
[Snyk] Fix for 5 vulnerabilities #3937

Closed
wants to merge 1 commit into from

Conversation

snyk-bot

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • test/fixtures/qs-package/node_modules/snyk/node_modules/request/package.json

Vulnerabilities that will be fixed

With an upgrade:

| Severity | Priority Score (*) | Why? | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|---|
| high severity | 696/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) (SNYK-JS-ANSIREGEX-1583908) | Yes | Proof of Concept |
| high severity | 706/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.7 | Remote Memory Exposure (SNYK-JS-BL-608877) | No | Proof of Concept |
| high severity | 584/1000 | Has a fix available, CVSS 7.4 | Regular Expression Denial of Service (ReDoS) (SNYK-JS-HAWK-2808852) | Yes | No Known Exploit |
| medium severity | 636/1000 | Proof of Concept exploit, Has a fix available, CVSS 6.3 | Prototype Pollution (npm:hoek:20180212) | Yes | Proof of Concept |
| medium severity | 576/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.1 | Uninitialized Memory Exposure (npm:tunnel-agent:20170305) | No | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: bl The new version differs by 35 commits.
  • d69edfd 1.2.3
  • 847473a test all branches
  • 0bd87ec Fix uninitialized memory access
  • dc097f3 test newer versions of Node
  • feaaa4c Bumped v1.2.2.
  • 307da45 Merge pull request #51 from rvagg/safe-buffeer
  • cf6b00e Removed node 7 from .travis.yml
  • 4b8f524 Added safe-buffer and updated dependencies
  • 4acbe24 Merge pull request #45 from EdwardBetts/spelling
  • 52ed96c correct spelling mistake
  • d71a2a0 Bumped v1.2.1.
  • 391fd88 Merge pull request #44 from yuri-kilochek/master
  • d4e4e1c Fixed incorrect `.shallowSlice` within single buffer when `start` offset does not fall on buffer boundary.
  • 199e5c1 1.2.0
  • 8a6879f Nits.
  • fa707af Updated license year.
  • 4272d19 Bumped tape dep.
  • 26eb8e9 Added recent node versions to travis.
  • ecc7bda Merge branch 'shallow-slice' of https://github.com/geloescht/bl into v1.2-dev
  • f0e421d Merge branch 'fix-1' of https://github.com/nicolashenry/bl into v1.2-dev
  • b9deb27 Merge branch 'perf-offset' of https://github.com/Nibbler999/bl into v1.2-dev
  • 6afca3b Merge branch 'perf-concat' of https://github.com/Nibbler999/bl into v1.2-dev
  • 771365e Merge branch 'perf-typechecks' of https://github.com/Nibbler999/bl into v1.2-dev
  • 99b4d1e Switch to caret range.

See the full diff

Package name: har-validator The new version differs by 51 commits.
  • 9b372bd feat(cli): remove CLI in favor of using har-cli package
  • ed15905 fix(Error): Error.name should be HARError
  • 89b6486 feat(validator): change validator to the superior AJV
  • 95f9fea test(promises): clean up tests
  • 5858097 feat(node4): better organize the lib directory
  • ddba552 feat(exports): browser object
  • e9512ab docs(README): require example
  • a16db5a feat(module): include header() query() exports
  • ccd70cf Merge pull request #67 from ahmadnassri/greenkeeper/babel-preset-env-0.0.9
  • 40b9d1d chore(package): update babel-preset-env to version 0.0.9
  • 33c2cb3 fix(docs): update to new require paths in docs
  • b500008 build(scripts): remove nyc dependency, use tap directly to generate coverage
  • 0e05b18 chore(package): update echint to version 2.0.0
  • 9c21e4d test(dependency): adding missing dependency
  • 423c578 test(dependencies): tap has built-in reporter formatting now
  • 4926007 build(build): improved build process
  • 2a1ea36 Merge pull request #64 from ahmadnassri/greenkeeper/remove-node-0.10
  • 6dd199e chore: drop support for Node.js 0.10
  • a12fd05 Merge pull request replace node-uuid with uuid #63 from ahmadnassri/greenkeeper-tap-8.0.0
  • eaf66eb chore(package): update tap to version 8.0.0
  • 12239a6 Merge pull request #62 from ahmadnassri/greenkeeper-codeclimate-test-reporter-0.4.0
  • 2bbbf42 chore(package): update codeclimate-test-reporter to version 0.4.0
  • e76c48f Merge pull request #58 from ahmadnassri/greenkeeper-tap-mocha-reporter-3.0.0
  • cb22949 chore(package): update tap-mocha-reporter to version 3.0.0

See the full diff

Package name: hawk The new version differs by 124 commits.

See the full diff

Package name: tunnel-agent The new version differs by 6 commits.

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.


@snyk-bot snyk-bot requested review from a team as code owners September 30, 2022 16:03
@github-actions

Warnings
⚠️

"fix: test/fixtures/qs-package/node_modules/snyk/node_modules/request/package.json to reduce vulnerabilities" is too long. Keep the first line of your commit message under 72 characters.

Generated by 🚫 dangerJS against 288f03f

@JackuB JackuB closed this Sep 30, 2022
@shaniHerz shaniHerz reopened this Oct 4, 2022
@shaniHerz shaniHerz closed this Oct 8, 2022
@darscan darscan deleted the snyk-fix-6282053658f3e94e3e09de0a294489ce branch January 20, 2023 18:19