Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Security upgrade npm from 5.6.0 to 7.21.0 #77

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

Omrisnyk
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • openshift/message-board/message-board-web/package.json
    • openshift/message-board/message-board-web/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 125/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 0, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.08, Score Version: V5
Missing Release of Resource after Effective Lifetime
SNYK-JS-INFLIGHT-6095116
Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: npm
  • 7.21.0 - 2021-08-19

    v7.21.0 (2021-08-19)

    FEATURES

    BUG FIXES

    DEPENDENCIES

    • df57f0d53 @ npmcli/run-script@1.8.6
    • 8183976cf normalize-package-data@3.0.3:
      • fix: account for "licence" as spelling variant
    • f07772401 init-package-json@2.0.4
    • 991a3bd39 read-package-json@4.0.0
    • e9e5ee560 @ npmcli/arborist@2.8.2:
      • fix: treat top-level global packages as "top" nodes
      • fix: load global symlinks implicitly as file: deps
      • fix(reify): debug crash when extracting into symlink
      • fix: node_modules must be a directory
      • fix: make Node.children() a case-insensitive Map
      • fix(reify): verify existing deps in nm are dirs
    • b6f40b5f8 tar@6.1.10:
      • fix: prune dirCache properly for unicode, windows
      • fix: reserve paths properly for unicode, windows
      • fix: prevent path escape using drive-relative paths
      • fix: drop dirCache for symlink on all platforms
    • 218cacadc is-core-module@2.6.0
    • 7ac621cd1 smart-buffer@4.2.0
    • 94f92de13 make-fetch-happen@9.0.5
    • 71cdfd898 spdx-license-ids@3.0.10:
      • update license list to v3.14
  • 7.20.6 - 2021-08-12

    v7.20.6 (2021-08-12)

    DEPENDENCIES

    • 5bebf280f tar@6.1.8
      • fix: reserve paths case-insensitively
    • 5d89de44d tar@6.1.7:
      • fix: normalize paths on Windows systems
    • a1bdbea97 #3569 remove byte-size (@ wraithgar)
    • 61782fa85 @ npmcli/map-workspaces@1.0.4:
      • fix: better error message for duplicate workspace names
    • b88f770fa @ npmcli/arborist@2.8.1:
      • [#3632] Fix "cannot read property path of null" error in 'npm dedupe'
      • fix(shrinkwrap): always set name on the root node

    DOCUMENTATION

  • 7.20.5 - 2021-08-05

    v7.20.5 (2021-08-05)

    DEPENDENCIES

    • 44377738e graceful-fs@4.2.8
      • fix: start retrying immediately, stop after 60 seconds
  • 7.20.4 - 2021-08-05

    v7.20.4 (2021-08-05)

    BUG FIXES

    DEPENDENCIES

    • 15fae4941 tar@6.1.6:
      • fix: properly handle top-level files when using strip
      • Avoid an unlikely but theoretically possible redos
      • WriteEntry backpressure
      • fix(unpack): always resume parsing after an entry error
      • fix(unpack): fix hang on large file on open() fail
      • fix: properly prefix hard links
    • 745326de0 libnpmexec@2.0.1:
      • Clear progress bar which overlays confirm prompt
    • e82bcd4e8 graceful-fs@4.2.7:
      • fix: start retrying immediately, stop after 10 attempts
  • 7.20.3 - 2021-07-29

    v7.20.3 (2021-07-29)

    BUG FIXES

    DEPENDENCIES

    • 97cb5ec31 @ npmcli/arborist@2.8.0:
      • Refactor ideal tree building to handle more complicated
        peerDependencies use cases.
      • Do not modify ideal tree while checking if a peerSet can be placed.
    • 7db1a0a26 chore(deps): mime-types@1.49.0 mime-db@1.49.0
  • 7.20.2 - 2021-07-27

    v7.20.2 (2021-07-27)

    DEPENDENCIES

    • f5aab1f88 tar@6.1.1
      • fix: strip absolute paths more comprehensively
    • ce8fb0f69 tar@6.1.2
      • fix: Remove paths from dirCache when no longer dirs
    • ced85087a gauge@3.0.1
      • add missing dependency to package.json
  • 7.20.1 - 2021-07-22

    BUG FIXES

    DOCUMENTATION

    DEPENDENCIES

  • 7.20.0 - 2021-07-15

    v7.20.0 (2021-07-15)

    FEATURES

    BUG FIXES

    DOCUMENTATION

    DEPENDENCIES

    • 691816f3d @ npmcli/arborist@2.7.1
      • fixes running prepare scripts for workspaces on reify
      • ensure pacote always compares correct integrity values
    • b9597e944 make-fetch-happen@9.0.4
      • fix: retry socket timeout failures
      • fix: clean up invalid indexes and content after cacache read errors
    • f573e7c56 minipass-fetch@1.3.4
      • fix: correctly handle error events that happen after response events
    • 2d5797ea0 pacote@11.3.5
      • fix: show more actionable messages for git pathspec errors
      • fix: include all dep types when building for prepare
      • fix: do not set mtime when unpacking
  • 7.19.1 - 2021-07-01
  • 7.19.0 - 2021-06-24
  • 7.18.1 - 2021-06-17
  • 7.18.0 - 2021-06-17
  • 7.17.0 - 2021-06-10
  • 7.16.0 - 2021-06-03
  • 7.15.1 - 2021-05-31
  • 7.15.0 - 2021-05-27
  • 7.14.0 - 2021-05-20
  • 7.13.0 - 2021-05-13
  • 7.12.1 - 2021-05-10
  • 7.12.0 - 2021-05-06
  • 7.11.2 - 2021-04-29
  • 7.11.1 - 2021-04-23
  • 7.11.0 - 2021-04-23
  • 7.10.0 - 2021-04-15
  • 7.9.0 - 2021-04-08
  • 7.8.0 - 2021-04-01
  • 7.7.6 - 2021-03-29
  • 7.7.5 - 2021-03-25
  • 7.7.4 - 2021-03-24
  • 7.7.3 - 2021-03-24
  • 7.7.2 - 2021-03-24
  • 7.7.1 - 2021-03-24
  • 7.7.0 - 2021-03-23
  • 7.6.3 - 2021-03-11
  • 7.6.2 - 2021-03-09
  • 7.6.1 - 2021-03-04
  • 7.6.0 - 2021-02-25
  • 7.5.6 - 2021-02-22
  • 7.5.5 - 2021-02-22
  • 7.5.4 - 2021-02-12
  • 7.5.3 - 2021-02-08
  • 7.5.2 - 2021-02-02
  • 7.5.1 - 2021-02-01
  • 7.5.0 - 2021-01-28
  • 7.4.3 - 2021-01-21
  • 7.4.2 - 2021-01-15
  • 7.4.1 - 2021-01-14
  • 7.4.0 - 2021-01-07
  • 7.3.0 - 2020-12-18
  • 7.2.0 - 2020-12-15
  • 7.1.2 - 2020-12-11
  • 7.1.1 - 2020-12-09
  • 7.1.0 - 2020-12-04
  • 7.0.15 - 2020-11-27
  • 7.0.14 - 2020-11-23
  • 7.0.13 - 2020-11-20
  • 7.0.12 - 2020-11-17
  • 7.0.11 - 2020-11-13
  • 7.0.10 - 2020-11-10
  • 7.0.9 - 2020-11-06
  • 7.0.8 - 2020-11-03
  • 7.0.7 - 2020-10-30
  • 7.0.6 - 2020-10-27
  • 7.0.5 - 2020-10-23
  • 7.0.4 - 2020-10-23
  • 7.0.3 - 2020-10-20
  • 7.0.2 - 2020-10-16
  • 7.0.1 - 2020-10-15
  • 7.0.0 - 2020-10-13
  • 7.0.0-rc.4 - 2020-10-09
  • 7.0.0-rc.3 - 2020-10-06
  • 7.0.0-rc.2 - 2020-10-02
  • 7.0.0-rc.1 - 2020-10-02
  • 7.0.0-rc.0 - 2020-10-01
  • 7.0.0-beta.13 - 2020-09-29
  • 7.0.0-beta.12 - 2020-09-22
  • 7.0.0-beta.11 - 2020-09-16
  • 7.0.0-beta.10 - 2020-09-08
  • 7.0.0-beta.9 - 2020-09-04
  • 7.0.0-beta.8 - 2020-09-01
  • 7.0.0-beta.7 - 2020-08-25
  • 7.0.0-beta.6 - 2020-08-21
  • 7.0.0-beta.5 - 2020-08-18
  • 7.0.0-beta.4 - 2020-08-11
  • 7.0.0-beta.3 - 2020-08-10
  • 7.0.0-beta.2 - 2020-08-07
  • 7.0.0-beta.1 - 2020-08-05
  • 7.0.0-beta.0 - 2020-08-04
  • 6.14.18 - 2022-12-21
  • 6.14.17 - 2022-04-28
  • 6.14.16 - 2022-01-19
  • 6.14.15 - 2021-08-24
  • 6.14.14 - 2021-07-27

    6.14.14 (2021-07-27)

    DEPENDENCIES

  • 6.14.13 - 2021-04-12
  • 6.14.12 - 2021-03-25
  • 6.14.11 - 2021-01-08
  • 6.14.10 - 2020-12-18
  • 6.14.9 - 2020-11-20
  • 6.14.8 - 2020-08-17
  • 6.14.7 - 2020-07-21
  • 6.14.6 - 2020-07-07
  • 6.14.5 - 2020-05-04
  • 6.14.4 - 2020-03-25
  • 6.14.3 - 2020-03-19
  • 6.14.2 - 2020-03-03
  • 6.14.1 - 2020-02-27
  • 6.14.0 - 2020-02-25
  • 6.13.7 - 2020-01-28
  • 6.13.6 - 2020-01-09
  • 6.13.5 - 2020-01-09
  • 6.13.4 - 2019-12-11
  • 6.13.3 - 2019-12-10
  • 6.13.2 - 2019-12-03
  • 6.13.1 - 2019-11-18
  • 6.13.0 - 2019-11-05
  • 6.12.1 - 2019-10-29
  • 6.12.0 - 2019-10-08
  • 6.12.0-next.0 - 2019-09-26
  • 6.11.3 - 2019-09-03
  • 6.11.2 - 2019-08-22
  • 6.11.1 - 2019-08-21
  • 6.11.0 - 2019-08-20
  • 6.10.3 - 2019-08-06
  • 6.10.2 - 2019-07-23
  • 6.10.2-next.3 - 2019-07-22
  • 6.10.2-next.2 - 2019-07-21
  • 6.10.2-next.1 - 2019-07-17
  • 6.10.2-next.0 - 2019-07-16
  • 6.10.1 - 2019-07-11
  • 6.10.1-next.2 - 2019-07-10
  • 6.10.1-next.1 - 2019-07-03
  • 6.10.1-next.0 - 2019-07-03
  • 6.10.0 - 2019-07-03
  • 6.10.0-next.0 - 2019-07-01
  • 6.9.2 - 2019-06-27
  • 6.9.1-next.0 - 2019-03-20
  • 6.9.0 - 2019-03-06
  • 6.9.0-next.0 - 2019-02-21
  • 6.8.0 - 2019-02-13
  • 6.8.0-next.2 - 2019-02-07
  • 6.8.0-next.1 - 2019-02-06
  • 6.8.0-next.0 - 2019-01-31
  • 6.7.0 - 2019-01-23
  • 6.6.0 - 2019-01-17
  • 6.6.0-next.1 - 2019-01-10
  • 6.6.0-next.0 - 2018-12-12
  • 6.5.0 - 2018-12-10
  • 6.5.0-next.0 - 2018-11-28
  • 6.4.1 - 2018-08-29
  • 6.4.1-next.0 - 2018-08-23
  • 6.4.0 - 2018-08-15
  • 6.4.0-next.0 - 2018-08-09
  • 6.3.0 - 2018-08-02
  • 6.3.0-next.0 - 2018-07-25
  • 6.2.0 - 2018-07-14
  • 6.2.0-next.1 - 2018-07-05
  • 6.2.0-next.0 - 2018-06-29
  • 6.1.0 - 2018-05-24
  • 6.1.0-next.0 - 2018-05-17
  • 6.0.1 - 2018-05-10
  • 6.0.1-next.0 - 2018-05-04
  • 6.0.0 - 2018-04-24
  • 6.0.0-next.2 - 2018-04-21
  • 6.0.0-next.1 - 2018-04-13
  • 6.0.0-next.0 - 2018-03-23
  • 5.10.0 - 2018-05-11
  • 5.10.0-next.1 - 2018-05-07
  • 5.10.0-next.0 - 2018-04-13
  • 5.9.0-next.0 - 2018-03-23
  • 5.8.0 - 2018-03-23
  • 5.8.0-next.0 - 2018-03-13
  • 5.7.1 - 2018-02-22
  • 5.7.0 - 2018-02-21
  • 5.6.0 - 2017-11-28
from npm GitHub release notes

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

…ft/message-board/message-board-web/package-lock.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-INFLIGHT-6095116
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants