From 6f68896ce9bb6c00018cb61c18ee8965dc8902ec Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Fri, 1 May 2020 02:23:53 +0100
Subject: [PATCH 1/2] fix: tools/npm/.snyk & tools/npm/package.json to reduce vulnerabilities The following vulnerabilities are fixed with a Snyk patch: - https://snyk.io/vuln/SNYK-JS-LODASH-567746
---
tools/npm/.snyk | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 tools/npm/.snyk
diff --git a/tools/npm/.snyk b/tools/npm/.snyk
new file mode 100644
index 000000000000..31630cde3f52
--- /dev/null
+++ b/tools/npm/.snyk
@@ -0,0 +1,34 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.14.1
+ignore: {}
+# patches apply the minimum changes required to fix a vulnerability
+patch:
+ SNYK-JS-LODASH-567746:
+ - '@bazel/karma > karma > lodash':
+ patched: '2020-05-01T01:23:51.258Z'
+ - '@bazel/karma > karma > combine-lists > lodash':
+ patched: '2020-05-01T01:23:51.258Z'
+ - '@bazel/karma > karma-sauce-launcher > sauce-connect-launcher > lodash':
+ patched: '2020-05-01T01:23:51.258Z'
+ - '@bazel/karma > karma > log4js > hipchat-notifier > lodash':
+ patched: '2020-05-01T01:23:51.258Z'
+ - '@bazel/karma > karma-sauce-launcher > sauce-connect-launcher > async > lodash':
+ patched: '2020-05-01T01:23:51.258Z'
+ - '@bazel/karma > karma-sauce-launcher > wd > archiver > lodash':
+ patched: '2020-05-01T01:23:51.258Z'
+ - '@bazel/karma > karma-sauce-launcher > wd > async > lodash':
+ patched: '2020-05-01T01:23:51.258Z'
+ - '@bazel/karma > karma > log4js > mailgun-js > async > lodash':
+ patched: '2020-05-01T01:23:51.258Z'
+ - '@bazel/karma > karma-sauce-launcher > wd > archiver > async > lodash':
+ patched: '2020-05-01T01:23:51.258Z'
+ - '@bazel/karma > karma > log4js > slack-node > requestretry > lodash':
+ patched: '2020-05-01T01:23:51.258Z'
+ - '@bazel/karma > karma-sauce-launcher > wd > archiver > archiver-utils > lodash':
+ patched: '2020-05-01T01:23:51.258Z'
+ - '@bazel/karma > karma-sauce-launcher > wd > archiver > zip-stream > lodash':
+ patched: '2020-05-01T01:23:51.258Z'
+ - '@bazel/karma > karma-sauce-launcher > wd > archiver > zip-stream > archiver-utils > lodash':
+ patched: '2020-05-01T01:23:51.258Z'
+ - '@bazel/karma > karma-sauce-launcher > wd > lodash':
+ patched: '2020-05-01T01:23:51.258Z'
From cc40370b2361735d858ce9b5c88b467c3cf41a0d Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Fri, 1 May 2020 02:23:54 +0100
Subject: [PATCH 2/2] fix: tools/npm/.snyk & tools/npm/package.json to reduce vulnerabilities The following vulnerabilities are fixed with a Snyk patch: - https://snyk.io/vuln/SNYK-JS-LODASH-567746
---
tools/npm/package.json | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/tools/npm/package.json b/tools/npm/package.json
index 7f9af0e34b61..356f5aedb276 100644
--- a/tools/npm/package.json
+++ b/tools/npm/package.json
@@ -6,9 +6,13 @@
 "@angular/compiler-cli": "6.1.9",
 "@bazel/karma": "0.21.0",
 "@bazel/typescript": "0.21.0",
- "typescript": "~3.1.1"
+ "typescript": "~3.1.1",
+ "snyk": "^1.316.1"
 },
 "scripts": {
- "//": "TODO(gregmagolan): figure out how to keep @bazel/karma & @bazel/typescript dependencies here up to date with the root package.json; NOTE: versions of @angular/x don't matter here as they are only require to create the @npm//@angular/bazel target name"
- }
+ "//": "TODO(gregmagolan): figure out how to keep @bazel/karma & @bazel/typescript dependencies here up to date with the root package.json; NOTE: versions of @angular/x don't matter here as they are only require to create the @npm//@angular/bazel target name",
+ "snyk-protect": "snyk protect",
+ "prepare": "yarn run snyk-protect"
+ },
+ "snyk": true
 }
\ No newline at end of file
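Review bot: The `prepare` script added here makes every install of tools/npm execute the `snyk` CLI, yet that CLI is declared with a caret range (`"snyk": "^1.316.1"`) while the other entries in this hunk are exact or tilde-pinned, so any later 1.x release can end up running at install time if the lockfile does not hold it back. Pinning it as `"snyk": "1.316.1"` keeps the install-time tool a reviewed version. `snyk protect` also rewrites the listed lodash copies inside node_modules after install, so the installed tree differs from the published packages and the fix is lost wherever lifecycle scripts are skipped (for example installs run with `--ignore-scripts`); raising `@bazel/karma` to a release whose lodash is already fixed would likely be the more durable remedy. The key of the dependency block being edited lies above the hunk, so whether `snyk` lands in runtime or dev dependencies cannot be confirmed from here.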