New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 10 vulnerabilities #8

Open

snyk-bot wants to merge 1 commit into master from snyk-fix-b660015ac81c47a7d836de2f8de434f1

snyk-bot commented Mar 9, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	490/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-RAMDA-1582370	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Improper Input Validation SNYK-JS-URIJS-1055003	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-URIJS-1078286	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-URIJS-1319803	No	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-URIJS-1319806	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-URIJS-2401466	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-URIJS-2415026	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-URIJS-2419067	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Misinterpretation of Input SNYK-JS-URIJS-2440699	No	Proof of Concept
	591/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) SNYK-JS-URIJS-2441239	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: ramda

The new version differs by 250 commits.

1a5d40b Version 0.27.2
4d8e8f0 Merge pull request #3212 from ramda/davidchambers/trim
94d0570 Security fix for ReDoS (#3177)
8ae355e update test string for trim
6bb8eea Version 0.27.1
ed191e6 Merge pull request #2832 from kibertoad/chore/update-dependencies-2
20ba763 Update dependencies
a6620f6 Update Babel to v7 (#2829)
2705518 Execute tests on Node 12 (#2828)
c45208e hasPath return false for non-object checks (#2825)
0baeda1 updated invoker.js documentation (#2821)
072d417 Including BR translation. (#2621)
ca1e2b5 add an example which covers error and value (#2806)
271b044 docs: Add @ since where it is missing (#2793)
ac58c96 Update `pathSatisfies` to handles empty `path` arguments (#2791)
b25ac73 Fix typo in split docs (#2792)
7d55e91 Add R.xor (Exclusive OR) (#2646)
efd899b feature: adding paths operator - #2740 (#2742)
235a370 fix: rename then to andThen (#2772)
8d59032 Fix broken link in readme (#2768)
38feed2 remove erroneous quotes in tryCatch documentation (#2765)
ce4f936 fix `@ since` in `includes` (#2764)
626762b Reference to Ramda Conventions wiki page (#2718)
878cacd Add prebench script (#2759)

See the full diff

Package name: urijs

The new version differs by 27 commits.

b655c1b chore(build): bumping to version 1.19.11
b0c9796 fix(parse): handle CR,LF,TAB
88805fd fix(parse): handle excessive slashes in scheme-relative URLs
926b2aa chore(build): bumping to version 1.19.10
a8166fe fix(parse): handle excessive colons in scheme delimiter
01920b5 chore(build): bumping to version 1.19.9
86d1052 fix(parse): remove leading whitespace
efae1e5 chore(build): bumping to version 1.19.8
6ea641c fix(parse): case insensitive scheme - #412
19e54c7 chore(build): bumping to version 1.19.7
547d4b6 build: update jquery
aab4a43 build: remove obsolete build tools
ac43ca8 fix(parse): more backslash galore #410
622db6d docs: add security policy
8e51b00 fix(parse): prevent overwriting __proto__ in parseQuery()
46c8ac0 chore(build): bumping to version 1.19.6
a1ad8bc fix(parse): treat backslash as forwardslash in scheme delimiter
d7bb4ce chore(build): bumping to version 1.19.5
bf04ec5 chore(build): bumping to version 1.19.4
b02bf03 fix(parse): treat backslash as forwardslash in authority (#403)
d7064ab chore(build): bumping to version 1.19.3
4f45faf fix(parse): treat backslash as forwardslash in authority
594ffc1 chore(build): bumping to version 1.19.2
e780eeb chore: inform people of modern APIs

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Open Redirect
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn


          fix: package.json & package-lock.json to reduce vulnerabilities

f7c3836

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-RAMDA-1582370
- https://snyk.io/vuln/SNYK-JS-URIJS-1055003
- https://snyk.io/vuln/SNYK-JS-URIJS-1078286
- https://snyk.io/vuln/SNYK-JS-URIJS-1319803
- https://snyk.io/vuln/SNYK-JS-URIJS-1319806
- https://snyk.io/vuln/SNYK-JS-URIJS-2401466
- https://snyk.io/vuln/SNYK-JS-URIJS-2415026
- https://snyk.io/vuln/SNYK-JS-URIJS-2419067
- https://snyk.io/vuln/SNYK-JS-URIJS-2440699
- https://snyk.io/vuln/SNYK-JS-URIJS-2441239

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet