From 958325668c11bb89061f054dbedf72ac26960634 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Fri, 1 Sep 2023 18:44:07 +0000 Subject: [PATCH] fix: goof-yarn/package.json, goof-yarn/yarn.lock & goof-yarn/.snyk to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-KERBEROS-568900 The following vulnerabilities are fixed with a Snyk patch: - https://snyk.io/vuln/npm:hawk:20160119 - https://snyk.io/vuln/npm:http-signature:20150122 - https://snyk.io/vuln/npm:mime:20170907 --- goof-yarn/.snyk | 20 ++++++++++++++++++ goof-yarn/package.json | 12 +++++++---- goof-yarn/yarn.lock | 47 +++++++++++++++++------------------------- 3 files changed, 47 insertions(+), 32 deletions(-) create mode 100644 goof-yarn/.snyk diff --git a/goof-yarn/.snyk b/goof-yarn/.snyk new file mode 100644 index 000000000..c2dd6a2e3 --- /dev/null +++ b/goof-yarn/.snyk @@ -0,0 +1,20 @@ +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities. +version: v1.25.1 +ignore: {} +# patches apply the minimum changes required to fix a vulnerability +patch: + 'npm:hawk:20160119': + - tap > codecov.io > request > hawk: + patched: '2023-09-01T18:43:51.608Z' + id: 'npm:hawk:20160119' + path: tap > codecov.io > request > hawk + 'npm:http-signature:20150122': + - tap > codecov.io > request > http-signature: + patched: '2023-09-01T18:43:51.608Z' + id: 'npm:http-signature:20150122' + path: tap > codecov.io > request > http-signature + 'npm:mime:20170907': + - tap > codecov.io > request > form-data > mime: + patched: '2023-09-01T18:43:51.608Z' + id: 'npm:mime:20170907' + path: tap > codecov.io > request > form-data > mime diff --git a/goof-yarn/package.json b/goof-yarn/package.json index 2300e7e8a..aa1f56646 100644 --- a/goof-yarn/package.json +++ b/goof-yarn/package.json @@ -10,7 +10,9 @@ "scripts": { "start": "node app.js", "build": "browserify -r jquery > public/js/bundle.js", - "cleanup": "mongo express-todo --eval 'db.todos.remove({});'" + "cleanup": "mongo express-todo --eval 'db.todos.remove({});'", + "prepare": "yarn run snyk-protect", + "snyk-protect": "snyk-protect" }, "engines": { "node": "6.14.1" @@ -32,7 +34,7 @@ "marked": "0.3.5", "method-override": "latest", "moment": "2.15.1", - "mongoose": "4.2.4", + "mongoose": "4.2.5", "morgan": "latest", "ms": "^0.7.1", "npmconf": "0.0.24", @@ -41,9 +43,11 @@ "stream-buffers": "^3.0.1", "tap": "^5.7.0", "adm-zip": "0.4.7", - "file-type": "^8.1.0" + "file-type": "^8.1.0", + "@snyk/protect": "latest" }, "devDependencies": { "browserify": "^13.1.1" - } + }, + "snyk": true } diff --git a/goof-yarn/yarn.lock b/goof-yarn/yarn.lock index 0d71fe809..cf0007d99 100644 --- a/goof-yarn/yarn.lock +++ b/goof-yarn/yarn.lock @@ -2,6 +2,11 @@ # yarn lockfile v1 +"@snyk/protect@^1.1209.0": + version "1.1209.0" + resolved "https://registry.yarnpkg.com/@snyk/protect/-/protect-1.1209.0.tgz#9e938362cf684576ead289916274cf8bd5f4e0ce" + integrity sha512-E370Imyh7tnkgaYJdjL+Skb7thgcPcSiIISbUhA6/ZtjKGzGLveLXGAjID9nQlizoO+P+D3UfssnE16GJZjWPw== + JSONStream@^1.0.3: version "1.3.5" resolved "https://registry.yarnpkg.com/JSONStream/-/JSONStream-1.3.5.tgz#3208c1f08d3a4d99261ab64f92302bc15e111ca0" @@ -1905,13 +1910,6 @@ kareem@1.0.1: resolved "https://registry.yarnpkg.com/kareem/-/kareem-1.0.1.tgz#7805d215bb53214ec3af969a1d0b1f17e3e7b95c" integrity sha1-eAXSFbtTIU7Dr5aaHQsfF+PnuVw= -kerberos@~0.0: - version "0.0.24" - resolved "https://registry.yarnpkg.com/kerberos/-/kerberos-0.0.24.tgz#67e5fe0f0dbe240a505eb45de411d6031e7b381b" - integrity sha512-QO6bFq9eETHB5zcA0OJiQtw137TH45OuUcGtI+QGg2ZJQIPCvwXL2kjCqZZMColcIdbPhj4X40EY5f3oOiBfiw== - dependencies: - nan "~2.10.0" - kind-of@^3.0.2: version "3.2.2" resolved "https://registry.yarnpkg.com/kind-of/-/kind-of-3.2.2.tgz#31ea21a734bab9bbb0f32466d893aea51e4a3c64" @@ -2189,34 +2187,32 @@ moment@2.15.1: resolved "https://registry.yarnpkg.com/moment/-/moment-2.15.1.tgz#e979c2a29e22888e60f396f2220a6118f85cd94c" integrity sha1-6XnCop4iiI5g85byIgphGPhc2Uw= -mongodb-core@1.2.19: - version "1.2.19" - resolved "https://registry.yarnpkg.com/mongodb-core/-/mongodb-core-1.2.19.tgz#fcb35f6b6abc5c3de1f1a4a5db526b9e306f3eb7" - integrity sha1-/LNfa2q8XD3h8aSl21JrnjBvPrc= +mongodb-core@1.2.21: + version "1.2.21" + resolved "https://registry.yarnpkg.com/mongodb-core/-/mongodb-core-1.2.21.tgz#3bcbccd31147b8cf0134c0da52675f121b1ea3fb" + integrity sha512-BoUwbWKWgVO58WoVwsdDmVcxvRU5ss1MlVvfzzVARzPkRbe7bV1pKLvHzJPfrJdXL9Vrikq6gS0OxY1gaVUnVA== dependencies: bson "~0.4.19" - optionalDependencies: - kerberos "~0.0" -mongodb@2.0.46: - version "2.0.46" - resolved "https://registry.yarnpkg.com/mongodb/-/mongodb-2.0.46.tgz#b1b857465e45e259b1e0e033698341a64cb93559" - integrity sha1-sbhXRl5F4lmx4OAzaYNBpky5NVk= +mongodb@2.0.48: + version "2.0.48" + resolved "https://registry.yarnpkg.com/mongodb/-/mongodb-2.0.48.tgz#f0eee445e8f2241c4b96658b8697e17ddabb9da3" + integrity sha512-v9WAjHBXg9kfICEzdS4wbQbCjZnbCEWtEETbe44Tj6W5i3gULiyW2piYAAVwzWSRHblJhssvpHlpeDjeTsh8Ug== dependencies: es6-promise "2.1.1" - mongodb-core "1.2.19" + mongodb-core "1.2.21" readable-stream "1.0.31" -mongoose@4.2.4: - version "4.2.4" - resolved "https://registry.yarnpkg.com/mongoose/-/mongoose-4.2.4.tgz#e2f8c007dd838f6633b4f6c965ba92a232ac9317" - integrity sha1-4vjAB92Dj2YztPbJZbqSojKskxc= +mongoose@4.2.5: + version "4.2.5" + resolved "https://registry.yarnpkg.com/mongoose/-/mongoose-4.2.5.tgz#563a3d5b8e90fb107eb15f95471c70630638fb7e" + integrity sha512-Q8c5bgfO8Gr6nYOiGKZdboFYFZ6vHntfsVHWCTgUpdbQxfCcYvH8DQRiMxGzZEB2yjj6pWobK8khsELG0qvYAA== dependencies: async "0.9.0" bson "~0.4.18" hooks-fixed "1.1.0" kareem "1.0.1" - mongodb "2.0.46" + mongodb "2.0.48" mpath "0.1.1" mpromise "0.5.4" mquery "1.6.3" @@ -2281,11 +2277,6 @@ muri@1.0.0: resolved "https://registry.yarnpkg.com/muri/-/muri-1.0.0.tgz#de3bf6bd71d67eae71d76689b950d2de118695c6" integrity sha1-3jv2vXHWfq5x12aJuVDS3hGGlcY= -nan@~2.10.0: - version "2.10.0" - resolved "https://registry.yarnpkg.com/nan/-/nan-2.10.0.tgz#96d0cd610ebd58d4b4de9cc0c6828cda99c7548f" - integrity sha512-bAdJv7fBLhWC+/Bls0Oza+mvTaNQtP+1RyhhhvD95pgUJz6XM5IzgmxOkItJ9tkoCiplvAnXI1tNmmUD/eScyA== - negotiator@0.4.9: version "0.4.9" resolved "https://registry.yarnpkg.com/negotiator/-/negotiator-0.4.9.tgz#92e46b6db53c7e421ed64a2bc94f08be7630df3f"