New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

[Snyk] Fix for 4 vulnerabilities #1912

Open

aliscco wants to merge 1 commit into main from snyk-fix-f6c082b89f68a72eeeaf836f23227210

Owner

aliscco commented May 16, 2024

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- node_modules/@actions/http-client/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Uncontrolled resource consumption SNYK-JS-BRACES-6838727	Yes	No Known Exploit
	631/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.2	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: jest

The new version differs by 250 commits.

8f9b812 v28.0.0
f424551 feat: Jest 28 blog post (#12732)
c79f8d6 feat: roll v28 docs (#12733)
e9f6610 Remove `core.autocrlf` config on CI (#12731)
9342a23 docs: add mention of expect breaking change to upgrade guide (#12730)
e1f2515 chore: add missing `throw`
039f43e chore: combine all v27 docs into a single one (#12729)
256c1af chore(website): add some admonitions to 25.x (#12565)
fc85b8f fix: replace hash routine md5 with sha256 (#12722)
c1a57cb chore(deps): bump isbinaryfile dependency to ^5.0.0 (#12726)
9ebfe0a chorer: add note about babel config to upgrade guide (#12724)
4ec4b98 chore: cache yarn deps on netlify (#12725)
62afb83 chore: revert #12718 and simply do not bundle type declarations of `@ jest/globals` (#12721)
4f1d199 Add Yarn dedupe CI check (#12717)
7a8c9cf Lock source-map-support verion to 0.5.13 (#12720)
811228d Support error logging before jest retry (#12201)
a28db24 chore: do not bundle type definitions for packages which have only one `.d.ts` file (#12718)
49ee158 update dependency @ microsoft/api-extractor to 7.23.0 (#12716)
e72c52f feat(jest-runner): export `TestRunner` interface types and reexport types from other packages (#12715)
3c6f14b feat(jest-resolve): expose `PackageFilter`, `PathFilter` and `PackageJSON` types (#12712)
a293b75 refactor(jest-transform): rename TransformerConfig (#12708)
625e0bc show that setupFilesAfterEnv scripts can define beforeAll (#12702)
0208815 feat(jest-resolve): expose `JestResolver`, `AsyncResolver` and `SyncResolver` types (#12707)
75c7c40 docs: use admonitions in ExpectAPI.md (#12679)

See the full diff

Package name: ts-jest

The new version differs by 169 commits.

05ebe5c chore(release): 26.1.2 ([Snyk] Security upgrade mocha from 2.5.3 to 4.0.0 #1800)
30939a3 Merge pull request [Snyk] Security upgrade ava from 1.4.1 to 6.0.0 #1799 from kulshekhar/dependabot/npm_and_yarn/types/react-16.9.43
4b9581a build(deps-dev): bump @ types/react from 16.9.42 to 16.9.43
a16d43a build(deps-dev): bump @ commitlint/cli from 9.0.1 to 9.1.2 ([Snyk] Security upgrade ava from 1.4.1 to 6.0.0 #1797)
bd44d0c build(deps-dev): bump @ commitlint/config-conventional ([Snyk] Security upgrade nyc from 11.9.0 to 13.0.1 #1798)
a26239e build(docs-infra): update e2e README.md ([Snyk] Security upgrade ava from 1.4.1 to 6.0.0 #1796)
d9b62e3 chore(devs-infra): set minimum node version at 10.21.0 ([Snyk] Security upgrade tap from 7.1.2 to 12.0.2 #1793)
47312b3 build(deps-dev): bump eslint-plugin-jsdoc from 29.1.3 to 29.1.4 ([Snyk] Security upgrade ava from 1.4.1 to 6.0.0 #1795)
38df9b8 build(deps-dev): bump @ types/react from 16.9.41 to 16.9.42 ([Snyk] Security upgrade ava from 2.4.0 to 6.0.0 #1792)
ce38f3b build(deps-dev): bump @ types/node from 12.12.48 to 12.12.50 ([Snyk] Security upgrade tap from 15.2.3 to 18.0.0 #1791)
e6dbe4b build(deps-dev): bump eslint-plugin-jsdoc from 29.1.2 to 29.1.3 ([Snyk] Security upgrade tap from 11.1.5 to 12.0.2 #1790)
6948855 fix(config): invalidate cache when other options in `tsconfig` change ([Snyk] Security upgrade karma from 1.7.1 to 4.2.0 #1788)
8d02622 build(deps-dev): bump eslint-plugin-jsdoc from 29.1.0 to 29.1.2 ([Snyk] Security upgrade ava from 2.4.0 to 6.0.0 #1789)
7f731ed perf(compiler): cache module resolution for `isolatedModules: false` ([Snyk] Security upgrade ava from 0.25.0 to 2.0.0 #1786)
5d20cd5 build(deps-dev): bump eslint-plugin-jsdoc from 28.6.1 to 29.1.0 ([Snyk] Security upgrade ava from 2.4.0 to 6.0.0 #1787)
5f26054 fix(compiler): use `resolveModuleNames` TypeScript API to get resolved modules for test files ([Snyk] Security upgrade ava from 1.4.1 to 6.0.0 #1784)
00a3726 chore(typings): expose `compilerModule` and `TTypeScript` as public typings ([Snyk] Security upgrade ava from 1.4.1 to 6.0.0 #1785)
5da0da1 chore(devs-infra): remove ! on realpath of LanguageService ([Snyk] Security upgrade ava from 2.4.0 to 6.0.0 #1783)
1409274 build(deps-dev): bump @ typescript-eslint/eslint-plugin ([Snyk] Security upgrade ava from 1.4.1 to 6.0.0 #1779)
18e9deb Merge pull request [Snyk] Security upgrade ava from 1.4.1 to 6.0.0 #1780 from kulshekhar/dependabot/npm_and_yarn/typescript-eslint/parser-3.6.0
3274c50 build(deps-dev): bump @ typescript-eslint/parser from 3.5.0 to 3.6.0
f0f1473 build(deps-dev): bump @ types/jest from 26.0.3 to 26.0.4 ([Snyk] Security upgrade ava from 1.4.1 to 6.0.0 #1782)
3529c76 build(deps-dev): bump @ types/node from 12.12.47 to 12.12.48 ([Snyk] Fix for 2 vulnerabilities #1781)
669974e build(deps-dev): bump eslint-plugin-jest from 23.17.1 to 23.18.0 ([Snyk] Security upgrade tap from 7.1.2 to 12.0.2 #1778)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Uncontrolled resource consumption
🦉 Prototype Pollution


          fix: node_modules/@actions/http-client/package.json to reduce vulnera…

ace8e91

…bilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-BRACES-6838727
- https://snyk.io/vuln/SNYK-JS-INFLIGHT-6095116
- https://snyk.io/vuln/SNYK-JS-MICROMATCH-6838728
- https://snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660

# for free to join this conversation on GitHub. Already have an account? # to comment

Labels

None yet