Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 22 vulnerabilities #53

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 22 vulnerabilities #53

wants to merge 1 commit into from

Conversation

jeremylorino
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908		 Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Prototype Pollution
SNYK-JS-ASYNC-2441827		 No Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-AXIOS-1579269		 No Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JS-DECODEURICOMPONENT-3149970		 No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Information Exposure
SNYK-JS-FOLLOWREDIRECTS-2332181		 No Proof of Concept
low severity 344/1000
Why? Has a fix available, CVSS 2.6		 Information Exposure
SNYK-JS-FOLLOWREDIRECTS-2396346		 No No Known Exploit
medium severity 484/1000
Why? Has a fix available, CVSS 5.4		 Open Redirect
SNYK-JS-GOT-2932019		 No No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-HTTPCACHESEMANTICS-3248783		 No Proof of Concept
medium severity 703/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.2		 Missing Release of Resource after Effective Lifetime
SNYK-JS-INFLIGHT-6095116		 No Proof of Concept
high severity 644/1000
Why? Has a fix available, CVSS 8.6		 Prototype Pollution
SNYK-JS-JSONSCHEMA-1920922		 No No Known Exploit
medium severity 529/1000
Why? Has a fix available, CVSS 6.3		 Arbitrary File Write via Archive Extraction (Zip Slip)
SNYK-JS-JSZIP-3188562		 No No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MINIMATCH-3050818		 Yes No Known Exploit
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7		 Prototype Pollution
SNYK-JS-MINIMIST-2429795		 No Proof of Concept
medium severity 539/1000
Why? Has a fix available, CVSS 6.5		 Information Exposure
SNYK-JS-NODEFETCH-2342118		 Yes No Known Exploit
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-PARSELINKHEADER-1582783		 No Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Prototype Poisoning
SNYK-JS-QS-3153490		 No Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795		 Yes Proof of Concept
high severity 624/1000
Why? Has a fix available, CVSS 8.2		 Arbitrary File Overwrite
SNYK-JS-TAR-1536528		 Yes No Known Exploit
low severity 410/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-TAR-1536758		 Yes No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5		 Arbitrary File Write
SNYK-JS-TAR-1579147		 Yes No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5		 Arbitrary File Write
SNYK-JS-TAR-1579152		 Yes No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5		 Arbitrary File Write
SNYK-JS-TAR-1579155		 Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: @google-cloud/logging-winston The new version differs by 103 commits.
  • 8305c92 chore: release 1.0.0 (#326)
  • a46f385 chore: remove root and samples package-lock.json (#338)
  • fc87d65 fix(deps): bump minimum required dependencies (#336)
  • 2d72bc1 chore: update @ google-cloud/common to 2.x (#331)
  • d55c939 build: remove verbose logging from test scripts (#332)
  • 2214438 build: ignore proto files in test coverage (#330)
  • 9afc5e0 chore: clean up dev dependencies (#327)
  • c83050b build: add configuration for automated doc deployment (#328)
  • 059c2a1 fix(deps): update dependency @ google-cloud/logging to v5 (#324)
  • b3d666e build: updated kokoro config for coverage and release-please (#321)
  • 6260654 build: add new kokoro config for coverage and release-please (#320)
  • 450295f fix: use immutable winston level (#319)
  • 6182968 fix(deps): update dependency google-auth-library to v4 (#317)
  • c7ab418 chore(deps): update dependency @ google-cloud/common to v1 (#318)
  • 27b41e4 chore(chore): upgrade to gts 1.0.0 (#310)
  • d466a45 build: only pipe to codecov if tests run on Node 10
  • a61911b build: allow Node 10 on presubmit to push to codecov (#316)
  • 7418f77 build: allow Node 10 to push to codecov (#315)
  • 1f3e345 build: patch Windows container, fixing Node 10 (#314)
  • 7010ee5 chore: do not run CI on grpc-js (#311)
  • 7ff405c chore(deps): update dependency eslint-plugin-node to v9 (#312)
  • c777689 build!: upgrade engines field to >=8.10.0 (#308)
  • 08631b7 chore!: drop node 6 support (#307)
  • f762657 chore: removing node6 CI (#309)

See the full diff

Package name: @google-cloud/pubsub The new version differs by 250 commits.
  • bb26010 chore: release 0.29.0 (#609)
  • c72491f refactor(subscriber): message stream retry logic (#607)
  • 46c75a2 chore(deps): update dependency jsdoc to v3.6.2 (#606)
  • ef45af3 refactor: use core grpc (#608)
  • 6415e7c fix(deps): update dependency google-gax to v1 (#604)
  • 2e669a1 fix(deps): update dependency @ google-cloud/precise-date to v1 (#603)
  • baf9d39 fix(deps): update dependency google-auth-library to v4 (#601)
  • 1ae8db9 fix: DEADLINE_EXCEEDED retry code is idempotent (#605)
  • a72df8a test: fix snapshot fixture creation (#602)
  • 39b1dac fix: DEADLINE_EXCEEDED no longer treated as idempotent and retried
  • 22dc668 build: update build config and doc comments (#593)
  • 181553a fix(deps): update dependency @ google-cloud/paginator to v1 (#592)
  • 76f5c7b build: allow Node 10 on presubmit to push to codecov (#598)
  • bbc59fa build: allow Node 10 to push to codecov (#597)
  • 397f876 build: patch Windows container, fixing Node 10 (#596)
  • a9dd7f1 chore: do not run CI on grpc-js (#586)
  • fb76bf4 chore(deps): update dependency eslint-plugin-node to v9 (#587)
  • d01d010 fix(deps): update dependency @ google-cloud/projectify to v1 (#588)
  • dad7530 fix(deps): update dependency @ google-cloud/promisify to v1 (#589)
  • 6ef6260 chore(deps): update dependency gts to v1 (#579)
  • 2116474 build!: upgrade engines field to >=8.10.0 (#584)
  • 2004351 chore: removing node6 CI (#585)
  • 4214a4f fix(deps): update dependency google-gax to ^0.26.0 (#583)
  • b5f8df2 chore: update formatting for generated code (#580)

See the full diff

Package name: @google-cloud/storage The new version differs by 250 commits.
  • 6161c63 chore: release 5.17.0 (#1744)
  • 97edb9a sample: add turbo replication samples (#1618)
  • 809bf11 fix: remove compodoc dev dependency (#1745)
  • 291e6ef feat: add support for rpo (turbo replication) metadata field when cre… (#1648)
  • 437d400 chore(deps): gcs-resumable-upload migration (#1736)
  • 00392a4 chore: add api_shortname and library_type to repo metadata (#1737)
  • 9758632 docs(badges): tweak badge to use new preview/stable language (#1314) (#1739)
  • 552ebef docs(node): support "stable"/"preview" release level (#1312) (#1738)
  • 42f4207 chore(deps): update dependency @ types/tmp to v0.2.3 (#1734)
  • 2aad922 samples: Delete setPublicAccessPreventionUnspecified.js (#1733)
  • 257f771 samples: download byte range (#1732)
  • 29f91cb samples: added samples for upload from / download into memory (#1731)
  • 8ecb70e build: add generated samples to .eslintignore (#1730)
  • 1457404 chore: create interfaces for conformance test API results (#1728)
  • 09af838 chore: release 5.16.1 (#1717)
  • 2c2510a chore: address lint issues (#1726)
  • 6490abf Revert "fix: revert skip validation (#1718)" (#1721)
  • db4e2df samples: upload without authentication (#1711)
  • d77979b fix: stop File.download from truncating output file on failure (#1720)
  • 0c75e33 fix: revert skip validation (#1718)
  • c365254 fix: change properties with function value to methods (#1715)
  • 669a34d chore(deps): update gcs-resumable-upload to ^3.6.0 (#1710)
  • 9018e17 chore: release 5.16.0 (#1709)
  • 50cdbb6 feat: improved error messages for resumable uploads (#1708)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn

@snyk-bot
fix: package.json & package-lock.json to reduce vulnerabilities
719fb0c 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-ASYNC-2441827
- https://snyk.io/vuln/SNYK-JS-AXIOS-1579269
- https://snyk.io/vuln/SNYK-JS-DECODEURICOMPONENT-3149970
- https://snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-2332181
- https://snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-2396346
- https://snyk.io/vuln/SNYK-JS-GOT-2932019
- https://snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783
- https://snyk.io/vuln/SNYK-JS-INFLIGHT-6095116
- https://snyk.io/vuln/SNYK-JS-JSONSCHEMA-1920922
- https://snyk.io/vuln/SNYK-JS-JSZIP-3188562
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-3050818
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118
- https://snyk.io/vuln/SNYK-JS-PARSELINKHEADER-1582783
- https://snyk.io/vuln/SNYK-JS-QS-3153490
- https://snyk.io/vuln/SNYK-JS-SEMVER-3247795
- https://snyk.io/vuln/SNYK-JS-TAR-1536528
- https://snyk.io/vuln/SNYK-JS-TAR-1536758
- https://snyk.io/vuln/SNYK-JS-TAR-1579147
- https://snyk.io/vuln/SNYK-JS-TAR-1579152
- https://snyk.io/vuln/SNYK-JS-TAR-1579155
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jeremylorino @snyk-bot