New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 14 vulnerabilities #16

Open

snyk-bot wants to merge 1 commit into master from snyk-fix-d3dcf60d8027a1b5629b74c577f33c51

snyk-bot commented Aug 19, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

⚠️

Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	No	No Known Exploit
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary Code Injection SNYK-JS-JSON-1082930	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKDOWNIT-2331914	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	No	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	No	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	No	No Known Exploit
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: json

The new version differs by 6 commits.

e08c868 11.0.0
0672aad fix test suite for new '-d DELIM' tests for node >=12
4a69ea3 doc, fix tests, and improve errors for '-d DELIM' change in Find parent .nrepl-port file BetterThanTomorrow/calva#150
4114e32 Fix Code injection in `-d DELIM` through use of eval (Find parent .nrepl-port file BetterThanTomorrow/calva#150)
27e1ad7 update devDeps to latest version; regen 'json_parse' with latest uglify-js version (tests still pass)
ffeaab4 bump semver (Thoughts on integrating with/adding stuff from clj-refactor BetterThanTomorrow/calva#137) and fix tools/perf.js

See the full diff

Package name: minimist

The new version differs by 4 commits.

7efb22a 1.2.6
ef88b93 security notice for additional prototype pollution issue
c2b9819 isConstructorOrProto adapted from PR
bc8ecee test from prototype pollution PR

See the full diff

Package name: node-gyp

The new version differs by 250 commits.

f5fa6b8 chore: release 8.4.1
cc37b88 fix: windows command missing space (Error: "spawn EINVAL" on vscode with shadow-cljs - CVE-2024-27980 related? BetterThanTomorrow/calva#2553)
8083f6b deps: npmlog@6.0.0
787cf7f docs: fix typo in powershell node-gyp update
7073c65 chore: release 8.4.0
a27dc08 feat: build with config.gypi from node headers
5a00387 feat: support vs2022 (Replace Current Form (or Selection) with Pretty Printed Form also sorts map entries alphabetically by key BetterThanTomorrow/calva#2533)
fb85fb2 chore: release 8.3.0
5585792 feat(gyp): update gyp to v0.10.0 (Make list items in the inspector get a bit easier to read BetterThanTomorrow/calva#2521)
b05b4fe chore(deps): bump make-fetch-happen from 8.0.14 to 9.1.0
0a67dcd test: Python 3.10 was release on Oct. 4th (Update default Jack-in nrepl dependencies nrepl 1.1.1, cider-nrepl 0.47.1 BetterThanTomorrow/calva#2504)
f2ad87f chore: refactor the creation of config.gypi file
bc47cd6 chore: release 8.2.0
ed9a9ed feat(gyp): update gyp to v0.9.6 (WIP: Add webview output experience BetterThanTomorrow/calva#2481)
660dd7b doc: correct link to "binding.gyp files out in the wild" (Add a separator line between evaluation outputs to the Output terminal BetterThanTomorrow/calva#2483)
ec15a3e chore(deps): bump tar from 6.1.0 to 6.1.2 (Paredit Multicursor - Rewrap BetterThanTomorrow/calva#2474)
78361b3 ISSUE_TEMPLATE.md: Instructions for old versions (Add legacy opt-in for printing bare stdout to the REPL Window BetterThanTomorrow/calva#2470)
f0882b1 fix: missing spaces
c8c0af7 fix: doc how to update node-gyp independently from npm
b6e1cc7 Add title to node-gyp version document (Add a Terminal output destination option BetterThanTomorrow/calva#2452)
b7bccdb ci: GitHub Actions Test on node: [12.x, 14.x, 16.x] (2436 show output channel BetterThanTomorrow/calva#2439)
161c235 doc(wiki): safer doc names, remove unnecessary TypedArray doc
b52e487 doc(wiki): link to docs/ from README
f0a4835 doc(wiki): move wiki docs into doc/

See the full diff

Package name: nodemon

The new version differs by 98 commits.

27e91c3 fix: update packge-lock
0144e4f fix: bump update-notifier to v6.0.0 (REPL eval errors omit important info and are hard to parse BetterThanTomorrow/calva#2029)
c870342 chore: update supporters
5c0b472 chore: add supporter
e26aaa9 fix: support windows by using path.delimiter
9d1afd7 docs: add syntax highlighting to sample-nodemon.md (Exception thrown is not being returned in editor BetterThanTomorrow/calva#1982) (Deftype formatter issue BetterThanTomorrow/calva#2004)
de5d32a docs: Unified Node.js capitalization (1985 webpack cli crash BetterThanTomorrow/calva#1986)
e890927 docs: add note to faq with example showing how to watch any file extension (Newline lacking before results when evaluating at the REPL prompt BetterThanTomorrow/calva#1931)
bc4547b chore: update sponsors
07159c5 chore: add supporters
cd100da chore: update supporters
6a34922 chore: supporters
e5d6067 chore: updating supporters
242f9f7 Merge branch 'main' of github.com:remy/nodemon
141e58c chore: update supporters
53422af ci(release): workflow uses 'npm' cache (Calva does not fall back on lsp definitions when nrepl definitions fail BetterThanTomorrow/calva#1933)
581c641 ci(node.js): workflow uses 'npm' cache (Cleanup as line comments BetterThanTomorrow/calva#1934)
cb1c8b9 docs: Fix typo in faq.md (note on shortcut conflict in custom commands BetterThanTomorrow/calva#1950)
54784ab fix: bump prod dep versions
26db983 chore: update supporters
61e7abd fix: add windows signals SIGUSR2 & SIGUSR1 to terminate the process (Don't add extra lines for output in default message handler BetterThanTomorrow/calva#1938)
b449171 docs: Fix typo in faq.md
0a3175f chore: update supporters
18516d8 chore: add supporter

See the full diff

Package name: tar

The new version differs by 27 commits.

3e35515 4.4.18
52b09e3 fix: prevent path escape using drive-relative paths
bb93ba2 fix: reserve paths properly for unicode, windows
2f1bca0 fix: prune dirCache properly for unicode, windows
9bf70a8 4.4.17
6aafff0 fix: skip extract if linkpath is stripped entirely
5c5059a fix: reserve paths case-insensitively
fd6accb 4.4.16
53cea6e tests: run (and pass) on windows
166cfc0 fix: refactoring to pass tests on Windows
ce5148e fix: refactoring to pass tests on Windows
3f2e2da fix: normalize paths on Windows systems
e29a665 fix: properly prefix hard links
fd2a38d chore: WriteEntry cleaner write() handling
7b2acc5 update deps
83bb22c WriteEntry backpressure
0dcc5b2 chore: track fs state on WriteEntry class, not in arguments
adf3511 Avoid an unlikely but theoretically possible redos
d688cad fix: properly handle top-level files when using strip
ea6f254 unpack: keep path reservations longer
b2a97e1 Address unpack race conditions using path reservations
f0fe3aa basic path reservation system
843c897 4.4.15
46fe350 Remove paths from dirCache when no longer dirs

See the full diff

Package name: vsce

The new version differs by 250 commits.

9b2b16b fix: force fix release due to markdown-it
3ab7de2 build: ⬆️ update markdown-it
507fd82 fix: add preRelease flag to api (Improve docs for complete beginners to Clojure/ClojureScript BetterThanTomorrow/calva#679)
d81a42f fix: docker base image needs be at latest `node:14-alpine` (Formatting a specific file causes some shortcuts to stop working BetterThanTomorrow/calva#651)
e53c78d fix: entrypoint validation without js tag ([Feature Request]: Add support for Figwheel configuration {:target :bundle} BetterThanTomorrow/calva#676)
dc68cc8 feat: sanity check to validate entrypoints (Debug decorations are breaking after stepping through code during debug session BetterThanTomorrow/calva#669)
f4a8264 validate the package if pre-release flag is passed (Provide alternative default keybindings for Windows BetterThanTomorrow/calva#666)
e5af890 fix: 🐛 publishing with version should check for the right version
12586ed Merge pull request Stop tokenizing reader tags as part of forms BetterThanTomorrow/calva#668 from microsoft/TylerLeonhardt/only-enforce-major-minor
63c89ae fix: typo
4cf4c73 fix: only enforce major and minor version of types check
f710e83 Merge pull request Give the inString lexer a junk terminal BetterThanTomorrow/calva#660 from microsoft/sandy081/prerelease-validate-engine
e675eca refactor: undo
ba006e3 fix: validate engine for prereleases
2c60208 Merge pull request WIP: Terminal Jack-in BetterThanTomorrow/calva#654 from microsoft/sandy081/preReleases
376a6a8 test: add tests
dc4cf1b feat: add --pre-release flag and support
4d571f2 feat(api): ✨ add target options to API
6a0c946 feat: error when publishing an extension that uses `enabledApiProposals`
a38657e fix: package should not check for publisher
7182692 feat: allow config via package.json for vsce package/publish
afa459f feat: add --no-rewrite-relative-links
35e9716 fix: validate version with prerelease at publish time
525f2fc docs: add conventional commit badge

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect
🦉 Arbitrary Code Injection
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn


          fix: package.json & .snyk to reduce vulnerabilities

5decfc2

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-GOT-2932019
- https://snyk.io/vuln/SNYK-JS-JSON-1082930
- https://snyk.io/vuln/SNYK-JS-MARKDOWNIT-2331914
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-TAR-1536528
- https://snyk.io/vuln/SNYK-JS-TAR-1536531
- https://snyk.io/vuln/SNYK-JS-TAR-1536758
- https://snyk.io/vuln/SNYK-JS-TAR-1579147
- https://snyk.io/vuln/SNYK-JS-TAR-1579152
- https://snyk.io/vuln/SNYK-JS-TAR-1579155
- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
- https://snyk.io/vuln/SNYK-JS-WS-1296835


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/SNYK-JS-LODASH-567746

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet