New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 5 vulnerabilities #12

Open

rasputtintin wants to merge 1 commit into master from snyk-fix-729b69657ee3531793d60ffb0dcc4391

Owner

rasputtintin commented Aug 24, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	534/1000 Why? Has a fix available, CVSS 6.4	Improper Authentication SNYK-JS-JSONWEBTOKEN-3180022	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Improper Restriction of Security Token Assignment SNYK-JS-JSONWEBTOKEN-3180024	Yes	No Known Exploit
	554/1000 Why? Has a fix available, CVSS 6.8	Use of a Broken or Risky Cryptographic Algorithm SNYK-JS-JSONWEBTOKEN-3180026	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-PROTOBUFJS-2441248	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @mojaloop/central-services-stream

The new version differs by 15 commits.

bf597c5 chore(release): 11.0.0 [skip ci]
f22ece0 fix: updated peerDependencies as NPM v7+ handles their resolution for us
35313c3 feat(mojaloop/#2092)!: upgrade nodeJS version for core services (#125)
d07dd2e fix: Bump lodash from 4.17.19 to 4.17.21 (#117)
41a0b5e fix: [Security] Bump glob-parent from 5.1.1 to 5.1.2 (#118)
ff3fbea fix: Bump normalize-url from 4.5.0 to 4.5.1 (#119)
4a6dc3b feat(2151): helm-release-v12.1.0 (#116)
c4903f0 [Security] Bump ini from 1.3.5 to 1.3.8 (#109)
65913b6 Updated dependencies (#106)
d64d4b2 make audit resolver run on production only by default, bump package to 10.2.0 (#100)
b1c5d75 #1289 Log optimisation (#91)
398c429 Update version to v9.2.0 (#81)
be4acac Added updated Mojaloop license (#78)
1c70e43 Added updated Mojaloop license (#77)
0f2dfc1 updated dependencies and node version to latest LTS version (#75)

See the full diff

Package name: @mojaloop/event-sdk

The new version differs by 31 commits.

e90cdda chore(release): 12.0.0 [skip ci]
52f81db chore(mojaloop/#3455): nodejs upgrade (#73)
2aa1caf chore(release): 11.0.2 [skip ci]
f57c3b3 fix: moved logger dependency as a peerDependency to be consistent with other mojaloop repos
c7c7714 chore(release): 11.0.1 [skip ci]
0fab3e9 fix: postchangelog now will correctly work
28ce298 chore(release): 11.0.0 [skip ci]
6fa9f74 feat(mojaloop/#2092): upgrade nodeJS version for core services (#67)
f5d863a chore: add tsconfig option to build declaration file (#64)
085a6ae feat(2151): helm release v12.1.0 (fix(mojaloop/#3615): update dependencies mojaloop/event-sidecar#56)
4eea6cd feat(2151): helm-release-v12.1.0 (chore(mojaloop/#3533): update dependencies mojaloop/event-sidecar#55)
86d4c3d feat(ci/cd): add pr title check (Bump minimist from 1.2.5 to 1.2.6 mojaloop/event-sidecar#47)
8eec478 chore: update license file (Bump tar from 6.1.0 to 6.1.11 mojaloop/event-sidecar#45)
fa0d1ff Bump ini from 1.3.5 to 1.3.7 (Bump ajv from 6.12.0 to 6.12.6 mojaloop/event-sidecar#46)
5aef313 Bump highlight.js from 10.1.1 to 10.4.1 (Bump path-parse from 1.0.6 to 1.0.7 mojaloop/event-sidecar#44)
e6597ac update dependencies to remove vulnerabilities (Bump lodash from 4.17.20 to 4.17.21 mojaloop/event-sidecar#42)
45ca858 updated link (Bump normalize-url from 4.5.0 to 4.5.1 mojaloop/event-sidecar#40)
bd02ba9 Resolve some of the audit issues (Bump glob-parent from 5.1.1 to 5.1.2 mojaloop/event-sidecar#39)
ea95367 Feature/#1383 doc update (Bump hosted-git-info from 2.8.8 to 2.8.9 mojaloop/event-sidecar#38)
726108f Fix/#1263 tracetags refresh (Bump handlebars from 4.7.6 to 4.7.7 mojaloop/event-sidecar#37)
678319f Fix/#1263 encode tracestate missing tracestates on new (Bump djv from 2.1.2 to 2.1.4 mojaloop/event-sidecar#36)
53735fe Feature/#1263 encode tracestate (Bump y18n from 3.2.1 to 3.2.2 mojaloop/event-sidecar#35)
1e3a873 Fix/other tracestate missing 2 (Bump ssri from 8.0.0 to 8.0.1 mojaloop/event-sidecar#34)
063e50d Fix/other tracestate missing (fix: refactored dockerfile to follow builder and not use root mojaloop/event-sidecar#33)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Use of a Broken or Risky Cryptographic Algorithm
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution


          fix: package.json & package-lock.json to reduce vulnerabilities

2a93344

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180022
- https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180024
- https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180026
- https://snyk.io/vuln/SNYK-JS-MOMENT-2944238
- https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet