[Snyk] Fix for 13 vulnerabilities #24

leongold · 2022-10-05T20:25:24Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-NCONF-2395478	Yes	Proof of Concept
706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Server-side Request Forgery (SSRF) SNYK-JS-NETMASK-1089716	Yes	Proof of Concept
726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-PACRESOLVER-1564857	Yes	Proof of Concept
713/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.4	Command Injection SNYK-JS-SNYKGOPLUGIN-3037316	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: proxy-agent

The new version differs by 24 commits.

3f45710 5.0.0
31be875 Update "pac-proxy-agent" to v5
dabbfb3 Drop Node v6 support
13b1544 4.0.1
8e6305a Fix type definitions to account for transparent proxy discovery (Detect execution inside VSTS/TFS build agent snyk/cli#57)
9963359 Add Node.js 14 to testing matrix (#58)
f4d6ff6 README.md: Mention proxy-from-env support (#56)
b9fcf37 4.0.0
d18c6bd Update `agent-base` to v6 (#55)
4af6f5e 3.1.1
af5434d Update "pack-proxy-agent" to v3.0.1
cd18ccf Use `localhost` instead of `127.0.0.1` for tests
778ea05 Update dependencies
70ffd00 Meh…
1a1abb5 Use GH Actions instead of Travis-CI
3588645 Update `https-proxy-agent` to v3.0.0 (docs: update PR template snyk/cli#47)
10ff67b 3.1.0
063ad8f Remove `package-lock.json` file
199f29f Add TypeScript types ([Snyk] Security upgrade proxy-agent from 2.3.1 to 6.3.0 #34)
bfe9ec5 3.0.3
d32e248 Upgrade pac-proxy-agent to 3.x ([Snyk] Security upgrade proxy-agent from 2.3.1 to 4.0.0 #31)
d392bc7 Release 3.0.1 ([Snyk] Security upgrade snyk-resolve-deps from 4.0.2 to 4.8.0 #30)
d67cb23 Update `socks-proxy-agent` to v4.0.1 ([Snyk] Fix for 1 vulnerabilities #26)
65fcf7a Release 3.0.0 ([Snyk] Fix for 12 vulnerabilities #22)

See the full diff

Package name: snyk-config

The new version differs by 39 commits.

34bd34e Merge pull request #43 from snyk/fix/bundle-nconf
b9cc6b6 feat: swap yargs parser with minimist
2b3935c feat: re-enable argv parsing with yargs
3b8a4e1 feat: add the original argv module
392e6f2 fix: use vendored nconf
b90e7e7 fix: vendor nconf to remove vulnerable yargs version
f2c0e1e chore: add the original nconf library
eb0f55f Merge pull request #42 from snyk/test/add-more-test-cases
bf4231e test: add more tests for argument parsing
c10881d test: add test case for value type changing
f167704 Merge pull request chore: 'npm run build' in appveyor snyk/cli#40 from snyk/fix/less-lodash
d671a6e fix: Reduce lodash, use lodash.merge directly
136b3a9 Merge pull request #39 from snyk/feat/use-patched-lodash
a2d2453 feat: use forked lodash patched against zipObjectDeep vulnerability
b4b4912 Merge pull request #38 from snyk/fix/major-release
5c3aaef fix: trigger a major release
af60412 Merge pull request #37 from snyk/feat/service-env
d177015 docs: package name is wrong
1037183 BREAKING CHANGE: load SERVICE_ENV instead of local by default
5e90504 chore: disable lots of eslint warnings
9cac115 feat: eslint --fix
e670f86 BREAKING CHANGE: drop node 6 support
39eba76 chore: remove unused npm run semantic-release, travis runs it
6e60b3b feat: basic types

See the full diff

Package name: snyk-go-plugin

The new version differs by 102 commits.

d8dfc11 Merge pull request #99 from snyk/fix/disable-shell-for-child-processes
6cce106 fix: disable 'shell' for child processes
8fa65dc Merge pull request Fix missing quote in README.md sample snyk/cli#97 from snyk/feat/add-additional-args-option
6b18447 feat: add additional args to be sent to "go list" command.
b130876 Merge pull request #96 from snyk/jason-snyk/remove-vscode-condition
6a7223d fix: remove error for vscode terminal
8d3cba1 Merge pull request #94 from snyk/chore/fix-release
87bcad1 chore: fix release phase in circle ci
c152e19 Merge pull request #93 from snyk/fix/support-go-1-16
4e31716 feat: add support go 1.16
d698cbe Merge pull request #91 from snyk/feat/support-replace-directive
6e8bcf0 feat: support replace directive
9b7e5ce Merge pull request #89 from snyk/fix/reduce-lodash
ebd509d fix: use @ snyk/dep-graph@1.23.1 which doesnot depend on lodash
4512966 fix: use @ snyk/graphlib which uses only required lodash packages
daa5673 Merge pull request #88 from snyk/chore/update-codeowners
81aa5fc chore/codeowners -> Loki
db9ffba Merge pull request fix snyk wizard run error on last step in npm apps or yarn apps. snyk/cli#87 from snyk/fix/ignore-broken-symlinks
1fd0711 fix: ignore broken symlinks
da21cd0 Merge pull request #85 from snyk/chore/fix-release-pipeline
d700975 chore: Enable releasing
a6394cd Merge pull request [Snyk Update] New fixes for 14 vulnerable dependency paths snyk/cli#84 from snyk/fix/update-dep-graph
0bb0169 fix: Update `@ snyk/dep-graph`
da60908 Merge pull request #83 from snyk/chore/fix-release-circle-stages

See the full diff

Package name: snyk-nodejs-lockfile-parser

The new version differs by 2 commits.

2382877 Merge pull request #37 from snyk/fix/bump-vulnerable-lodash-dep
9a76d65 fix: bump vulnerable lodash 4.17.10 to ^4.17.11

See the full diff

Package name: update-notifier

The new version differs by 42 commits.

311557e 6.0.0
9183541 Require Node.js 14 and move to ESM
3fdb218 5.1.0
73c391b Upgrade dependencies
0a6027e Move to GitHub Actions
d8fa601 Rename `master` branch to `main`
f63b2eb 5.0.1
9e2b772 Update dependencies
da7c464 5.0.0
5b440c2 Require Node.js 10
3dfe42d Don't suggest to upgrade to lower version (chore: automate pkg assets publishing snyk/cli#192)
132b7ce Remove a project from "Users" section (#191)
c9d2166 4.1.1
f42fc8f Improve vertical alignment of the notifier output (chore: eslint instead of jscs snyk/cli#183)
71a3f19 Use HTTPS links
64c5236 Fix Travis
9d9f4ff 4.1.0
4062f12 Update dependencies
adbeb6e Add template support for the `message` option (#175)
adf7803 4.0.0
fb5161c Remove the `callback` option (#158)
39682de Rename `boxenOpts` option to `boxenOptions`
bc1721a Avoid showing notification if current version is the latest (wizard: fix prompts.forEach is not a function snyk/cli#174)
ccaf686 Update dependencies