New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 17 vulnerabilities #14

Open

chrisspradling1980 wants to merge 1 commit into master from snyk-fix-9291599b8f3f430bd2f19cb8f236331a

Owner

chrisspradling1980 commented Dec 20, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	Yes	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Arbitrary File Overwrite SNYK-JS-FSTREAM-174725	Yes	No Known Exploit
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ISMYJSONVALID-597165	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Arbitrary Code Execution SNYK-JS-ISMYJSONVALID-597167	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-JSONPOINTER-1577288	Yes	Proof of Concept
	811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-JSONPOINTER-598804	Yes	Proof of Concept
	644/1000 Why? Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary File Overwrite SNYK-JS-TAR-174125	Yes	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: gulp-sass

The new version differs by 15 commits.

5775044 Update CHANGELOG.md
978b8f6 Update to major version 5 (#802)
10eae93 Update changelog for 4.1.1
947b26c Upgrade lodash to fix a security issue (#776)
8d6ac29 Update changelog
43c0547 4.1.0
ebe3ec6 Set appropriate file stat times (#763)
7ab018e Migrate to the lodash package
fa670c6 4.0.2
fefa00e Revert package.json version bump
98254d2 Fix README typos
8a14419 Continue loading Node Sass by default
938afbe Add a note about synchronous versus asynchronous speed
7cc2db1 Make this package implementation-agnostic
643f73b Add documentation for synchronous code options

See the full diff

Package name: gulp-sourcemaps

The new version differs by 38 commits.

2bcfcbb 3.0.0
d8bed0c Merge pull request Bump jszip and snyk cisagov/cyber.dhs.gov#373 from adrian3d/update/doc-gulp-4
5686db3 Merge pull request Create Carttera cisagov/cyber.dhs.gov#380 from kennyr87/Bump minimist from 1.2.5 to 1.2.8 cisagov/cyber.dhs.gov#378/upgrade-css
2c66b2c Depdenency: Upgrade css to v3.0.0
9a9289b Breaking: Drop Node <6 support & upgrade identity-map which uses changes CSS sourcemaps (Bump npm from 7.20.5 to 9.5.1 cisagov/cyber.dhs.gov#376)
11d1e31 Update doc to gulp 4
bd0aeb0 Docs: Temporarily point at phated/gulp-sourcemaps for AppVeyor badge
7e69e97 Build: Ensure tests pass on Windows
404eb5b Docs: Update badges
8a22ecc Scaffold: Convert repository to use gulp patterns (closes Bump jekyll from 4.2.1 to 4.3.1 cisagov/cyber.dhs.gov#357) (Bump snyk from 1.676.0 to 1.1080.0 cisagov/cyber.dhs.gov#367)
06cf0f0 2.6.5
8f68c5f Merge pull request Bump html-proofer from 3.19.3 to 5.0.3 cisagov/cyber.dhs.gov#366 from gulp-sourcemaps/issue-363
178b1b7 issue-363: trying to get to 100% coverage again
3286f8f fixing older node code for es5
27e4c8b fixing linting errors
1de522e cleaning things up to get coverage up
01c802f issue-363: cleaned up commentFormatter code to handle css correctly on preExisting
5a99012 Use proper comment format for css with pre-existing comment.
492d937 2.6.4
6a037bf Merge pull request Bump html-proofer from 3.19.3 to 4.3.1 cisagov/cyber.dhs.gov#344 from gormac/master
fcf64d8 Prevent update to source-map 0.7.0
b97fe77 bump 2.6.3
e75e0c2 readme typos
8774287 Merge pull request [Snyk] Security upgrade html-proofer from 3.19.3 to 3.19.3 cisagov/cyber.dhs.gov#338 from ogvolkov/master

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Arbitrary Code Execution
🦉 Prototype Pollution


          fix: package.json & package-lock.json to reduce vulnerabilities

f2336c0

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-DECODEURICOMPONENT-3149970
- https://snyk.io/vuln/SNYK-JS-FSTREAM-174725
- https://snyk.io/vuln/SNYK-JS-HAWK-2808852
- https://snyk.io/vuln/SNYK-JS-ISMYJSONVALID-597165
- https://snyk.io/vuln/SNYK-JS-ISMYJSONVALID-597167
- https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577288
- https://snyk.io/vuln/SNYK-JS-JSONPOINTER-598804
- https://snyk.io/vuln/SNYK-JS-JSONSCHEMA-1920922
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-3050818
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-QS-3153490
- https://snyk.io/vuln/SNYK-JS-TAR-174125
- https://snyk.io/vuln/npm:extend:20180424
- https://snyk.io/vuln/npm:hoek:20180212
- https://snyk.io/vuln/npm:tunnel-agent:20170305

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet