Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 15 vulnerabilities #45

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

baophucct
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
Yes Proof of Concept
critical severity 679/1000
Why? Has a fix available, CVSS 9.3
Incomplete List of Disallowed Inputs
SNYK-JS-BABELTRAVERSE-5962463
Yes No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-BROWSERSLIST-1090194
Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-COLORSTRING-1082939
Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-GLOBPARENT-1016905
Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-HTMLMINIFIER-3091181
Yes Proof of Concept
medium severity 429/1000
Why? Has a fix available, CVSS 4.3
Reverse Tabnabbing
SNYK-JS-ISTANBULREPORTS-2328088
Yes No Known Exploit
medium severity 641/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.4
Prototype Pollution
SNYK-JS-JSON5-3182856
Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-POSTCSS-1255640
Yes Proof of Concept
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
Improper Input Validation
SNYK-JS-POSTCSS-5926692
Yes No Known Exploit
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5
Server-side Request Forgery (SSRF)
SNYK-JS-REQUEST-3361831
Yes Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5
Prototype Pollution
SNYK-JS-TOUGHCOOKIE-5672873
Yes Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Prototype Pollution
SNYK-JS-UNSETVALUE-2400660
Yes No Known Exploit
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:braces:20180219
Yes Proof of Concept
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
npm:content-type-parser:20170905
Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: css-loader The new version differs by 98 commits.
  • 634ab49 chore(release): 2.0.0
  • 6ade2d0 refactor: remove unused file (#860)
  • e7525c9 test: nested url (#859)
  • 7259faa test: css hacks (#858)
  • 5e6034c feat: allow to filter import at-rules (#857)
  • 5e702e7 feat: allow filtering urls (#856)
  • 9642aa5 test: css stuff (#855)
  • 3338656 fix: reduce number of require for url (#854)
  • 533abbe test: issue 636 (#853)
  • 08c551c refactor: better warning on invalid url resolution (#852)
  • b0aa159 test: issue #589 (#851)
  • f599c70 fix: broken unucode characters (#850)
  • 1e551f3 test: issue 286 (#849)
  • 419d27b docs: improve readme (#848)
  • d94a698 refactor: webpack-default (#847)
  • b97d997 feat: schema options
  • 453248f fix: support module resolution in composes (#845)
  • 8a6ea10 refactor: postcss plugins (#844)
  • fdcf687 fix: url resolving logic (#843)
  • 889dc7f feat: allow to disable css modules and disable their by default (#842)
  • ee2d253 test: importLoaders option (#841)
  • 1dad1fb feat: reuse postcss ast from other loaders (i.e `postcss-loader`) (#840)
  • fe94ebc test: icss reserved keywords (#839)
  • 9eaba66 refactor: migrate on message api for postcss-icss-plugin (#838)

See the full diff

Package name: fork-ts-checker-webpack-plugin The new version differs by 250 commits.

See the full diff

Package name: html-webpack-plugin The new version differs by 203 commits.
  • eb73905 chore(release): 4.0.0
  • 42a6d4a Add typing for getHooks
  • a1a37cf Release html-webpack-plugin 4.0.0-beta.14
  • 97f9fb9 fix: load script files before style files files in defer script loading mode
  • e97ce17 Release html-webpack-plugin 4.0.0-beta.13
  • e448b5d Release html-webpack-plugin 4.0.0-beta.12
  • de315eb feat: Add defer script loading
  • 7df269f feat: Provide a verbose error message if html minification failed
  • 1d66e53 feat: merge templateParameters with default template parameters
  • dfb98e7 Fix typo in template option docts
  • 096a760 Fix broken links in examples
  • a195c34 docs: Update template-option documentation
  • 40b410e docs: Update example for template parameters
  • bf017f3 chore: Release 4.0.0-beta.11
  • 2549557 test: Don't use minification for speed measurement
  • de22fc2 test: Adjust measurment for node 6 on travis
  • 24bf1b5 fix: Update references to html-minifier
  • f4eafdc chore: Release 4.0.0-beta.10
  • a2ad30a refactor: Use getAssetPath instead of calling the hook directly
  • 2595a79 chore: Release 4.0.0-beta.9
  • c66766c feat: Add support for minifying inline ES6 inside html templates
  • 655cbcd Fix README typo
  • 6de319b update lodash dependency for prototype polution vulnerability
  • 35a1541 Properly encode file names emitted as part of URLs.

See the full diff

Package name: ts-jest The new version differs by 250 commits.
  • 6916e7b Merge pull request #650 from kulshekhar/kulshekhar-patch-1
  • 54a30eb Bump the version (minor)
  • 9e61969 Merge pull request #626 from huafu/feature/upgrade-babel-and-fix-tsconfig
  • ef21f50 Merge branch 'master' into feature/upgrade-babel-and-fix-tsconfig
  • c67ba4d Merge pull request #649 from kulshekhar/greenkeeper/monorepo.react-16.4.2
  • 9a6904f Merge branch 'master' of https://github.com/kulshekhar/ts-jest into feature/upgrade-babel-and-fix-tsconfig
  • 8a94008 chore(package): update react-test-renderer to version 16.4.2
  • 6e73fb9 chore(package): update react to version 16.4.2
  • c947791 chore(package): update @ types/node to version 10.5.5 (#646)
  • fd24ae6 Merge pull request #640 from jmheik/to-dev-deps
  • e2028da Merge branch 'master' into to-dev-deps
  • 4396dde Merge pull request #641 from jeznag/patch-1
  • 7d78123 Merge branch 'master' into patch-1
  • b38e4ca Add TypeScript ^3.0.0 as supported peer dependencies (#644)
  • 1e287f3 Add more details on using module name mapper
  • df71945 doc: adds troubleshooting wiki page links
  • 0b2e406 Move dev only deps to devDependencies.
  • fb5cd12 chore: simplify jest config test helper + moves test utils
  • ddc8c32 chore: moves test-utils.ts in __helpers__ dir
  • a5370cf Merge branch 'master' into feature/upgrade-babel-and-fix-tsconfig
  • db590d2 Update @ types/react to the latest version 🚀 (#631)
  • 4fc3933 chore: changes after GeeWee review
  • fbe4f1f perf: do not hash cache key, jest does it underneath
  • 5ab100c fix: resolves correctly config file path (fix #636)

See the full diff

Package name: webpack The new version differs by 250 commits.
  • 610f368 5.0.0
  • 5ce65c1 update examples
  • bbe1230 Merge pull request #11628 from webpack/bugfix/real-content-hash
  • 75ecff2 5.0.0-rc.6
  • bfc35d6 Merge pull request #11603 from MayaWolf/master
  • 76e8cbd Merge pull request #11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
  • 9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
  • 36bcfaa Merge pull request #11621 from webpack/bugfix/11619
  • 9130d10 fix called variables with ProvidePlugin
  • 3e42105 Merge pull request #11620 from webpack/bugfix/11617
  • 4709719 skip connections copied to concatenated module
  • 57b493f 5.0.0-rc.5
  • 1658e2f Merge pull request #11618 from webpack/bugfix/11615
  • a8fb45d fixes crash in SideEffectsFlagPlugin
  • 84b196d emit error instead of crashing when unexpected problem occurs
  • 5573fed Merge pull request #11601 from Hornwitser/improve-suggested-polyfill-config
  • 9b5cce9 Merge pull request #11609 from snitin315/export-types
  • 37c495c export type RuleSetUseItem
  • 39faf34 export type RuleSetUse
  • e5fd246 export type RuleSetConditionAbsolute
  • 660baad export RuleSetCondition types
  • 13e3ca5 Merge pull request #11602 from webpack/bugfix/shared-runtime-chunk
  • 9c0587e Merge pull request #11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
  • 502d166 Merge pull request #11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Package name: webpack-dev-server The new version differs by 250 commits.
  • c9271b9 chore(release): 4.0.0
  • 18bf369 test: fix stability (#3676)
  • cdcabb2 fix: respect protocol from browser for manual setup (#3675)
  • 1768d6b fix: initial reloading for lazy compilation (#3662)
  • 4f5bab1 docs: improve examples (#3672)
  • f2d87fb fix: improve https CLI output (#3673)
  • 0277c5e chore: remove redundant console statements (#3671)
  • 16fcdbc docs: add `ipc` example (#3667)
  • 8915fb8 test: add e2e tests for built in routes (#3669)
  • 4d1cbe1 docs: ask `version` information in issue template (#3668)
  • b6c1881 chore(deps-dev): bump core-js from 3.16.1 to 3.16.2 (#3666)
  • ffa8cc5 chore(deps-dev): bump supertest from 6.1.5 to 6.1.6 (#3665)
  • f1fdaa7 chore(release): 4.0.0-rc.1
  • c4678bc fix: legacy API (#3660)
  • d8bdd03 test: fix stability (#3661)
  • 22b1414 refactor: remove `killable` (#3657)
  • 75bafbf test: add e2e tests for module federation (#3658)
  • 493ccbd chore(deps): update `ws` (#3652)
  • ae8c523 test: add e2e test for universal compiler (#3656)
  • f94b84f chore(deps): update (#3655)
  • 1923132 test: fix cli
  • 2adfd01 test: fix todo (#3653)
  • 6e2cbde fix: proxy logging and allow to pass options without the `target` option (#3651)
  • c9ccc96 fix: respect infastructureLogging.level for client.logging (#3613)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Improper Input Validation
🦉 More lessons are available in Snyk Learn

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants