Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 8 vulnerabilities #1245

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 8 vulnerabilities #1245

wants to merge 1 commit into from

Conversation

snyk-bot
Copy link

@snyk-bot snyk-bot commented Jun 7, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • test/fixtures/qs-package/node_modules/request/package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 484/1000
Why? Has a fix available, CVSS 5.4		 Open Redirect
SNYK-JS-KARMA-2396325		 Yes No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905		 Yes Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2		 Command Injection
SNYK-JS-LODASH-1040724		 Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-450202		 Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-608086		 Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-73638		 Yes Proof of Concept
medium severity 541/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 4.4		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-73639		 Yes Proof of Concept
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3		 Prototype Pollution
npm:lodash:20180130		 Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: karma The new version differs by 250 commits.
  • ab4b328 chore(release): 6.3.16 [skip ci]
  • ff7edbb fix(security): mitigate the "Open Redirect Vulnerability"
  • c1befa0 chore(release): 6.3.15 [skip ci]
  • d9dade2 fix(helper): make mkdirIfNotExists helper resilient to concurrent calls
  • 653c762 ci: prevent duplicate CI tasks on creating a PR
  • c97e562 chore(release): 6.3.14 [skip ci]
  • 91d5acd fix: remove string template from client code
  • 69cfc76 fix: warn when `singleRun` and `autoWatch` are `false`
  • 839578c fix(security): remove XSS vulnerability in `returnUrl` query param
  • db53785 chore(release): 6.3.13 [skip ci]
  • 5bf2df3 fix(deps): bump log4js to resolve security issue
  • 36ad678 chore(release): 6.3.12 [skip ci]
  • 41bed33 fix: remove depreciation warning from log4js
  • c985155 docs: create security.md
  • c96f0c5 chore(release): 6.3.11 [skip ci]
  • a5219c5 fix(deps): pin colors package to 1.4.0 due to security vulnerability
  • de0df2f test: fix version regex in the CLI test case
  • eddb2e8 chore(release): 6.3.10 [skip ci]
  • 0d24bd9 fix(logger): create parent folders if they are missing
  • b8eafe9 chore(release): 6.3.9 [skip ci]
  • cf318e5 test: add test case for restarting test run on file change
  • 92ffe60 fix: restartOnFileChange option not restarting the test run
  • b153355 style: fix grammar error in browser capture log message
  • 8f798d5 chore(release): 6.3.8 [skip ci]

See the full diff

Package name: karma-browserify The new version differs by 85 commits.
  • 1f03ab2 5.3.0
  • 3d1ae96 chore(package): bump dev dependencies
  • 1796716 chore(project): bump lodash dependency
  • adce20f 5.2.0
  • 2a60185 chore(project): support browserify @ 16
  • cba9ba9 chore(lint): ignore example/node_modules
  • 72af250 chore(example): bump browserify + watchify versions
  • 573db5b 5.1.3
  • ff944e7 chore(package): allow browserify@15
  • 6e0fcce 5.1.2
  • 88673c4 chore(npmignore): ignore dev configuration(s)
  • 0fed147 chore(project): remove grunt + jshint
  • 08141de chore(ci): test against node {4,6,8}
  • 21bd468 chore(project): bump dev dependencies
  • e42a5be chore(project): release v5.1.1
  • dba0a80 chore(package): allow browserify@14
  • a87c211 chore(project): release v5.1.0
  • dc49a26 feat(bro): respect externalRequireName
  • b963ae9 chore(project): add all task
  • e1f85e0 test(bro): verify TypeScript compile error behavior
  • 866680d chore(project): release v5.0.5
  • b613c00 fix(project): add missing comma to pkg
  • ae3d09f chore(project): remove node 0.10 / npm 1 support via pkg.engines / travis
  • 1ea06cb chore(project): use broader semver ranges for peer deps

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution

This was referenced Jun 21, 2023
Open
Open
Open
Open
Open
Open
This was referenced Dec 2, 2023
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@snyk-bot