Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Security upgrade formidable from 1.2.1 to 3.2.4 #198

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

snyk-bot
Copy link
Contributor

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

merge advice

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
critical severity 776/1000
Why? Recently disclosed, Has a fix available, CVSS 9.8
Arbitrary File Upload
SNYK-JS-FORMIDABLE-2838956
Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: formidable The new version differs by 250 commits.
  • 143e473 chore: prepare release
  • 2f553b4 docs: use slugify in the example
  • 9969c25 refactor: code style
  • 5103d09 feat: stop extension from being '.'
  • 67c6a3f feat: allow numbers in file extensions
  • 78de849 feat: stop at first invalid char
  • 5fdb2d0 fix: replace regex with reliable filtering
  • d2bd18d tests: add a test case that proves that the regex was always bad
  • 703bec4 tests: add comment
  • 15afa8a docs: add comment
  • d3a05e9 add failing test case
  • 971e3a7 chore: publish
  • 92df3c8 fix: IncomingForm end event emitted twice (#852)
  • 21efa7d chore(deps): bump istanbul-reports from 3.0.2 to 3.1.4 (#844)
  • 8009584 chore(kodiak): always update PRs
  • d6c17f1 chore: fix dependabot error
  • 7ea655e chore: do not add reviewers to dep update prs (#845)
  • 635b4f8 chore: add Dependabot settings (#837)
  • a93060c chore: fix kodiak config (#838)
  • 7fbf974 chore: add KodiakHQ service (#836)
  • 786f2e1 chore(deps): bump ansi-regex from 4.1.0 to 4.1.1 (#835)
  • 4718b78 chore(security): meta, add CodeQL action (#832)
  • db22330 chore: remove auto-comment bot (#833)
  • ab698ff chore(meta): remove LabelSponsors Action (#834)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant