New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

[Snyk] Fix for 6 vulnerabilities #8

Open

Dmarch28 wants to merge 1 commit into master from snyk-fix-d508f6de6037075da2a5f9e4da66b733

Owner

Dmarch28 commented Mar 11, 2021

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- deps/npm/docs/package.json
- deps/npm/docs/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	No	No Known Exploit
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-PRISMJS-1076581	No	No Known Exploit
	629/1000 Why? Has a fix available, CVSS 8.3	Cross-site Scripting (XSS) SNYK-JS-PRISMJS-597628	No	No Known Exploit
	566/1000 Why? Recently disclosed, Has a fix available, CVSS 5.6	Command Injection SNYK-JS-REACTDEVUTILS-1083268	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: gatsby

The new version differs by 250 commits.

f1d3f7b chore(release): Publish
6e6ea56 chore(release): Publish rc
df50ce7 fix(gatsby): Add dir=ltr to Fast Refresh overlay (Inconsistent Date.prototype.getTime() value across different Node.js versions nodejs/node#29900) (fs: remove options.encoding from Dir.read*() nodejs/node#29908)
83adec5 chore(docs): update readme (windowsHide:true prevents SIGINT on child processes nodejs/node#29837) (module: warn on require of .js inside type: module nodejs/node#29909)
b2628da will git stop being weird (Gyp Python 3 fixes for Windows nodejs/node#29897) (NodeJs 12.11.1 NGHTTP2_ENHANCE_YOUR_CALM nodejs/node#29907)
c98c87f chore(release): Publish rc
c8bf571 fix(gatsby-source-wordpress): image fixes (configure.py: upgrade from optparse to argparse nodejs/node#29813) (test: remove unnecessary --expose-internals flags nodejs/node#29886)
85bb8ea fix(gatsby-plugin-image): Update peerdeps (src: bring 425 status code name into accordance with RFC 8470 nodejs/node#29880) (regex source property escaping value changed? nodejs/node#29888)
c266b83 fix(gatsby): Remove `react-hot-loader` deps & other unused deps (vm: add Synthetic modules nodejs/node#29864) (http2: allow passing FileHandle to respondWithFD nodejs/node#29876)
222ca3f fix(gatsby): with some custom babel configs array spreading with Set is not safe (deps: update npm to 6.12.0 nodejs/node#29885) (test: fix flaky test-http2-client-upload nodejs/node#29889)
ea31900 chore(release): Publish rc
f070422 fix(gatsby): Fix various small DEV_SSR bugs exposed in development_runtime tests (#29720) (esm: Unflag --experimental-modules nodejs/node#29866)
cb3b1ca chore: update peerdeps to latest major versions (doc: notes about forwarding stream options nodejs/node#29857) (esm: unflag --experimental-exports nodejs/node#29867)
8639f7b fix(create-gatsby): Use legacy peer deps (stream: How to destroy and stop Readable? nodejs/node#29856) (module: allow unrestricted cjs requires nodejs/node#29862)
fdc1fe2 fix(gatsby): fix some css HMR edge cases (doc: fix tls version values nodejs/node#29839) (Future work for source-map functionality nodejs/node#29865)
e8a7e3b fix(gatsby-plugin-preact): fix fast-refresh (Weird behaviour when spawning bash scripts nodejs/node#29831) (doc: Documenting known issues and discrepancies nodejs/node#29860)
e7453c3 fix(gatsby): Improve Fast Refresh overlay styles (http: IncomingMessage destroyed state nodejs/node#29855) (stream: don't emit 'error' on non destructive errors? nodejs/node#29861)
76f4f96 chore: upgrade postcss & plugins (The digest function of the Crypto module's Hash object fails encoding hash in utf16le encoding nodejs/node#29793)
de6cba6 chore(release): Publish rc
aafe584 fix: query on demand loading indicator always active on preact. (The differences between http2 compatibility API and http[s] nodejs/node#29829) (stream: don't deadlock duplexpair nodejs/node#29836)
34f5b8c fix(hmr): accept hot updates for modules above page templates (cli: rename --loader to --experimental-loader nodejs/node#29752) (Update.README.js nodejs/node#29835)
b8d21f8 fix(gatsby): workaround graphql-compose issue (doc: correct typos in security release process nodejs/node#29822) (lib: introduce no-mixed-operators eslint rule to lib nodejs/node#29834)
32fee71 fix(gatsby): eslint linting (v12.11.1 release proposal nodejs/node#29796) (build: replace optparse for argparse in configure.py nodejs/node#29814)
bca7951 fix(gatsby-source-wordpress): HTML image regex's (repl: check for NODE_REPL_EXTERNAL_MODULE nodejs/node#29778) (http2: support passing options of http2.connect to net.connect nodejs/node#29816)

See the full diff

Package name: gatsby-plugin-sharp

The new version differs by 250 commits.

83cd408 chore(release): Publish
d6f0318 chore: use packlist for cleanup-package-dir (doc: add Gireesh to TSC nodejs/node#26657)
aa300f4 chore(docs):fixed file names and links in query-execution (doc: update spawnSync() status value possibilities nodejs/node#26680)
11ab72a chore(docs): fixed some links in query-execution (timers: remove dead code and simplify args check nodejs/node#26555)
fed2619 fix(docs): query filters -> update dictionary, code fences, fix code, brand name (http: improve for-loop readability in _http_outgoing.js nodejs/node#26408)
7de5f18 add code fences (tools: add and apply eslint rule no-regex-spaces nodejs/node#26409)
823e473 fix(docs): schema -> fix 404, remove deleted page from sidebar, apply redirects (doc: fix nits in report docs nodejs/node#26461)
21b94df Docs - Remove not inclusive words (src: remove already elevated Isolate namespace nodejs/node#26294)
652af04 fix(docs): schema -> code fences, code fix (tools: use dmn@2.2.1 nodejs/node#26462)
6b96972 chore(docs): Update GraphQL spelling in README.md (perf_hooks: reset prev_ before starting ELD timer nodejs/node#26693)
c2aeded fix(gatsby): properly unlock processes onExit ([v11.x] backport warning handler refactoring nodejs/node#26670)
93fdc09 fix(gatsby): only enable debugger when argument is given (C++ errors and JS errors format mismatch nodejs/node#26669)
7e83ace chore(docs): fix typos (src: fix warning in node_messaging nodejs/node#26682)
c40434a chore(docs): Fix a typo (add internal documentation nodejs/node#26665)
18f6b4d chore(docs): Fix typos (Node REPL broken from 11.10.* to 11.11.* on fish shell nodejs/node#26663)
dedd37f chore(gatsby-plugin-sharp, gatsby-transformer-sharp): update dependencies (doc: clarify http.ClientRequest path description nodejs/node#26259)
7975b91 chore(gatsby-recipes): Add a contributing.md to recipes (timers: refactor timer callback initialization nodejs/node#26583)
ac72bfb chore(release): Publish
703678e Admin/recipes gui (src: remove unused Converter object nodejs/node#26243)
04c75bb fix(gatsby): fix error from ts conversion (src: elevate v8 namespaces for PropertyAttribute nodejs/node#26681)
25e3a63 fix(gatsby): fix materialization edge case with nullish values (lib: run prepareMainThreadExecution for third_party_main nodejs/node#26677)
19020c2 chore(benchmarks): set semver to match any patch/minor for most deps (lib: use const where possible nodejs/node#26679)
608f40c chore: cherrypick Renovate updates (Stream this.push and spread operator does not work nodejs/node#26582)
6ba68f8 feat(gatsby): Support React 17's new JSX Transform (doc: update the Troubleshooting section of the Collaborator Guide nodejs/node#26652)

See the full diff

Package name: prismjs

The new version differs by 222 commits.

88a17b4 1.23.0
5dc7b42 Changelog v1.23.0 (child_process: execFile and fork arg parsing ambiguity nodejs/node#2681)
37b9c9a PHP: Fixed exponential backtracking ("Octal literals are not allowed in strict mode." is not a synax error nodejs/node#2684)
89f1e18 Latte: Fixed exponential backtracking (Merge vee-eight-4.5 into master nodejs/node#2682)
0a3932f C-like: Made all comments greedy (fs.realpath 70x slower than native nodejs/node#2680)
cdb24ab Line Highlight: Fixed print background color (Unreachable code in buffer.js and unsigned bitwise shifts. nodejs/node#2668)
e644178 Added test for polynomial backtracking (Object initializer for complex object( object inside object) nodejs/node#2597)
b40f8f4 Line highlight: Fixed top offset in combination with Line numbers (TCP socket unable to connect to localhost nodejs/node#2237)
2af3e2c Markdown: Improved URL tokenization (src: increment NODE_MODULE_VERSION to 46 nodejs/node#2678)
df0738e Test page: Don't trigger ad-blockers with class (http.IncomingMessage: fix forgotten 'message' to 'socket' nodejs/node#2677)
b5f4f10 Test page: Added "Share" option (crypto: Use OPENSSL_cleanse to shred the data. nodejs/node#2575)
0604793 New `start` script to start local server (tools: fix anchors in generated documents nodejs/node#2491)
8828500 Tests: Added strict checks for `Prism.languages.extend` (process: improve implement of process.uptime() nodejs/node#2572)
7266e32 Treeview: Fixed icons on dark themes ([3.2.0] Potential memory leak nodejs/node#2631)
7f23ef3 Fixed Danger CI for forks (doc: update COLLABORATOR_GUIDE nodejs/node#2638)
990f48f Fixed build
071232b Readme: Added alternative link for Chinese translation
fc57999 Bump ini from 1.3.5 to 1.3.7 (Investigate flaky test eval_messages nodejs/node#2672)
2ea202b README: Removed broken icon for Chinese translation (test: test-child-process-fork-net2 is flaky nodejs/node#2670)
9f82de5 thousands -> millions
f154134 CSP: Added missing directives and keywords (test: mark test-net-server-max-connections as flaky nodejs/node#2664)
a7ccc16 CSP: Do not highlight directive names with adjacent hyphens (test: mark test-vm-syntax-error-stderr as flaky nodejs/node#2662)
e01ecd0 Scheme: Fixed number pattern (test: mark eval_messages as flaky nodejs/node#2648)
05afbb1 Added test for exponential backtracking ([This is question] New node.js will provide the binary of master (develop) branch? nodejs/node#2590)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


          fix: deps/npm/docs/package.json & deps/npm/docs/package-lock.json to …

203c3f9

…reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
- https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-PRISMJS-1076581
- https://snyk.io/vuln/SNYK-JS-PRISMJS-597628
- https://snyk.io/vuln/SNYK-JS-REACTDEVUTILS-1083268

# for free to join this conversation on GitHub. Already have an account? # to comment

Labels

None yet