Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

[Snyk] Fix for 1 vulnerabilities #12

Open
wants to merge 1 commit into
base: latest
Choose a base branch
from
Open

[Snyk] Fix for 1 vulnerabilities #12

wants to merge 1 commit into from

Conversation

snyk-bot
Copy link

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 658/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-HOSTEDGITINFO-1088355		 Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: hosted-git-info The new version differs by 48 commits.
  • a810463 chore(release): 3.0.8
  • bede0dc fix: simplify the regular expression for shortcut matching
  • afe2808 chore(release): 3.0.7
  • eb5bd5a fix: correctly filter out urls for tarballs in gitlab
  • d30f96e chore(release): 3.0.6
  • c067102 fix: support to github gist legacy hash length
  • c53c6ab chore(release): 3.0.5
  • 167cef2 chore: properly advertise version support
  • 47c931e update lru-cache to latest
  • 8e0b0ec chore(release): 3.0.4
  • 0835306 fix: Do not pass scp-style URLs to the WhatWG url.URL
  • 6f39e93 chore(release): 3.0.3
  • 31140a7 Ensure passwords in hosted Git URLs are correctly escaped
  • 4636ac9 chore(release): 3.0.2
  • 3e5fbec fix: do not encodeURIComponent the domain
  • 97c8caa chore(release): 3.0.1
  • e3e3054 fix: update pathmatch for gitlab
  • af4835c test: added script to get coverage report
  • d04239b test: removed unused testing structure
  • 4693b9c test: moved all github url tests together
  • a03d51e test: added refactered tests for bitbucket
  • 0aea712 test: added ignore; for 100% testing (this seems wonky)
  • b473c55 test: added basic test for ._fill() method
  • fa87af7 fix: updated pathmatch for gitlab

See the full diff

Package name: init-package-json The new version differs by 21 commits.

See the full diff

Package name: libnpmhook The new version differs by 14 commits.

See the full diff

Package name: normalize-package-data The new version differs by 20 commits.

See the full diff

Package name: npm-package-arg The new version differs by 10 commits.
  • bf86221 chore(release): 7.0.0
  • 68a4fc3 deps: bump hosted-git-info to 3.0.2
  • ee44e84 chore: update deps
  • 1da5ca9 chore(release): 6.1.1
  • 84a9569 chore: add node 12 to travis
  • c5da1f4 chore: boost test coverage to 100%
  • 3909203 fix: preserve drive letter on windows git file:// urls
  • a5a18b3 chore: update CI for current Node LTS
  • b2c1e0c deps: bump devDeps
  • db7ca93 deps: bump deps

See the full diff

Package name: npm-pick-manifest The new version differs by 20 commits.
  • 405d00b chore(release): 4.0.0
  • 42c76d8 deps: bump npm-package-arg to v7
  • 8e66272 chore(release): 3.0.2
  • 420fb8c chore: update repo links
  • 543da7c chore(release): 3.0.1
  • 003286e fix: throw 403 for forbidden major/minor versions
  • ed0fc29 chore(release): 3.0.0
  • 6ab64fd chore: remove node 4.0 from travis
  • ad2a962 feat: throw forbidden error when package is blocked by policy
  • cf0c612 chore(release): 2.2.3
  • 5e89b62 fix(enjoyBy): rework semantics for enjoyBy again
  • dcef9cd chore(release): 2.2.2
  • 5684f45 fix(enjoyBy): rework semantics for enjoyBy
  • 3ed20c0 chore(release): 2.2.1
  • 96410c4 test: improve error messaging and add more tests to enjoyBy feature
  • b0ea20a chore(release): 2.2.0
  • 0b8a790 feat(enjoyBy): add opts.enjoyBy option to filter versions by date
  • 6effde4 opts: use figgy-pudding for opts
  • d5ae6c4 fix(audit): npm audit fix --force
  • 7c9e986 deps: add figgy-pudding

See the full diff

Package name: npm-registry-fetch The new version differs by 65 commits.
  • 622afb4 chore(release): 5.0.1
  • 7aa14fd deps: update all deps
  • 5764c15 deps: npm-package-arg@7
  • 786f092 chore(release): 5.0.0
  • 41ff216 chore: update travis config
  • 39e5cfe doc: fix badge url
  • 97c1208 chore: update tap, improve offline/prefer-offline tests
  • 82abf26 chore: Add missing tests and clean up dead code
  • 90ac7b1 fix: prefer const in getAuth function
  • e64702e fix: use minizlib instead of core zlib
  • 5cfe30b test: add string query example to test
  • e7286f7 fix!: Use native Promises
  • bb37f20 feat: refactor to use Minipass streams
  • b758555 chore(release): 4.0.2
  • e3a0186 fix: Add null check on body on 401 errors
  • ff5f990 test(check-response): Added missing tests
  • 49059f0 chore(release): 4.0.1
  • 8eae5f0 fix(deps): Add explicit dependency on safe-buffer
  • 5dbd1d7 chore(release): 4.0.0
  • 0c4f060 cacache@12.0.0, infer uid from cache folder
  • 4b62980 chore(release): 3.9.1
  • 7878bbe deps: make-fetch-happen@4.0.2
  • e064215 deps: lru-cache@5.1.1
  • 4491843 chore(release): 3.9.0

See the full diff

Package name: pacote The new version differs by 154 commits.
  • ed57e5c 10.1.2
  • d9bce22 git: resolved should be a git+ssh:// url, not just ssh://
  • 84535a3 git: Fall back from tgz to ssh on HTTP errors
  • 7ee23c3 git: make 'from' and 'resolved' consistent and useful
  • 10ff45f update deps to pull in newer hosted-git-info
  • 88beaab Return the requested spec as the 'from' value
  • e5b84f2 test: fix git configs for git 2.23 and above
  • 5a3bfbd typo in bin usage text
  • 04a0f0c Keep home dir out of snapshots
  • ae7c912 10.1.1
  • cb31be8 filter out .swp files from package
  • 43e239d 10.1.0
  • 3d4012a add pacote CLI
  • 99a3f21 update tap
  • dc10617 test: node 13 made errno a number again
  • e516f96 add repository field to package
  • 37f24b3 10.0.0
  • ad72e94 test: use t.testdir() instead of manually creating test dirs
  • a79846e fresh update all deps
  • 2e4482a Improve integrity consistency and handling
  • 9964c7b update tap and minipass-fetch
  • 6460b02 Remove spurious top-level dep on make-fetch-happen
  • 1f4473a Pack and unpack preserving exec perms on all package bins
  • 347c563 Cache manifest as fetcher.package

See the full diff

Package name: read-package-json The new version differs by 17 commits.
  • 9f7049d chore(release): 3.0.0
  • 19d9fbe fix: check-in updated lockfile
  • eef46fa chore: add engines definition
  • 36b7ef7 chore: remove old .travis.yml envs
  • b3a8831 globa@7.1.6
  • fb3ceae json-parse-even-better-errors@2.3.1
  • 78add03 npm-normalize-package-bin@1.0.1
  • 7595d70 normalize-package-data@3.0.0
  • 10175d8 chore(release): 2.1.2
  • fdbf082 fix: even better json errors, remove graceful-fs
  • e78afd6 chore(release): 2.1.1
  • b8cb5fa fix: normalize and sanitize pkg bin entries
  • 55382c2 chore(release): 2.1.0
  • 0a176cc Add some tests and clean up error handling for non-string bins
  • 76f6f42 feat: support bundleDependencies: true
  • 4e1e4d2 some tests for index.js parsing
  • 67f2d8d chore: update CI for current Node LTS

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@snyk-bot