Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Security upgrade npm from 5.6.0 to 7.0.0 #76

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

Omrisnyk
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • openshift/message-board/message-board-web/package.json
    • openshift/message-board/message-board-web/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 159/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00299, Social Trends: No, Days since published: 806, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.65, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
Yes Proof of Concept
medium severity 61/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00063, Social Trends: No, Days since published: 526, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 1.45, Score Version: V5
Open Redirect
SNYK-JS-GOT-2932019
Yes No Known Exploit
medium severity 63/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00231, Social Trends: No, Days since published: 1015, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.65, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905
Yes Proof of Concept
high severity 239/1000
Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): High, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00606, Social Trends: No, Days since published: 1015, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.79, Likelihood: 2.43, Score Version: V5
Command Injection
SNYK-JS-LODASH-1040724
Yes Proof of Concept
high severity 151/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01362, Social Trends: No, Days since published: 1609, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.67, Score Version: V5
Prototype Pollution
SNYK-JS-LODASH-450202
Yes Proof of Concept
high severity 150/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1193, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.67, Score Version: V5
Prototype Pollution
SNYK-JS-LODASH-608086
Yes Proof of Concept
high severity 149/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00117, Social Trends: No, Days since published: 1760, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.64, Score Version: V5
Prototype Pollution
SNYK-JS-LODASH-73638
Yes Proof of Concept
medium severity 133/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): High, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00317, Social Trends: No, Days since published: 1697, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.2, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-73639
Yes Proof of Concept
medium severity 118/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00063, Social Trends: No, Days since published: 255, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 2.81, Score Version: V5
Server-side Request Forgery (SSRF)
SNYK-JS-REQUEST-3361831
Yes Proof of Concept
medium severity 118/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00173, Social Trends: No, Days since published: 150, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 2.81, Score Version: V5
Prototype Pollution
SNYK-JS-TOUGHCOOKIE-5672873
Yes Proof of Concept
medium severity 140/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00121, Social Trends: No, Days since published: 2112, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.48, Score Version: V5
Prototype Pollution
npm:lodash:20180130
Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: npm
  • 7.0.0 - 2020-10-13

    v7.0.0 (2020-10-12)

    BUG FIXES

    DOCUMENTATION

    DEPENDENCIES

    • 15366a1cf npm-registry-fetch@8.1.5
    • f04a74140 init-package-json@2.0.0
      • 1de21dce0 fix: support dot-separated aliases defined in a .npmrc ini files for init-* configs (@ ruyadorno)
    • a67275cd9 eslint@7.11.0
    • 6fb83b78d hosted-git-info@3.0.6
    • 1ca30cc9b libnpmfund@1.0.0
    • 28a2d2ba4 @ npmcli/arborist@1.0.0
      • npm/rfcs#239 Improve handling of conflicting peerDependencies in transitive dependencies, so that --force will always accept a best effort override, and --strict-peer-deps will fail faster on conflicts.
    • 9306c6833 libnpmfund@1.0.1
    • fafb348ef npm-package-arg@8.1.0
    • 365f2e756 read-package-json@3.0.0
  • 7.0.0-rc.4 - 2020-10-09

    v7.0.0-rc.4 (2020-10-09)

    • 09b456f2d @ npmcli/config@1.2.1
      • #1919 exposes npm_config_user_agent env variable (@ nlf)
    • e859fba9e #1936 fix npx for non-interactive shells (@ nlf)
    • 9320b8e4f #1906 restore old npx behavior of running existing bins first (@ nlf)
    • 7bd47ca2c @ npmcli/arborist@0.0.33
      • fixed handling of invalid package.json file
    • 02737453b make-fetch-happen@8.0.10
      • do not calculate integrity values of http errors
  • 7.0.0-rc.3 - 2020-10-06

    v7.0.0-rc.3 (2020-10-06)

  • 7.0.0-rc.2 - 2020-10-02

    v7.0.0-rc.2 (2020-10-02)

    • 6de81a013 @ npmcli/run-script@1.7.2
      • Fix regression running 'install' scripts when package.json does not contain a scripts object
  • 7.0.0-rc.1 - 2020-10-02

    v7.0.0-rc.1 (2020-10-02)

    • 281a7f39a @ npmcli/arborist@0.0.31
      • Allow npm update to update bundled root dependencies
      • Only do implicit node-gyp build for gyp files named binding.gyp
    • 384f5ec47 update minipass-fetch to fix many 'cb() never called' errors
    • 7b1e75906 @ npmcli/run-script@1.7.1
      • Only do implicit node-gyp build for gyp files named binding.gyp
    • c20e2f0c7 #1892 Support --omit options in npm outdated
  • 7.0.0-rc.0 - 2020-10-01

    v7.0.0-rc.0 (2020-10-01)

  • 7.0.0-beta.13 - 2020-09-29

    v7.0.0-beta.13 (2020-09-29)

  • 7.0.0-beta.12 - 2020-09-22

    v7.0.0-beta.12 (2020-09-22)

    • 24f3a5448 #1811 npm ci should never save package.json or lockfile (@ isaacs)
    • 5e780a5f0 remove unused spec parameter, assign error code (@ nlf)
    • f019a248a Remove unused npx binary (@ isaacs)
    • db157b3ce @ npmcli/arborist@0.0.27
      • Resolve race condition with conflicting bin links in local installs
      • #1812 Log engine mismatches more usefully
      • #1814 Do not loop trying to resolve dependencies that fail to load
      • npm/rfcs#224 Do not automatically install optional peer dependencies
      • Add the strictPeerDeps option, defaulting to false
      • fix forwarding configs to resolve pkg spec when adding new deps
    • b3a50d275 #1846 @ npmcli/run-script@1.6.0
      • This updates node-gyp to v7, allowing us to deduplicate a lot of significant dependencies.
    • a1d375f6b #1819 Add --strict-peer-deps option (@ isaacs)
    • 5837a4843 #1699 Use allow/deny list in docs (@ luciomartinez)
  • 7.0.0-beta.11 - 2020-09-16

    v7.0.0-beta.11 (2020-09-16)

    • 63005f4a9 #1639 npm view should not output extra newline (@ MylesBorins)
    • 3743a42c8 #1750 add outdated tests (@ claudiahdz)
    • 2019abdf1 #1786 add lib/link.js tests (@ ruyadorno)
    • 2f8d11968 @ npmcli/arborist@0.0.25
      • add meta vulnerability calculator for faster audits
      • changed parsing specs to be relative to cwd
      • fix logging script execution
      • fix properly following resolved symlinks
      • fix package.json dependencies order
    • 49b2bf5a7 @ npmcli/config@1.1.8
      • fix unkown envs to be passed through
      • fix setting correct globalPrefix on load
    • f9aac351d libnpmversion@1.0.5
      • fix git ignored lockfiles
  • 7.0.0-beta.10 - 2020-09-08

    v7.0.0-beta.10 (2020-09-08)

  • 7.0.0-beta.9 - 2020-09-04
  • 7.0.0-beta.8 - 2020-09-01
  • 7.0.0-beta.7 - 2020-08-25
  • 7.0.0-beta.6 - 2020-08-21
  • 7.0.0-beta.5 - 2020-08-18
  • 7.0.0-beta.4 - 2020-08-11
  • 7.0.0-beta.3 - 2020-08-10
  • 7.0.0-beta.2 - 2020-08-07
  • 7.0.0-beta.1 - 2020-08-05
  • 7.0.0-beta.0 - 2020-08-04
  • 6.14.18 - 2022-12-21
  • 6.14.17 - 2022-04-28
  • 6.14.16 - 2022-01-19
  • 6.14.15 - 2021-08-24
  • 6.14.14 - 2021-07-27
  • 6.14.13 - 2021-04-12
  • 6.14.12 - 2021-03-25
  • 6.14.11 - 2021-01-08
  • 6.14.10 - 2020-12-18
  • 6.14.9 - 2020-11-20
  • 6.14.8 - 2020-08-17
  • 6.14.7 - 2020-07-21
  • 6.14.6 - 2020-07-07
  • 6.14.5 - 2020-05-04
  • 6.14.4 - 2020-03-25
  • 6.14.3 - 2020-03-19
  • 6.14.2 - 2020-03-03
  • 6.14.1 - 2020-02-27
  • 6.14.0 - 2020-02-25
  • 6.13.7 - 2020-01-28
  • 6.13.6 - 2020-01-09
  • 6.13.5 - 2020-01-09
  • 6.13.4 - 2019-12-11
  • 6.13.3 - 2019-12-10
  • 6.13.2 - 2019-12-03
  • 6.13.1 - 2019-11-18
  • 6.13.0 - 2019-11-05
  • 6.12.1 - 2019-10-29
  • 6.12.0 - 2019-10-08
  • 6.12.0-next.0 - 2019-09-26
  • 6.11.3 - 2019-09-03
  • 6.11.2 - 2019-08-22
  • 6.11.1 - 2019-08-21
  • 6.11.0 - 2019-08-20
  • 6.10.3 - 2019-08-06
  • 6.10.2 - 2019-07-23
  • 6.10.2-next.3 - 2019-07-22
  • 6.10.2-next.2 - 2019-07-21
  • 6.10.2-next.1 - 2019-07-17
  • 6.10.2-next.0 - 2019-07-16
  • 6.10.1 - 2019-07-11
  • 6.10.1-next.2 - 2019-07-10
  • 6.10.1-next.1 - 2019-07-03
  • 6.10.1-next.0 - 2019-07-03
  • 6.10.0 - 2019-07-03
  • 6.10.0-next.0 - 2019-07-01
  • 6.9.2 - 2019-06-27
  • 6.9.1-next.0 - 2019-03-20
  • 6.9.0 - 2019-03-06
  • 6.9.0-next.0 - 2019-02-21
  • 6.8.0 - 2019-02-13
  • 6.8.0-next.2 - 2019-02-07
  • 6.8.0-next.1 - 2019-02-06
  • 6.8.0-next.0 - 2019-01-31
  • 6.7.0 - 2019-01-23
  • 6.6.0 - 2019-01-17
  • 6.6.0-next.1 - 2019-01-10
  • 6.6.0-next.0 - 2018-12-12
  • 6.5.0 - 2018-12-10
  • 6.5.0-next.0 - 2018-11-28
  • 6.4.1 - 2018-08-29
  • 6.4.1-next.0 - 2018-08-23
  • 6.4.0 - 2018-08-15
  • 6.4.0-next.0 - 2018-08-09
  • 6.3.0 - 2018-08-02
  • 6.3.0-next.0 - 2018-07-25
  • 6.2.0 - 2018-07-14
  • 6.2.0-next.1 - 2018-07-05
  • 6.2.0-next.0 - 2018-06-29
  • 6.1.0 - 2018-05-24
  • 6.1.0-next.0 - 2018-05-17
  • 6.0.1 - 2018-05-10
  • 6.0.1-next.0 - 2018-05-04
  • 6.0.0 - 2018-04-24
  • 6.0.0-next.2 - 2018-04-21
  • 6.0.0-next.1 - 2018-04-13
  • 6.0.0-next.0 - 2018-03-23
  • 5.10.0 - 2018-05-11
  • 5.10.0-next.1 - 2018-05-07
  • 5.10.0-next.0 - 2018-04-13
  • 5.9.0-next.0 - 2018-03-23
  • 5.8.0 - 2018-03-23
  • 5.8.0-next.0 - 2018-03-13
  • 5.7.1 - 2018-02-22
  • 5.7.0 - 2018-02-21
  • 5.6.0 - 2017-11-28
from npm GitHub release notes
Commit messages
Package name: npm The new version differs by 250 commits.
  • 3b4ba65 7.0.0
  • bbfc75d chore: fix weird .gitignore thing that happened somehow
  • 8a2d375 docs: changelog for v7.0.0
  • 365f2e7 read-package-json@3.0.0
  • fafb348 npm-package-arg@8.1.0
  • 9306c68 libnpmfund@1.0.1
  • 569cd64 libnpmfund@1.0.0
  • ac9fde7 Integration code for @ npmcli/arborist@1.0.0
  • 704b9cd @ npmcli/arborist@1.0.0
  • 3955bb9 hosted-git-info@3.0.6
  • da240ef fix: patch config.js to remove duplicate values
  • 9ae45a8 init-package-json@2.0.0
  • 41ab36d eslint@7.11.0
  • c474a15 npm-registry-fetch@8.1.5
  • efc6786 fix: make sure publishConfig is passed through
  • 1e4e6e9 docs: v7 using npm config refresh
  • 5c1c2da fix: init config aliases
  • 5bc7eb2 docs: v7 npm-install refresh
  • 1a35d87 7.0.0-rc.4
  • 7a5a557 docs: changelog for v7.0.0-rc.4
  • f0cf859 chore: dedupe deps
  • 0273745 make-fetch-happen@8.0.10
  • 7bd47ca @ npmcli/arborist@0.0.33
  • 9320b8e only escape arguments, not the command name

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Open Redirect
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants