[Snyk] Fix for 17 vulnerabilities #63

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

tejzpr wants to merge 1 commit into master from snyk-fix-9dc704c64aead868ea938270ea190df1

Owner

tejzpr commented Feb 7, 2024

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-AMMO-548920	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-COLORSTRING-1082939	Yes	Proof of Concept
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-LOADERUTILS-3043105	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper input validation npm:call:20160705	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:content:20170908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:content:20180305	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	CORS Bypass npm:hapi:20151020	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:hapi:20151223	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Potentially loose security restrictions npm:hapi:20151228	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: boom

The new version differs by 88 commits.

75de579 7.3.0
a236a89 add debug mode to reformat() (webpack loader null gatsbyjs/gatsby#211)
8727b89 Add changelog.md (gatsby develop -> Cannot read property 'indexOf' of undefined gatsbyjs/gatsby#210)
af5dc90 Update README.md
692379a 7.2.2
25d4ab8 Remove engines. Closes Require a whitelist for "page" file types gatsbyjs/gatsby#208
87d4562 misc
9e2c5e4 misc
bf7ee73 7.2.1
8e9e651 Update hoek. Closes Having a svg file inside /pages causes an error gatsbyjs/gatsby#206
2790af3 misc
e11e99e node 11 + cleanup
cb994ed version 7.2.0
c897ab6 424 Failed dependency implementation (Resolve user configured webpack loaders gatsbyjs/gatsby#188)
9681132 docs(readme): clarified `boomify` statusCode default option (Add support for json/yaml/toml pages gatsbyjs/gatsby#187)
9fac0ec Fix spelling mistake (Add "view page source on GitHub" link to starters gatsbyjs/gatsby#182)
e3dc6a9 Corrected minor typo in README.md (gatsby error on c9.io :: npm EPEERINVALID history gatsbyjs/gatsby#180)
3e25415 Fix typo in README ([cli] Running an unknown command doesn't show the help section gatsbyjs/gatsby#178)
55d8996 Test boomify with instanceof
19189a9 7.1.1
310c986 Support instanceof Boom. Closes Make it easy to pick typographic "theme" in blog starter gatsbyjs/gatsby#173
a47d150 7.1.0
9bfefb6 decorate option. Closes Building from HTML source gatsbyjs/gatsby#172
a75a104 Clarified usage of new

See the full diff

Package name: extract-text-webpack-plugin

The new version differs by 177 commits.

cc3ba94 chore(release): 3.0.2
d5a1de2 fix: refer to the `entrypoint` instead of the first `module` (`module.identifier`) (Fixes formatting issue on ordered list in README.md gatsbyjs/gatsby#601)
5286ab2 build(defaults): update to v1.6.0 (Add "2016 JavaScript Rising Stars" gatsbyjs/gatsby#652)
4cfde50 chore(release): 3.0.1
8de6558 fix: get real path from `__filename` instead of `__dirname` (`NS`)
510704f fix(index): stricter check for `shouldExtract !== wasExtracted` (Rendering one type of data file in different ways gatsbyjs/gatsby#605)
6a660f3 docs(README): update install instructions (Glamor server side styles are not loaded gatsbyjs/gatsby#570)
083a6c8 docs(README): add custom `[contenthash]` formats (Add a noscript tag for better DX in develop mode with JS disabled gatsbyjs/gatsby#566)
d7a75fc chore(release): 3.0.0
7ae32d9 refactor: Apply webpack-defaults & webpack 3.x support (Project Amp starter blog gatsbyjs/gatsby#540)
dd43832 fix: add missing `options.ignoreOrder` details in Error message (Relative require from frontmatter gatsbyjs/gatsby#539)
e81b883 chore(release): 2.1.2
8766821 fix(index): resolve schemas relative to `__dirname` (Added blog to README.md gatsbyjs/gatsby#536)
0271b39 chore(release): 2.1.1
e595417 fix: don't extract from common async chunks (Use slice not startsWith as it's poorly supported gatsbyjs/gatsby#508)
a8ae003 chore(package): fix broken links && update devDependencies (Fix hot reloading by making auto-generated route components es6 classes instead of functional components gatsbyjs/gatsby#531)
c3cb091 fix(loader): rm unnecessary `this.cacheable` (caching) (Bad request (400) after new install gatsbyjs/gatsby#530)
eaa5236 docs: rm `RELEASE.md` (Fix hot reloading by making auto-generated route components es6 classes instead of functional components gatsbyjs/gatsby#532)
671e35e chore(package): update `webpack-sources` v0.1.0...1.0.1 (Parse the port to a number if needed, further fixing #524 gatsbyjs/gatsby#526)
dfeb347 fix: validation schema (`schema-utils`) (Trouble with "gatsby develop" command gatsbyjs/gatsby#527)
d0e88d0 docs(README): add lead-in description (Best Practice: RSS and Atom Feeds gatsbyjs/gatsby#517)
58dd5d3 fix: add a not null check for the content property before throwing error (Add stateofjs.com to list of sites gatsbyjs/gatsby#404)
6c50d8e Update README.md (Drop Hapi and use Webpack Dev Server's built-in express server? gatsbyjs/gatsby#469)
c63dc04 docs(README): clarify to set allChunks option when using CommonsChunkPlugin (Compile to static html but allow some custom JS to be proccessed gatsbyjs/gatsby#476)

See the full diff

Package name: hapi

The new version differs by 250 commits.

b8e64d0 Update version
5ced8ae 18.1.0
7578f61 Expose bourne settings. Closes Error: librsvg-2.so.2: cannot enable executable stack as shared object requires: gatsbyjs/gatsby#3917
3378e78 Update dep. Closes Add editorconfig, possibly prettier setup to all official starters gatsbyjs/gatsby#3922
4b59b3f 18.0.1
5f6a00b misc
ccc538d Typo
1af289f Update deps. Closes Errors when adding default import of styled-components through WebPack's ProvidePlugin gatsbyjs/gatsby#3912. Closes Document how to create custom fragments gatsbyjs/gatsby#3914
aa3934f Add IDEs
75756f6 Fix route assert. Closes update odayaka.net to showcase gatsbyjs/gatsby#3909
06a48ea 18.0.0
4da282e Its 2019
4bd7c38 Update deps. Closes Log type conflics when inferring graphql types gatsbyjs/gatsby#3905. Closes Plugin Library build fixes gatsbyjs/gatsby#3906. Closes add info about org-mode transformer plugin gatsbyjs/gatsby#3907. Closes [www] add gatsby-orga starter gatsbyjs/gatsby#3908
3350a5c Refactor cache config. Closes Revert "Use HTTPS over git:// when cloning starters (#3820)" gatsbyjs/gatsby#3876, Closes [Blog/Docs] Zoom bug at 110% – text gets smaller gatsbyjs/gatsby#3904
03e03dc Split request.info.responded to responded and completed. Closes Update [gatsby-plugin-postcss-sass] to process Sass before running PostCSS? gatsbyjs/gatsby#3901
7521468 Coverage
a3a5ca9 Fix close event handling in node 11. Closes Topics/update prismjs language dependencies gatsbyjs/gatsby#3898
7b85840 Fix test
17ca301 Exclude vs
5e91092 Fix test. For Publish our new package template as a standalone tool that everyone can use gatsbyjs/gatsby#3900
89604b0 Merge pull request Publish our new package template as a standalone tool that everyone can use gatsbyjs/gatsby#3900 from AdriVanHoudt/fix-test-803
a4f9121 Merge pull request Styling images when using gatsby-remark-images gatsbyjs/gatsby#3882 from dominykas/validate-cookies-alt
04758ac Update API.md
413290f For Fix markdown table syntax in README gatsbyjs/gatsby#3897

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
🦉 CORS Bypass
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn


          fix: package.json to reduce vulnerabilities

9d31995

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AMMO-548920
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-COLORSTRING-1082939
- https://snyk.io/vuln/SNYK-JS-JSON5-3182856
- https://snyk.io/vuln/SNYK-JS-LOADERUTILS-3042992
- https://snyk.io/vuln/SNYK-JS-LOADERUTILS-3043105
- https://snyk.io/vuln/SNYK-JS-LOADERUTILS-3105943
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
- https://snyk.io/vuln/SNYK-JS-QS-3153490
- https://snyk.io/vuln/npm:call:20160705
- https://snyk.io/vuln/npm:content:20170908
- https://snyk.io/vuln/npm:content:20180305
- https://snyk.io/vuln/npm:hapi:20151020
- https://snyk.io/vuln/npm:hapi:20151223
- https://snyk.io/vuln/npm:hapi:20151228
- https://snyk.io/vuln/npm:hoek:20180212
- https://snyk.io/vuln/npm:qs:20170213

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment