[Snyk] Fix for 9 vulnerabilities #74

coolgk · 2024-02-03T04:24:17Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
644/1000 Why? Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	Yes	No Known Exploit
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: phantom

The new version differs by 85 commits.

b7f48d7 6.3.0
44c5091 Adds --local-url-access
e885a94 Update README.md (#899)
a568fe3 Bump prettier-eslint from 8.8.2 to 9.0.0 (#881)
18ef5f3 Fixes security problems
958570b Bump jest from 23.6.0 to 24.8.0 (#865)
1c39995 Bump babel-eslint from 10.0.1 to 10.0.2 (#882)
1c2907d Bump eslint-plugin-flowtype from 3.6.1 to 3.10.4 (#884)
f5e0811 [Security] Bump lodash.merge from 4.6.1 to 4.6.2 (#892)
7d4e9c8 [Security] Bump lodash from 4.17.11 to 4.17.14 (#893)
7c00f2d Updates pacakges
1cd5138 Fixes yaml
3567acc Removes node 7
fd24979 Update README.md (#862)
f6e90da Bump flow-bin from 0.95.1 to 0.96.0 (#848)
53b63ec Bump eslint from 5.15.3 to 5.16.0 (#845)
27dbb9d Bump eslint-plugin-flowtype from 3.4.2 to 3.6.1 (#856)
7ec45c9 Updates readme
1a24e8d 6.2.0
41365c7 Fixes lint
7f2e6c4 6.1.0
b09cbc4 Adds npm bin
ac852a1 6.0.6
54bf127 Skips clean up

See the full diff

Package name: request-promise-native

The new version differs by 23 commits.

578970f Version 1.0.9
8388f42 chore: bumped request-promise-core due to security vulnerability of lodash
f53ac09 docs: reference to request deprecation and alternative libs
1165c4e Merge pull request [Snyk] Security upgrade google-auth-library from 1.6.1 to 3.0.0 #58 from shisama/readme-shows-deprecation
086632b docs: deprecated as well as request
6498be1 Version 1.0.8
3e8df67 Merge branch 'master' of https://github.com/request/request-promise-native
1592a31 chore: updated request-promise-core that updates lodash
171f3b5 Merge pull request Bump ini from 1.3.5 to 1.3.7 #46 from tbjgolden/docs/clarify-es6-finally
239ce46 docs: es6+, finally
2ae195a Version 1.0.7
ecf8621 fix: tough-cookie version
7c5f721 chore: updated publish-please config
7ad655a Version 1.0.6 (now really)
1240b80 fix: updated indirect lodash dependency to fix security vulnerability
80947a1 Version 1.0.6
ad529a3 chore: fix ci build for node v8+
c2c54c4 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #33 from jasonmit/u/jasonmit/fix-node-6
67f7ed2 Merge branch 'master' into u/jasonmit/fix-node-6
4633d4c fix: breaking change in tough-cookie v3
14aa6ee chore: added node 8 and 10 to ci build
9cfcaaa Update package.json
049152b fix: target tough-cookie 2.x to preserve node 6 support

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Command Injection

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-AJV-584908 - https://snyk.io/vuln/SNYK-JS-JSONSCHEMA-1920922 - https://snyk.io/vuln/SNYK-JS-LODASH-1018905 - https://snyk.io/vuln/SNYK-JS-LODASH-1040724 - https://snyk.io/vuln/SNYK-JS-LODASH-567746 - https://snyk.io/vuln/SNYK-JS-LODASH-608086 - https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795 - https://snyk.io/vuln/SNYK-JS-MINIMIST-559764 - https://snyk.io/vuln/SNYK-JS-QS-3153490

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Snyk] Fix for 9 vulnerabilities #74

[Snyk] Fix for 9 vulnerabilities #74

Uh oh!

coolgk commented Feb 3, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

[Snyk] Fix for 9 vulnerabilities #74

Are you sure you want to change the base?

[Snyk] Fix for 9 vulnerabilities #74

Uh oh!

Conversation

coolgk commented Feb 3, 2024

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants