This repository has been archived by the owner on May 16, 2024. It is now read-only.

[Snyk] Fix for 6 vulnerabilities #263

Closed

nellyk wants to merge 1 commit into main from snyk-fix-9814f8b2e58ea7f3a75f700bd0bfce16

Owner

nellyk commented Feb 9, 2024

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	631/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.2	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	412/1000 Why? Proof of Concept exploit, CVSS 6.1	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-6147607	Yes	Proof of Concept
	375/1000 Why? CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @americanexpress/one-app-bundler

The new version differs by 19 commits.

a8a5937 chore(release): publish packages
79c8cf2 chore(release): publish packages
c9ab840 feat(oneAppBundler): Migrate to Webpack v5
ccca758 chore(release): publish packages (chore(deps-dev): bump @babel/cli from 7.15.7 to 7.16.0 americanexpress/one-app#607)
90eef46 chore(deps): upgrade to babel-preset-amex@4 (chore(release): v5.12.0 release americanexpress/one-app#602)
53c6932 chore(release): publish packages
a1bb975 chore(release): publish packages
1c7f4a6 feat(devBundler): expose css loading system for reuse (chore(deps): bump node from 12 to 17 americanexpress/one-app#604)
a078627 fix(webpack): include typescript files in purgecss loader (One App Prepare Release americanexpress/one-app#601)
5b9701b fix(build-stats): esbuild and webpack stats under build-stats dir (chore(deps-dev): bump find-up from 5.0.0 to 6.1.0 americanexpress/one-app#595)
8c3f402 chore(release): publish packages
0a65c2f fix: runner failed to start with node 12 images (One App Prepare Release americanexpress/one-app#597)
1ed8877 chore(changelog): reference package changelogs (chore(deps): bump opossum from 5.1.2 to 6.2.1 americanexpress/one-app#596)
13dd381 Merge branch 'main' into chore/update-top-level-changelog
fcf1567 fix(one-app-bundler): packages don't include package.json in exports (chore(deps-dev): bump @babel/cli from 7.12.10 to 7.15.7 americanexpress/one-app#594)
de7760d chore(changelog): reference package changelogs
e769426 fix(one-app-runner): suppress npm update notifications (One App Prepare Release americanexpress/one-app#589)
4c1f99e chore(release): publish packages (One App Prepare Release americanexpress/one-app#587)
4938125 fix: disable native fetch in node (chore(deps-dev): bump @rollup/plugin-node-resolve from 8.0.1 to 13.0.4 americanexpress/one-app#586)

See the full diff

Package name: @fastify/static

The new version differs by 8 commits.

f1a248b Bumped v7.0.0
9e56e07 Upgrade glob to v10 (feat(metrics): track intl cache size americanexpress/one-app#406)
bcf5664 chore: improve types for `setHeaders` option (One App Prepare Release americanexpress/one-app#428)
a34d6a2 chore(package): fix repository url (fix(middleware): use util.format in createRequestHtmlFragment americanexpress/one-app#429)
5de6d94 docs(readme): replace `fastify.io` links with `fastify.dev` (One App Prepare Release americanexpress/one-app#426)
1d788e4 docs(readme): replace `fastify.io` links with `fastify.dev` (docs(guides): rename from recipes americanexpress/one-app#425)
e6f6124 build(deps-dev): bump tsd from 0.29.0 to 0.30.0 (chore(releasemd): update to release md americanexpress/one-app#424)
37056ce Bumped v6.12.0

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Improper Input Validation
🦉 Cross-site Scripting (XSS)
🦉 More lessons are available in Snyk Learn


          fix: package.json & package-lock.json to reduce vulnerabilities

0f24ead

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-INFLIGHT-6095116
- https://snyk.io/vuln/SNYK-JS-POSTCSS-5926692
- https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-6147607
- https://snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660

github-actions bot added the one-app-team-review-requested label

github-actions bot commented Mar 11, 2024

This pull request is stale because it has been open 30 days with no activity.

github-actions bot added the stale-pr label

github-actions bot removed the stale-pr label

github-actions bot commented May 3, 2024

This pull request is stale because it has been open 30 days with no activity.

github-actions bot added the stale-pr label

nellyk closed this

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

one-app-team-review-requested stale-pr