New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

[Snyk] Fix for 14 vulnerabilities #197

Open

snyk-bot wants to merge 1 commit into main from snyk-fix-b9ee08612e5d2e1be7d3c28baee4145e

snyk-bot commented Apr 26, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- node_modules/esutils/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-2863123	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Improper Privilege Management SNYK-JS-SHELLJS-2332187	No	Proof of Concept
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	354/1000 Why? Has a fix available, CVSS 2.8	Insecure use of /tmp folder npm:cli:20160615	No	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary Code Injection npm:growl:20160721	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: jshint

The new version differs by 250 commits.

61c868c v2.13.4
eb4609a [[FIX]] Remove shelljs
b23e125 [[CHORE]] Remove shelljs from internal tooling
56d4a47 [[CHORE]] Use consistent interface for fs ops
33cfc87 [[CHORE]] Migrate from TravisCI to CircleCI
a53cc95 [[CHORE]] Update version of package manifest (#3602)
2a842ac v2.13.3
06accfa [[CHORE]] Correct annotation for globals
b1426f1 [[FIX]] Recognize ES2020 globals
be94b1d [[DOCS]] Remove david-dm badges (#3596)
5608b03 v2.13.2
043f98a [[CHORE]] Add package-lock.json
cc1adf6 [[FIX]] Add missing well-known globals (#3582)
057b1c6 [[FIX]] Tolerate keyword in object shorthand
ecae54a [[FIX]] Tolerate unterminated nullish coalescing
ca06e6a [[FIX]] add URL for node in src/vars.js (#3570)
75e48b7 [[FIX]] change escape-sequence handler for double quotes (\") (#3566)
4a681b9 [[FIX]] Limit "Too many Errors" (E043) to errors only (#3562)
fddcd02 v2.13.1
11dc0a6 [[FIX]] Allow optional chaining call as satement
7c890aa [[FIX]] Tolerate dangling NewExpression
71ec395 [[FIX]] Allow invoking result of optional chaining
7bae44b v2.13.0
7c36c81 Merge pull request #3486 from jshint/v2.12.0

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Improper Privilege Management
🦉 More lessons are available in Snyk Learn


          fix: node_modules/esutils/package.json to reduce vulnerabilities

50fd881

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-1019388
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-3050818
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-MOCHA-2863123
- https://snyk.io/vuln/SNYK-JS-MOCHA-561476
- https://snyk.io/vuln/SNYK-JS-SHELLJS-2332187
- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
- https://snyk.io/vuln/npm:cli:20160615
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:growl:20160721
- https://snyk.io/vuln/npm:minimatch:20160620
- https://snyk.io/vuln/npm:ms:20151024
- https://snyk.io/vuln/npm:ms:20170412

aliscco mentioned this pull request

[Snyk] Security upgrade gulp-mocha from 4.3.1 to 9.0.0 #822

Open

# for free to join this conversation on GitHub. Already have an account? # to comment

Labels

None yet