[Snyk] Fix for 1 vulnerabilities #32

saurabharch · 2023-06-21T16:16:18Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- deps/npm/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: init-package-json

The new version differs by 21 commits.

1703339 2.0.1
a99f769 npm-package-arg@8.1.0
434ecd4 read-package-json@3.0.0
5ac9b2a 2.0.0
6396ea8 chore: changelog for v2.0.0
f4c67c5 BREAKING: requires node10+
35b18fc chore: update to auto-bump on npm version system
786e88b chore: bump transitive deps
32012d9 validate-npm-package-license@3.0.4
5deeae9 npm-package-arg@8.0.1
56477ed read-package-json@2.1.2
68f5b77 semver@7.3.2
6b865ec rimraf@3.0.2
9a05ee4 chore: remove standard-version dev dep
16c52cb test: removes dev dep in npm
c0ace81 fix: accounts dot vs dash version/license config
b20020b mkdirp@1.0.4
4c22248 tap@14.10.8
3e772e9 Updated package-lock to v2
2b5d21e chore: updating package-lock.json
8515942 chore: update CI for current Node LTS

See the full diff

Package name: normalize-package-data

The new version differs by 12 commits.

e584704 3.0.0
6899b0c fix: broken tests w/ latest hosted-git-info
40d07df hosted-git-info@3.0.6
e938119 chore: update engines
7e70f63 resolve@1.17.0
0ba7f91 semver@7.3.2
30afb71 chore: remove async dev dep
db9c672 tap@14.10.8
cc89759 chore: remove underscore dev dep
b224ba1 chore: update to package-lock v2
dedb606 2.5.0
f97372c deps: use `resolve.isCore` instead of `is-builtin-module` for better data and better node compat (Disable SyntaxError tests in preparation for CL v8/node#99)

See the full diff

Package name: npm-install-checks

The new version differs by 13 commits.

9b68df3 4.0.0
d498feb allow engine if npm version not specified
f9cc89a update travis to only include live nodes
0fc0126 auto-publish scripts
ca36bca update changelog for v4
a0d38b4 update docs for v4
44b7124 Simplified functionality needed for npm v7
1646fd7 remove unnecessary deps and metadata
d74d479 chore: project settings
d4463a3 chore(deps): update semver, tap, standard
89937d4 minimal package
893b181 fix: allow pre-release versions of npm and node
ab92033 chore: bump version of semver package

See the full diff

Package name: npm-package-arg

The new version differs by 23 commits.

26ffdd5 chore(release): 8.0.0
17598ad chore: normalize settings, license, and update standard-version
ba85e68 drop support for node 6 and 8
2c06e53 update tap
9434f79 chore: update semver to v7
bf86221 chore(release): 7.0.0
68a4fc3 deps: bump hosted-git-info to 3.0.2
ee44e84 chore: update deps
1da5ca9 chore(release): 6.1.1
84a9569 chore: add node 12 to travis
c5da1f4 chore: boost test coverage to 100%
3909203 fix: preserve drive letter on windows git file:// urls
a5a18b3 chore: update CI for current Node LTS
b2c1e0c deps: bump devDeps
db7ca93 deps: bump deps
4760e1c chore(release): 6.1.0
7d0d957 deps: bump devDeps
4b62929 deps: bump deps
adf41e8 docs(coc): updated CODE_OF_CONDUCT.md
f446255 docs(contributing): updated CONTRIBUTING.md
861040c meta: standardise release process
ab99f8e feat(alias): add `npm:` registry alias spec ([Snyk] Fix for 4 vulnerabilities #34)
647a0b3 fix(git): Fix gitRange for git+ssh for private git ([Snyk] Security upgrade npm-lifecycle from 2.0.3 to 3.0.0 #33)

See the full diff

Package name: pacote

The new version differs by 218 commits.

e88f844 10.3.0
b21dd92 update semver
d8ab8cf update npm-packlist
361f0b3 update tap
c4bbf23 test: make the remote timeout test time out forever
b4ea91f npm-registry-fetch 6.0.0
591edd8 @ npmcli/installed-package-contents@1.0.5
5ce1093 test: make remote timeout test more reliably time out
48fc9b8 use WhatWG URL instead of url.parse
e515bce Update deps, float patch for npm-registry-fetch
cf50f54 update @ npmcli/installed-package-contents, require node >=10
698e996 Extract: rimraf dir contents, not dir itself
e568305 add @ npmcli/installed-package-contents module
e8a80d7 upgrade all deps
dfccb4f remove extraneous isNaN checking in git opts
e33c9ce 10.2.1
bad55cd fix: Do not drop perms in git when not root
ccc9e20 bin: only add log listener once
8a8cd6a 10.2.0
e8c274c registry: verify integrity when loading manifest
f28888e bin: Only JSON.stringify by default if an object
0018eda 10.1.6
fc1053f git: prefer git+https over git+ssh for hosted repo
9d2ce90 10.1.5

See the full diff

Package name: read-package-json

The new version differs by 17 commits.

9f7049d chore(release): 3.0.0
19d9fbe fix: check-in updated lockfile
eef46fa chore: add engines definition
36b7ef7 chore: remove old .travis.yml envs
b3a8831 globa@7.1.6
fb3ceae json-parse-even-better-errors@2.3.1
78add03 npm-normalize-package-bin@1.0.1
7595d70 normalize-package-data@3.0.0
10175d8 chore(release): 2.1.2
fdbf082 fix: even better json errors, remove graceful-fs
e78afd6 chore(release): 2.1.1
b8cb5fa fix: normalize and sanitize pkg bin entries
55382c2 chore(release): 2.1.0
0a176cc Add some tests and clean up error handling for non-string bins
76f6f42 feat: support bundleDependencies: true
4e1e4d2 some tests for index.js parsing
67f2d8d chore: update CI for current Node LTS

See the full diff

Package name: semver

The new version differs by 214 commits.

e7b78de chore: release 7.5.2
58c791f fix: diff when detecting major change from prerelease (doc: alphabetize all.markdown nodejs/node#566)
5c8efbc fix: preserve build in raw after inc (io.js TC Meeting 2015-01-28 nodejs/node#565)
717534e fix: better handling of whitespace (stream: use nop as write() callback if omitted nodejs/node#564)
2f738e9 chore: bump @ npmcli/template-oss from 4.14.1 to 4.15.1 (SyntaxError: Unexpected reserved word nodejs/node#558)
aa016a6 chore: release 7.5.1
d30d25a fix: show type on invalid semver error (deps: fix v8 armv6 run-time detection nodejs/node#559)
09c69e2 chore: bump @ npmcli/template-oss from 4.13.0 to 4.14.1 (deps: upgrade v8 to 4.1.0.12 nodejs/node#555)
5b02ad7 chore: release 7.5.0
e219bb4 fix: throw on bad version with correct error message (doc: dns.lookupService has wrong header level nodejs/node#552)
503a4e5 feat: allow identifierBase to be false (Function redefinition in vm.runInContext nodejs/node#548)
fc2f3df fix: incorrect results from diff sometimes with prerelease versions (docs: remove incorrect entry from changelog nodejs/node#546)
2781767 fix: avoid re-instantiating SemVer during diff compare (gulp runs in error nodejs/node#547)
82aa7f6 chore: release 7.4.0
731d896 chore: enable CD (docs: more explicit crypto.pseudoRandomBytes information nodejs/node#545)
940723d fix: intersects with v0.0.0 and v0.0.0-0 (src: s/node/io.js/ in iojs --help message nodejs/node#538)
aa516b5 fix: faster parse options (Buffer api for conversion from/to ArrayBuffer nodejs/node#535)
61e6ea1 fix: faster cache key factory for range ("uid must be an unsigned int" on io.js 1.0.3 (x64) on 64-bit Windows 8.1 nodejs/node#536)
f8b8b61 fix: optimistic parse (lib: use const to define constants nodejs/node#541)
796cbe2 fix: semver.diff prerelease to release recognition (WIP events: optimize emit() nodejs/node#533)
3f222b1 fix: reuse comparators on subset (Embed io.js in a C++ 3d game engine? nodejs/node#537)
113f513 feat: identifierBase parameter for .inc (MariaSQL will not install nodejs/node#532)
ea689bc chore: basic type test for RELEASE_TYPES
c5d29df docs: Add "Constants" section to README

See the full diff

Package name: update-notifier

The new version differs by 50 commits.

311557e 6.0.0
9183541 Require Node.js 14 and move to ESM
3fdb218 5.1.0
73c391b Upgrade dependencies
0a6027e Move to GitHub Actions
d8fa601 Rename `master` branch to `main`
f63b2eb 5.0.1
9e2b772 Update dependencies
da7c464 5.0.0
5b440c2 Require Node.js 10
3dfe42d Don't suggest to upgrade to lower version ([v8] Stop using deprecated fields of v8::FastApiCallbackOptions v8/node#192)
132b7ce Remove a project from "Users" section (Replace uses of deprecated V8 API v8/node#191)
c9d2166 4.1.1
f42fc8f Improve vertical alignment of the notifier output (Define XxxStream.prototype.onread as an accessor in JavaScript sense v8/node#183)
71a3f19 Use HTTPS links
64c5236 Fix Travis
9d9f4ff 4.1.0
4062f12 Update dependencies
adbeb6e Add template support for the `message` option (2024-04-02: Fix header list v8/node#175)
adf7803 4.0.0
fb5161c Remove the `callback` option (Change parallel.status to skip failing tests v8/node#158)
39682de Rename `boxenOpts` option to `boxenOptions`
bc1721a Avoid showing notification if current version is the latest (Don't use soon-to-be-deprecated V8 Api v8/node#174)
ccaf686 Update dependencies

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-SEMVER-3247795

fix: deps/npm/package.json to reduce vulnerabilities

94660ca

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-SEMVER-3247795

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 1 vulnerabilities #32

[Snyk] Fix for 1 vulnerabilities #32

saurabharch commented Jun 21, 2023

[Snyk] Fix for 1 vulnerabilities #32

Are you sure you want to change the base?

[Snyk] Fix for 1 vulnerabilities #32

Conversation

saurabharch commented Jun 21, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade: