Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

[Snyk] Fix for 55 vulnerabilities #116

Open
wants to merge 1 commit into
base: latest
Choose a base branch
from

Conversation

snyk-io[bot]
Copy link

@snyk-io snyk-io bot commented Oct 22, 2024

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • workspaces/arborist/test/fixtures/tap-with-yarn-lock/node_modules/esprima/package.json
    • workspaces/arborist/test/fixtures/tap-with-yarn-lock/node_modules/esprima/.snyk

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 147/1000
Why? Confidentiality impact: High, Integrity impact: High, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1345, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 8.63, Likelihood: 1.69, Score Version: V5
Directory Traversal
SNYK-JS-ADMZIP-1065796
Yes No Known Exploit
high severity 159/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00396, Social Trends: No, Days since published: 1136, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.65, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
No Proof of Concept
high severity 169/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00045, Social Trends: No, Days since published: 162, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.81, Score Version: V5
Uncontrolled resource consumption
SNYK-JS-BRACES-6838727
Yes Proof of Concept
high severity 159/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00242, Social Trends: No, Days since published: 1383, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.65, Score Version: V5
Denial of Service (DoS)
SNYK-JS-ENGINEIO-1056749
Yes Proof of Concept
high severity 114/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00096, Social Trends: No, Days since published: 701, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.89, Score Version: V5
Denial of Service (DoS)
SNYK-JS-ENGINEIO-3136336
Yes No Known Exploit
medium severity 121/1000
Why? Confidentiality impact: High, Integrity impact: None, Availability impact: None, Scope: Changed, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Adjacent, EPSS: 0.01055, Social Trends: No, Days since published: 1847, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 6.65, Likelihood: 1.82, Score Version: V5
Man-in-the-Middle (MitM)
SNYK-JS-HTTPSPROXYAGENT-469131
Yes Proof of Concept
medium severity 141/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Local, EPSS: 0.01055, Social Trends: No, Days since published: 327, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.35, Score Version: V5
Missing Release of Resource after Effective Lifetime
SNYK-JS-INFLIGHT-6095116
Yes Proof of Concept
medium severity 179/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01027, Social Trends: No, Days since published: 667, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 7.84, Likelihood: 2.28, Score Version: V5
Prototype Pollution
SNYK-JS-JSON5-3182856
Yes Proof of Concept
medium severity 123/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00105, Social Trends: No, Days since published: 989, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 98, Impact: 4.19, Likelihood: 2.93, Score Version: V5
Cross-site Scripting (XSS)
SNYK-JS-KARMA-2395349
Yes Proof of Concept
medium severity 81/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00093, Social Trends: No, Days since published: 972, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 98, Impact: 4.19, Likelihood: 1.93, Score Version: V5
Open Redirect
SNYK-JS-KARMA-2396325
Yes No Known Exploit
medium severity 45/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00306, Social Trends: No, Days since published: 694, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.9, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LOADERUTILS-3042992
Yes No Known Exploit
high severity 115/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.0097, Social Trends: No, Days since published: 718, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.91, Score Version: V5
Prototype Pollution
SNYK-JS-LOADERUTILS-3043105
Yes No Known Exploit
medium severity 45/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00694, Social Trends: No, Days since published: 715, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.91, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LOADERUTILS-3105943
Yes No Known Exploit
medium severity 63/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00231, Social Trends: No, Days since published: 1345, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.65, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905
Yes Proof of Concept
high severity 239/1000
Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): High, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00858, Social Trends: No, Days since published: 1345, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.79, Likelihood: 2.44, Score Version: V5
Code Injection
SNYK-JS-LODASH-1040724
Yes Proof of Concept
high severity 152/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.02082, Social Trends: No, Days since published: 1939, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.69, Score Version: V5
Prototype Pollution
SNYK-JS-LODASH-450202
Yes Proof of Concept
high severity 150/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1523, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.67, Score Version: V5
Prototype Pollution
SNYK-JS-LODASH-608086
Yes Proof of Concept
high severity 170/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 190, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.83, Score Version: V5
Prototype Pollution
SNYK-JS-LODASH-6139239
Yes Proof of Concept
high severity 149/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00128, Social Trends: No, Days since published: 2090, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.64, Score Version: V5
Prototype Pollution
SNYK-JS-LODASH-73638
Yes Proof of Concept
medium severity 133/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): High, Attack Complexity: High, Attack Vector: Network, EPSS: 0.004, Social Trends: No, Days since published: 2027, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.21, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-73639
Yes Proof of Concept
medium severity 75/1000
Why? Confidentiality impact: High, Integrity impact: None, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: Low, Attack Vector: Local, EPSS: 0.00047, Social Trends: No, Days since published: 1006, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.24, Score Version: V5
Information Exposure
SNYK-JS-LOG4JS-2348757
Yes No Known Exploit
high severity 124/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00045, Social Trends: No, Days since published: 162, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.06, Score Version: V5
Inefficient Regular Expression Complexity
SNYK-JS-MICROMATCH-6838728
Yes No Known Exploit
low severity 59/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.03488, Social Trends: No, Days since published: 946, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Low, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.51, Score Version: V5
Prototype Pollution
SNYK-JS-MINIMIST-2429795
Yes Proof of Concept
medium severity 137/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00105, Social Trends: No, Days since published: 1686, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.42, Score Version: V5
Prototype Pollution
SNYK-JS-MINIMIST-559764
Yes Proof of Concept
high severity 154/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 867, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.56, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-MOCHA-2863123
Yes No Known Exploit
high severity 154/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1668, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.56, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-MOCHA-561476
Yes No Known Exploit
medium severity 111/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00111, Social Trends: No, Days since published: 585, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 2.64, Score Version: V5
Server-side Request Forgery (SSRF)
SNYK-JS-REQUEST-3361831
Yes Proof of Concept
high severity 159/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.0016, Social Trends: No, Days since published: 490, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.64, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795
Yes Proof of Concept
medium severity 63/1000
Why? Confidentiality impact: Low, Integrity impact: None, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00162, Social Trends: No, Days since published: 1384, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.64, Score Version: V5
Insecure Defaults
SNYK-JS-SOCKETIO-1024859
Yes Proof of Concept
high severity 159/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00242, Social Trends: No, Days since published: 1383, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.65, Score Version: V5
Denial of Service (DoS)
SNYK-JS-SOCKETIOPARSER-1056752
Yes Proof of Concept
critical severity 186/1000
Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.0021, Social Trends: No, Days since published: 723, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Critical, Package Popularity Score: 99, Impact: 9.79, Likelihood: 1.9, Score Version: V5
Improper Input Validation
SNYK-JS-SOCKETIOPARSER-3091012
Yes No Known Exploit
medium severity 111/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00213, Social Trends: No, Days since published: 480, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 2.65, Score Version: V5
Prototype Pollution
SNYK-JS-TOUGHCOOKIE-5672873
Yes Proof of Concept
medium severity 46/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1077, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.92, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-UGLIFYJS-1727251
Yes No Known Exploit
high severity 115/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 982, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.92, Score Version: V5
Prototype Pollution
SNYK-JS-UNSETVALUE-2400660
Yes No Known Exploit
high severity 115/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1983, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 98, Impact: 5.99, Likelihood: 1.92, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-USERAGENT-174737
Yes No Known Exploit
medium severity 207/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): Required, Privileges Required (PR): Low, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00059, Social Trends: No, Days since published: 55, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 7.84, Likelihood: 2.64, Score Version: V5
Cross-site Scripting (XSS)
SNYK-JS-WEBPACK-7840298
Yes Proof of Concept
medium severity 63/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00222, Social Trends: No, Days since published: 1245, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.65, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835
Yes Proof of Concept
high severity 245/1000
Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.03027, Social Trends: No, Days since published: 1327, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.79, Likelihood: 2.49, Score Version: V5
Arbitrary Code Injection
SNYK-JS-XMLHTTPREQUESTSSL-1082936
Yes Proof of Concept
high severity 149/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00208, Social Trends: No, Days since published: 1275, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.65, Score Version: V5
Access Restriction Bypass
SNYK-JS-XMLHTTPREQUESTSSL-1255647
Yes Proof of Concept
low severity 58/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00117, Social Trends: No, Days since published: 2437, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Low, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.42, Score Version: V5
Regular Expression Denial of Service (ReDoS)
npm:braces:20180219
Yes Proof of Concept
low severity 58/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00296, Social Trends: No, Days since published: 2583, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Low, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.43, Score Version: V5
Regular Expression Denial of Service (ReDoS)
npm:debug:20170905
Yes Proof of Concept
critical severity 187/1000
Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00526, Social Trends: No, Days since published: 2731, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Critical, Package Popularity Score: 99, Impact: 9.79, Likelihood: 1.9, Score Version: V5
Arbitrary Code Injection
npm:growl:20160721
Yes No Known Exploit
high severity 257/1000
Why? Confidentiality impact: None, Integrity impact: Low, Availability impact: High, Scope: Unchanged, Exploit Maturity: Functional, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00659, Social Trends: No, Days since published: 2389, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 7.03, Likelihood: 3.66, Score Version: V5
Uninitialized Memory Exposure
npm:https-proxy-agent:20180402
Yes Mature
medium severity 140/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00122, Social Trends: No, Days since published: 2442, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.48, Score Version: V5
Prototype Pollution
npm:lodash:20180130
Yes Proof of Concept
low severity 40/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00171, Social Trends: No, Days since published: 2717, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Low, Package Popularity Score: 100, Impact: 2.35, Likelihood: 1.67, Score Version: V5
Regular Expression Denial of Service (ReDoS)
npm:ms:20170412
Yes No Known Exploit
high severity 114/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00112, Social Trends: No, Days since published: 3050, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.89, Score Version: V5
Regular Expression Denial of Service (ReDoS)
npm:negotiator:20160616
No No Known Exploit
high severity 114/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00115, Social Trends: No, Days since published: 2588, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 98, Impact: 5.99, Likelihood: 1.89, Score Version: V5
Regular Expression Denial of Service (ReDoS)
npm:parsejson:20170908
Yes No Known Exploit
high severity 114/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00105, Social Trends: No, Days since published: 3040, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.89, Score Version: V5
Denial of Service (DoS)
npm:ws:20160624
No No Known Exploit
medium severity 46/1000
Why? Confidentiality impact: Low, Integrity impact: None, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 2814, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.92, Score Version: V5
Insecure Randomness
npm:ws:20160920
No No Known Exploit
high severity 220/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Functional, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 2539, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 3.67, Score Version: V5
Denial of Service (DoS)
npm:ws:20171108
Yes Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: glob The new version differs by 118 commits.
  • a68703e 9.0.0
  • 58159ca test: cwd can be a url
  • a547a9c more docs
  • 42a3ac7 link to bash manual for Pattern Matching
  • 474172d update readme with cwd URL support
  • ad3904d update readme with posix class support
  • b22fc7d minimatch@7.3.0
  • cdd1627 update all the things, remove unused mkdirp types
  • 75c6416 Merge branch 'v9'
  • fa0cd77 cwd can be a file:// url
  • d03ed0a typedoc github action
  • 9a5a45a put bench results in readme
  • 20b2f88 docs, fix benchmark script
  • 4829c88 upgrade ci actions
  • 5cbacdd minimatch@7.2.0
  • 210310b omit symlinks on windows
  • d34c8d5 full test coverage, clean up signals and remove extranous code
  • 5f21b46 adding lots of tests, clean up types
  • b12e6ba slashes on nodir test
  • 75f74b0 more windows test slashes
  • 3aa1abd more windows test affordances
  • 3e68a7b some windows test affordances
  • 8c2e082 feature complete and tests passing
  • c3be35a correct ** vs ./** behavior

See the full diff

Package name: karma The new version differs by 250 commits.
  • d8cf806 chore(release): 6.4.3 [skip ci]
  • d7f2d69 fix: add build commits for patch release
  • 85a2eeb build(deps-dev): bump decode-uri-component from 0.2.0 to 0.2.2
  • 0bffce2 build(deps): updated socket.io version to fix security issues with socket.io-parser and engine.io
  • 86667ab build(deps): bump follow-redirects from 1.11.0 to 1.15.4
  • 450fdfd docs: Add deprecation notice to Karma README
  • 9de3c00 chore(release): 6.4.2 [skip ci]
  • c6a4271 fix: few typos
  • 50f9635 docs: update codeclimate badge in readme.md
  • 0013121 chore(release): 6.4.1 [skip ci]
  • 63d86be fix: pass integrity value
  • 84f7cc3 chore(release): 6.4.0 [skip ci]
  • f2d0663 docs: add integrity parameter
  • dc51a2e feat: support SRI verification of link tags
  • 6a54b1c feat: support SRI verification of script tags
  • 5e71cf5 chore(release): 6.3.20 [skip ci]
  • e17698f fix: prefer IPv4 addresses when resolving domains
  • 60f4f79 build: add Node 16 and 18 to the CI matrix
  • 6ff5aaf chore(release): 6.3.19 [skip ci]
  • 099b85e fix(client): error out when opening a new tab fails
  • b659015 ci: lint and commitlint in its own workflow
  • 31701a2 chore(release): 6.3.18 [skip ci]
  • 52a30bb fix(deps): upgrade socket.io to v4.4.1
  • 7aeb3f8 docs(configuration-file): document async function

See the full diff

Package name: karma-mocha The new version differs by 18 commits.

See the full diff

Package name: karma-safaritechpreview-launcher The new version differs by 6 commits.
  • 311655f BREAKING CHANGE: drops support for node before version 8
  • 4411752 BREAKING CHANGE: support Safari 12 on macOS Mojave
  • 913c8c1 BREAKING CHANGE: support Safari 12 on macOS Mojave
  • 6df4a5f Fix another syntax error
  • 59ad2c0 Fix syntax error
  • 25a2013 Add plugin example

See the full diff

Package name: karma-sauce-launcher The new version differs by 65 commits.

See the full diff

Package name: mocha The new version differs by 250 commits.

See the full diff

Package name: webpack The new version differs by 250 commits.
  • eabf85d chore(release): 5.94.0
  • 955e057 security: fix DOM clobbering in auto public path
  • 9822387 test: fix
  • cbb86ed test: fix
  • 5ac3d7f fix: unexpected asi generation with sequence expression
  • 2411661 security: fix DOM clobbering in auto public path
  • b8c03d4 fix: unexpected asi generation with sequence expression
  • f46a03c revert: do not use heuristic fallback for "module-import"
  • 60f1898 fix: do not use heuristic fallback for "module-import"
  • 66306aa Revert "fix: module-import get fallback from externalsPresets"
  • 8bf907b fix: handle ASI for export declaration
  • 420cb39 fix: handle ASI for export declaration
  • 844fe4b fix: ts types
  • e8384b2 chore(deps-dev): bump @ types/node from 22.2.0 to 22.3.0 in the dependencies group
  • 78f7842 chore(deps-dev): bump @ types/node in the dependencies group
  • a2b0f9b fix: ts types
  • 46cee28 feat: support `webpackIgnore` for `new URL()` construction
  • 71ce863 fix: mangle destruction incorrect with export named default
  • ddbea27 test: name in multi compiler ...

…s/esprima/package.json & workspaces/arborist/test/fixtures/tap-with-yarn-lock/node_modules/esprima/.snyk to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ADMZIP-1065796
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-BRACES-6838727
- https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749
- https://snyk.io/vuln/SNYK-JS-ENGINEIO-3136336
- https://snyk.io/vuln/SNYK-JS-HTTPSPROXYAGENT-469131
- https://snyk.io/vuln/SNYK-JS-INFLIGHT-6095116
- https://snyk.io/vuln/SNYK-JS-JSON5-3182856
- https://snyk.io/vuln/SNYK-JS-KARMA-2395349
- https://snyk.io/vuln/SNYK-JS-KARMA-2396325
- https://snyk.io/vuln/SNYK-JS-LOADERUTILS-3042992
- https://snyk.io/vuln/SNYK-JS-LOADERUTILS-3043105
- https://snyk.io/vuln/SNYK-JS-LOADERUTILS-3105943
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-6139239
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/SNYK-JS-LOG4JS-2348757
- https://snyk.io/vuln/SNYK-JS-MICROMATCH-6838728
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-MOCHA-2863123
- https://snyk.io/vuln/SNYK-JS-MOCHA-561476
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-SEMVER-3247795
- https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-1056752
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-3091012
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
- https://snyk.io/vuln/SNYK-JS-UGLIFYJS-1727251
- https://snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660
- https://snyk.io/vuln/SNYK-JS-USERAGENT-174737
- https://snyk.io/vuln/SNYK-JS-WEBPACK-7840298
- https://snyk.io/vuln/SNYK-JS-WS-1296835
- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936
- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1255647
- https://snyk.io/vuln/npm:braces:20180219
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:growl:20160721
- https://snyk.io/vuln/npm:https-proxy-agent:20180402
- https://snyk.io/vuln/npm:lodash:20180130
- https://snyk.io/vuln/npm:ms:20170412
- https://snyk.io/vuln/npm:negotiator:20160616
- https://snyk.io/vuln/npm:parsejson:20170908
- https://snyk.io/vuln/npm:ws:20160624
- https://snyk.io/vuln/npm:ws:20160920
- https://snyk.io/vuln/npm:ws:20171108


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/npm:hawk:20160119
- https://snyk.io/vuln/npm:http-signature:20150122
- https://snyk.io/vuln/npm:mime:20170907
- https://snyk.io/vuln/npm:request:20160119
- https://snyk.io/vuln/npm:tunnel-agent:20170305
Copy link

sourcery-ai bot commented Oct 22, 2024

🧙 Sourcery has finished reviewing your pull request!


Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time. You can also use
    this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

Copy link

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have skipped reviewing this pull request. Here's why:

  • It seems to have been created by a bot (hey, snyk-io[bot]!). We assume it knows what it's doing!
  • It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants