Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 37 vulnerabilities #26

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

antoniopironti
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
No Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Denial of Service (DoS)
SNYK-JS-ENGINEIO-1056749
Yes Proof of Concept
high severity 584/1000
Why? Has a fix available, CVSS 7.4
Authorization Bypass
SNYK-JS-EXPRESSJWT-575022
Yes No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Denial of Service (DoS)
SNYK-JS-FILETYPE-2958042
Yes No Known Exploit
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3
Directory Traversal
SNYK-JS-GRUNT-2635969
No Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5
Race Condition
SNYK-JS-GRUNT-2813632
No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905
No Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2
Command Injection
SNYK-JS-LODASH-1040724
No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-450202
No Proof of Concept
high severity 731/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.2
Prototype Pollution
SNYK-JS-LODASH-567746
No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-608086
No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-73638
No Proof of Concept
medium severity 541/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 4.4
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-73639
No Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Directory Traversal
SNYK-JS-MOMENT-2440688
No No Known Exploit
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5
Validation Bypass
SNYK-JS-SANITIZEHTML-1070780
Yes Proof of Concept
medium severity 539/1000
Why? Has a fix available, CVSS 6.5
Access Restriction Bypass
SNYK-JS-SANITIZEHTML-1070786
Yes No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-SANITIZEHTML-2957526
Yes No Known Exploit
critical severity 684/1000
Why? Has a fix available, CVSS 9.4
Arbitrary Code Execution
SNYK-JS-SANITIZEHTML-585892
Yes No Known Exploit
critical severity 791/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 9.4
SQL Injection
SNYK-JS-SEQUELIZE-2932027
Yes Proof of Concept
high severity 564/1000
Why? Has a fix available, CVSS 7
SQL Injection
SNYK-JS-SEQUELIZE-2959225
Yes No Known Exploit
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Denial of Service (DoS)
SNYK-JS-SQLITE3-2388645
No Proof of Concept
high severity 624/1000
Why? Has a fix available, CVSS 8.2
Arbitrary File Overwrite
SNYK-JS-TAR-1536528
No No Known Exploit
high severity 624/1000
Why? Has a fix available, CVSS 8.2
Arbitrary File Overwrite
SNYK-JS-TAR-1536531
No No Known Exploit
low severity 410/1000
Why? Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
SNYK-JS-TAR-1536758
No No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5
Arbitrary File Write
SNYK-JS-TAR-1579147
No No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5
Arbitrary File Write
SNYK-JS-TAR-1579152
No No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5
Arbitrary File Write
SNYK-JS-TAR-1579155
No No Known Exploit
high severity 741/1000
Why? Mature exploit, Has a fix available, CVSS 7.1
Uninitialized Memory Exposure
npm:base64url:20180511
Yes Mature
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Authentication Bypass
npm:jsonwebtoken:20150331
Yes No Known Exploit
high severity 649/1000
Why? Has a fix available, CVSS 8.7
Forgeable Public/Private Tokens
npm:jws:20160726
Yes No Known Exploit
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3
Prototype Pollution
npm:lodash:20180130
No Proof of Concept
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
npm:moment:20160126
No No Known Exploit
medium severity 509/1000
Why? Has a fix available, CVSS 5.9
Regular Expression Denial of Service (ReDoS)
npm:moment:20161019
No No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:moment:20170905
No No Known Exploit
medium severity 429/1000
Why? Has a fix available, CVSS 4.3
Cross-site Scripting (XSS)
npm:sanitize-html:20141024
No No Known Exploit
medium severity 449/1000
Why? Has a fix available, CVSS 4.7
Cross-site Scripting (XSS)
npm:sanitize-html:20160801
No No Known Exploit
medium severity 656/1000
Why? Mature exploit, Has a fix available, CVSS 5.4
Cross-site Scripting (XSS)
npm:sanitize-html:20161026
No Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: file-type The new version differs by 123 commits.

See the full diff

Package name: grunt The new version differs by 21 commits.

See the full diff

Package name: sequelize The new version differs by 250 commits.
  • 7bb60e3 fix: properly escaoe multiple `$` in `fn` args (#14678)
  • 86d35b1 docs: added nest option inside findAll query (#14683)
  • 2f3b924 fix(postgres): use schema set in sequelize config by default (#14665)
  • cbdf73e feat: exports types to support typescript >= 4.5 nodenext module (#14620)
  • a333862 docs(readme): update README to be more like main (#14626)
  • e1a9c28 fix: kill connection on commit/rollback error (#14535)
  • b37df96 feat: support cyclic foreign keys (#14499)
  • e37c572 fix: accept replacements in `ARRAY[]` & followed by `;` (#14518)
  • 6c5f8ec test: disable mysql/mariadb deadlock test (#14514)
  • 87655eb build: fix esdoc (#14513)
  • ccaa399 fix: do not replace `:replacements` inside of strings (#14472)
  • 5954d2c feat(types): make `Model.init` aware of pre-configured foreign keys (#14370)
  • 0d0aade fix(types): make `WhereOptions` more accurate (#14368)
  • 7e8b707 docs: restore Model api reference & make fail on error (#14323)
  • ca0e017 test: disable deadlock test for mariadb 10.5.15 (#14314)
  • 62564f7 docs: fix dead link in API reference (#14313)
  • cdc8881 build: remove v6 docs from repository (#14234)
  • 730af27 docs: document scope whereMergeStrategy option (#14201)
  • 8349c02 feat: add whereScopeStrategy to merge where scopes with Op.and (#14152)
  • e974e20 feat(types): make `Model.getAttributes` stricter (#14017)
  • 2d339d0 fix: fix typo in query-generator.js error message (#14151)
  • b80aeed fix(types): update return type of `Model.update` (#14155)
  • f5c06bd feat(types): infer nullable creation attributes as optional (#14147)
  • af6cbe6 build(deps): move @ types/validator to prod deps (#14159)

See the full diff

Package name: socket.io The new version differs by 57 commits.
  • 1af3267 chore(release): 3.0.0
  • 02951c4 chore(release): 3.0.0-rc4
  • 54bf4a4 feat: emit an Error object upon middleware error
  • aa7574f feat: serve msgpack bundle
  • 64056d6 docs(examples): update TypeScript example
  • cacad70 chore(release): 3.0.0-rc3
  • d16c035 refactor: rename ERROR to CONNECT_ERROR
  • 5c73733 feat: add support for catch-all listeners
  • 129c641 feat: make Socket#join() and Socket#leave() synchronous
  • 0d74f29 refactor(typings): export Socket class
  • 7603da7 feat: remove prod dependency to socket.io-client
  • a81b9f3 docs(examples): add example with TypeScript
  • 20ea6bd docs(examples): add example with ES modules
  • 0ce5b4c chore(release): 3.0.0-rc2
  • 8a5db7f refactor: remove duplicate _sockets map
  • 2a05042 refactor: add additional typings
  • 91cd255 fix: close clients with no namespace
  • 58b66f8 refactor: hide internal methods and properties
  • 669592d feat: move binary detection back to the parser
  • 2d2a31e chore: publish the wrapper.mjs file
  • ebb0575 chore(release): 3.0.0-rc1
  • c0d171f test: use the reconnect event of the Manager
  • 9c7a48d test: use the complete export name
  • 4bd5b23 feat: throw upon reserved event names

See the full diff

Package name: sqlite3 The new version differs by 44 commits.

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Forgeable Public/Private Tokens
🦉 Arbitrary File Write
🦉 Arbitrary File Write
🦉 More lessons are available in Snyk Learn

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749
- https://snyk.io/vuln/SNYK-JS-EXPRESSJWT-575022
- https://snyk.io/vuln/SNYK-JS-FILETYPE-2958042
- https://snyk.io/vuln/SNYK-JS-GRUNT-2635969
- https://snyk.io/vuln/SNYK-JS-GRUNT-2813632
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/SNYK-JS-MOMENT-2440688
- https://snyk.io/vuln/SNYK-JS-SANITIZEHTML-1070780
- https://snyk.io/vuln/SNYK-JS-SANITIZEHTML-1070786
- https://snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526
- https://snyk.io/vuln/SNYK-JS-SANITIZEHTML-585892
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-2959225
- https://snyk.io/vuln/SNYK-JS-SQLITE3-2388645
- https://snyk.io/vuln/SNYK-JS-TAR-1536528
- https://snyk.io/vuln/SNYK-JS-TAR-1536531
- https://snyk.io/vuln/SNYK-JS-TAR-1536758
- https://snyk.io/vuln/SNYK-JS-TAR-1579147
- https://snyk.io/vuln/SNYK-JS-TAR-1579152
- https://snyk.io/vuln/SNYK-JS-TAR-1579155
- https://snyk.io/vuln/npm:base64url:20180511
- https://snyk.io/vuln/npm:jsonwebtoken:20150331
- https://snyk.io/vuln/npm:jws:20160726
- https://snyk.io/vuln/npm:lodash:20180130
- https://snyk.io/vuln/npm:moment:20160126
- https://snyk.io/vuln/npm:moment:20161019
- https://snyk.io/vuln/npm:moment:20170905
- https://snyk.io/vuln/npm:sanitize-html:20141024
- https://snyk.io/vuln/npm:sanitize-html:20160801
- https://snyk.io/vuln/npm:sanitize-html:20161026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants