From c37847dc2e92a30a04eef41714393621a0518319 Mon Sep 17 00:00:00 2001 
From: snyk-bot Date: Thu, 13 Jan 2022 15:08:41 +0000 Subject: [PATCH] fix: package.json & .snyk to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-AJV-584908 - https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424 - https://snyk.io/vuln/SNYK-JS-BUNYAN-573166 - https://snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-2332181 - https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767 - https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029 - https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692 - https://snyk.io/vuln/SNYK-JS-HANDLEBARS-174183 - https://snyk.io/vuln/SNYK-JS-HANDLEBARS-469063 - https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388 - https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478 - https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534988 - https://snyk.io/vuln/SNYK-JS-HANDLEBARS-567742 - https://snyk.io/vuln/SNYK-JS-HTMLTOTEXT-571464 - https://snyk.io/vuln/SNYK-JS-INI-1048974 - https://snyk.io/vuln/SNYK-JS-KNEX-471962 - https://snyk.io/vuln/SNYK-JS-LODASH-1018905 - https://snyk.io/vuln/SNYK-JS-LODASH-1040724 - https://snyk.io/vuln/SNYK-JS-LODASH-450202 - https://snyk.io/vuln/SNYK-JS-LODASH-567746 - https://snyk.io/vuln/SNYK-JS-LODASH-590103 - https://snyk.io/vuln/SNYK-JS-LODASH-608086 - https://snyk.io/vuln/SNYK-JS-LODASH-73638 - https://snyk.io/vuln/SNYK-JS-LODASH-73639 - https://snyk.io/vuln/SNYK-JS-MARKDOWNIT-2331914 - https://snyk.io/vuln/SNYK-JS-MARKDOWNIT-459438 - https://snyk.io/vuln/SNYK-JS-MINIMIST-559764 - https://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834 - https://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415 - https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067 - https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640 - https://snyk.io/vuln/SNYK-JS-SANITIZEHTML-1070780 - https://snyk.io/vuln/SNYK-JS-SANITIZEHTML-1070786 - https://snyk.io/vuln/SNYK-JS-SANITIZEHTML-585892 - https://snyk.io/vuln/SNYK-JS-STATICEVAL-173693 - https://snyk.io/vuln/SNYK-JS-TAR-1536528 - https://snyk.io/vuln/SNYK-JS-TAR-1536531 - https://snyk.io/vuln/SNYK-JS-TAR-1536758 - 
https://snyk.io/vuln/SNYK-JS-TAR-1579147 - https://snyk.io/vuln/SNYK-JS-TAR-1579152 - https://snyk.io/vuln/SNYK-JS-TAR-1579155 - https://snyk.io/vuln/SNYK-JS-UGLIFYJS-1727251 - https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984 - https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090599 - https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090600 - https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090601 - https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090602 - https://snyk.io/vuln/npm:braces:20180219 - https://snyk.io/vuln/npm:extend:20180424 - https://snyk.io/vuln/npm:hoek:20180212 - https://snyk.io/vuln/npm:lodash:20180130 - https://snyk.io/vuln/npm:mime:20170907 - https://snyk.io/vuln/npm:moment:20170905 - https://snyk.io/vuln/npm:validator:20180218 The following vulnerabilities are fixed with a Snyk patch: - https://snyk.io/vuln/SNYK-JS-LODASH-567746 - https://snyk.io/vuln/npm:debug:20170905 - https://snyk.io/vuln/npm:extend:20180424 - https://snyk.io/vuln/npm:hoek:20180212 - https://snyk.io/vuln/npm:mime:20170907 - https://snyk.io/vuln/npm:moment:20170905 - https://snyk.io/vuln/npm:ms:20170412 - https://snyk.io/vuln/npm:stringstream:20180511 --- .snyk | 181 +++++++++++++++++++++++++++++++++++++++++++++++++++ package.json | 44 +++++++------ 2 files changed, 205 insertions(+), 20 deletions(-) create mode 100644 .snyk diff --git a/.snyk b/.snyk new file mode 100644 index 000000000000..266742a7dd0f --- /dev/null +++ b/.snyk 
@@ -0,0 +1,181 @@ +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities. +version: v1.22.1 +ignore: {} +# patches apply the minimum changes required to fix a vulnerability +patch: + 'npm:debug:20170905': + - brute-knex > express > debug: + patched: '2022-01-13T15:08:37.989Z' + - brute-knex > express > finalhandler > debug: + patched: '2022-01-13T15:08:37.989Z' + - brute-knex > express > send > debug: + patched: '2022-01-13T15:08:37.989Z' + - brute-knex > express > serve-static > send > debug: + patched: '2022-01-13T15:08:37.989Z' + 'npm:extend:20180424': + - superagent > extend: + patched: '2022-01-13T15:08:37.989Z' + - analytics-node > superagent > extend: + patched: '2022-01-13T15:08:37.989Z' + - knex > liftoff > extend: + patched: '2022-01-13T15:08:37.989Z' + - knex-migrator > knex > liftoff > extend: + patched: '2022-01-13T15:08:37.989Z' + - sqlite3 > node-pre-gyp > request > extend: + patched: '2022-01-13T15:08:37.989Z' + - ghost-ignition > bunyan-loggly > node-loggly-bulk > request > extend: + patched: '2022-01-13T15:08:37.989Z' + - knex-migrator > sqlite3 > node-pre-gyp > request > extend: + patched: '2022-01-13T15:08:37.989Z' + - bookshelf-relations > ghost-ignition > bunyan-loggly > node-loggly-bulk > request > extend: + patched: '2022-01-13T15:08:37.989Z' + - gscan > ghost-ignition > bunyan-loggly > node-loggly-bulk > request > extend: + patched: '2022-01-13T15:08:37.989Z' + - knex-migrator > ghost-ignition > bunyan-loggly > node-loggly-bulk > request > extend: + patched: '2022-01-13T15:08:37.989Z' + 'npm:hoek:20180212': + - ghost-ignition > bunyan-loggly > node-loggly-bulk > request > hawk > hoek: + patched: '2022-01-13T15:08:37.989Z' + - ghost-ignition > bunyan-loggly > node-loggly-bulk > request > hawk > boom > hoek: + patched: '2022-01-13T15:08:37.989Z' + - ghost-ignition > bunyan-loggly > node-loggly-bulk > request > hawk > sntp > hoek: + patched: '2022-01-13T15:08:37.989Z' + - bookshelf-relations > ghost-ignition > 
bunyan-loggly > node-loggly-bulk > request > hawk > hoek: + patched: '2022-01-13T15:08:37.989Z' + - gscan > ghost-ignition > bunyan-loggly > node-loggly-bulk > request > hawk > hoek: + patched: '2022-01-13T15:08:37.989Z' + - knex-migrator > ghost-ignition > bunyan-loggly > node-loggly-bulk > request > hawk > hoek: + patched: '2022-01-13T15:08:37.989Z' + - bookshelf-relations > ghost-ignition > bunyan-loggly > node-loggly-bulk > request > hawk > boom > hoek: + patched: '2022-01-13T15:08:37.989Z' + - gscan > ghost-ignition > bunyan-loggly > node-loggly-bulk > request > hawk > boom > hoek: + patched: '2022-01-13T15:08:37.989Z' + - knex-migrator > ghost-ignition > bunyan-loggly > node-loggly-bulk > request > hawk > boom > hoek: + patched: '2022-01-13T15:08:37.989Z' + - ghost-ignition > bunyan-loggly > node-loggly-bulk > request > hawk > cryptiles > boom > hoek: + patched: '2022-01-13T15:08:37.989Z' + - bookshelf-relations > ghost-ignition > bunyan-loggly > node-loggly-bulk > request > hawk > sntp > hoek: + patched: '2022-01-13T15:08:37.989Z' + - gscan > ghost-ignition > bunyan-loggly > node-loggly-bulk > request > hawk > sntp > hoek: + patched: '2022-01-13T15:08:37.989Z' + - knex-migrator > ghost-ignition > bunyan-loggly > node-loggly-bulk > request > hawk > sntp > hoek: + patched: '2022-01-13T15:08:37.989Z' + - bookshelf-relations > ghost-ignition > bunyan-loggly > node-loggly-bulk > request > hawk > cryptiles > boom > hoek: + patched: '2022-01-13T15:08:37.989Z' + - gscan > ghost-ignition > bunyan-loggly > node-loggly-bulk > request > hawk > cryptiles > boom > hoek: + patched: '2022-01-13T15:08:37.989Z' + - knex-migrator > ghost-ignition > bunyan-loggly > node-loggly-bulk > request > hawk > cryptiles > boom > hoek: + patched: '2022-01-13T15:08:37.989Z' + - sqlite3 > node-pre-gyp > hawk > hoek: + patched: '2022-01-13T15:08:37.989Z' + - sqlite3 > node-pre-gyp > hawk > boom > hoek: + patched: '2022-01-13T15:08:37.989Z' + - sqlite3 > node-pre-gyp > hawk > sntp > hoek: + 
patched: '2022-01-13T15:08:37.989Z' + - knex-migrator > sqlite3 > node-pre-gyp > hawk > hoek: + patched: '2022-01-13T15:08:37.989Z' + - sqlite3 > node-pre-gyp > hawk > cryptiles > boom > hoek: + patched: '2022-01-13T15:08:37.989Z' + - knex-migrator > sqlite3 > node-pre-gyp > hawk > boom > hoek: + patched: '2022-01-13T15:08:37.989Z' + - knex-migrator > sqlite3 > node-pre-gyp > hawk > sntp > hoek: + patched: '2022-01-13T15:08:37.989Z' + - knex-migrator > sqlite3 > node-pre-gyp > hawk > cryptiles > boom > hoek: + patched: '2022-01-13T15:08:37.989Z' + SNYK-JS-LODASH-567746: + - amperize > lodash: + patched: '2022-01-13T15:08:37.989Z' + - analytics-node > lodash: + patched: '2022-01-13T15:08:37.989Z' + - archiver > lodash: + patched: '2022-01-13T15:08:37.989Z' + - bookshelf > lodash: + patched: '2022-01-13T15:08:37.989Z' + - ghost-ignition > lodash: + patched: '2022-01-13T15:08:37.989Z' + - bookshelf-relations > lodash: + patched: '2022-01-13T15:08:37.989Z' + - ghost-gql > lodash: + patched: '2022-01-13T15:08:37.989Z' + - knex > lodash: + patched: '2022-01-13T15:08:37.989Z' + - knex-migrator > lodash: + patched: '2022-01-13T15:08:37.989Z' + - amperize > async > lodash: + patched: '2022-01-13T15:08:37.989Z' + - archiver > async > lodash: + patched: '2022-01-13T15:08:37.989Z' + - archiver > archiver-utils > lodash: + patched: '2022-01-13T15:08:37.989Z' + - archiver > zip-stream > lodash: + patched: '2022-01-13T15:08:37.989Z' + - bookshelf-relations > ghost-ignition > lodash: + patched: '2022-01-13T15:08:37.989Z' + - gscan > ghost-ignition > lodash: + patched: '2022-01-13T15:08:37.989Z' + - knex-migrator > ghost-ignition > lodash: + patched: '2022-01-13T15:08:37.989Z' + - knex-migrator > knex > lodash: + patched: '2022-01-13T15:08:37.989Z' + - archiver > zip-stream > archiver-utils > lodash: + patched: '2022-01-13T15:08:37.989Z' + 'npm:mime:20170907': + - brute-knex > express > send > mime: + patched: '2022-01-13T15:08:37.989Z' + - brute-knex > express > serve-static > 
send > mime: + patched: '2022-01-13T15:08:37.989Z' + 'npm:moment:20170905': + - ghost-ignition > moment: + patched: '2022-01-13T15:08:37.989Z' + - ghost-storage-base > moment: + patched: '2022-01-13T15:08:37.989Z' + - moment-timezone > moment: + patched: '2022-01-13T15:08:37.989Z' + - ghost-ignition > bunyan > moment: + patched: '2022-01-13T15:08:37.989Z' + - bookshelf-relations > ghost-ignition > moment: + patched: '2022-01-13T15:08:37.989Z' + - gscan > ghost-ignition > moment: + patched: '2022-01-13T15:08:37.989Z' + - knex-migrator > ghost-ignition > moment: + patched: '2022-01-13T15:08:37.989Z' + - bookshelf-relations > ghost-ignition > bunyan > moment: + patched: '2022-01-13T15:08:37.989Z' + - gscan > ghost-ignition > bunyan > moment: + patched: '2022-01-13T15:08:37.989Z' + - knex-migrator > ghost-ignition > bunyan > moment: + patched: '2022-01-13T15:08:37.989Z' + - ghost-ignition > bunyan-loggly > node-loggly-bulk > moment: + patched: '2022-01-13T15:08:37.989Z' + - bookshelf-relations > ghost-ignition > bunyan-loggly > node-loggly-bulk > moment: + patched: '2022-01-13T15:08:37.989Z' + - gscan > ghost-ignition > bunyan-loggly > node-loggly-bulk > moment: + patched: '2022-01-13T15:08:37.989Z' + - knex-migrator > ghost-ignition > bunyan-loggly > node-loggly-bulk > moment: + patched: '2022-01-13T15:08:37.989Z' + 'npm:ms:20170412': + - brute-knex > express > debug > ms: + patched: '2022-01-13T15:08:37.989Z' + - brute-knex > express > send > ms: + patched: '2022-01-13T15:08:37.989Z' + - brute-knex > express > finalhandler > debug > ms: + patched: '2022-01-13T15:08:37.989Z' + - brute-knex > express > send > debug > ms: + patched: '2022-01-13T15:08:37.989Z' + - brute-knex > express > serve-static > send > debug > ms: + patched: '2022-01-13T15:08:37.989Z' + - brute-knex > express > serve-static > send > ms: + patched: '2022-01-13T15:08:37.989Z' + 'npm:stringstream:20180511': + - sqlite3 > node-pre-gyp > request > stringstream: + patched: '2022-01-13T15:08:37.989Z' + - 
ghost-ignition > bunyan-loggly > node-loggly-bulk > request > stringstream:
+ patched: '2022-01-13T15:08:37.989Z'
+ - knex-migrator > sqlite3 > node-pre-gyp > request > stringstream:
+ patched: '2022-01-13T15:08:37.989Z'
+ - bookshelf-relations > ghost-ignition > bunyan-loggly > node-loggly-bulk > request > stringstream:
+ patched: '2022-01-13T15:08:37.989Z'
+ - gscan > ghost-ignition > bunyan-loggly > node-loggly-bulk > request > stringstream:
+ patched: '2022-01-13T15:08:37.989Z'
+ - knex-migrator > ghost-ignition > bunyan-loggly > node-loggly-bulk > request > stringstream:
+ patched: '2022-01-13T15:08:37.989Z'
diff --git a/package.json b/package.json
index 4bde0f7a52b0..bca7f0b19fad 100644
--- a/package.json
+++ b/package.json
@@ -21,21 +21,23 @@
 "start": "node index",
 "dev": "DEBUG=ghost:* grunt dev",
 "test": "grunt validate --verbose",
- "init": "yarn global add knex-migrator ember-cli grunt-cli && yarn install && grunt symlink && grunt init || true"
+ "init": "yarn global add knex-migrator ember-cli grunt-cli && yarn install && grunt symlink && grunt init || true",
+ "prepublish": "npm run snyk-protect",
+ "snyk-protect": "snyk-protect"
 },
 "engines": {
 "node": "^4.5.0 || ^6.9.0 || ^8.9.0"
 },
 "dependencies": {
- "amperize": "0.3.6",
+ "amperize": "1.0.0",
 "analytics-node": "2.4.1",
 "archiver": "1.3.0",
 "bcryptjs": "2.4.3",
 "bluebird": "3.5.1",
 "body-parser": "1.18.2",
 "bookshelf": "0.10.3",
- "bookshelf-relations": "0.1.3",
- "brute-knex": "https://github.com/cobbspur/brute-knex/tarball/37439f56965b17d29bb4ff9b3f3222b2f4bd6ce3",
+ "bookshelf-relations": "2.1.0",
+ "brute-knex": "4.0.1",
 "bson-objectid": "1.2.1",
 "chalk": "1.1.3",
 "cheerio": "0.22.0",
@@ -47,50 +49,51 @@
 "downsize": "0.0.8",
 "express": "4.16.2",
 "express-brute": "1.0.1",
- "express-hbs": "1.0.4",
- "extract-zip": "1.6.6",
+ "express-hbs": "2.3.5",
+ "extract-zip": "1.6.8",
 "fs-extra": "3.0.1",
 "ghost-gql": "0.0.8",
- "ghost-ignition": "2.8.16",
+ "ghost-ignition": "4.2.2",
 "ghost-storage-base": "0.0.1",
 "glob": "5.0.15",
 "got": "7.1.0",
- "gscan": "1.2.3",
- "html-to-text": "3.3.0",
+ "gscan": "4.0.2",
+ "html-to-text": "6.0.0",
 "image-size": "0.6.1",
 "intl": "1.2.5",
 "intl-messageformat": "1.3.0",
- "jsonpath": "1.0.0",
- "knex": "0.12.9",
- "knex-migrator": "2.1.9",
- "lodash": "4.17.4",
- "markdown-it": "8.4.0",
+ "jsonpath": "1.1.1",
+ "knex": "0.19.5",
+ "knex-migrator": "3.4.7",
+ "lodash": "4.17.21",
+ "markdown-it": "12.3.2",
 "markdown-it-footnote": "3.0.1",
 "markdown-it-lazy-headers": "0.1.3",
 "markdown-it-mark": "2.0.0",
 "mobiledoc-dom-renderer": "0.6.5",
- "moment": "2.19.2",
+ "moment": "2.19.3",
 "moment-timezone": "0.5.14",
 "multer": "1.3.0",
 "mysql": "2.15.0",
 "nconf": "0.9.1",
 "netjet": "1.1.4",
- "nodemailer": "0.7.1",
+ "nodemailer": "6.6.1",
 "oauth2orize": "1.11.0",
 "passport": "0.4.0",
 "passport-http-bearer": "1.0.1",
 "passport-oauth2-client-password": "0.1.2",
 "path-match": "1.2.4",
 "rss": "1.2.2",
- "sanitize-html": "1.16.1",
+ "sanitize-html": "2.3.2",
 "semver": "5.4.1",
 "simple-dom": "0.3.2",
 "simple-html-tokenizer": "0.4.3",
 "superagent": "3.8.1",
 "unidecode": "0.1.8",
 "uuid": "3.1.0",
- "validator": "6.3.0",
- "xml": "1.0.1"
+ "validator": "13.7.0",
+ "xml": "1.0.1",
+ "@snyk/protect": "latest"
 },
 "optionalDependencies": {
 "sqlite3": "3.1.13"
@@ -150,5 +153,6 @@
 "grunt-update-submodules",
 "sinon"
 ]
- }
+ },
+ "snyk": true
 }
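Review bot: The new `"prepublish": "npm run snyk-protect"` script turns `snyk-protect` into an install-time lifecycle hook: with the npm versions that ship for the node range in the unchanged `engines` field (4/6/8), `prepublish` runs on every plain `npm install` of the project, not only on publish, so a binary that rewrites files under `node_modules` executes on every developer and CI install. That binary is provided by `@snyk/protect`, which the dependencies hunk below declares as `"latest"` while every other dependency here is pinned exactly; pin it to a reviewed version (and commit the lockfile) so the code run by this hook is the code that was reviewed, and prefer the non-deprecated `prepare` hook if patching on local install is the intent. `"brute-knex"` also moves from a commit-pinned fork tarball to the npm release `"4.0.1"`; since the two are different origins, it is worth confirming the fork's changes are present in the published package before dropping the tarball reference.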
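Review bot: `"@snyk/protect": "latest"` at the end of the dependencies block is the only floating range in a file where every other dependency is pinned to an exact version, and the script hunk above runs its binary as a lifecycle hook, so each install fetches and executes whatever the registry currently serves under that tag; pin it, e.g. `"@snyk/protect": "<reviewed exact version>"` (placeholder), and keep the entry in alphabetical order with the others rather than appended after `"xml"`. Most of the remaining bumps are major versions with breaking API changes (`ghost-ignition` 2→4, `knex` 0.12→0.19, `knex-migrator` 2→3, `nodemailer` 0.7→6, `sanitize-html` 1→2, `html-to-text` 3→6, `markdown-it` 8→12, `validator` 6→13, `gscan` 1→4) while this commit touches no application code, so the upgrade cannot be assumed drop-in; `sanitize-html` 2.x in particular changed its default allow-lists, which means the HTML that reaches rendered pages may differ and should be re-tested rather than assumed equivalent. The `engines` range left unchanged in the hunk above (`^4.5.0 || ^6.9.0 || ^8.9.0`) likely predates the runtimes these releases declare support for; verify it against their own engines fields before merging.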