[Snyk] Fix for 21 vulnerabilities #24

xan187 · 2022-10-05T18:53:45Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
554/1000 Why? Has a fix available, CVSS 6.8	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	No	No Known Exploit
509/1000 Why? Has a fix available, CVSS 5.9	Timing Attack SNYK-JS-ELLIPTIC-511941	No	No Known Exploit
706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Cryptographic Issues SNYK-JS-ELLIPTIC-571484	No	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	No	Proof of Concept
344/1000 Why? Has a fix available, CVSS 2.6	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	No	No Known Exploit
484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	No	No Known Exploit
504/1000 Why? Has a fix available, CVSS 5.8	Prototype Pollution SNYK-JS-HIGHLIGHTJS-1045326	Yes	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HIGHLIGHTJS-1048676	Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	No	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	No	Proof of Concept
539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit
520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	No	No Known Exploit
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-PRISMJS-1076581	Yes	Proof of Concept
584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-PRISMJS-1314893	Yes	No Known Exploit
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-PRISMJS-1585202	Yes	Proof of Concept
484/1000 Why? Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) SNYK-JS-PRISMJS-2404333	Yes	No Known Exploit
629/1000 Why? Has a fix available, CVSS 8.3	Cross-site Scripting (XSS) SNYK-JS-PRISMJS-597628	Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Command Injection SNYK-JS-SSH2-1656673	Yes	No Known Exploit
596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: follow-redirects

The new version differs by 67 commits.

3d81dc3 Release version 1.14.8 of the npm package.
62e546a Drop confidential headers across schemes.
2ede36d Release version 1.14.7 of the npm package.
8b347cb Drop Cookie header across domains.
6f5029a Release version 1.14.6 of the npm package.
af706be Ignore null headers.
d01ab7a Release version 1.14.5 of the npm package.
40052ea Make compatible with Node 17.
86f7572 Fix: clear internal timer on request abort to avoid leakage
2e1eaf0 Keep Authorization header on subdomain redirects.
2ad9e82 Carry over Host header on relative redirects ([Snyk] Fix for 5 vulnerabilities #172)
77e2a58 Release version 1.14.4 of the npm package.
eb6e76f Fix another self mention.
f26c6c6 Release version 1.14.3 of the npm package.
3f1b2f5 Fix timeout clearing.
422890d Release version 1.14.2 of the npm package.
af63a04 Update package-lock.json version.
21ba514 fix: address jest testing issue (fixes [Snyk] Fix for 21 vulnerabilities #153)
1b45be4 Remove CI on 6.0.
889b0eb Release version 1.14.1 of the npm package.
ffa0a85 Update dependencies.
8c6667f Do not remove all listeners on abort.
bbe5769 Release version 1.14.0 of the npm package.
cdd921f Fix socket leak.

See the full diff

Package name: node-fetch

The new version differs by 19 commits.

1ef4b56 backport of System Error when running Ganache 2.0.1 on darwin trufflesuite/ganache-ui#1449 (System Error when running Ganache 2.0.1 on linux trufflesuite/ganache-ui#1453)
8fe5c4e 2.x: Specify encoding as an optional peer dependency in package.json (Feature request: link logs to transaction details trufflesuite/ganache-ui#1310)
f56b0c6 fix(URL): prefer built in URL version when available and fallback to whatwg (System Error when running Ganache 1.1.0 on win32 trufflesuite/ganache-ui#1352)
b5417ae fix: import whatwg-url in a way compatible with ESM Node (#1303)
18193c5 fix v2.6.3 that did not sending query params (System Error when running Ganache 1.2.1 on darwin trufflesuite/ganache-ui#1301)
ace7536 fix: properly encode url with unicode characters (System Error when running Ganache 2.0.1 on darwin trufflesuite/ganache-ui#1291)
152214c Fix(package.json): Corrected main file path in package.json (System Error when running Ganache 2.0.0 on win32 trufflesuite/ganache-ui#1274)
b5e2e41 update version number
2358a6c Honor the `size` option after following a redirect and revert data uri support
8c197f8 docs: Fix typos and grammatical errors in README.md (System Error when running Ganache 1.0.2 on darwin trufflesuite/ganache-ui#686)
1e99050 fix: Change error message thrown with redirect mode set to error (System Error when running Ganache 1.1.0 on darwin trufflesuite/ganache-ui#653)
244e6f6 docs: Show backers in README
6a5d192 fix: Properly parse meta tag when parameters are reversed (System Error when running Ganache 1.0.2 on linux trufflesuite/ganache-ui#682)
47a24a0 chore: Add opencollective badge
7b13662 chore: Add funding link
5535c2e fix: Check for global.fetch before binding it (Ganache fails to deploy contract with >29kb binary trufflesuite/ganache-ui#674)
1d5778a docs: Add Discord badge
eb3a572 feat: Data URI support (System Error when running Ganache 1.1.0 on darwin trufflesuite/ganache-ui#659)
086be6f Remove --save option as it isn't required anymore (System Error when running Ganache 1.1.0 on darwin trufflesuite/ganache-ui#581)

See the full diff

Package name: node-ssh

The new version differs by 121 commits.

cd554c2 12.0.0
9c08154 📝 Document minimum version of Node.js in changelog
81e8639 📝 Document compilerOptions in README
4e136b8 Merge pull request System Error when running Ganache 1.0.2 on darwin trufflesuite/ganache-ui#396 from steelbrain/steelbrain/ssh2
8504792 🔥 Remove flow comment
68d72b1 🐛 Use the right STATUS_CODE
2cf5546 ⬆️ Upgrade to node-ssh v1
99c2509 Merge pull request System Error when running Ganache 1.0.2 on darwin trufflesuite/ganache-ui#395 from steelbrain/steelbrain/input-stream
4c15c3b 📝 Document change in CHANGELOG
0e2f58c ⬆️ Allow only readable streams
33f4e21 ⬆️ Bump up year to 2021
c3ec682 🆕 Add support for readable stream in stdin
69f85fe Merge pull request Blockchain process exited prematurely with code '7', due to signal 'null' when running Ganache 1.0.2 on darwin trufflesuite/ganache-ui#394 from steelbrain/steelbrain/maintenance
f802567 🐛 Fix ESLint/TS stuff in test
617aedf 🆕 Fix new issues from new codestyle
c49552c ⬆️ Upgrade all dev dependencies
3bc4a56 📝 Add docs about Typescript usage
ce21fa7 11.1.1
a3fe09a 📝 Document changes in CHANGELOG
302322d 🎨 Minor code cleanup
dd958a9 Merge pull request Add the packaging metadata to build the ganache snap trufflesuite/ganache-ui#341 from wmertens/patch-1
bc4d6f4 execCommand: always close stdin
766d9fe Merge pull request Not working properly with metamask. trufflesuite/ganache-ui#340 from smali-kazmi/master
63dd2cd Update README.md

See the full diff

Package name: react-syntax-highlighter

The new version differs by 124 commits.

e75a4c7 13.0.0
3ec6e08 Merge pull request Blockchain process exited prematurely with code '7', due to signal 'null'. trufflesuite/ganache-ui#274 from conorhastings/simmerer/improved-demo
6dc2b66 re-auto-generate async-languages and prism styles
b308629 allow style-switching on Prism example, change languages for selector
25f51f9 add language selector to default demo
d85780f consistent control ordering
56e1487 remove useless "defaultStyle" option
d7f6358 specify language for example diff code
21c1377 improved font sizing & title line height
b903c03 Merge branch 'master' into simmerer/improved-demo
3204faa Merge pull request #268 Fixed mined on time formatting issue on BlockCard trufflesuite/ganache-ui#269 from conorhastings/simmerer/update-highlight-lowlight
ee21ba2 Merge branch 'master' into simmerer/update-highlight-lowlight
1ece955 Merge pull request Can't start Ganache1.0.2 on Ubuntu 16.04 trufflesuite/ganache-ui#259 from napagroup/master
ac3f409 Merge pull request Incorrect timestamp of blocks mined trufflesuite/ganache-ui#268 from conorhastings/simmerer/update-refractor
9cf19dd update note on showInlineLineNumbers prop
434547e enable line numbering in virtualized demo
65b606c Merge pull request System Error when running Ganache 1.0.1 on linux trufflesuite/ganache-ui#272 from conorhastings/dependabot/npm_and_yarn/lodash-4.17.19
2612aab Merge pull request Already have a metamask account cannot import with ganache seed, needs json or privkey trufflesuite/ganache-ui#273 from conorhastings/dependabot/npm_and_yarn/codecov-3.7.1
9fca845 corrected snapshots (finally!)
89b2007 fix for nonexistent getLanguage() func
6fdd6ca Merge branch 'simmerer/update-highlight-lowlight' into improved-demo
688c50c better astGenerator inspection
dd9a2cb consistent markup for other examples
7893abf clean up layout for virtualized example

See the full diff

Package name: truffle

The new version differs by 250 commits.

90c9f7e Publish
8f135ce Update yarn.lock
17b997c Merge pull request System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3152 from trufflesuite/gwei
53f037e Merge pull request System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3146 from trufflesuite/update-mocha
7113313 Update highlightjs-solidity
6db3b6a Merge pull request System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3150 from trufflesuite/cruz/trufflesuite/web3-provider-engine-15.0.0-2
4c81358 Upgrade dependency: @ trufflesuite/web3-provider-engine@15.0.0-2
c78e34c Merge pull request System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3149 from trufflesuite/more-yul-jump-handling
9944cc8 Update debugger tests to 0.6.11
6714cc8 Fix interaction of phantom guard and jumps into unmapped code
e5db488 Better format locations with missing source path
078ea1e Accept colors as a mocha config field
21aa179 Correct typo with color property
56feea0 Add color option to the mocha config
22f4cdc Leave the debugger package using an older version of Mocha to bump later
afba441 Remove useColors option for mocha
1f5ac1f Remove node 8 from github actions tasks
3f19f30 Update travis config
6fbd31d Remove call in logger for tests
3e55bc7 Update Mocha
008497b Merge pull request System Error when running Ganache 2.5.4 on linux trufflesuite/ganache-ui#3145 from trufflesuite/bug/ethpm-method
32fe89a Update @ public to @ external to comply with changes to vyper in version 0.2.0
df44f8b Add space in vyper command
9628aa3 Increase test timeout