Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 41 vulnerabilities #9

Merged
merged 1 commit into from
Nov 13, 2020

Conversation

snyk-bot
Copy link

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json
  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
    Find out more.

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 619/1000
Why? Has a fix available, CVSS 8.1
Prototype Pollution
SNYK-JS-AJV-584908
Yes No Known Exploit
high severity 599/1000
Why? Has a fix available, CVSS 7.7
Remote Memory Exposure
SNYK-JS-BL-608877
No No Known Exploit
high severity 630/1000
Why? Has a fix available, CVSS 8.1
Internal Property Tampering
SNYK-JS-BSON-561052
Yes No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-450202
Yes Proof of Concept
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3
Prototype Pollution
SNYK-JS-LODASH-567746
Yes Proof of Concept
high severity 704/1000
Why? Has a fix available, CVSS 9.8
Prototype Pollution
SNYK-JS-LODASH-590103
Yes No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-608086
Yes Proof of Concept
high severity 579/1000
Why? Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-73638
Yes No Known Exploit
medium severity 434/1000
Why? Has a fix available, CVSS 4.4
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-73639
Yes No Known Exploit
high severity 579/1000
Why? Has a fix available, CVSS 7.3
SQL Injection
SNYK-JS-LOOPBACKCONNECTORMONGODB-73555
Yes No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Denial of Service (DoS)
SNYK-JS-MONGODB-473855
Yes No Known Exploit
medium severity 661/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.8
Arbitrary Code Injection
SNYK-JS-MORGAN-72579
No Proof of Concept
high severity 684/1000
Why? Has a fix available, CVSS 9.4
Arbitrary Code Execution
SNYK-JS-SANITIZEHTML-585892
Yes No Known Exploit
high severity 619/1000
Why? Has a fix available, CVSS 8.1
Cross-site Scripting (XSS)
SNYK-JS-SERIALIZEJAVASCRIPT-536840
Yes No Known Exploit
high severity 706/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.7
Arbitrary Code Injection
SNYK-JS-SERIALIZEJAVASCRIPT-570062
Yes Proof of Concept
high severity 816/1000
Why? Mature exploit, Has a fix available, CVSS 8.6
Uninitialized Memory Exposure
npm:base64-url:20180512
No Mature
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:braces:20180219
Yes Proof of Concept
low severity 292/1000
Why? Proof of Concept exploit, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:clean-css:20180306
Yes Proof of Concept
low severity 399/1000
Why? Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:debug:20170905
Yes No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
npm:fresh:20170908
No No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:hawk:20160119
Yes No Known Exploit
medium severity 529/1000
Why? Has a fix available, CVSS 6.3
Prototype Pollution
npm:hoek:20180212
Yes No Known Exploit
medium severity 539/1000
Why? Has a fix available, CVSS 6.5
Timing Attack
npm:http-signature:20150122
Yes No Known Exploit
medium severity 529/1000
Why? Has a fix available, CVSS 6.3
Prototype Pollution
npm:lodash:20180130
Yes No Known Exploit
medium severity 469/1000
Why? Has a fix available, CVSS 5.1
Denial of Service (DoS)
npm:mem:20180117
Yes No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:mime:20170907
Yes No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
npm:moment:20160126
No No Known Exploit
medium severity 509/1000
Why? Has a fix available, CVSS 5.9
Regular Expression Denial of Service (ReDoS)
npm:moment:20161019
No No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:moment:20170905
No No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
npm:ms:20151024
No No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:ms:20170412
No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
npm:negotiator:20160616
No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Prototype Override Protection Bypass
npm:qs:20170213
Yes No Known Exploit
high severity 569/1000
Why? Has a fix available, CVSS 7.1
Cross-site Scripting (XSS)
npm:react:20150318
No No Known Exploit
medium severity 469/1000
Why? Has a fix available, CVSS 5.1
Remote Memory Exposure
npm:request:20160119
Yes No Known Exploit
medium severity 656/1000
Why? Mature exploit, Has a fix available, CVSS 5.4
Cross-site Scripting (XSS)
npm:sanitize-html:20161026
No Mature
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
Root Path Disclosure
npm:send:20151103
No No Known Exploit
medium severity 576/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.1
Uninitialized Memory Exposure
npm:tunnel-agent:20170305
Yes Proof of Concept
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
npm:uglify-js:20151024
No No Known Exploit
medium severity 429/1000
Why? Has a fix available, CVSS 4.3
Cross-site Scripting (XSS)
npm:validator:20150313
No No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
Buffer Overflow
npm:validator:20160218
Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: accepts The new version differs by 23 commits.

See the full diff

Package name: cheerio The new version differs by 106 commits.

See the full diff

Package name: compression The new version differs by 162 commits.

See the full diff

Package name: connect-mongo The new version differs by 217 commits.

See the full diff

Package name: debug The new version differs by 165 commits.

See the full diff

Package name: errorhandler The new version differs by 37 commits.

See the full diff

Package name: express The new version differs by 250 commits.

See the full diff

Package name: express-session The new version differs by 250 commits.

See the full diff

Package name: express-state The new version differs by 3 commits.

See the full diff

Package name: express-validator The new version differs by 144 commits.

See the full diff

Package name: gulp-less The new version differs by 2 commits.

See the full diff

Package name: helmet The new version differs by 172 commits.
  • c2d0810 3.8.2
  • 3da2f55 Update changelog for 3.8.2 release
  • 35e7d97 Update connect to 3.6.5
  • 5587ecc 3.8.1
  • 3b95345 Prepare for 3.8.1 release
  • 3ca8991 3.8.0
  • 33fff29 Update to [email protected]
  • 146594f 3.7.0
  • 39b7f11 Update changelog for 3.7.0 release
  • d46443a Update helmet-csp to 2.5.0
  • fb407df Update security reporting instructions
  • f6270e3 Minor: fix typo in test description
  • 0624fea Update changelog for incorrect usage change
  • 35a247f Update error message when doing `app.use(helmet)`
  • 4ecf148 Add a test when called directly
  • e213d87 warn if a helmet constructor is used directly as handler
  • 7255042 Travis: test on Node 8
  • d09b414 Add some useless Markdown files to npmignore
  • d5dce64 Minor: move default middleware definition into index.js
  • 267ac75 Use `--fix` flag with Standard to auto-fix errors
  • 64e815b Minor: clean up main function for clarity
  • f034913 Update Sinon and Standard
  • 60db9c5 3.6.1
  • 621ff8f Update changelog for 3.6.1 release

See the full diff

Package name: loopback-connector-mongodb The new version differs by 112 commits.

See the full diff

Package name: mongodb The new version differs by 250 commits.
  • c6f417e chore(release): 3.1.13
  • 210c71d fix(db_ops): ensure we async resolve errors in createCollection
  • 5ad9fa9 fix(changeStream): properly handle changeStream event mid-close (Wrong Map Visualization freeCodeCamp/freeCodeCamp#1902)
  • e806be4 fix(bulk): honor ignoreUndefined in initializeUnorderedBulkOp
  • 050267d fix(*): restore ability to webpack by removing `makeLazyLoader`
  • 6e896f4 docs: adding aggregation, createIndex, and runCommand examples
  • cb3cd12 chore(release): 3.1.12
  • 508d685 Revert "chore(release): 3.2.0"
  • e7619aa chore(release): 3.2.0
  • d0dc228 chore(travis): include forgotten stage info for sharded builds
  • ffbe90b chore(travis): run sharded tests in travis as well
  • 9bef6e7 feat(core): update to mongodb-core v3.1.11
  • e4bb39e chore(release): 3.1.11
  • 76c0130 chore(core): bump version of mongodb-core
  • a3adb3f fix(bulk): fix error propagation in empty bulk.execute
  • ec0e30e doc(change-streams): correct typo, add missing example
  • 10ea992 chore(package): update lock file
  • fcb3ec1 test(sharded): reduce some sharded errors
  • d4eae97 test(sessions): undo hack for apm events in sessions tests
  • 0eaca21 test(sessions): fixing broken session test
  • 6790a74 test(sharding): fixing old sharding tests
  • 98f0c68 test(sharded): fixing sharded operation test
  • c6a9baa test(sessions): fixing session tests in sharded env
  • 985f0e9 test(drop): fixing drop assertions for sharded tests

See the full diff

Package name: morgan The new version differs by 149 commits.

See the full diff

Package name: request The new version differs by 250 commits.

See the full diff

Package name: sanitize-html The new version differs by 250 commits.

See the full diff

Package name: uglify-js The new version differs by 65 commits.

See the full diff

Package name: validator The new version differs by 250 commits.

See the full diff

Package name: webpack The new version differs by 250 commits.

See the full diff

With a Snyk patch:
Severity Priority Score (*) Issue Exploit Maturity
low severity 399/1000
Why? Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:hawk:20160119
No Known Exploit
medium severity 539/1000
Why? Has a fix available, CVSS 6.5
Timing Attack
npm:http-signature:20150122
No Known Exploit
medium severity 529/1000
Why? Has a fix available, CVSS 6.3
Prototype Pollution
npm:lodash:20180130
No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:mime:20170907
No Known Exploit
medium severity 469/1000
Why? Has a fix available, CVSS 5.1
Remote Memory Exposure
npm:request:20160119
No Known Exploit
medium severity 576/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.1
Uninitialized Memory Exposure
npm:tunnel-agent:20170305
Proof of Concept
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
npm:uglify-js:20151024
No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AJV-584908
- https://snyk.io/vuln/SNYK-JS-BL-608877
- https://snyk.io/vuln/SNYK-JS-BSON-561052
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-LODASH-590103
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/SNYK-JS-LOOPBACKCONNECTORMONGODB-73555
- https://snyk.io/vuln/SNYK-JS-MONGODB-473855
- https://snyk.io/vuln/SNYK-JS-MORGAN-72579
- https://snyk.io/vuln/SNYK-JS-SANITIZEHTML-585892
- https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-536840
- https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-570062
- https://snyk.io/vuln/npm:base64-url:20180512
- https://snyk.io/vuln/npm:braces:20180219
- https://snyk.io/vuln/npm:clean-css:20180306
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:fresh:20170908
- https://snyk.io/vuln/npm:hawk:20160119
- https://snyk.io/vuln/npm:hoek:20180212
- https://snyk.io/vuln/npm:http-signature:20150122
- https://snyk.io/vuln/npm:lodash:20180130
- https://snyk.io/vuln/npm:mem:20180117
- https://snyk.io/vuln/npm:mime:20170907
- https://snyk.io/vuln/npm:moment:20160126
- https://snyk.io/vuln/npm:moment:20161019
- https://snyk.io/vuln/npm:moment:20170905
- https://snyk.io/vuln/npm:ms:20151024
- https://snyk.io/vuln/npm:ms:20170412
- https://snyk.io/vuln/npm:negotiator:20160616
- https://snyk.io/vuln/npm:qs:20170213
- https://snyk.io/vuln/npm:react:20150318
- https://snyk.io/vuln/npm:request:20160119
- https://snyk.io/vuln/npm:sanitize-html:20161026
- https://snyk.io/vuln/npm:send:20151103
- https://snyk.io/vuln/npm:tunnel-agent:20170305
- https://snyk.io/vuln/npm:uglify-js:20151024
- https://snyk.io/vuln/npm:validator:20150313
- https://snyk.io/vuln/npm:validator:20160218


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/npm:hawk:20160119
- https://snyk.io/vuln/npm:http-signature:20150122
- https://snyk.io/vuln/npm:lodash:20180130
- https://snyk.io/vuln/npm:mime:20170907
- https://snyk.io/vuln/npm:request:20160119
- https://snyk.io/vuln/npm:tunnel-agent:20170305
- https://snyk.io/vuln/npm:uglify-js:20151024
@Tshegofatso Tshegofatso merged commit 9ad037d into staging Nov 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
2 participants