Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 1 vulnerabilities #304

Closed
wants to merge 57 commits into from

Conversation

snyk-bot
Copy link

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 768/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-NODEFETCH-2964180
Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: next The new version differs by 250 commits.

See the full diff

Package name: node-fetch The new version differs by 24 commits.

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

snyk-bot and others added 30 commits April 20, 2022 19:56
Bumps [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) from 17.0.38 to 18.0.9.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

---
updated-dependencies:
- dependency-name: "@types/react"
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [dotenv](https://github.com/motdotla/dotenv) from 10.0.0 to 16.0.1.
- [Release notes](https://github.com/motdotla/dotenv/releases)
- [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md)
- [Commits](motdotla/dotenv@v10.0.0...v16.0.1)

---
updated-dependencies:
- dependency-name: dotenv
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/github-script](https://github.com/actions/github-script) from 2b34a689ec86a68d8ab9478298f91d5401337b7d to 6.1.0. This release includes the previously tagged commit.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](actions/github-script@2b34a68...7a5c598)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [helmet](https://github.com/helmetjs/helmet) from 4.6.0 to 5.1.0.
- [Release notes](https://github.com/helmetjs/helmet/releases)
- [Changelog](https://github.com/helmetjs/helmet/blob/main/CHANGELOG.md)
- [Commits](helmetjs/helmet@v4.6.0...v5.1.0)

---
updated-dependencies:
- dependency-name: helmet
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps node from 16.13.2-alpine to 18.2.0-alpine.

---
updated-dependencies:
- dependency-name: node
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [got](https://github.com/sindresorhus/got) from 11.8.2 to 12.1.0.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](sindresorhus/got@v11.8.2...v12.1.0)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 9.1.1 to 14.1.2.
- [Release notes](https://github.com/puppeteer/puppeteer/releases)
- [Changelog](https://github.com/puppeteer/puppeteer/blob/main/CHANGELOG.md)
- [Commits](puppeteer/puppeteer@v9.1.1...v14.1.2)

---
updated-dependencies:
- dependency-name: puppeteer
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@primer/react](https://github.com/primer/react) from 34.6.0 to 35.2.2.
- [Release notes](https://github.com/primer/react/releases)
- [Changelog](https://github.com/primer/react/blob/main/CHANGELOG.md)
- [Commits](primer/react@v34.6.0...v35.2.2)

---
updated-dependencies:
- dependency-name: "@primer/react"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…imer/react-35.2.2

Bump @primer/react from 34.6.0 to 35.2.2
…ppeteer-14.1.2

Bump puppeteer from 9.1.1 to 14.1.2
Bumps [@primer/css](https://github.com/primer/css) from 19.4.0 to 20.2.2.
- [Release notes](https://github.com/primer/css/releases)
- [Changelog](https://github.com/primer/css/blob/main/CHANGELOG.md)
- [Commits](primer/css@v19.4.0...v20.2.2)

---
updated-dependencies:
- dependency-name: "@primer/css"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [lint-staged](https://github.com/okonet/lint-staged) from 12.3.3 to 13.0.0.
- [Release notes](https://github.com/okonet/lint-staged/releases)
- [Commits](lint-staged/lint-staged@v12.3.3...v13.0.0)

---
updated-dependencies:
- dependency-name: lint-staged
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 2.5.1 to 3.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@1f8c6b9...eeb10cf)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…actions/setup-node-3.3.0

Bump actions/setup-node from 2.5.1 to 3.3.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.9.0 to 3.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@7f9d37f...e551b19)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 3.12.1 to 4.0.4.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](peter-evans/create-pull-request@f22a7da...923ad83)

---
updated-dependencies:
- dependency-name: peter-evans/create-pull-request
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…peter-evans/create-pull-request-4.0.4

Bump peter-evans/create-pull-request from 3.12.1 to 4.0.4
…docker/build-push-action-3

Bump docker/build-push-action from 2.9.0 to 3
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1.0.31 to 2.1.12.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@1a927e9...27ea8f8)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [peter-evans/find-comment](https://github.com/peter-evans/find-comment) from 1.3.0 to 2.
- [Release notes](https://github.com/peter-evans/find-comment/releases)
- [Commits](peter-evans/find-comment@d2dae40...1769778)

---
updated-dependencies:
- dependency-name: peter-evans/find-comment
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…github/codeql-action-2.1.12

Bump github/codeql-action from 1.0.31 to 2.1.12
…peter-evans/find-comment-2

Bump peter-evans/find-comment from 1.3.0 to 2
…nt-staged-13.0.0

Bump lint-staged from 12.3.3 to 13.0.0
MarcelRaschke and others added 19 commits June 11, 2022 09:38
…lmet-5.1.0

Bump helmet from 4.6.0 to 5.1.0
…actions/github-script-7a5c598405937d486b0331594b5da2b14db670da

Bump actions/github-script from 2b34a689ec86a68d8ab9478298f91d5401337b7d to 6.1.0
…tenv-16.0.1

Bump dotenv from 10.0.0 to 16.0.1
…1984ffa8b78b6d3

[Snyk] Security upgrade debian from 9.5-slim to 9-slim
…0359c8ec4aaa6fc

[Snyk] Security upgrade debian from 9.5-slim to 9-slim
…e80f836b3fa9107

[Snyk] Security upgrade debian from 9.5-slim to 9-slim
Bumps [husky](https://github.com/typicode/husky) from 7.0.4 to 8.0.1.
- [Release notes](https://github.com/typicode/husky/releases)
- [Commits](typicode/husky@v7.0.4...v8.0.1)

---
updated-dependencies:
- dependency-name: husky
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@jest/globals](https://github.com/facebook/jest/tree/HEAD/packages/jest-globals) from 27.4.6 to 28.1.1.
- [Release notes](https://github.com/facebook/jest/releases)
- [Changelog](https://github.com/facebook/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/jest/commits/v28.1.1/packages/jest-globals)

---
updated-dependencies:
- dependency-name: "@jest/globals"
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/cache](https://github.com/actions/cache) from 2.1.7 to 3.0.4.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@937d244...c3f1317)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 1.6.0 to 2.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@94ab11c...dc7b971)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…st/globals-28.1.1

build(deps-dev): bump @jest/globals from 27.4.6 to 28.1.1
…docker/setup-buildx-action-2

build(deps): bump docker/setup-buildx-action from 1.6.0 to 2
…actions/cache-3.0.4

build(deps): bump actions/cache from 2.1.7 to 3.0.4
…pes/react-18.0.9

Bump @types/react from 17.0.38 to 18.0.9
…sky-8.0.1

Bump husky from 7.0.4 to 8.0.1
Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 14.1.2 to 15.3.0.
- [Release notes](https://github.com/puppeteer/puppeteer/releases)
- [Changelog](https://github.com/puppeteer/puppeteer/blob/main/CHANGELOG.md)
- [Commits](puppeteer/puppeteer@v14.1.2...v15.3.0)

---
updated-dependencies:
- dependency-name: puppeteer
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…ppeteer-15.3.0

build(deps): bump puppeteer from 14.1.2 to 15.3.0
@MarcelRaschke MarcelRaschke linked an issue Jan 1, 2024 that may be closed by this pull request
@MarcelRaschke MarcelRaschke added this to the main milestone Jan 1, 2024
@MarcelRaschke MarcelRaschke added ⤵️ pull dependencies Pull requests that update a dependency file labels Jan 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
⤵️ pull dependencies Pull requests that update a dependency file
Projects
Status: Done
Status: Closed
Development

Successfully merging this pull request may close these issues.

Fix code scanning alert - Incomplete string escaping or encoding
2 participants