[Snyk] Fix for 3 vulnerabilities #21

snyk-bot · 2022-03-21T04:42:54Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- examples/delegated-routing/package.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
566/1000 Why? Recently disclosed, Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430337	Yes	No Known Exploit
651/1000 Why? Recently disclosed, Has a fix available, CVSS 7.3	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430339	Yes	No Known Exploit
566/1000 Why? Recently disclosed, Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430341	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: ipfs

The new version differs by 250 commits.

3f407ae chore: publish
2b633f6 chore: update contributors
a6bcad5 fix: types path for ipfs-core (#3356)
b07f944 chore: add @ types/yargs for better inference (#3357)
16ecc74 fix: files ls should return string (#3352)
3250ff4 feat: enable custom formats for dag put and get (#3347)
4eb196c fix: do not double normalise input url (#3351)
33aa632 docs: clarify that mtime and mode are optional (#3302)
5cc6dfe fix: remove buffer export from ipfs-core (#3348)
d27b6d1 chore: bundle size increased by 186B (#3344)
2bcc0af chore: run docker rc release separately (#3342)
3e7e222 docs: fixes "interface-ipfs-core" link (#3334)
fdc19a4 fix: build before reinstalling example deps (#3341)
66f2081 chore: re-enable node 15 (#3339)
e53d3f8 chore: build ipfs-core before ipfs during release (#3340)
6c06322 chore: disable node 15 until it can generate random numbers again
bbcaf34 feat: type check & generate defs from jsdoc (#3281)
4b8021d feat: implement message-port ipfs.ls (#3322)
1ba0bf0 docs: fix typo (#3329)
7f32f7f feat: webui v2.11.4 (#3317)
3218067 chore: fix typo (#3320)
639d71f fix: use fetch in electron renderer and electron-fetch in main (#3251)
8e44e52 chore: update chromedriver (#3319)
2ff7ca5 chore: use eslint-config-ipfs (#3287)

See the full diff

Package name: libp2p-delegated-content-routing

The new version differs by 20 commits.

dff4cbd chore: release version v0.4.3
4d166ab chore: update contributors
d36b085 chore: update ipfs-http-client dep ([Snyk] Security upgrade ipfs from 0.34.4 to 0.51.0 #23)
f672b84 docs: document required API endpoints ([Snyk] Fix for 3 vulnerabilities #21)
ad91771 chore: release version v0.4.2
8e532ea chore: update contributors
7af6f74 chore: use it-all ([Snyk] Fix for 3 vulnerabilities #20)
6ff0e64 chore: release version v0.4.1
3868dce chore: update contributors
b2690c7 fix: async it refs ([Snyk] Fix for 3 vulnerabilities #19)
31b26bc chore: release version v0.4.0
524e11f chore: update contributors
22ff40c chore: rename timeout option ([Snyk] Security upgrade libp2p-gossipsub from 0.9.2 to 0.12.0 #18)
ac371f1 chore: release version v0.3.1
7cd8394 chore: update contributors
55d6108 fix: limit concurrent HTTP requests ([Snyk] Fix for 2 vulnerabilities #16)
69f1f94 docs: update readme to be async ([Snyk] Security upgrade ipfs from 0.34.4 to 0.41.0 #11)
42b7b07 chore: release version v0.3.0
52a92db chore: update contributors
0e2d91f feat: refactor to use async/await ([Snyk] Upgrade libp2p-bootstrap from 0.13.0 to 0.14.0 #7)

See the full diff

Package name: libp2p-delegated-peer-routing

The new version differs by 57 commits.

d724f18 chore: release version v0.11.0
39d670a chore: update contributors
1664f69 chore: update peer-id dep ([pull] master from libp2p:master #47)
974b634 chore: release version v0.10.0
7f2107e chore: update contributors
44cd293 chore: update to new multiformats ([pull] master from libp2p:master #46)
f16ca8f chore: release version v0.9.0
35e065b chore: update contributors
53fcd78 chore: add github actions
541e3cc chore: update deps
4612728 chore: remove peer deps (chore(deps-dev): bump @libp2p/daemon-client from 2.0.4 to 3.0.0 #44)
01524ac chore: release version v0.8.2
3b41409 chore: update contributors
e54b447 chore: release version v0.8.1
da7a339 chore: update contributors
9eebd2e chore: update deps (chore(deps-dev): bump @libp2p/daemon-server from 2.0.4 to 3.0.0 #43)
1a3d47d chore: update readme with query endpoint for closest peers (chore(deps-dev): bump @libp2p/interop from 2.1.0 to 3.0.0 #42)
5c3fb76 chore: release version v0.8.0
ba5f9fa chore: update contributors
3ff6b8f chore: update ipfs-http-client peer dep ([pull] master from libp2p:master #41)
93b1873 chore: docs update (chore(deps-dev): bump ipfs-http-client from 57.0.3 to 58.0.0 #40)
a03b822 chore: release version v0.7.0
a290191 chore: update contributors
bd9ecc3 fix: accept http client instance ([pull] master from libp2p:master #39)

See the full diff

Package name: libp2p-kad-dht

The new version differs by 207 commits.

9f4e32d chore: release version v0.27.0
84083e5 chore: update contributors
2719733 chore: update peer-id
64f775b chore: update libp2p-crypto (dns4 dialling fails libp2p/js-libp2p#260)
50ea7aa fix: do not send messages if the network is not running (Ensure all libp2p packages have lead maintainters libp2p/js-libp2p#259)
b805cab chore: guard on table refresh running (Make libp2p a state machine libp2p/js-libp2p#257)
c2c5782 chore: release version v0.26.7
9b97220 chore: update contributors
40142a5 chore: update deps
930a87e chore(deps): bump libp2p-crypto from 0.19.7 to 0.20.0 (Already piped error libp2p/js-libp2p#244)
4a1c5af chore: release version v0.26.6
c06bf0b chore: update contributors
1471fb9 fix: increase time between table refresh (chore: change dependency name from libp2p-railing to libp2p-bootstrap libp2p/js-libp2p#256)
e4b6d4f chore(deps-dev): bump libp2p from 0.33.0 to 0.34.0 (chore: upgrade libp2p-mplex libp2p/js-libp2p#255)
2a2e1af chore: release version v0.26.5
7d8e428 chore: update contributors
4f79899 fix: do not pollute routing table with useless peers (feat: enable relay by default (no hop) libp2p/js-libp2p#254)
39e10e3 chore: release version v0.26.4
27d32de chore: update contributors
f7a2a02 fix: require at least one successful put (Enable relay by default (not hop) libp2p/js-libp2p#253)
5318296 chore: release version v0.26.3
82fe877 chore: update contributors
d90f1a6 fix: count successful puts (Update deps and fix non deterministic browser test libp2p/js-libp2p#252)
9134014 chore: release version v0.26.2

See the full diff

Package name: libp2p-webrtc-star

The new version differs by 160 commits.

9dc6899 chore: publish
28db4a0 chore: update to new peer-id and libp2p-crypto (⚡️ 0.26 RELEASE 🚀 libp2p/js-libp2p#387)
22ffd5c chore: publish
e2683bd chore: update deps (multiaddr string representation: use /p2p by default libp2p/js-libp2p#386)
0d5bad4 docs: add js example to readme
39ea3b2 chore: publish
57ad848 chore: create prerelease
845b40d chore: upgrade to GitHub-native Dependabot (fix: disable dht by default #338 libp2p/js-libp2p#339)
8c7f5de feat: make into monorepo (Add dialBest to the API libp2p/js-libp2p#376)
b4e4180 chore: update uint8arrays (Issues on the documentation libp2p/js-libp2p#375)
590c5fc chore: release version v0.23.0
e88d63d chore: update contributors
e4360f2 chore: update deps (feat: integrate gossipsub by default libp2p/js-libp2p#365)
c629cc1 chore: release version v0.22.4
d01cd4a chore: update contributors
441a34e chore: update deps and use socket.io server v4 (feat: sign pubsub messages libp2p/js-libp2p#362)
4822c40 chore: release version v0.22.3
a046a72 chore: update contributors
1076b5b chore: update ipfs-utils dep (If I need only an outgoing connection, why libp2p should be start()'ed to listening for incoming connections? libp2p/js-libp2p#341)
f61c4a1 chore: remove unecessary async fn in test (feat: update to the latest switch libp2p/js-libp2p#336)
2eacc5f chore: release version v0.22.2
4ccf5be chore: update contributors
4c82721 chore: add err code for unknown signal server on dial (Windows testing is back!! libp2p/js-libp2p#335)
c780457 chore: release version v0.22.1

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430337 - https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430339 - https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430341

fix: examples/delegated-routing/package.json to reduce vulnerabilities

a1bacdd

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430337 - https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430339 - https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430341

snyk-bot mentioned this pull request Apr 8, 2022

[Snyk] Fix for 1 vulnerabilities #22

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 3 vulnerabilities #21

[Snyk] Fix for 3 vulnerabilities #21

snyk-bot commented Mar 21, 2022

[Snyk] Fix for 3 vulnerabilities #21

Are you sure you want to change the base?

[Snyk] Fix for 3 vulnerabilities #21

Conversation

snyk-bot commented Mar 21, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade: