Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 39 vulnerabilities #101

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

yuhonghong66
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • api-server/package.json
    • api-server/package-lock.json
    • api-server/.snyk

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
No Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Prototype Pollution
SNYK-JS-ASYNC-2441827
Yes Proof of Concept
medium severity 429/1000
Why? Has a fix available, CVSS 4.3
Insufficiently Protected Credentials
SNYK-JS-AUTH0JS-565004
No No Known Exploit
high severity 630/1000
Why? Has a fix available, CVSS 8.1
Internal Property Tampering
SNYK-JS-BSON-561052
Yes No Known Exploit
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5
Filter Bypass
SNYK-JS-EXPRESSVALIDATOR-174763
Yes Proof of Concept
medium severity 539/1000
Why? Has a fix available, CVSS 6.5
Configuration Override
SNYK-JS-HELMETCSP-469436
No No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905
No Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2
Command Injection
SNYK-JS-LODASH-1040724
No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-450202
No Proof of Concept
high severity 731/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.2
Prototype Pollution
SNYK-JS-LODASH-567746
No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-608086
No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-73638
No Proof of Concept
medium severity 541/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 4.4
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-73639
No Proof of Concept
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
SQL Injection
SNYK-JS-LOOPBACK-174846
No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Directory Traversal
SNYK-JS-MOMENT-2440688
No No Known Exploit
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-MOMENT-2944238
No Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Denial of Service (DoS)
SNYK-JS-MONGODB-473855
Yes No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-NCONF-2395478
No Proof of Concept
high severity 706/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.7
Server-side Request Forgery (SSRF)
SNYK-JS-NETMASK-1089716
No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Open Redirect
SNYK-JS-NODEFORGE-2330875
Yes Proof of Concept
medium severity 529/1000
Why? Has a fix available, CVSS 6.3
Prototype Pollution
SNYK-JS-NODEFORGE-2331908
Yes No Known Exploit
medium severity 494/1000
Why? Has a fix available, CVSS 5.6
Improper Verification of Cryptographic Signature
SNYK-JS-NODEFORGE-2430337
Yes No Known Exploit
high severity 579/1000
Why? Has a fix available, CVSS 7.3
Improper Verification of Cryptographic Signature
SNYK-JS-NODEFORGE-2430339
Yes No Known Exploit
medium severity 494/1000
Why? Has a fix available, CVSS 5.6
Improper Verification of Cryptographic Signature
SNYK-JS-NODEFORGE-2430341
Yes No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-NODEFORGE-598677
Yes Proof of Concept
high severity 751/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.6
Command Injection
SNYK-JS-NODEMAILER-1038834
No Proof of Concept
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3
HTTP Header Injection
SNYK-JS-NODEMAILER-1296415
No Proof of Concept
high severity 726/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.1
Remote Code Execution (RCE)
SNYK-JS-PACRESOLVER-1564857
No Proof of Concept
medium severity 454/1000
Why? Has a fix available, CVSS 4.8
Session Fixation
SNYK-JS-PASSPORT-2840631
No No Known Exploit
high severity 619/1000
Why? Has a fix available, CVSS 8.1
Cross-site Scripting (XSS)
SNYK-JS-SERIALIZEJAVASCRIPT-536840
Yes No Known Exploit
high severity 706/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.7
Arbitrary Code Injection
SNYK-JS-SERIALIZEJAVASCRIPT-570062
Yes Proof of Concept
medium severity 737/1000
Why? Currently trending on Twitter, Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.4
Command Injection
SNYK-JS-SNYK-3037342
No Proof of Concept
medium severity 737/1000
Why? Currently trending on Twitter, Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.4
Command Injection
SNYK-JS-SNYKGOPLUGIN-3037316
No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090599
Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090600
Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090601
Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090602
Yes Proof of Concept
medium severity 469/1000
Why? Has a fix available, CVSS 5.1
Denial of Service (DoS)
npm:mem:20180117
No No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: auth0-js The new version differs by 147 commits.

See the full diff

Package name: connect-mongo The new version differs by 90 commits.

See the full diff

Package name: express-state The new version differs by 3 commits.

See the full diff

Package name: express-validator The new version differs by 105 commits.

See the full diff

Package name: googleapis The new version differs by 250 commits.

See the full diff

Package name: helmet The new version differs by 65 commits.
  • 5d964d4 3.21.1
  • 1e9b8ea Update changelog for 3.21.1 release
  • 86f1f59 Update helmet-csp to 2.9.2
  • 76ca5bd Update Standard devDependency to latest version
  • 0dad3c2 3.21.0
  • 33cfd10 Update changelog for 3.21.0 release
  • 349117f Update helmet-csp to 2.9.1
  • 03d4fa6 Update x-xss-protection from 1.2.0 to 1.3.0
  • 3b9d0e8 Update devDependencies to latest versions
  • 80fe85f Remove old HISTORY.md
  • e3ea074 Use sinon's default sandbox feature
  • 968fabd 3.20.1
  • d588453 Update changelog for 3.20.1 release
  • a5a9679 Update Sinon and Standard to latest versions
  • 844739c Update helmet-csp to v2.9.0
  • b2a3700 3.20.0
  • 87d7323 Update changelog for 3.20.0 release
  • a711731 Update Mocha and Standard to latest versions
  • 6aab72d Update helmet-csp to 2.8.0
  • ac46aaf Minor: in changelog, change "updated" header in under 3.19.0
  • 17707ae 3.19.0
  • ca34982 Update changelog for 3.19.0 release
  • 06d5bde Update all remaining outdated dependencies
  • 91e071c Update helmet-crossdomain from 0.3.0 to 0.4.0

See the full diff

Package name: loopback The new version differs by 97 commits.

See the full diff

Package name: loopback-boot The new version differs by 3 commits.

See the full diff

Package name: mongodb The new version differs by 81 commits.
  • c6f417e chore(release): 3.1.13
  • 210c71d fix(db_ops): ensure we async resolve errors in createCollection
  • 5ad9fa9 fix(changeStream): properly handle changeStream event mid-close (Wrong Map Visualization freeCodeCamp/freeCodeCamp#1902)
  • e806be4 fix(bulk): honor ignoreUndefined in initializeUnorderedBulkOp
  • 050267d fix(*): restore ability to webpack by removing `makeLazyLoader`
  • 6e896f4 docs: adding aggregation, createIndex, and runCommand examples
  • cb3cd12 chore(release): 3.1.12
  • 508d685 Revert "chore(release): 3.2.0"
  • e7619aa chore(release): 3.2.0
  • d0dc228 chore(travis): include forgotten stage info for sharded builds
  • ffbe90b chore(travis): run sharded tests in travis as well
  • 9bef6e7 feat(core): update to mongodb-core v3.1.11
  • e4bb39e chore(release): 3.1.11
  • 76c0130 chore(core): bump version of mongodb-core
  • a3adb3f fix(bulk): fix error propagation in empty bulk.execute
  • ec0e30e doc(change-streams): correct typo, add missing example
  • 10ea992 chore(package): update lock file
  • fcb3ec1 test(sharded): reduce some sharded errors
  • d4eae97 test(sessions): undo hack for apm events in sessions tests
  • 0eaca21 test(sessions): fixing broken session test
  • 6790a74 test(sharding): fixing old sharding tests
  • 98f0c68 test(sharded): fixing sharded operation test
  • c6a9baa test(sessions): fixing session tests in sharded env
  • 985f0e9 test(drop): fixing drop assertions for sharded tests

See the full diff

Package name: passport The new version differs by 126 commits.

See the full diff

Package name: validator The new version differs by 250 commits.

See the full diff

With a Snyk patch:
Severity Priority Score (*) Issue Exploit Maturity
medium severity 626/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.1
Man-in-the-Middle (MitM)
SNYK-JS-HTTPSPROXYAGENT-469131
Proof of Concept
high severity 731/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.2
Prototype Pollution
SNYK-JS-LODASH-567746
Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Filter Bypass
🦉 More lessons are available in Snyk Learn

…er/.snyk to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-ASYNC-2441827
- https://snyk.io/vuln/SNYK-JS-AUTH0JS-565004
- https://snyk.io/vuln/SNYK-JS-BSON-561052
- https://snyk.io/vuln/SNYK-JS-EXPRESSVALIDATOR-174763
- https://snyk.io/vuln/SNYK-JS-HELMETCSP-469436
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/SNYK-JS-LOOPBACK-174846
- https://snyk.io/vuln/SNYK-JS-MOMENT-2440688
- https://snyk.io/vuln/SNYK-JS-MOMENT-2944238
- https://snyk.io/vuln/SNYK-JS-MONGODB-473855
- https://snyk.io/vuln/SNYK-JS-NCONF-2395478
- https://snyk.io/vuln/SNYK-JS-NETMASK-1089716
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2330875
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2331908
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430337
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430339
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430341
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
- https://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834
- https://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415
- https://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857
- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631
- https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-536840
- https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-570062
- https://snyk.io/vuln/SNYK-JS-SNYK-3037342
- https://snyk.io/vuln/SNYK-JS-SNYKGOPLUGIN-3037316
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090599
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090600
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090601
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090602
- https://snyk.io/vuln/npm:mem:20180117


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/SNYK-JS-HTTPSPROXYAGENT-469131
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants