New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 12 vulnerabilities #6

Open

snyk-bot wants to merge 1 commit into main from snyk-fix-518e1a80213db1ca8707b7ec9759503b

snyk-bot commented Mar 9, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- packages/optimizer/demo/express/package.json
- packages/optimizer/demo/express/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	671/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-HANDLEBARS-480388	No	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-HANDLEBARS-534478	No	No Known Exploit
	704/1000 Why? Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-HANDLEBARS-534988	No	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-HANDLEBARS-567742	No	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-NTHCHECK-1586032	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1090595	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @ampproject/toolbox-optimizer

The new version differs by 250 commits.

f2c2de8 v2.8.1
969b947 re-generate test snapshots
fda5ea2 Make ESM config consistent (Make ESM config consistent ampproject/amp-toolbox#1237)
6031314 v2.8.1-canary.1
9cfffc6 update changelog
06e7ca5 Add SSR support for fluid layout (Add SSR support for fluid layout ampproject/amp-toolbox#1232)
3443fca Update error handler to support module and nomodule version (Update error handler to support module and nomodule version ampproject/amp-toolbox#1236)
5d38b31 v2.8.1-canary.0
4751c6d force exact version deps
ad35c9e update dependencies to match next
67dea43 Fix experimental ext (Fix: don't auto import experimental bento components ampproject/amp-toolbox#1234)
8d3ac85 update githead
6103eb5 v2.8.0
4280c62 cleanup changelog
c85dd88 v2.8.0-canary.21
912420a Update changelog
e85d2a8 Pull latest component versions from amphtml repo (Pull latest component versions from amphtml repo ampproject/amp-toolbox#1235)
b02027c Use different endpoint to fetch latest component prod versions
d834730 v2.8.0-canary.20
4b4b103 initiatlize default cache
2c0197a v2.8.0-canary.19
a650f33 update changelog
6440bd3 Correctly initialize cache during tests
f44ef8c upgrade cssnano-simple

See the full diff

Package name: express

The new version differs by 173 commits.

3d7fce5 4.17.3
f906371 build: update example dependencies
6381bc6 deps: qs@6.9.7
a007863 deps: body-parser@1.19.2
e98f584 Revert "build: use minimatch@3.0.4 for Node.js < 4"
a659137 tests: use strict mode
a39e409 tests: prevent leaking changes to NODE_ENV
82de4de examples: fix path traversal in downloads example
12310c5 build: use nyc for test coverage
884657d examples: remove bitwise syntax for includes check
7511d08 build: use minimatch@3.0.4 for Node.js < 4
2585f20 tests: fix test missing assertion
9d09762 build: supertest@6.2.2
43cc56e build: clean up gitignore
1c7bbcc build: Node.js@14.19
9cbbc8a deps: cookie@0.4.2
6fbc269 pref: remove unnecessary regexp for trust proxy
2bc734a deps: accepts@~1.3.8
89bb531 docs: fix typo in res.download jsdoc
744564f tests: add test for multiple ips in "trust proxy"
da6cb0e tests: add range tests to res.download
00ad5be tests: add more tests for app.request & app.response
141914e tests: fix tests that did not bubble errors
bd4fdfe tests: remove global dependency on should

See the full diff

Package name: hbs

The new version differs by 69 commits.

00764e0 v4.1.2
8dcac86 tests: add test for layout that does not exist
1046191 test: add test for layout using async helper
9c6ee6f test: add test for async helper with layout
b109867 lint: fix redeclared variable
7920ac6 build: Node.js@12.22
5623682 deps: handlebars@4.7.7
81ee48a build: supertest@6.1.3
c90ac58 build: eslint-plugin-markdown@2.0.1
5179777 build: eslint@7.24.0
4c73a69 build: mocha@8.3.2
0826373 build: Node.js@14.16
711c4fa build: Node.js@12.21
a48b2bf build: Node.js@10.24
c9ba0a3 build: eslint@7.21.0
dfc44e3 build: eslint-plugin-markdown@2.0.0
f3f5697 build: Node.js@12.20
b2a461b build: eslint@7.18.0
3852e7c build: supertest@6.1.1
67c942d build: eslint@7.16.0
14c84ff build: Node.js@14.15
1fcbd8b build: mocha@8.2.1
20afe45 build: eslint@7.13.0
bd96ad1 build: Node.js@12.19

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Remote Code Execution (RCE)
🦉 Prototype Pollution
🦉 Denial of Service (DoS)
🦉 More lessons are available in Snyk Learn


          fix: packages/optimizer/demo/express/package.json & packages/optimize…

28ea903

…r/demo/express/package-lock.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534988
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-567742
- https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118
- https://snyk.io/vuln/SNYK-JS-NODEFETCH-674311
- https://snyk.io/vuln/SNYK-JS-NTHCHECK-1586032
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
- https://snyk.io/vuln/SNYK-JS-QS-3153490

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet