[Snyk] Fix for 21 vulnerabilities #144

Thugnasty777 · 2024-03-15T00:05:46Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- static/node/package.json
- static/node/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	No	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Improper Verification of Cryptographic Signature SNYK-JS-BROWSERIFYSIGN-6037026	No	No Known Exploit
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-COOKIEJAR-3149984	No	Proof of Concept
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-DECOMPRESSTAR-559095	No	Proof of Concept
554/1000 Why? Has a fix available, CVSS 6.8	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	No	No Known Exploit
509/1000 Why? Has a fix available, CVSS 5.9	Timing Attack SNYK-JS-ELLIPTIC-511941	No	No Known Exploit
706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Cryptographic Issues SNYK-JS-ELLIPTIC-571484	No	Proof of Concept
768/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ES5EXT-6095076	No	Proof of Concept
484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	No	Proof of Concept
644/1000 Why? Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	No	No Known Exploit
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-NORMALIZEURL-1296539	No	No Known Exploit
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	No	No Known Exploit
624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	No	No Known Exploit
410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	No	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	No	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	No	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	No	No Known Exploit
596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @truffle/config

The new version differs by 250 commits.

033fc64 Publish
8c81e30 Merge pull request #6187 from trufflesuite/decapitate
7591024 Remove gitHead field that snuck its way in
4c80841 Merge pull request #6180 from legobeat/node-version
25f02d2 Merge pull request #6185 from legobeat/devdeps-dedupe-babel
d235365 Merge pull request #6186 from legobeat/ci-node-20.5
48a2052 chore: yarn dedupe @ babel/ packages
d355b79 chore(ci): pin node 20 to 20.5 due to regression in 20.6
d0d0c89 Merge pull request #6178 from legobeat/achrinza-node-ipc
a9d543f Merge pull request #6177 from legobeat/deps-semver
1c79efe chore(deps): unpin semver
5ae76e9 deps(codec-components): bump @ microsoft/api-extractor to fix semver CVE
cb8bf8b yarn dedupe browserslist@^4.x
a830ff5 deps: dedupe core-js-compat to remove [email protected]
c31707c update yarn.lock
b349c1c deps: semver@^7.5.2->^7.5.4
53fcef0 update yarn.lock
005ebb9 deps: [email protected]>7.5.4
4ff7c58 update yarn.lock
cfde067 devDeps(spinners): remove unused @ types/semver
6af2e11 devDeps: @ types/semver->7.5.1
b1810cc deps: [email protected]>7.5.4
b7bc4c1 deps(core): [email protected]>7.5.4
9c581ec compile-solidity: type-assertion due to incompletely typed @ types/semver

See the full diff

Package name: @truffle/decoder

The new version differs by 250 commits.

a26df1f Publish
4df99df Merge pull request #6193 from legobeat/ci-yarn-deduplicate
39ffb36 apply lint:fix:dependencies
d37ed52 ci: enforce deduped lockfile when linting dependencies
b999099 chore: add yarn lockfile deduplication package scripts using yarn-deduplicate
6b2a081 Merge pull request #6194 from legobeat/yarn-dedupe-full-fewer
0f3d963 yarn refresh lockfile
17536c4 yarn deduplicate fewer
6accdbf devDeps: yarn deduplicate readable-stream
f322892 devDeps: yarn deduplicate object.assign
4fac8f1 devDeps: yarn deduplicate http-cache-semantics
7b2d2ff devDeps: yarn deduplicate acorn,ajv
6a0c3bd deps: yarn deduplicate bn.js@^5
a82c4ad devDeps: yarn deduplicate @ types/
f28ce63 deps: yarn dedupe strip-ansi,ansi-regex
9b23a59 devDeps: webpack@^5.73.0->^5.88.2
09ebe21 deps: yarn dedupe,lockbump apollo-server packages
a267cab yarn dedupe graphql,tslib
16e723d devDeps(db,db-kit): madge@^5.0.1->6.1.0
3344b45 Merge pull request #6192 from legobeat/deps-bump-eth-libs
4372ee3 update yarn.lock after rebase
0625db5 Merge pull request #6191 from legobeat/deps-dedupe-libs
0500ff7 deps: bump/dedupe web3, ethereumjs-util packages
4d64055 yarn dedupe ethers