New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

[Snyk] Fix for 8 vulnerabilities #324

Open

aliscco wants to merge 1 commit into main from snyk-fix-c46ddb7dc103259a5882f65c47d9a262

Owner

aliscco commented Apr 28, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- node_modules/nock/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	429/1000 Why? Has a fix available, CVSS 4.3	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-2863123	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-SEMANTICRELEASE-2866292	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: got

The new version differs by 222 commits.

5e17bb7 11.8.5
bce8ce7 Backport 861ccd9ac2237df762a9e2beed7edd88c60782dc
8ced192 Fix build
670eb04 11.8.4
20f29fe Backport [Snyk] Security upgrade gulp from 3.9.1 to 5.0.0 #1543: Initialize globalResponse in case of ignored HTTPError ([Snyk] Security upgrade mocha from 3.5.3 to 4.0.0 #2017)
0da732f 11.8.3
9463bb6 Bump cacheable-request dependency ([Snyk] Security upgrade ava from 1.4.1 to 6.0.0 #1921)
0e167b8 HTTPError code set to 'HTTPError' [Snyk] Security upgrade nyc from 11.9.0 to 13.0.1 #1711 ([Snyk] Security upgrade mocha from 2.5.3 to 4.0.0 #1739)
f896aa5 11.8.2
3bd245f Instantiate CacheableLookup only when needed ([Snyk] Fix for 1 vulnerabilities #1529)
a72ed84 11.8.1
4c815c3 Do not throw on custom stack traces ([Snyk] Security upgrade coveralls from 2.13.3 to 3.0.0 #1491)
e0cb820 11.8.0
f65c9ef Upgrade dependencies
7acd380 Fix for sending files with size `0` on `stat` ([Snyk] Fix for 10 vulnerabilities #1488)
6aa86f2 Fix indentation in the readme
3dd2273 `beforeRetry` allows stream body if different from original ([Snyk] Security upgrade semantic-release from 15.14.0 to 17.0.1 #1501)
b1afa2b Fix readme example comment ([Snyk] Security upgrade jest from 25.5.4 to 27.0.0 #1505)
390b145 Set default value for an options object ([Snyk] Fix for 6 vulnerabilities #1495)
87dadd5 Fixed documentation example for `responseType` ([Snyk] Security upgrade coveralls from 2.13.3 to 3.0.0 #1494)
3bf3e3b Add `lookup` option documentation ([Snyk] Security upgrade istanbul from 0.3.22 to 0.4.5 #1483)
c31366b Add a test for [Snyk] Security upgrade eslint-release from 1.2.0 to 2.0.0 #1438 ([Snyk] Security upgrade mocha from 3.5.3 to 4.0.0 #1469)
5d62958 11.7.0
88b32ea Fix a regression where body was sent after redirect

See the full diff

Package name: mocha

The new version differs by 250 commits.

5f96d51 build(v10.1.0): release
ed74f16 build(v10.1.0): update CHANGELOG
51d4746 chore(devDeps): update 'ESLint' to v8 (#4926)
4e06a6f fix(browser): increase contrast for replay buttons (#4912)
41567df Support prefers-color-scheme: dark (#4896)
61b4b92 fix the regular expression for function `clean` in `utils.js` (#4770)
77c18d2 chore: use standard 'Promise.allSettled' instead of polyfill (#4905)
84b2f84 chore(ci): upgrade GH actions to latest versions (#4899)
023f548 build(v10.0.0): release
62b1566 build(v10.0.0): update CHANGELOG
fbe7a24 chore: update dependencies (#4878)
2b98521 docs: replace 'git.io' short links (#4877) [ci skip]
007fa65 chore(ci): add Node v18 to test matrix (#4876)
f6695f0 chore(esm): remove code for Node v12 (#4874)
59f6192 chore(ci): conditionally skip 'push' event (#4872)
b863359 docs: fix 'fgrep' url (#4873)
baaa41a chore(ci): ignore changes to docs files (#4871)
ac81cc5 refactor!: drop support of 'growl' notification (#4866)
3946453 chore(deps)!: upgrade 'minimatch' (#4865)
592905b refactor!: rename 'bin/mocha' to 'bin/mocha.js' (#4863)
b7b849b refactor!: remove deprecated Runner signature (#4861)
0608fa3 chore(site): fix supporters' download (#4859)
785aeb1 chore(test): drop AMD/'requirejs' (#4857)
ed640c4 chore(devDeps): upgrade 'coffee-script' (#4856)

See the full diff

Package name: semantic-release

The new version differs by 60 commits.

58a226f fix(log-repo): use the original form of the repo url to remove the need to mask credentials ([Snyk] Security upgrade ava from 1.4.1 to 2.0.0 #2459)
17d60d3 build(deps): bump npm from 8.3.1 to 8.12.0 ([Snyk] Security upgrade tsd from 0.11.0 to 0.12.0 #2447)
ab45ab1 chore(lint): disabled rules that dont apply to this project ([Snyk] Fix for 2 vulnerabilities #2408)
ea389c3 chore(deps): update dependency yargs-parser to 13.1.2 [security] ([Snyk] Security upgrade jest from 25.4.0 to 28.0.0 #2402)
fa994db build(deps): bump node-fetch from 2.6.1 to 2.6.7 ([Snyk] Security upgrade ava from 1.4.1 to 2.0.0 #2399)
b79116b build(deps): bump trim-off-newlines from 1.0.1 to 1.0.3
6fd7e56 build(deps): bump minimist from 1.2.5 to 1.2.6
2b94bb4 docs: update broken link to CI config recipes ([Snyk] Fix for 2 vulnerabilities #2378)
b4bc191 docs: Correct circleci workflow ([Snyk] Security upgrade tsd from 0.9.0 to 0.12.0 #2365)
2c30e26 Merge pull request [Snyk] Fix for 2 vulnerabilities #2333 from semantic-release/next
0eca144 fix(npm-plugin): upgraded to the stable version
8097afb fix(npm-plugin): upgraded to the latest beta version
95af1e4 Merge pull request [Snyk] Fix for 2 vulnerabilities #2332 from semantic-release/beta
f634b8c fix(npm-plugin): upgraded to the beta, which upgrades npm to v8
d9e5bc0 fix: upgrade `marked` to resolve ReDos vulnerability ([Snyk] Security upgrade coveralls from 2.13.3 to 3.0.0 #2330)
dd7d664 docs: fix a broken link ([Snyk] Fix for 2 vulnerabilities #2318)
cd6136d docs: wrong prerelease example ([Snyk] Security upgrade xo from 0.25.4 to 0.42.0 #2307)
e62c83d docs: remove repeated 'with' word ([Snyk] Fix for 2 vulnerabilities #2289)
5d78fa4 docs(breaking-change): highlighted the need for `BREAKING CHANGE: ` to be in the commit footer ([Snyk] Security upgrade coveralls from 2.13.3 to 3.0.0 #2283)
b64855f docs(badge): mentioned referencing the commit convention ([Snyk] Fix for 2 vulnerabilities #2269)
09bcf7a docs: update badges to include preset names ([Snyk] Security upgrade xo from 0.24.0 to 0.42.0 #2266)
8e96b23 docs(issue-templates): fixed links to templates for opening issues ([Snyk] Fix for 2 vulnerabilities #2264)
5535268 docs: fix typo ([Snyk] Security upgrade xo from 0.25.4 to 0.42.0 #2262)
7f971f3 fix: bump @ semantic-release/commit-analyzer to 9.0.2 ([Snyk] Fix for 2 vulnerabilities #2258)

See the full diff

Package name: tap

The new version differs by 171 commits.

bc49fb7 15.0.0
4378608 remove publishConfig beta tag
2c2e75f provide mkdirRecursive polyfill for old node versions
8f4c855 correctly specify 10.0.x versions
5e61672 update deps
c44c418 Support 10.0 and test in CI
dc5c841 tcompare@5.0.4
385b6d2 Add .taprc.yml/yaml handling to change log
4f87466 just run regular test script as snap script
315a921 delete FORCE_COLOR/NO_COLOR rather than setting to '0'
564e96f Add detection for .yaml and .yml
75bae93 update cli doc
c1289bf 15.0.0-3
d6fe32f Do not CI on node 10
d2e0428 do not use equals() alias in self-test
3f787c4 tell npm to be colorful in CI
1512818 run tests with color on github actions
4626fa1 Docs: update documentation for tap v15
02d536b libtap@1.0.1
f7c7c58 update cli doc
2aa497c 15.0.0-2
8d7f62e Add support for overriding libtap's internal settings
29eed63 new snapshot folder layout
3a28d4d update libtap git ref to isaacs/tap-v15-prep branch

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Open Redirect


          fix: node_modules/nock/package.json to reduce vulnerabilities

6c02f68

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-GOT-2932019
- https://snyk.io/vuln/SNYK-JS-ISTANBULREPORTS-2328088
- https://snyk.io/vuln/SNYK-JS-MARKED-2342073
- https://snyk.io/vuln/SNYK-JS-MARKED-2342082
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-3050818
- https://snyk.io/vuln/SNYK-JS-MOCHA-2863123
- https://snyk.io/vuln/SNYK-JS-SEMANTICRELEASE-2866292

snyk-bot mentioned this pull request

[Snyk] Fix for 16 vulnerabilities #426

Open

# for free to join this conversation on GitHub. Already have an account? # to comment

Labels

None yet