Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 7 vulnerabilities #472

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

titanism
Copy link
Contributor

@titanism titanism commented Sep 6, 2024

snyk-top-banner

Snyk has created this PR to fix 7 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

  • template/package.json
  • template/yarn.lock

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Prototype Pollution
SNYK-JS-PROTOBUFJS-5756498
  751  
high severity Prototype Pollution
SNYK-JS-PROTOBUFJS-2441248
  731  
high severity Improper Control of Generation of Code ('Code Injection')
SNYK-JS-PUGCODEGEN-7086056
  696  
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795
  696  
high severity Improper Input Validation
SNYK-JS-FOLLOWREDIRECTS-6141137
  686  
medium severity Information Exposure
SNYK-JS-FOLLOWREDIRECTS-6444610
  646  
high severity Prototype Pollution
SNYK-JS-UNDERSCOREDEEP-2936792
  624  

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Improper Input Validation
🦉 Prototype Pollution
🦉 Improper Control of Generation of Code ('Code Injection')
🦉 More lessons are available in Snyk Learn

[//]: # 'snyk:metadata:{"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"@ladjs/i18n","from":"7.2.6","to":"8.0.0"},{"name":"@slack/web-api","from":"6.7.1","to":"6.12.1"},{"name":"cabin","from":"9.1.2","to":"11.0.0"},{"name":"mandarin","from":"4.2.0","to":"5.0.2"},{"name":"pug","from":"3.0.2","to":"3.0.3"}],"env":"prod","issuesToFix":[{"exploit_maturity":"Proof of Concept","id":"SNYK-JS-FOLLOWREDIRECTS-6141137","priority_score":686,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.3","score":365},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Improper Input Validation"},{"exploit_maturity":"Proof of Concept","id":"SNYK-JS-FOLLOWREDIRECTS-6444610","priority_score":646,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.5","score":325},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Information Exposure"},{"exploit_maturity":"Proof of Concept","id":"SNYK-JS-PROTOBUFJS-2441248","priority_score":731,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"8.2","score":410},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Prototype Pollution"},{"exploit_maturity":"Proof of Concept","id":"SNYK-JS-PROTOBUFJS-5756498","priority_score":751,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"8.6","score":430},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Prototype Pollution"},{"exploit_maturity":"Proof of Concept","id":"SNYK-JS-PUGCODEGEN-7086056","priority_score":696,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Improper Control of Generation of Code ('Code Injection')"},{"exploit_maturity":"Proof of Concept","id":"SNYK-JS-SEMVER-3247795","priority_score":696,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"Proof of Concept","id":"SNYK-JS-SEMVER-3247795","priority_score":696,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"No Known Exploit","id":"SNYK-JS-UNDERSCOREDEEP-2936792","priority_score":624,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"8.2","score":410},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Prototype Pollution"}],"prId":"00fd875c-fcad-43a1-8ae5-e73583fa843b","prPublicId":"00fd875c-fcad-43a1-8ae5-e73583fa843b","packageManager":"yarn","priorityScoreList":[686,646,731,751,696,696,624],"projectPublicId":"deecffb5-5423-445c-8826-70aff63668ac","projectUrl":"https://app.snyk.io/org/titanism/project/deecffb5-5423-445c-8826-70aff63668ac?utm_source=github&utm_medium=referral&page=fix-pr","prType":"fix","templateFieldSources":{"branchName":"default","commitMessage":"default","description":"default","title":"default"},"templateVariants":["priorityScore"],"type":"auto","upgrade":["SNYK-JS-FOLLOWREDIRECTS-6141137","SNYK-JS-FOLLOWREDIRECTS-6444610","SNYK-JS-PROTOBUFJS-2441248","SNYK-JS-PROTOBUFJS-5756498","SNYK-JS-PUGCODEGEN-7086056","SNYK-JS-SEMVER-3247795","SNYK-JS-UNDERSCOREDEEP-2936792"],"vulns":["SNYK-JS-FOLLOWREDIRECTS-6141137","SNYK-JS-FOLLOWREDIRECTS-6444610","SNYK-JS-PROTOBUFJS-2441248","SNYK-JS-PROTOBUFJS-5756498","SNYK-JS-PUGCODEGEN-7086056","SNYK-JS-SEMVER-3247795","SNYK-JS-UNDERSCOREDEEP-2936792"],"patch":[],"isBreakingChange":true,"remediationStrategy":"vuln"}'

Copy link

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@cospired/[email protected] None 0 229 kB e110c0
npm/@google-cloud/[email protected] environment 0 133 kB google-wombot
npm/@google-cloud/[email protected] None 0 31.3 kB google-wombot
npm/@google-cloud/[email protected] None 0 36.1 kB google-wombot
npm/@google-cloud/[email protected] environment 0 3.99 MB google-wombot
npm/@grpc/[email protected] environment, filesystem, network 0 1.63 MB murgatroid99
npm/@grpc/[email protected] filesystem 0 120 kB murgatroid99
npm/@jsdoc/[email protected] None 0 26.7 kB hegemonic
npm/@ladjs/[email protected] environment 0 23.3 kB titanism
npm/@slack/[email protected] None 0 216 kB filmaj
npm/@slack/[email protected] filesystem 0 2.09 MB e-zim
npm/@types/[email protected] None 0 6.66 kB types
npm/@types/[email protected] None 0 14.1 kB types
npm/@types/[email protected] None 0 73 kB types
npm/@types/[email protected] None 0 5.41 kB types
npm/@types/[email protected] None 0 20.4 kB types
npm/@types/[email protected] None 0 7.5 kB types
npm/[email protected] None 0 24.4 kB rreverser
npm/[email protected] network 0 2.14 MB jasonsaayman
npm/[email protected] environment 0 129 kB titanism
npm/[email protected] filesystem 0 318 kB hegemonic
npm/[email protected] None 0 8.11 kB thlorenz
npm/[email protected] None 0 107 kB michaelficarra
npm/[email protected] None 0 32.3 kB eslintbot
npm/[email protected] None 0 73.6 kB eslintbot
npm/[email protected] None 0 314 kB ariya
npm/[email protected] None 0 36.3 kB michaelficarra
npm/[email protected] None 0 50.6 kB michaelficarra
npm/[email protected] None 0 30 kB olalonde, rubenverborgh
npm/[email protected] environment, network 0 73.6 kB google-wombot
npm/[email protected] environment, filesystem 0 75.2 kB google-wombot
npm/[email protected] environment, filesystem, shell 0 516 kB google-wombot
npm/[email protected] environment, filesystem, network, shell 0 3.23 MB google-wombot
npm/[email protected] filesystem 0 25.2 kB google-wombot
npm/[email protected] filesystem 0 38.7 kB google-wombot
npm/[email protected] None 0 18.3 kB wooorm
npm/[email protected] None 0 16.8 kB wooorm
npm/[email protected] None 0 7.53 kB wooorm
npm/[email protected] None 0 17.7 kB wooorm
npm/[email protected] None 0 10.7 kB wooorm
npm/[email protected] None 0 18.3 kB wooorm
npm/[email protected] None 0 30.6 kB remarkablemark
npm/[email protected] None 0 3.26 kB cheton
npm/[email protected] None 0 3.29 kB parroit
npm/[email protected] None 0 59.3 kB michaelkourlas
npm/[email protected] None 0 1.53 MB hegemonic
npm/[email protected] None 0 34 kB gkz
npm/[email protected] None 0 119 kB dcode
npm/[email protected] environment, filesystem, network 0 20 kB titanism
npm/[email protected] None 0 154 kB valeriangalliat
npm/[email protected] None 0 428 kB tonybrix
npm/[email protected] None 0 10.7 kB schnittstabil
npm/[email protected] None 0 50.1 kB gkz
npm/[email protected] None 0 36 kB gkz
npm/[email protected] None 0 86.1 kB google-wombot
npm/[email protected] filesystem, shell 0 112 kB google-wombot
npm/[email protected] filesystem, network 0 2.77 MB google-wombot
npm/[email protected] environment 0 29.5 kB rob-w
npm/[email protected] environment, eval, filesystem 0 59.7 kB pug-bot
npm/[email protected] None 0 33.5 kB google-wombot
npm/[email protected] None 0 9.45 kB wooorm
npm/[email protected] None 0 11.1 kB wcjiang
npm/[email protected] None 0 7.47 kB wooorm
npm/[email protected] filesystem 0 16.7 kB wooorm
npm/[email protected] filesystem 0 14.4 kB wooorm
npm/[email protected] None 0 10.2 kB wooorm
npm/[email protected] filesystem, unsafe 0 19.6 kB hegemonic
npm/[email protected] None 0 18.2 kB google-wombot
npm/[email protected] None 0 9.97 MB sindresorhus
npm/[email protected] None 0 6.96 kB sindresorhus
npm/[email protected] None 0 30.5 kB remarkablemark
npm/[email protected] environment, network 0 65.8 kB google-wombot
npm/[email protected] None 0 112 kB sveyret
npm/[email protected] None 0 20.9 kB gkz
npm/[email protected] environment, eval, filesystem 0 1.3 MB alexlamsl
npm/[email protected] None 0 5.14 kB wooorm
npm/[email protected] None 0 10.6 kB jonschlinkert
npm/[email protected] None 0 169 kB michaelkourlas

🚮 Removed packages: npm/@babel/[email protected]), npm/@babel/[email protected]), npm/@babel/[email protected]), npm/@babel/[email protected]), npm/@babel/[email protected]), npm/@babel/[email protected]), npm/@babel/[email protected]), npm/@cospired/[email protected]), npm/@google-cloud/[email protected]), npm/@google-cloud/[email protected]), npm/@google-cloud/[email protected]), npm/@google-cloud/[email protected]), npm/@grpc/[email protected]), npm/@grpc/[email protected]), npm/@jridgewell/[email protected]), npm/@jridgewell/[email protected]), npm/@jridgewell/[email protected]), npm/@ladjs/[email protected]), npm/@nicolo-ribaudo/[email protected]), npm/@slack/[email protected]), npm/@slack/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected]), npm/[email protected])

View full report↗︎

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants