[Snyk] Security upgrade @reactioncommerce/api-plugin-files from 1.0.19 to 1.1.0 #227

Open
wants to merge 1 commit into base: master
fix: package.json to reduce vulnerabilities

5b32639
Mend Bolt for GitHub / WhiteSource Security Check failed Aug 31, 2023 in 9m 26s

Security Report

7 new vulnerabilities were introduced in this branch.

❌ New vulnerabilities:

CVE | Severity | CVSS Score | Vulnerable Library | Suggested Fix | Issue

CVE-2023-26136 | Critical | 9.8 | tough-cookie-2.5.0.tgz | Upgrade to version: tough-cookie - 4.1.3 | None
  Dependency Hierarchy: api-plugin-authentication-2.2.3.tgz (Root Library) -> logger-1.1.3.tgz -> node-loggly-bulk-2.2.5.tgz -> request-2.88.2.tgz -> ❌ tough-cookie-2.5.0.tgz (Vulnerable Library)

CVE-2022-25883 | High | 7.5 | semver-6.3.0.tgz | Upgrade to version: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2 | None
  Dependency Hierarchy: ❌ semver-6.3.0.tgz (Vulnerable Library)

CVE-2022-25883 | High | 7.5 | semver-7.3.5.tgz | Upgrade to version: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2 | None
  Dependency Hierarchy: sharp-0.29.3.tgz (Root Library) -> ❌ semver-7.3.5.tgz (Vulnerable Library)

CVE-2022-25883 | High | 7.5 | semver-5.7.1.tgz | Upgrade to version: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2 | None
  Dependency Hierarchy: api-core-2.0.0.tgz (Root Library) -> mongodb-3.6.2.tgz -> require_optional-1.0.1.tgz -> ❌ semver-5.7.1.tgz (Vulnerable Library)

CVE-2022-25883 | High | 7.5 | semver-7.0.0.tgz | Upgrade to version: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2 | None
  Dependency Hierarchy: api-plugin-tags-1.1.1.tgz (Root Library) -> data-factory-1.0.1.tgz -> preset-env-7.12.1.tgz -> core-js-compat-3.7.0.tgz -> ❌ semver-7.0.0.tgz (Vulnerable Library)

CVE-2022-24999 | High | 7.5 | qs-6.7.0.tgz | Upgrade to version: qs - 6.2.4,6.3.3,6.4.1,6.5.3,6.6.1,6.7.3,6.8.3,6.9.7,6.10.3 | #221
  Dependency Hierarchy: api-core-2.0.0.tgz (Root Library) -> express-4.17.1.tgz -> ❌ qs-6.7.0.tgz (Vulnerable Library)

CVE-2022-24999 | High | 7.5 | qs-6.5.2.tgz | Upgrade to version: qs - 6.2.4,6.3.3,6.4.1,6.5.3,6.6.1,6.7.3,6.8.3,6.9.7,6.10.3 | #221
  Dependency Hierarchy: api-plugin-authentication-2.2.3.tgz (Root Library) -> logger-1.1.3.tgz -> node-loggly-bulk-2.2.5.tgz -> request-2.88.2.tgz -> ❌ qs-6.5.2.tgz (Vulnerable Library)

Base branch total remaining vulnerabilities: 55
Base branch commit: null

Total libraries scanned: 836

Scan token: 219c623e78cf432dba13f2fdf36d4938