New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 6 vulnerabilities #85

Open

baby636 wants to merge 1 commit into main from snyk-fix-8115a1ac344f17f5561eb4319adfa1db

Owner

baby636 commented Apr 13, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

⚠️

Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-REDIS-1255645	No	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Validation Bypass SNYK-JS-SANITIZEHTML-1070780	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Access Restriction Bypass SNYK-JS-SANITIZEHTML-1070786	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SANITIZEHTML-2957526	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: express

The new version differs by 117 commits.

3d7fce5 4.17.3
f906371 build: update example dependencies
6381bc6 deps: qs@6.9.7
a007863 deps: body-parser@1.19.2
e98f584 Revert "build: use minimatch@3.0.4 for Node.js < 4"
a659137 tests: use strict mode
a39e409 tests: prevent leaking changes to NODE_ENV
82de4de examples: fix path traversal in downloads example
12310c5 build: use nyc for test coverage
884657d examples: remove bitwise syntax for includes check
7511d08 build: use minimatch@3.0.4 for Node.js < 4
2585f20 tests: fix test missing assertion
9d09762 build: supertest@6.2.2
43cc56e build: clean up gitignore
1c7bbcc build: Node.js@14.19
9cbbc8a deps: cookie@0.4.2
6fbc269 pref: remove unnecessary regexp for trust proxy
2bc734a deps: accepts@~1.3.8
89bb531 docs: fix typo in res.download jsdoc
744564f tests: add test for multiple ips in "trust proxy"
da6cb0e tests: add range tests to res.download
00ad5be tests: add more tests for app.request & app.response
141914e tests: fix tests that did not bubble errors
bd4fdfe tests: remove global dependency on should

See the full diff

Package name: redis

The new version differs by 31 commits.

fc28860 Bump version to 3.1.1 (An in-range update of sinon is breaking the build 🚨 opencollective/opencollective-frontend#1597)
2d11b6d fix Update styled-system to the latest version 🚀 opencollective/opencollective-frontend#1569 - improve monitor_regex (Fix "Ready to pay" filter in host dashboard opencollective/opencollective-frontend#1595)
7e77de8 Add Chat (CI: Remove duplicate build:langs opencollective/opencollective-frontend#1594)
5d3e995 Merge branch 'master' of https://github.com/NodeRedis/node-redis
b797cf2 add user to README.md
79f34c2 Bump version to 3.1.0 (Update cross-fetch to the latest version 🚀 opencollective/opencollective-frontend#1590)
7fdc54e fix for 428e1c8a7b2322c2650294638cb1663ac5692728 - fix auth retry when redis is in loading state
09f0fe8 "fix" tests
428e1c8 Add support for Redis 6 `auth pass [user]` (Pledges internationalization opencollective/opencollective-frontend#1508)
bb208d0 Add codeclimate badge (Update react to the latest version 🚀 opencollective/opencollective-frontend#1572)
47e2e38 Exclude examples from deepsource (Update react-apollo to the latest version 🚀 opencollective/opencollective-frontend#1579)
fbca5cd Upgrade node and dependencies (Update styled-system to version 4.0.8 opencollective/opencollective-frontend#1578)
2188744 Create codeql-analysis.yml (Update styled-system to the latest version 🚀 opencollective/opencollective-frontend#1577)
32861b5 Create .deepsource.toml (Delete account opencollective/opencollective-frontend#1574)
2a34d41 Add LGTM badge (Support Page opencollective/opencollective-frontend#1571)
69b7094 Workflows fixes (Update polished to the latest version 🚀 opencollective/opencollective-frontend#1570)
49c4131 Merge pull request Update apollo-link to the latest version 🚀 opencollective/opencollective-frontend#1531 from marnikvde/improve-docs
3c8ff5c Merge branch 'master' into improve-docs
685a72d Merge pull request Contribute Flow: fix lead paragraph opencollective/opencollective-frontend#1277 from dcharbonnier/patch-1
055f5c5 Merge branch 'master' into patch-1
c78b6d5 Merge pull request Update dotenv to the latest version 🚀 opencollective/opencollective-frontend#1527 from heynikhil/patch-1
53f1468 Merge branch 'master' into patch-1
232f191 Merge pull request Properly set country for events and use new location opencollective/opencollective-frontend#1563 from lebseu/patch-1
e4cb073 Update README.md

See the full diff

Package name: sanitize-html

The new version differs by 166 commits.

b4682c1 Merge pull request Update eslint to the latest version 🚀 opencollective/opencollective-frontend#557 from apostrophecms/release-2.7.1
b6c4971 release 2.7.1 (with security fix previously tested and approved by Miro)
6683aad remove DoS vulnerability
7c7ccb4 credit
994f962 Merge pull request Fix double budget section bug opencollective/opencollective-frontend#555 from paweljq/fix_protocol_relative_script_tag
3c3f075 Merge pull request Update grid-styled to the latest version 🚀 opencollective/opencollective-frontend#556 from cha147/patch-1
8e3b00f fix typos in readme
329dae7 Fix protocol relative url in scripts tags #531
3cdc262 release 2.7.0 (Losslessly compress PNG files. opencollective/opencollective-frontend#534)
72989f1 Merge pull request Mixed content warning in homepage opencollective/opencollective-frontend#530 from apostrophecms/zade-credit
208cdb4 zade credit
7338f8b Merge pull request Update moment-timezone to 0.5.20 opencollective/opencollective-frontend#529 from zadeviggers/patch-1
1971a57 Update defaults in readme
43f28f3 Update changelog
5fccedb Allow srcset
be9c90d Add common image attributes
379b55b Bumps version (feat(AddFundsForm): Add notice with instructions for fees to the form opencollective/opencollective-frontend#523)
da9767f Fixes important stripping (fix(AddFundsForm): Fix adding funds to hosted collectives opencollective/opencollective-frontend#522)
d077c9f Merge pull request feat(OrderForm): Add prepaid card balance to credit card combo descri… opencollective/opencollective-frontend#521 from alex-rantos/fix-trailing-text
d905b3b typo on changelog
836c5ab add CHANGELOG entry
c1112fb fix trailing text issue
d737f39 Bumps version (Tweaks for add funds to org form opencollective/opencollective-frontend#520)
e5027ef Merge pull request new OrderFormContributionDetails component using grid-styled opencollective/opencollective-frontend#515 from apostrophecms/revert-505-504-whatwg-url

See the full diff

Package name: validator

The new version differs by 69 commits.

47ee5ad 13.7.0
496fc8b fix(rtrim): remove regex to prevent ReDOS attack (Modal Redesign opencollective/opencollective-frontend#1738)
45901ec Merge pull request chore(deps): bump @material-ui/core from 3.9.3 to 4.0.1 opencollective/opencollective-frontend#1851 from validatorjs/chore/fix-merge-conflicts
83cb7f8 chore: merge conflict clean-up
f17e220 feat(isMobilePhone): add El Salvador es-SV locale
5b06703 feat(isMobilePhone): add Palestine ar-PS locale
a3faa83 feat(isMobilePhone): add Botswana en-BW locale
26605f9 feat(isMobilePhone): add Turkmenistan tk-TM
0e5d5d4 feat(isMobilePhone): add Guyana en-GY locale
f7ff349 feat(isMobilePhone): add Frech Polynesia fr-PF locale
8627e48 feat(isMobilePhone): add Kiribati en-KI locale
ed60123 feat(isMobilePhone): add Tajikistan tg-TJ locale (Update API GraphQL to v14 opencollective/opencollective-frontend#1846)
c96d805 feat(isMobilePhone): add Maldives dv-MV locale
5c2d69e feat(isMobilePhone): regex for Burkina Faso fr-BF and Namibia en-NA locales
fc0fefc feat(isMobilePhone): add Bhutan dz-BT locale (chore(deps): bump graphql from 14.2.1 to 14.3.0 opencollective/opencollective-frontend#1770)
01d3da3 feat(isMobilePhone): add Tajikistan tg-TJ locale (Update API GraphQL to v14 opencollective/opencollective-frontend#1846)
af2b43c feat(isUUID): add support for validation of version v1 and v2 (New Crowdin translations opencollective/opencollective-frontend#1848)
769f6d5 feat(contains): add possibility to check that string contains seed multiple times (chore(deps): bump validator from 10.11.0 to 11.0.0 opencollective/opencollective-frontend#1836)
f2381e0 feat: (isMobilePhone): add Cameroon fr-CM locale (chore(deps-dev): bump lint-staged from 8.1.4 to 8.1.6 opencollective/opencollective-frontend#1772)
5773869 feat(isVAT): add dutch NL locale (Remove add funds restriction for hosts opencollective/opencollective-frontend#1825)
de1cb29 fix: Russian passport number regex (chore(deps-dev): bump react-styleguidist from 9.0.4 to 9.1.2 opencollective/opencollective-frontend#1810)
7bee611 add CDN use option with unpkg (Show contributors on tier page opencollective/opencollective-frontend#1844)
57cc14e feat(isIdentityCard): add finnish locale (chore(deps): bump react-mde from 6.0.0 to 7.3.2 opencollective/opencollective-frontend#1838)
2201869 feat: added finnish locale to isAlpha and isAlphanumeric (chore(deps-dev): bump cypress from 3.3.0 to 3.3.1 opencollective/opencollective-frontend#1837)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Poisoning
🦉 Regular Expression Denial of Service (ReDoS)


          fix: package.json to reduce vulnerabilities

f65b3b6

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-QS-3153490
- https://snyk.io/vuln/SNYK-JS-REDIS-1255645
- https://snyk.io/vuln/SNYK-JS-SANITIZEHTML-1070780
- https://snyk.io/vuln/SNYK-JS-SANITIZEHTML-1070786
- https://snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090600

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet