Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

[Snyk] Fix for 23 vulnerabilities #144

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

[Snyk] Fix for 23 vulnerabilities #144

wants to merge 1 commit into from

Conversation

sumodgeorge
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • static/node/package.json
    • static/node/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 619/1000
Why? Has a fix available, CVSS 8.1		 Prototype Pollution
SNYK-JS-AJV-584908		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Improper Verification of Cryptographic Signature
SNYK-JS-BROWSERIFYSIGN-6037026		 No No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-COOKIEJAR-3149984		 No Proof of Concept
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3		 Arbitrary File Write via Archive Extraction (Zip Slip)
SNYK-JS-DECOMPRESSTAR-559095		 No Proof of Concept
medium severity 554/1000
Why? Has a fix available, CVSS 6.8		 Cryptographic Issues
SNYK-JS-ELLIPTIC-1064899		 No No Known Exploit
medium severity 509/1000
Why? Has a fix available, CVSS 5.9		 Timing Attack
SNYK-JS-ELLIPTIC-511941		 No No Known Exploit
high severity 706/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.7		 Cryptographic Issues
SNYK-JS-ELLIPTIC-571484		 No Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-ES5EXT-6095076		 No Proof of Concept
medium severity 519/1000
Why? Has a fix available, CVSS 6.1		 Open Redirect
SNYK-JS-EXPRESS-6474509		 No No Known Exploit
medium severity 484/1000
Why? Has a fix available, CVSS 5.4		 Open Redirect
SNYK-JS-GOT-2932019		 Yes No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-HTTPCACHESEMANTICS-3248783		 No Proof of Concept
high severity 644/1000
Why? Has a fix available, CVSS 8.6		 Prototype Pollution
SNYK-JS-JSONSCHEMA-1920922		 No No Known Exploit
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7		 Prototype Pollution
SNYK-JS-MINIMIST-2429795		 No Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-NORMALIZEURL-1296539		 No No Known Exploit
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Prototype Poisoning
SNYK-JS-QS-3153490		 No Proof of Concept
high severity 624/1000
Why? Has a fix available, CVSS 8.2		 Arbitrary File Overwrite
SNYK-JS-TAR-1536528		 No No Known Exploit
high severity 624/1000
Why? Has a fix available, CVSS 8.2		 Arbitrary File Overwrite
SNYK-JS-TAR-1536531		 No No Known Exploit
low severity 410/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-TAR-1536758		 No No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5		 Arbitrary File Write
SNYK-JS-TAR-1579147		 No No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5		 Arbitrary File Write
SNYK-JS-TAR-1579152		 No No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5		 Arbitrary File Write
SNYK-JS-TAR-1579155		 No No Known Exploit
medium severity 596/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.5		 Arbitrary Code Injection
SNYK-JS-UNDERSCORE-1080984		 Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Prototype Pollution
SNYK-JS-WEB3UTILS-6229337		 Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: @truffle/config The new version differs by 250 commits.
  • 033fc64 Publish
  • 8c81e30 Merge pull request #6187 from trufflesuite/decapitate
  • 7591024 Remove gitHead field that snuck its way in
  • 4c80841 Merge pull request #6180 from legobeat/node-version
  • 25f02d2 Merge pull request #6185 from legobeat/devdeps-dedupe-babel
  • d235365 Merge pull request #6186 from legobeat/ci-node-20.5
  • 48a2052 chore: yarn dedupe @ babel/ packages
  • d355b79 chore(ci): pin node 20 to 20.5 due to regression in 20.6
  • d0d0c89 Merge pull request #6178 from legobeat/achrinza-node-ipc
  • a9d543f Merge pull request #6177 from legobeat/deps-semver
  • 1c79efe chore(deps): unpin semver
  • 5ae76e9 deps(codec-components): bump @ microsoft/api-extractor to fix semver CVE
  • cb8bf8b yarn dedupe browserslist@^4.x
  • a830ff5 deps: dedupe core-js-compat to remove semver@7.0.0
  • c31707c update yarn.lock
  • b349c1c deps: semver@^7.5.2->^7.5.4
  • 53fcef0 update yarn.lock
  • 005ebb9 deps: semver@7.5.2->7.5.4
  • 4ff7c58 update yarn.lock
  • cfde067 devDeps(spinners): remove unused @ types/semver
  • 6af2e11 devDeps: @ types/semver->7.5.1
  • b1810cc deps: semver@7.5.2->7.5.4
  • b7bc4c1 deps(core): semver@7.5.2->7.5.4
  • 9c581ec compile-solidity: type-assertion due to incompletely typed @ types/semver

See the full diff

Package name: @truffle/decoder The new version differs by 250 commits.
  • a26df1f Publish
  • 4df99df Merge pull request #6193 from legobeat/ci-yarn-deduplicate
  • 39ffb36 apply lint:fix:dependencies
  • d37ed52 ci: enforce deduped lockfile when linting dependencies
  • b999099 chore: add yarn lockfile deduplication package scripts using yarn-deduplicate
  • 6b2a081 Merge pull request #6194 from legobeat/yarn-dedupe-full-fewer
  • 0f3d963 yarn refresh lockfile
  • 17536c4 yarn deduplicate fewer
  • 6accdbf devDeps: yarn deduplicate readable-stream
  • f322892 devDeps: yarn deduplicate object.assign
  • 4fac8f1 devDeps: yarn deduplicate http-cache-semantics
  • 7b2d2ff devDeps: yarn deduplicate acorn,ajv
  • 6a0c3bd deps: yarn deduplicate bn.js@^5
  • a82c4ad devDeps: yarn deduplicate @ types/
  • f28ce63 deps: yarn dedupe strip-ansi,ansi-regex
  • 9b23a59 devDeps: webpack@^5.73.0->^5.88.2
  • 09ebe21 deps: yarn dedupe,lockbump apollo-server packages
  • a267cab yarn dedupe graphql,tslib
  • 16e723d devDeps(db,db-kit): madge@^5.0.1->6.1.0
  • 3344b45 Merge pull request #6192 from legobeat/deps-bump-eth-libs
  • 4372ee3 update yarn.lock after rebase
  • 0625db5 Merge pull request #6191 from legobeat/deps-dedupe-libs
  • 0500ff7 deps: bump/dedupe web3, ethereumjs-util packages
  • 4d64055 yarn dedupe ethers

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Cryptographic Issues
🦉 More lessons are available in Snyk Learn

@snyk-bot
fix: static/node/package.json & static/node/package-lock.json to redu…
9b9016b 
…ce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AJV-584908
- https://snyk.io/vuln/SNYK-JS-BROWSERIFYSIGN-6037026
- https://snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984
- https://snyk.io/vuln/SNYK-JS-DECOMPRESSTAR-559095
- https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899
- https://snyk.io/vuln/SNYK-JS-ELLIPTIC-511941
- https://snyk.io/vuln/SNYK-JS-ELLIPTIC-571484
- https://snyk.io/vuln/SNYK-JS-ES5EXT-6095076
- https://snyk.io/vuln/SNYK-JS-EXPRESS-6474509
- https://snyk.io/vuln/SNYK-JS-GOT-2932019
- https://snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783
- https://snyk.io/vuln/SNYK-JS-JSONSCHEMA-1920922
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-NORMALIZEURL-1296539
- https://snyk.io/vuln/SNYK-JS-QS-3153490
- https://snyk.io/vuln/SNYK-JS-TAR-1536528
- https://snyk.io/vuln/SNYK-JS-TAR-1536531
- https://snyk.io/vuln/SNYK-JS-TAR-1536758
- https://snyk.io/vuln/SNYK-JS-TAR-1579147
- https://snyk.io/vuln/SNYK-JS-TAR-1579152
- https://snyk.io/vuln/SNYK-JS-TAR-1579155
- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
- https://snyk.io/vuln/SNYK-JS-WEB3UTILS-6229337
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sumodgeorge @snyk-bot