[Snyk] Fix for 16 vulnerabilities #16

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

nahidf wants to merge 1 commit into master from snyk-fix-213fd10ef950e3b43f4f85612fc130ba

Owner

nahidf commented Oct 5, 2022

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-DECOMPRESS-557358	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	No	No Known Exploit
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Improper Privilege Management SNYK-JS-SHELLJS-2332187	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	No	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: chalk

The new version differs by 53 commits.

3fca615 2.0.0
f66271e Add tagged template literal (#163)
23ef1c7 fix linter errors
c015568 add rainbow example
09fb2d8 Re-implement `chalk.enabled` (#160)
608242a spoof supports-color
18f2e7c add host information output
523b998 Revert "TEMPORARY: emergency travis CI fix (see comments)"
54975fb TEMPORARY: emergency travis CI fix (see comments)
1d73b21 Improve readme
6f4d6b3 Bump dependencies
8702496 Remove `chalk.styles`
0412cdf Minor code improvements
249b9ac ES2015ify the codebase
cb3f230 Add RGB (256/Truecolor) support (#140)
dbae68d Update dependent package count in the readme (#154)
9b60021 Drop support for Node.js 0.10 and 0.12
0d21449 check parent builder object for enabled status (#142)
5a69476 add XO badge
492f11f add example file
4ce73b6 make XO happy
7c02cf4 Add log statement to chalk examples (#129)
835ca3d You've just reached 10,000 dependent modules. (#122)
74c087d minor doc improvements (#120)

See the full diff

Package name: yeoman-generator

The new version differs by 250 commits.

aad5fac 5.0.0
4f4a802 Add transform to expected priority.
57d240c Remove only from test.
812751f Lint fix
33d050f Implement getFeatures for singleton support.
99ac2c5 Add transform priority.
5136342 Bump peter-evans/create-pull-request from v3.8.0 to v3.8.2 (#1278)
fa408bd Bump actions/stale from v3.0.15 to v3.0.16 (#1275)
d7103f3 Drop reference from yeoman-test repository
b36f294 Bump yeoman-environment to 3.0.0-rc.1
ee0d1ad Hide shared options and drop support for kebab case options.
310f72d Fix spawn destinationRoot.
8f4afe9 Switch composeWith to use environment.
e9d0a15 Remove support for chainning at composeWith.
c2245e1 Switch from node 10 to 12 at Travis.
5be7b07 5.0.0-rc.0
8a448b4 Bump yeoman-environment to 3.0.0-rc.0
6d6c4b0 Changes to queueTransformStream
632d60d Add option to skip parsing options.
7050e53 Pass destinationRoot to spawn-command by default.
097cd20 Implement package-json mixin.
52c90a2 Add merge support to Storage.
f4336d9 5.0.0-beta.1
1952724 Change version to 5.0.0-beta.0

See the full diff

Package name: yosay

The new version differs by 4 commits.

4534a16 2.0.0
00c279f ES2015ify
af09c7a Bump minimum supported `node` version to `node@4`. ([Snyk] Security upgrade yeoman-generator from 0.19.2 to 5.0.0 #25)
1614e0a fix travis

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn


          fix: package.json & .snyk to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-DECOMPRESS-557358
- https://snyk.io/vuln/SNYK-JS-GOT-2932019
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-1019388
- https://snyk.io/vuln/SNYK-JS-SHELLJS-2332187
- https://snyk.io/vuln/SNYK-JS-TRIMNEWLINES-1298042
- https://snyk.io/vuln/npm:lodash:20180130
- https://snyk.io/vuln/npm:minimatch:20160620
- https://snyk.io/vuln/npm:tunnel-agent:20170305


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/npm:lodash:20180130

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet