New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 9 vulnerabilities #1

Open

snyk-bot wants to merge 1 commit into master from snyk-fix-da828c64dc60287421790b5e0d528d7e

snyk-bot commented Mar 21, 2021

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

⚠️

Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	No Known Exploit
	715/1000 Why? Has a fix available, CVSS 9.8	Use After Free SNYK-JS-NODESASS-535497	No	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-NODESASS-542662	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Insecure Defaults SNYK-JS-SOCKETIO-1024859	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: karma

The new version differs by 131 commits.

3653caf chore(release): 6.0.0 [skip ci]
04a811d fix(ci): abandon browserstack tests for Safari and IE (Does the ie7-restore-right-whitespace() mixin make sense? twbs/bootstrap#3615)
4bf90f7 feat(client): update banner with connection, test status, ping times (Carousel stop sliding when reaching the last item. twbs/bootstrap#3611)
68c4a3a chore(test): run client tests without grunt wrapper (Responsive Typography twbs/bootstrap#3604)
fec972f fix(middleware): catch errors when loading a module (Better integration between input-append and search-query twbs/bootstrap#3605)
3fca456 fix(server): clean up close-server logic (Compilation error on Windows twbs/bootstrap#3607)
1c9c2de fix(test): mark all second connections reconnects (Website CPU usage twbs/bootstrap#3598)
87f7e5e chore(license): Update copyright notice to 2020 [ci skip] (Fix typo in base-css.html#forms twbs/bootstrap#3568)
e6b045f chore(deps): npm audit fix the package-lock.json (Provide a way to have a fixed width sidebar in an otherwise fluid layout. twbs/bootstrap#3603)
3c649fa chore(build): remove obsolete Grunt tasks (Align dropdown to the left instead of the right twbs/bootstrap#3602)
8997b74 fix(test): clear up clearContext (Popover visibility twbs/bootstrap#3597)
fe0e24a chore(build): unify client bundling scripts (Twitter Feed Widget -- design twbs/bootstrap#3600)
1a65bf1 feat(server): remove deprecated static methods (Label are forced in gray -> unreadable againts dark background twbs/bootstrap#3595)
fb76ed6 chore(test): remove usage of deprecated buffer API (btn-group that wraps randomly twbs/bootstrap#3596)
35a5842 feat(server): print stack of unhandledrejections (README.md clarify the process of running tests. twbs/bootstrap#3593)
4a8178f fix(client): do not reset karmaNavigating in unload handler (Navbar links not using <nav> tag. twbs/bootstrap#3591)
603bbc0 feat(cli): error out on unexpected options or parameters (Compile error in WinLess with buttons.less twbs/bootstrap#3589)
7a3bd55 feat: remove support for running dart code in the browser (Documentation for grid system doesn't reflect 940px grid twbs/bootstrap#3592)
1b9e1de fix(deps): bump socket-io to v3 (Allow jQuery object for title in popover (or add close button option) twbs/bootstrap#3586)
3fed0bc fix(cve): update yargs to 16.1.1 to fix cve-2020-7774 in y18n (Documentation text doesn't match example twbs/bootstrap#3578)
f819fa8 fix(cve): update ua-parser-js to 0.7.23 to fix CVE-2020-7793 (ie support placeholder color twbs/bootstrap#3584)
05dc288 fix(context): do not error when karma is navigating (RTL Support twbs/bootstrap#3565)
e5086fc docs: clarify `browser_complete` vs `run_complete`
ead31cd chore(release): 5.2.3 [skip ci]

See the full diff

Package name: linkinator

The new version differs by 10 commits.

3bd911c fix(deps): update dependency meow to v6 (Fixed readme spelling mistake, closes #123 twbs/bootstrap#125)
da2c010 chore(deps): update dependency c8 to v7 (.container has conflicts twbs/bootstrap#130)
8fd1dd8 chore(deps): update dependency sinon to v8 (Added Split Button twbs/bootstrap#131)
116a2cd test: add cli tests (class secondary referenced, but not defined in css/less twbs/bootstrap#128)
6f1ecdb fix(deps): update dependency update-notifier to v4 (Fixed duplicate element ids in documentation twbs/bootstrap#126)
c6b7c86 build: fix compiler error (WISHLIST twbs/bootstrap#127)
8240159 feat: add `filter` function as an option to linkinator.check() (Add for html5 form -> ... input[type=email] and input[type=email]:focus twbs/bootstrap#120)
873dac6 docs: include result.parent property in README example (Mozilla Firefox three-color gradient fix twbs/bootstrap#121)
9813a61 fix: handle base correctly (First cut of selector optimization (issue #100) twbs/bootstrap#114)
d653f2c fix: stringify js for json (Dropdown menu not working in Konqueror twbs/bootstrap#118)

See the full diff

Package name: node-sass

The new version differs by 6 commits.

b54053a Update changelog
01db051 4.13.1
338fd7a Merge pull request from GHSA-f6rp-gv58-9cw3
c6f2e5a doc: README example fix (2.0.2 carousel not automatically cycling (JSFiddle link included) twbs/bootstrap#2787)
fbc9ff5 Merge pull request Compiling Bootstrap 2.0.2 Fails twbs/bootstrap#2754 from saper/no-map-if-not-requested
8498f70 Fix Missed offset feature within row-fluid twbs/bootstrap#2394: sourceMap option should have consistent behaviour

See the full diff

Package name: nodemon

The new version differs by 7 commits.

9a67f36 feat: update chokidar to v3
6781b40 docs: add license file
0e6ba3c fix: wait for all subprocesses to terminate (fixes issue [2.0-wip] Positioning of .brand in a navbar with .container-fluid off by 10px twbs/bootstrap#1476)
b58cf7d chore: Merge branch 'master'
95a4c09 docs: add to faq
3a2eaf7 choe: merge master
3d90879 chore: add logo to site

See the full diff

Package name: postcss-cli

The new version differs by 15 commits.

745ad2c 7.0.0
cf6ea09 Update eslint config
ea1cec4 Update eslint-config-problems to version 3.1.0 (Sticky footer twbs/bootstrap#306)
1519430 Update globby to version 10.0.1 (Icon Buttons twbs/bootstrap#303)
5b47456 Update eslint to version 6.8.0 (thead tbody first/lastitem border radius leads to unnice radius in first tbody row twbs/bootstrap#305)
e241672 Update nyc to version 15.0.0 (tabs/pills on left side, right side, or bottom of div (not just top) twbs/bootstrap#297)
4a87ff1 Update chalk to version 3.0.0 (bootstrap-1.3.0.zip wrong css file twbs/bootstrap#294)
e666505 Update prettier to version 1.19.1 (center pagination? twbs/bootstrap#304)
0d3591a Update ava to version 2.4.0 (Dropdown Menu doesn't work with Form inside twbs/bootstrap#302)
cb9f451 Update fs-extra to version 8.1.0 (Fixed typo twbs/bootstrap#301)
4f68a46 Update chokidar to version 3.3.0 (add margin between consecutive fields with error twbs/bootstrap#300)
5c22ddb Update yargs to version 15.0.2 (modal "shown" event fires before transitions finish. twbs/bootstrap#298)
79eb0ac Update get-stdin to version 7.0.0 (whitespace: replace some TAB entries by spaces in mixins.less twbs/bootstrap#273)
71384c6 Update Travis config; remove AppVeyor
6b92df3 BREAKING: Drop Node 6 & 8; test on new Node versions

See the full diff

Package name: stylelint

The new version differs by 192 commits.

04af9e4 13.0.0
704f6a2 Prepare 13.0.0
50ba8a9 Reorder changelog
1666bba Update devDependencies (Fix typo in readme. twbs/bootstrap#4542)
062d298 Reindent nodejs.yml (Handle locally-installing node packages twbs/bootstrap#4541)
a24e44a Fix atypical rule README structure (Collapse not working properly in IE9 twbs/bootstrap#4537)
616ad71 Bump husky from 4.0.3 to 4.0.6 (Table with vertical scrolling? twbs/bootstrap#4536)
5e58ee7 Bump globby from 10.0.2 to 11.0.0 (Append alignment problem twbs/bootstrap#4528)
eaee6a4 Refactor CLI options definition (Incongruous Documentation twbs/bootstrap#4530)
6a2ffbd Fix plugin path
644b713 Fix Windows path problem
1005cbd Add info about invalid syntax in FAQ (Ctrl + click on open dropdown doesn't open a new tab twbs/bootstrap#4535)
18b1f99 Fix help text indentation (Cloned Carousel unresponsive twbs/bootstrap#4531)
d3c4a9f Update CHANGELOG.md
32f67e7 Update CHANGELOG.md
04ec577 Bump globby from 10.0.1 to 11.0.0
d9dbce2 Process multiple spaces in media-feature-parentheses-space-inside (collapsible accordian broken (visually) in IE9 twbs/bootstrap#4513)
1dc203e Regenerate package-lock.json (margin-bottom of <p> (paragraphs) stated was old value twbs/bootstrap#4517)
36bf292 Bump husky from 3.1.0 to 4.0.3 (Improve submenu behavior twbs/bootstrap#4527)
f5529d5 Bump @ types/micromatch from 3.1.1 to 4.0.0 (2.1 regression: forms: thin line drawn over radio buttons with error twbs/bootstrap#4526)
a254fd2 Bump got from 10.2.0 to 10.2.1 (Missing "Using Less with Bootstrap" page twbs/bootstrap#4525)
f2e9f02 Bump remark-validate-links from 9.0.1 to 9.1.0 (Some bugs twbs/bootstrap#4524)
74d5233 Remove unneeded `@ types/meow` package (icons turn white on active nav tabs twbs/bootstrap#4523)
cef0b95 Update CHANGELOG.md

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


          fix: package.json & .snyk to reduce vulnerabilities

7c8b4b5

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
- https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-NODESASS-535497
- https://snyk.io/vuln/SNYK-JS-NODESASS-542662
- https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-1056752
- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/SNYK-JS-LODASH-567746

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet