New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 7 vulnerabilities #8929

Closed

snyk-bot wants to merge 1 commit into master from snyk-fix-4b7a9484a49ff8594832fd022d287d4a

Contributor

snyk-bot commented Nov 16, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	Open Redirect SNYK-JS-NODEFORGE-2330875	Yes	Proof of Concept
	Prototype Pollution SNYK-JS-NODEFORGE-2331908	Yes	No Known Exploit
	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430337	Yes	No Known Exploit
	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430339	Yes	No Known Exploit
	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430341	Yes	No Known Exploit

Commit messages

Package name: html-webpack-plugin

The new version differs by 93 commits.

873d75b chore(release): 5.5.0
ddeb774 chore: update examples
1e42625 feat: Support type=module via scriptLoading option
7d3645b Bump pretty-error to 4.0.0 to fix transitive vuln for ansi-regex CVE-2021-3807
79be779 [chore] changes actions to run on pull_requests
b7e5859 [chore] fixes CI to avoid race conditions
48131d3 chore(release): 5.4.0
16a841a [chore] rebuild examples
3bb7c17 Update index.js
e38ac97 Update index.js
f08bd02 [chore] updates fixtures
d62a10f [chore] upgrades [email protected] -> 6.0.2
2f5de7a Remove archived plugin
8f8f7c5 chore(release): 5.3.2
053c6e6 chore: update snapshot tests for webpack 5.4.0
9c7fba0 Fix security vulnerabilities
b98fbeb Fix security vulnerabilities
25cdfc7 Added inject-body-webpack-plugin to readme
0e4c1fb Update README to document actual behavior
0a6568d chore(release): 5.3.1
82d0ee8 fix: remove loader-utils from plugin core
6f39192 chore(release): 5.3.0
d654f5b feat: allow to modify the interpolation options in webpack config
41d7a50 feat: drop loader-utils dependency

See the full diff

Package name: webpack-dev-server

The new version differs by 250 commits.

5280ee7 docs: fix typo
d834582 chore(release): 4.7.3
7b8c85b chore(deps): update `selfsigned` (Update karma-coverage-istanbul-reporter to the latest version 🚀 #4170)
d598325 chore: fix lint
c1907f1 refactor: remove redundant `if` statements (Update eslint requirement from 5.2.0 to 5.4.0 #4158)
e535f25 ci: debug (Update webpack to the latest version 🚀 #4144)
75999bb chore(release): 4.7.2
90a96f7 ci: fix (Fix css loading #4143)
f6bc644 fix: compatible with `onAfterSetupMiddleware`
317e4b9 docs: fix testing instructions (Update url-loader to the latest version 🚀 #4133)
ff4550e test: remove redundant test cases related to 3rd party code (Don't block on slow pages, igoring polyfill.io #4131)
0dd1ee6 test: add e2e tests for `setupExitSignals` option (Some icones fix #4130)
afe4975 chore(release): 4.1.7
4e5d8ea fix: droped `url` package ( Merge remote-tracking branch 'origin/2.3' #4132)
b0c98f0 chore(release): 4.7.0
3138213 chore(deps): update (Update url-loader to the latest version 🚀 #4127)
8f02c3f feat: added types
f4fb15f fix: update description of `onAfterSetupMiddleware` and `onBeforeSetupMiddleware` options (Add missing dependency #4126)
37b73d5 test: add e2e test for `WEBPACK_SERVE` env variable (Typo #4125)
f5a9d05 chore(deps-dev): bump eslint from 8.4.1 to 8.5.0 (Fix reater layer i18n #4121)
c9b959f chore(deps): bump ws from 8.3.0 to 8.4.0 ([requires.io] dependency update on master branch #4124)
42208aa chore(deps-dev): bump lint-staged from 12.1.2 to 12.1.3 (some Bootstrap fix #4122)
f440f84 chore(deps): bump express from 4.17.1 to 4.17.2 ([requires.io] dependency update on master branch #4120)
c13aa56 feat: added the `setupMiddlewares` option (Fix font loading #4068)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn


          fix: package.json to reduce vulnerabilities

33b719a

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2330875
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2331908
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430337
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430339
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430341

github-actions bot reviewed

View reviewed changes

github-actions bot left a comment

Examples: https://camptocamp.github.io/ngeo/snyk-fix-4b7a9484a49ff8594832fd022d287d4a/examples/
Storybook: https://camptocamp.github.io/ngeo/snyk-fix-4b7a9484a49ff8594832fd022d287d4a/storybook/
API help: https://camptocamp.github.io/ngeo/snyk-fix-4b7a9484a49ff8594832fd022d287d4a/api/apihelp/apihelp.html
API documentation: https://camptocamp.github.io/ngeo/snyk-fix-4b7a9484a49ff8594832fd022d287d4a/apidoc/

sbrunner added the dependencies label

sbrunner closed this

sbrunner deleted the snyk-fix-4b7a9484a49ff8594832fd022d287d4a branch

November 16, 2022 13:13

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels