
[Snyk] Fix for 22 vulnerabilities #2

Open
snyk-bot wants to merge 1 commit into master from snyk-fix-dec28cd91a383f804e76e59c412bbb7a


@snyk-bot snyk-bot commented Sep 8, 2021

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Why? | Issue | Snyk ID | Breaking Change | Exploit Maturity |
|---|---|---|---|---|---|---|
| high | 589/1000 | Has a fix available, CVSS 7.5 | Insecure Encryption | SNYK-JS-BCRYPT-572911 | Yes | No Known Exploit |
| medium | 616/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.9 | Cryptographic Issues | SNYK-JS-BCRYPT-575033 | Yes | Proof of Concept |
| medium | 526/1000 | Proof of Concept exploit, Has a fix available, CVSS 4.1 | Arbitrary Code Injection | SNYK-JS-EJS-1049328 | Yes | Proof of Concept |
| high | 589/1000 | Has a fix available, CVSS 7.5 | Denial of Service (DoS) | SNYK-JS-EXPRESSFILEUPLOAD-473997 | Yes | No Known Exploit |
| high | 696/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.5 | Prototype Pollution | SNYK-JS-EXPRESSFILEUPLOAD-595969 | Yes | Proof of Concept |
| high | 579/1000 | Has a fix available, CVSS 7.3 | Prototype Pollution | SNYK-JS-MATHJS-1016401 | Yes | No Known Exploit |
| high | 624/1000 | Has a fix available, CVSS 8.2 | Arbitrary File Overwrite | SNYK-JS-TAR-1536528 | Yes | No Known Exploit |
| high | 688/1000 | Currently trending on Twitter, Has a fix available, CVSS 8.2 | Arbitrary File Overwrite | SNYK-JS-TAR-1536531 | Yes | No Known Exploit |
| low | 410/1000 | Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-TAR-1536758 | Yes | No Known Exploit |
| high | 711/1000 | Recently disclosed, Has a fix available, CVSS 8.5 | Arbitrary File Write | SNYK-JS-TAR-1579147 | Yes | No Known Exploit |
| high | 711/1000 | Recently disclosed, Has a fix available, CVSS 8.5 | Arbitrary File Write | SNYK-JS-TAR-1579152 | Yes | No Known Exploit |
| high | 711/1000 | Recently disclosed, Has a fix available, CVSS 8.5 | Arbitrary File Write | SNYK-JS-TAR-1579155 | Yes | No Known Exploit |
| high | 654/1000 | Has a fix available, CVSS 8.8 | Arbitrary Code Execution | SNYK-JS-TYPEDFUNCTION-174139 | No | No Known Exploit |
| medium | 586/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-VALIDATOR-1090599 | Yes | Proof of Concept |
| medium | 586/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-VALIDATOR-1090600 | Yes | Proof of Concept |
| medium | 586/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-VALIDATOR-1090601 | Yes | Proof of Concept |
| medium | 586/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-VALIDATOR-1090602 | Yes | Proof of Concept |
| high | 579/1000 | Has a fix available, CVSS 7.3 | Arbitrary Code Execution | npm:mathjs:20170331 | No | No Known Exploit |
| medium | 494/1000 | Has a fix available, CVSS 5.6 | Arbitrary Code Execution | npm:mathjs:20170402 | No | No Known Exploit |
| medium | 494/1000 | Has a fix available, CVSS 5.6 | Arbitrary Code Execution | npm:mathjs:20170527 | No | No Known Exploit |
| high | 579/1000 | Has a fix available, CVSS 7.3 | Arbitrary Code Execution | npm:mathjs:20171118 | No | No Known Exploit |
| critical | 704/1000 | Has a fix available, CVSS 9.8 | Arbitrary Code Execution | npm:mathjs:20171118-1 | No | No Known Exploit |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: bcrypt. The new version differs by 167 commits.
  • 61139e6 v5.0.0
  • 1bde62c Update node-pre-gyp to 0.15.0
  • 40770d6 Add NodeJS 14 to appveyor CI
  • 5916a46 Merge pull request #807 from techhead/known_length
  • f28e916 Reword comment
  • ca1e43b Add test for embedded NULs
  • 1a81858 Pass key_len to bcrypt(). Fix for issues #774, #776
  • cf4efd9 Merge pull request #647 from ilatypov/master
  • 15febd1 Allow using an enterprise artifactory.
  • 96c41e2 Mark z/OS compatibility code as such
  • dd32df1 Add z/OS support
  • ac14738 Update CHANGELOG.md
  • d9e54b4 Merge pull request #806 from techhead/2b_overflow
  • 9548df5 Fix overflow bug. See issue #776
  • 4c38d38 Merge pull request #804 from jokester/add-arm64-build
  • 41d9ba2 add linux-arm64 to build matrix
  • bc114fb Update node-addon-api to v3.0.0
  • 61f6308 Use travis to deploy future releases
  • 87c214f v4.0.1
  • 9758e68 Prepare for uploading releases from inside docker
  • 1511821 Define _GNU_SOURCE while compiling for MUSL
  • e01e78a Add alpine-linux to CI
  • bbb6b2d Readme: fix node version for v4.0.0
  • 738e4e2 Update CHANGELOG.md

See the full diff

Package name: express-fileupload. The new version differs by 250 commits.

See the full diff

Package name: mathjs. The new version differs by 250 commits.
  • 2594c69 Publish v7.5.1
  • ecb8051 Fix object pollution vulnerability in `math.config`
  • a2858e2 Publish v7.5.0
  • a72deb3 Update history
  • c5ab722 Merge branch 'pickrandom-allow-any-array)' of https://github.com/KonradLinkowski/mathjs into develop
  • 7575156 Publish v7.4.0
  • 642db06 Update history
  • 439ec41 Feat/rotate matrix (#1984)
  • 7854a9b Update history
  • a5cbb6a pickRandom - flatten the array
  • ca05c25 Allow any array in pickRandom function
  • bc4d94b Update history and authors list
  • becab40 sqrtm - throw an error for matrices with dimension greater than two (#1977)
  • f3c4a90 Update history
  • 9f06dad floor and cell with precision (#1967)
  • 76f6085 Publish v7.3.0
  • 73c66b9 Update devDependencies
  • f2d7a1b Update history and authors list
  • 1d0ce02 Merge remote-tracking branch 'origin/develop' into develop
  • f5d843b Binary, octal, and hexadecimal literals and formatting (#1968)
  • d82fc39 Simplify require url in math_worker example
  • 91fa8ea Fix require url in math_worker example
  • 18996cb Update devDependencies
  • 93ac70a Update history and authors list

See the full diff

Package name: sequelize. The new version differs by 250 commits.
  • 56bb1d6 fix(dependency): upgrade validator (#13350)
  • b674600 chores: keep only @ papb email in maintainers field
  • 5fa695f meta: empty commit to rerun ci
  • dc3ec53 fix(ci): fix semantic-release usage
  • c7d7ca5 meta: forbid auto major version release
  • cd2de40 fix(typings): make `Transactionable` compatible with `TransactionOptions` (#13334)
  • 1a16b91 fix(utils): clone attributes before mutating them (#13226)
  • 39299a6 docs(read-replication.md): fix typo (#13179)
  • d0d7188 docs(eager-loading.md): fix typo (#13161)
  • 1cfbd33 fix(data-types): use proper field name for `ARRAY(ENUM)` (#13210)
  • 444f06f docs(migrations.md): grammar improvements (#13294)
  • b33d78e fix(typings): fix `ignoreDuplicates` option (#13220)
  • 6b0b532 fix(typings): allow `schema` for queryInterface methods (#13223)
  • 63ceb73 fix(typings): restrict update typings (#13216)
  • 143cc84 fix(typings): `returning` can specify column names (#13215)
  • 8f2a0d5 fix(typings): model init returns model class, not instance (#13214)
  • deeb5c6 fix(plurals): bump inflection dependency (#13260)
  • 421f44d docs(model-querying-basics.md): fix typo (#13256)
  • 68ef453 docs(model-querying-basics.md): fix typo (#13324)
  • 1c1aa33 refactor: nonempty array check style
  • 6dcb565 fix(bulk-create): `ON CONFLICT` with unique index (#13345)
  • 97b3767 meta: improve `contributing.md` and `sscce.js`
  • 0a90312 meta: remove unused Dockerfile
  • aaf3234 meta: refactor mocha configuration

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


sonarqubecloud bot commented Sep 8, 2021

Kudos, SonarCloud Quality Gate passed!

  • Bugs: 0 (rating A)
  • Vulnerabilities: 0 (rating A)
  • Security Hotspots: 0 (rating A)
  • Code Smells: 0 (rating A)
  • Coverage: no coverage information
  • Duplication: 0.0%
