From 8fe8330c3f9fd266c5a5a77068a649b726638d36 Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Wed, 5 Oct 2022 10:57:04 +0000
Subject: [PATCH] fix: package.json, package-lock.json & .snyk to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-NORMALIZEURL-1296539

The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
---
 .snyk | 8 ++++++++
 package-lock.json | 17 +++++++++++------
 package.json | 14 +++++++++-----
 3 files changed, 28 insertions(+), 11 deletions(-)
 create mode 100644 .snyk

diff --git a/.snyk b/.snyk
new file mode 100644
index 00000000..9d5d3151
--- /dev/null
+++ b/.snyk
@@ -0,0 +1,8 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+ignore: {}
+# patches apply the minimum changes required to fix a vulnerability
+patch:
+ SNYK-JS-LODASH-567746:
+ - express-validation > lodash:
+ patched: '2022-10-05T10:57:00.158Z'
diff --git a/package-lock.json b/package-lock.json
index 8b0836bf..07f2fe60 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -4,6 +4,11 @@
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
+ "@snyk/protect": {
+ "version": "1.1021.0",
+ "resolved": "https://registry.npmjs.org/@snyk/protect/-/protect-1.1021.0.tgz",
+ "integrity": "sha512-d301HqyFvhvXa6SOIL5OSDYECOooMs4ARZdBlg7pY5SOW7jXksPBP95imaIRrS7qos9CZ5f7h8orkM9J2B3EOQ=="
+ },
 "abbrev": {
 "version": "1.1.1",
 "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz",
@@ -2856,9 +2861,9 @@
 }
 },
 "lodash": {
- "version": "4.17.15",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
- "integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A=="
+ "version": "4.17.21",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+ "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
 },
 "lowercase-keys": {
 "version": "1.0.1",
@@ -3211,9 +3216,9 @@
 "dev": true
 },
 "normalize-url": {
- "version": "5.0.0",
- "resolved": "https://registry.npmjs.org/normalize-url/-/normalize-url-5.0.0.tgz",
- "integrity": "sha512-bAEm2fx8Dq/a35Z6PIRkkBBJvR56BbEJvhpNtvCZ4W9FyORSna77fn+xtYFjqk5JpBS+fMnAOG/wFgkQBmB7hw=="
+ "version": "5.3.1",
+ "resolved": "https://registry.npmjs.org/normalize-url/-/normalize-url-5.3.1.tgz",
+ "integrity": "sha512-K1c7+vaAP+Yh5bOGmA10PGPpp+6h7WZrl7GwqKhUflBc9flU9pzG27DDeB9+iuhZkE3BJZOcgN1P/2sS5pqrWw=="
 },
 "npm-run-path": {
 "version": "2.0.2",
diff --git a/package.json b/package.json
index ad4cab8b..342cb5e5 100644
--- a/package.json
+++ b/package.json
@@ -9,7 +9,9 @@
 "scripts": {
 "start": "env-cmd nodemon --watch ./src -e js src/index.js",
 "test": "mocha --timeout 10000 && npm run lint",
- "lint": "eslint ."
+ "lint": "eslint .",
+ "prepare": "npm run snyk-protect",
+ "snyk-protect": "snyk-protect"
 },
 "repository": {
 "type": "git",
@@ -29,13 +31,14 @@
 "express": "^4.15.5",
 "express-validation": "^1.0.2",
 "joi": "^11.1.1",
- "lodash": "^4.17.15",
+ "lodash": "^4.17.21",
 "morgan": "^1.9.1",
- "normalize-url": "^5.0.0",
+ "normalize-url": "^5.3.1",
 "pdf-parse": "^1.1.1",
 "puppeteer": "^2.0.0",
 "server-destroy": "^1.0.1",
- "winston": "^2.3.1"
+ "winston": "^2.3.1",
+ "@snyk/protect": "latest"
 },
 "devDependencies": {
 "chai": "^4.1.2",
@@ -46,5 +49,6 @@
 "mocha": "^4.0.1",
 "nodemon": "^1.12.1",
 "supertest": "^3.0.0"
- }
+ },
+ "snyk": true
 }
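Review bot: The new `"@snyk/protect": "latest"` entry in the `@@ -29,13 +31,14 @@` hunk is the only dependency in this manifest with a floating dist-tag instead of a semver range, so any install that does not honour the lockfile (or a later `npm update`) pulls whatever the registry currently tags as latest. That matters more than usual here because the same package is executed on every `npm install` through the `prepare` script added in the `@@ -9,7 +9,9 @@` hunk, so the unpinned range widens what code runs at install time. The lockfile hunk in this patch already resolves it to 1.1021.0, so pin it consistently with the rest of the file, `"@snyk/protect": "^1.1021.0",`, and keep the dependency list in its existing alphabetical order rather than appending it after `winston`.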