  • 6460b02 Remove spurious top-level dep on make-fetch-happen
  • 1f4473a Pack and unpack preserving exec perms on all package bins
  • 347c563 Cache manifest as fetcher.package


Package name: read-package-json The new version differs by 8 commits.
  • 9f7049d chore(release): 3.0.0
  • 19d9fbe fix: check-in updated lockfile
  • eef46fa chore: add engines definition
  • 36b7ef7 chore: remove old .travis.yml envs
  • b3a8831 globa@7.1.6
  • fb3ceae json-parse-even-better-errors@2.3.1
  • 78add03 npm-normalize-package-bin@1.0.1
  • 7595d70 normalize-package-data@3.0.0


Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
  • View latest project report
  • Adjust project settings
  • Read more about Snyk's upgrade and patch logic
