[Snyk] Fix for 7 vulnerabilities #13

snyk-bot · 2020-09-24T04:12:48Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
295/1000 Why? CVSS 5.9	Timing Attack SNYK-JS-ELLIPTIC-511941	Yes	No Known Exploit
492/1000 Why? Proof of Concept exploit, CVSS 7.7	Cryptographic Issues SNYK-JS-ELLIPTIC-571484	Yes	Proof of Concept
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Denial of Service (DoS) SNYK-JS-HTTPPROXY-569139	Yes	Proof of Concept
626/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.1	Man-in-the-Middle (MitM) SNYK-JS-HTTPSPROXYAGENT-469131	Yes	Proof of Concept
387/1000 Why? Proof of Concept exploit, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
591/1000 Why? Recently disclosed, Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:underscore.string:20170908	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: bat-client

The new version differs by 48 commits.

f0f0d4e Removed BitGo dependency to mitigate security vulnerabilities
f22787d fix broken integration tests, flaky index tests (hook up search in urlbar brave/browser-laptop#56)
75f0aa4 Refactor to use brave-crypto for passphrases (Fill out OS X menu according to spec brave/browser-laptop#52)
dd36177 Sanity check on reconcileStamp (Check that we're using these babel / webpack optimizations brave/browser-laptop#53)
3f42033 Update bat-client to show bip39 and accept either bip39 or niceware ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #48)
5458396 Change ballot commit interval to [1s..5m] ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #47)
de3fd33 Adds memos to the state ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #46)
7ae5250 Adds validation function for passphrase ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #45)
ec2c97d More instrumentation ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #44)
573a72e 3rd attempt to update the joi dependency (per node security alert) ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #43)
da8029b Update joi dependency per https://nodesecurity.io/advisories/566 ([Snyk] Fix for 62 vulnerabilities #42)
8f792cd Update joi dependency per https://nodesecurity.io/advisories/566 ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #41)
9190956 Have publishersInfo batch results ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #39)
013f307 2.0.7: add -b option (balance server prefix) to blastoff.js ([Snyk] Security upgrade bat-client from 1.0.8 to 4.0.0 #37)
378ae28 2.0.6: change reconcile to not be sticky wrt surveyor used after failure ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #36)
c429ca9 2.0.5: add Client.prototype.publishersInfo ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #33)
81795a8 2.0.4: no fuzzing if LEDGER_NO_FUZZING=1 ([Snyk] Security upgrade bat-client from 1.0.8 to 4.0.0 #32)
9922fad 2.0.3: test already used promo, setPromo callback include response ([Snyk] Security upgrade bat-client from 1.0.8 to 4.0.0 #31)
0b6d0b4 2.0.2: allow overriding paymentId during getPromotion ([Snyk] Security upgrade bat-client from 1.0.8 to 4.0.0 #30)
a09dcda 2.0.1: Fix grant claim route in setPromotion ([Snyk] Security upgrade bat-client from 1.0.8 to 4.0.0 #29)
464a85a Merge pull request [Snyk] Fix for 1 vulnerabilities #27 from brave-intl/load-faster
01b9780 2.0.0: use bat-publisher@2.0.0
5c784c1 1.5.2: fix missing params init and add test for getPromotion
4300724 1.5.1: update package.json

See the full diff

Package name: bat-publisher

The new version differs by 50 commits.

b806cdd 2.0.24: updated deps ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #46)
09bf6e6 Reverting PR [Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #43 ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #44)
b07a954 Removing rulesets from bat-publisher ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #43)
a874678 Breaking up large rulesets, formatting ([Snyk] Fix for 62 vulnerabilities #42)
90ed696 Switch from random-lib to brave-crypto. ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #41)
6b4a042 Bumping to 2.0.19 ([Snyk] Security upgrade bat-client from 1.0.8 to 4.0.0 #40)
020c6f1 random-lib@3.0.0 ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #39)
0be8ac4 Fixing infinite loop/crash when no result sets have a pinPercentage ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #35)
35714c8 Prune return if prune happened or not ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #34)
1889528 2.0.16 ([Snyk] Security upgrade bat-client from 1.0.8 to 4.0.0 #30)
957368c Adds some more null checks ([Snyk] Security upgrade bat-client from 1.0.8 to 4.0.0 #29)
a3eee82 2.0.14: handle pinned publishers before statistical voting ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #24)
13686d8 Adds null checks ([Snyk] Fix for 1 vulnerabilities #23)
d512f6c 2.0.12: nom lint'ed ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #22)
888e6d3 Removes metascraper ([Snyk] Fix for 1 vulnerabilities #21)
dfa9b2f Fixes typo ([Snyk] Fix for 1 vulnerabilities #20)
40a6efe Adds support for partial publishers ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #19)
4f5c06e 3rd attempt to update joi dependency (per node security alert) ([Snyk] Fix for 4 vulnerabilities #18)
e4f1d3a Update joi dependency per https://nodesecurity.io/advisories/566 ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #17)
87e6a7b Update joi dependency per https://nodesecurity.io/advisories/566 ([Snyk] Fix for 1 vulnerabilities #15)
57f3cbf 2.0.5: use options.windowP instead of options.rawP when scraping a page ([Snyk] Security upgrade url-loader from 0.6.2 to 1.0.0 #12)
b17d057 Fixes corupted state, when window is missing ([Snyk] Fix for 7 vulnerabilities #13)
5eb7d94 add twitch#channel URI ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #11)
5c0b080 2.0.3: ignore all errors when processing favicon ([Snyk] Security upgrade bat-client from 1.0.8 to 2.2.4 #10)

See the full diff

Package name: prop-types

The new version differs by 23 commits.

fa6fbb7 15.6.2
5115f5c Merge pull request Back button stops working brave/browser-laptop#180 from jaller94/master
2ac742c Merge pull request Add brave menu on windows brave/browser-laptop#171 from barrymichaeldoyle/master
a7a5a64 Merge pull request Win 10 needs branding for Apps & Features brave/browser-laptop#194 from facebook/no-fbjs
d6c9c5c Preserve "Invariant Violation" name
07d1b47 Remove fbjs dependency
3c99d57 Remove trailing spaces
a36cda8 Move explanation of `isRequired` and show it in `PropTypes.shape`
ba3da12 Show that shapes can have required properties
2bde8eb Add example for `PropTypes.exact`
d65f80e Updated vars to consts and lets in PropTypesProductionStandalone-test.js
c10c93f Updated vars to consts and lets in PropTypesDevelopmentStandalone-test.js
8e2b34e Updated vars to consts and lets in PropTypesDevelopmentReact15.js
c5527c8 Updated vars with consts and lets in PropTypesProductionReact15-test.js
7cc8c81 Add 15.6.1 to CHANGELOG
5df7296 15.6.1
b7d03ce Point readme to correct docs for production builds (use a font that looks a little cleaner on the mac brave/browser-laptop#153)
a94243f Update the repository location (pinned tabs don't load correctly on new windows brave/browser-laptop#148)
77c62a7 Fix failing tests (app state is not stored if all windows are closed before quitting brave/browser-laptop#129)
644844c Merge pull request Make urlbar autocomplete private tab aware brave/browser-laptop#140 from flarnie/master
0b5db12 Add `CODE_OF_CONDUCT`
a6900f0 Add CONTRIBUTING.md
492e230 Update README.md with improved importing for CDNs (Context menu: open in new tab not working brave/browser-laptop#104)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-ELLIPTIC-511941 - https://snyk.io/vuln/SNYK-JS-ELLIPTIC-571484 - https://snyk.io/vuln/SNYK-JS-HTTPPROXY-569139 - https://snyk.io/vuln/SNYK-JS-HTTPSPROXYAGENT-469131 - https://snyk.io/vuln/SNYK-JS-MINIMIST-559764 - https://snyk.io/vuln/SNYK-JS-NODEFETCH-674311 - https://snyk.io/vuln/npm:underscore.string:20170908

snyk-bot mentioned this pull request Jan 26, 2022

[Snyk] Fix for 1 vulnerabilities #21

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 7 vulnerabilities #13

[Snyk] Fix for 7 vulnerabilities #13

snyk-bot commented Sep 24, 2020

[Snyk] Fix for 7 vulnerabilities #13

Are you sure you want to change the base?

[Snyk] Fix for 7 vulnerabilities #13

Conversation

snyk-bot commented Sep 24, 2020

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade: