-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Snyk] Security upgrade tap from 5.8.0 to 11.1.3 #57
base: master
Are you sure you want to change the base?
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-HAWK-2808852
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❌ Jit has detected 29 important findings in this PR that you should review.
The findings are detailed below as separate comments.
It’s highly recommended that you fix these security issues before merge.
@@ -10,6 +10,6 @@ | |||
"dependencies": { | |||
"node-uuid": "1.4.0", | |||
"qs": "0.0.6", | |||
"tap": "^5.8.0" | |||
"tap": "^11.1.3" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Arbitrary Code Execution In Handlebars
Description: tap>nyc>istanbul-reports>[email protected]
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_finding
Ignore this specific single instance of finding#jit_undo_ignore
Undo ignore command
@@ -10,6 +10,6 @@ | |||
"dependencies": { | |||
"node-uuid": "1.4.0", | |||
"qs": "0.0.6", | |||
"tap": "^5.8.0" | |||
"tap": "^11.1.3" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Arbitrary Code Execution In Handlebars
Description: tap>nyc>istanbul-reports>[email protected]
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_finding
Ignore this specific single instance of finding#jit_undo_ignore
Undo ignore command
@@ -10,6 +10,6 @@ | |||
"dependencies": { | |||
"node-uuid": "1.4.0", | |||
"qs": "0.0.6", | |||
"tap": "^5.8.0" | |||
"tap": "^11.1.3" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Prototype Pollution In Minimist
Description: _Paths from library to vulnerable dependencies:
- tap>nyc>mkdirp>[email protected]
- tap>nyc>caching-transform>mkdirp>[email protected]
- tap>nyc>istanbul-reports>handlebars>optimist>[email protected]_
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_finding
Ignore this specific single instance of finding#jit_undo_ignore
Undo ignore command
@@ -10,6 +10,6 @@ | |||
"dependencies": { | |||
"node-uuid": "1.4.0", | |||
"qs": "0.0.6", | |||
"tap": "^5.8.0" | |||
"tap": "^11.1.3" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Remote Code Execution In Handlebars When Compiling Templates
Description: tap>nyc>istanbul-reports>[email protected]
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_finding
Ignore this specific single instance of finding#jit_undo_ignore
Undo ignore command
@@ -10,6 +10,6 @@ | |||
"dependencies": { | |||
"node-uuid": "1.4.0", | |||
"qs": "0.0.6", | |||
"tap": "^5.8.0" | |||
"tap": "^11.1.3" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Denial Of Service In Handlebars
Description: tap>nyc>istanbul-reports>[email protected]
Severity: MEDIUM
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_finding
Ignore this specific single instance of finding#jit_undo_ignore
Undo ignore command
@@ -10,6 +10,6 @@ | |||
"dependencies": { | |||
"node-uuid": "1.4.0", | |||
"qs": "0.0.6", | |||
"tap": "^5.8.0" | |||
"tap": "^11.1.3" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Regular Expression Denial Of Service (Redos) In Lodash
Description: _Paths from library to vulnerable dependencies:
- tap>nyc>istanbul-lib-instrument>babel-types>[email protected]
- tap>nyc>istanbul-lib-instrument>babel-generator>babel-types>[email protected]
- tap>nyc>istanbul-lib-instrument>babel-template>babel-traverse>babel-types>[email protected]_
Severity: MEDIUM
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_finding
Ignore this specific single instance of finding#jit_undo_ignore
Undo ignore command
@@ -10,6 +10,6 @@ | |||
"dependencies": { | |||
"node-uuid": "1.4.0", | |||
"qs": "0.0.6", | |||
"tap": "^5.8.0" | |||
"tap": "^11.1.3" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Prototype Pollution In Handlebars
Description: tap>nyc>istanbul-reports>[email protected]
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_finding
Ignore this specific single instance of finding#jit_undo_ignore
Undo ignore command
@@ -10,6 +10,6 @@ | |||
"dependencies": { | |||
"node-uuid": "1.4.0", | |||
"qs": "0.0.6", | |||
"tap": "^5.8.0" | |||
"tap": "^11.1.3" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Regular Expression Denial Of Service In Handlebars
Description: tap>nyc>istanbul-reports>[email protected]
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_finding
Ignore this specific single instance of finding#jit_undo_ignore
Undo ignore command
@@ -10,6 +10,6 @@ | |||
"dependencies": { | |||
"node-uuid": "1.4.0", | |||
"qs": "0.0.6", | |||
"tap": "^5.8.0" | |||
"tap": "^11.1.3" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Prototype Pollution In Handlebars
Description: tap>nyc>istanbul-reports>[email protected]
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_finding
Ignore this specific single instance of finding#jit_undo_ignore
Undo ignore command
@@ -10,6 +10,6 @@ | |||
"dependencies": { | |||
"node-uuid": "1.4.0", | |||
"qs": "0.0.6", | |||
"tap": "^5.8.0" | |||
"tap": "^11.1.3" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Regular Expression Denial Of Service In Path-Parse
Description: tap>nyc>istanbul-lib-report>[email protected]
Severity: MEDIUM
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_finding
Ignore this specific single instance of finding#jit_undo_ignore
Undo ignore command
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
With an upgrade:
Why? Has a fix available, CVSS 7.4
SNYK-JS-HAWK-2808852
(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: tap
The new version differs by 250 commits.See the full diff
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.