[Snyk] Fix for 11 vulnerabilities#424

Merged

mergify[bot] merged 1 commit intomainfrom

snyk-fix-67f07734e19c95f6d0ac47dae2b9fbc4

Apr 10, 2023

snyk-bot commented Mar 19, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- src/m365/spfx/commands/project/test-projects/spfx-131-webpart-nolib/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Prototype Pollution SNYK-JS-AJV-584908	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BROWSERSLIST-1090194	No	Proof of Concept
	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	No	Proof of Concept
	Denial of Service (DoS) SNYK-JS-ENGINEIO-3136336	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	No	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-KARMA-2395349	No	Proof of Concept
	Open Redirect SNYK-JS-KARMA-2396325	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	No	No Known Exploit
	Prototype Pollution SNYK-JS-LOADERUTILS-3043105	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	No	No Known Exploit

Commit messages

Package name: gulp

The new version differs by 134 commits.

55eb23a Release: 4.0.0
173a532 Docs: Fix the installation instructions
ec54d09 Docs: Improve note about out-of-date docs
03b7c98 Docs: Update recipes to install gulp@next
2eba29e Docs: Remove run-sequence from recipes
76eb4d6 Docs: Add installation instructions & update badges
fbc162f Docs: Remove references to gulp-util
3011cf9 Scaffold: Normalize repository
f27be05 Update: Remove graceful-fs from test suite
361ab63 Upgrade: Update glob-watcher
064d100 Build: Avoid broken node 9
057df59 Release: 4.0.0-alpha.3
c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
89acc5c Docs: Improve ES2015 task exporting examples (Docs improvement: Docs version matching CLI version. pnp/cli-microsoft365#1999)
0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (Enhance 'site remove' supporting deletion o365 group connected site. Closes #1561 pnp/cli-microsoft365#1859)
723cbc4 Docs: Fix syntax in recipe example (New Command: teams user app remove. Closes #1711 pnp/cli-microsoft365#1715)
d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (Enhancement: extend 'flow run get' with approver information pnp/cli-microsoft365#1828)
29ece6f Upgrade: Update undertaker
e931cb0 Docs: Fix changelog typos (UnhandledPromiseRejectionWarning: ParserError: Unexpected token type: Colon, value: : pnp/cli-microsoft365#1696)
477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (New command: spo file sharinginfo get pnp/cli-microsoft365#1659)
d4ed3c7 Docs: Add options.cwd for gulp.src API (Added sample script closing #1506 pnp/cli-microsoft365#1645)
5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
c3dbc10 Docs: Clarify incremental builds example (New command: List Microsoft To Do task lists pnp/cli-microsoft365#1609)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Cross-site Scripting (XSS)
🦉 More lessons are available in Snyk Learn


          fix: src/m365/spfx/commands/project/test-projects/spfx-131-webpart-no…

a50b21c

…lib/package.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AJV-584908
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194
- https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749
- https://snyk.io/vuln/SNYK-JS-ENGINEIO-3136336
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-KARMA-2395349
- https://snyk.io/vuln/SNYK-JS-KARMA-2396325
- https://snyk.io/vuln/SNYK-JS-LOADERUTILS-3042992
- https://snyk.io/vuln/SNYK-JS-LOADERUTILS-3043105
- https://snyk.io/vuln/SNYK-JS-LOADERUTILS-3105943

sonarqubecloud bot commented Mar 19, 2023

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

mergify bot merged commit 38890a5 into main

mergify bot deleted the snyk-fix-67f07734e19c95f6d0ac47dae2b9fbc4 branch

April 10, 2023 09:00

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet