Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 20 vulnerabilities #87

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

pjmolina
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 619/1000
Why? Has a fix available, CVSS 8.1
Prototype Pollution
SNYK-JS-AJV-584908
Yes No Known Exploit
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Prototype Pollution
SNYK-JS-ASYNC-2441827
Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-AWSSDK-1059424
No Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Denial of Service (DoS)
SNYK-JS-DECODEURICOMPONENT-3149970
No Proof of Concept
medium severity 626/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.1
Man-in-the-Middle (MitM)
SNYK-JS-HTTPSPROXYAGENT-469131
Yes Proof of Concept
high severity 644/1000
Why? Has a fix available, CVSS 8.6
Prototype Pollution
SNYK-JS-JSONSCHEMA-1920922
Yes No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905
Yes Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2
Command Injection
SNYK-JS-LODASH-1040724
Yes Proof of Concept
high severity 731/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.2
Prototype Pollution
SNYK-JS-LODASH-567746
Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-608086
Yes Proof of Concept
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7
Prototype Pollution
SNYK-JS-MINIMIST-2429795
Yes Proof of Concept
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6
Prototype Pollution
SNYK-JS-MINIMIST-559764
Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Prototype Poisoning
SNYK-JS-QS-3153490
Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795
Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Prototype Pollution
SNYK-JS-XML2JS-5414874
No Proof of Concept
high severity 741/1000
Why? Mature exploit, Has a fix available, CVSS 7.1
Uninitialized Memory Exposure
npm:base64url:20180511
Yes Mature
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:bson:20180225
Yes Proof of Concept
medium severity 641/1000
Why? Mature exploit, Has a fix available, CVSS 5.1
Uninitialized Memory Exposure
npm:concat-stream:20160901
Yes Mature
high severity 579/1000
Why? Has a fix available, CVSS 7.3
Insecure Randomness
npm:crypto-browserify:20140722
No No Known Exploit
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:debug:20170905
Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: connect-mongo The new version differs by 90 commits.
  • 63ca966 docs: update readme and bump version to 3.0.0
  • aceb1ee chore: bump version to 3.0.0-rc.2
  • 0e4a234 test: add test cases on event listener
  • e77a7f1 test: replace mocha with jest (#324)
  • ad39e88 test: replace deprecated collection.insert to collection.insertOne
  • 545c06e docs: update README on testing
  • 2d5442e chore: upgrade depns mocha
  • 5d3a321 chore: upgrade nyc depns
  • 54cd91d chore: upgrade depns
  • afb7a12 docs: remove some badges
  • 6c2484b docs: update README for supporting version
  • c925c92 test: fix test case
  • 6827330 chore: bump version to 3.0.0-rc.1
  • f62692b ci: update .npmignore
  • aa2637d ci: remove node 6 support and add linting in travis
  • 801291b fix linting error
  • f928547 travis add test on Node 12
  • 12275f0 better linting
  • eb23b1e linting fix
  • 66194c7 bump major version to 3.0.0-rc
  • f29084f Wait for client open, before calling db. (#321)
  • d252bfc Install Stale bot
  • 15d91c1 Transparent crypto support (#314)
  • 08ccada Update readme refer to latest release to avoid confusion

See the full diff

Package name: grunt-cli The new version differs by 5 commits.

See the full diff

Package name: mongoose The new version differs by 250 commits.
  • 66d559b chore: release 4.7.7
  • 0504ec6 fix(populate): handle nested virtuals in virtual populate
  • b412210 test(populate): repro #4581
  • 4efecd5 fix(utils): don't crash if to[key] is null
  • 066f128 chore: upgrade mongodb -> 2.2.21
  • 370ac04 chore: upgrade bson dep to match mongodb-core
  • dd8003b fix: add a toBSON to documents for easier querying
  • ab680e4 test: repro #4866
  • 075213f chore: upgrade mongodb -> 2.2.20
  • e4fb16c chore: actually bump to 2.2.19
  • f47260b chore: upgrade mongodb -> 2.2.18
  • 344a2b7 chore: remove vestigial log
  • 625e5cd Merge branch 'master' of github.com:Automattic/mongoose
  • 2c020d1 chore: improve spelling re: #4858
  • f921d15 Merge pull request #4854 from davidwu226/master
  • 32208ba chore: now working on 4.7.7
  • faf2c6a chore: release 4.7.6
  • 5a1129a Fix warning from Bluebird:
  • 175ad20 fix(query): don't call error handler if passRawResult is true and no error occurred
  • d1492ce test(query): repro #4836
  • 22552c5 docs(populate): remove implicit Model.populate() example
  • 62c8b08 fix(populate): use base model name if no discriminator for backwards compat
  • f0aa82d test(populate): repro #4843
  • 8f39e1b fix: handle refs correctly even if using browser driver

See the full diff

Package name: newrelic The new version differs by 250 commits.
  • f35a229 release: 6.5.0 (2020-03-19)
  • 5779e3c Updated release notes
  • 435d053 Merge pull request #1969 from NodeJS-agent/ntzaperas/attribute-rename
  • 3d0dbd2 Rename span error attribute
  • a01821f Fix span error attributes appearing on span intrinsics
  • 76e0572 Updated changelog for v6.5.0.
  • cd9406c Merge pull request #1966 from NodeJS-agent/ntzaperas/lasp-span-errors
  • bfb2e70 Remove span_error_attributes feature flag
  • 613a285 Test span error attributes and HSM/ignore
  • a4ac95b Merge pull request #1964 from NodeJS-agent/mgoin/ConvertAgentAggregatorsUnitTests
  • 2de8843 Merge pull request #1959 from NodeJS-agent/mgoin/ConvertAgentsUnitTestFullyTap
  • 3f53da6 Converts event-aggregator.test.js to fully use tap API.
  • e339089 Use the same attributes on spans as on TransactionErrors
  • 0166c8a Span error attributes should adhere to security policy
  • de2658d Converts base-aggregator.test.js to fully use tap API.
  • 1e036e5 Converts synthetics.test.js to fully use tap API.
  • 6d75845 Converts intrinsics.test.js to fully use tap API.
  • 8c43fc6 Converts agent.test.js to fully use tap API.
  • ade4dc3 Merge pull request #1957 from NodeJS-agent/ntzaperas/NODE-2307-error-attrs-on-spans
  • 2ce89a6 Put span error attributes behind a feature flag
  • 9013e0f Tests for span error attributes
  • 64c6d47 Update tests to match new error interface
  • ecae7a2 Add error info to span and link to TransactionError events
  • 233e48e Merge pull request #1956 from NodeJS-agent/mgoin/NODE-2314-EventHandlersNotCleaningUp

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Command Injection
🦉 More lessons are available in Snyk Learn

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants