Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Security upgrade @rudderstack/rudder-sdk-node from 1.1.1 to 2.0.7 #284

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Security upgrade @rudderstack/rudder-sdk-node from 1.1.1 to 2.0.7 #284

wants to merge 1 commit into from

Conversation

reconsumeralization
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • packages/cli/package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-AXIOS-6124857		 Yes Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Prototype Pollution
SNYK-JS-AXIOS-6144788		 Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution

@height Height
Copy link

height bot commented Jan 30, 2024

Link Height tasks by mentioning a task ID in the pull request title or commit messages, or description and comments with the keyword link (e.g. "Link T-123").

💡Tip: You can also use "Close T-X" to automatically close a task when the pull request is merged.

@github-actions GitHub Actions
Copy link

Great PR! Please pay attention to the following items before merging:

Files matching packages/**:

  • If fixing bug, added test to cover scenario.
  • If addressing forum or Github issue, added link to description.

Make sure to check off this list before asking for review.

@sweep-ai Sweep AI
Copy link

sweep-ai bot commented Jan 30, 2024
edited
Loading

Sweeping

Fixing PR: track the progress here.

I'm currently fixing this PR to address the following:

[Sweep GHA Fix] The GitHub Actions run failed on a20568a (master) with the following error logs: 

The command:
Run pnpm install --frozen-lockfile
yielded the following error:
##[error]Process completed with exit code 1.

Here are the logs:
Scope: all 10 workspace projects
ERR_PNPM_OUTDATED_LOCKFILE  Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with packages/cli/package.json

Note that in CI environments this setting is true by default. If you still need to run install in such cases, use "pnpm install --no-frozen-lockfile"

Making changes according to plan... (step 3/3)

sourcery-ai[bot]
sourcery-ai bot reviewed Jan 30, 2024
View reviewed changes
Copy link

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR Type: Enhancement

PR Summary: The pull request upgrades the @rudderstack/rudder-sdk-node package to resolve vulnerabilities identified by Snyk in the project's npm dependencies.

Decision: Comment

📝 Type: 'Enhancement' - not supported yet.
  • Sourcery currently only approves 'Typo fix' PRs.
✅ Issue addressed: this change correctly addresses the issue or implements the desired feature.
No details provided.
✅ Small diff: the diff is small enough to approve with confidence.
No details provided.

General suggestions:

  • Ensure that the upgrade of the @rudderstack/rudder-sdk-node package has been thoroughly tested, especially since it involves a major version change which might include breaking changes.
  • Verify that all functionalities that rely on the @rudderstack/rudder-sdk-node package are still working as expected after the upgrade.
  • Review the release notes or change logs of the @rudderstack/rudder-sdk-node package for any additional actions required to accommodate the new version.

Thanks for using Sourcery. We offer it for free for open source projects and would be very grateful if you could help us grow. If you like it, would you consider sharing Sourcery on your favourite social media? ✨

Share Sourcery

Help me be more useful! Please click 👍 or 👎 on each comment to tell me if it was helpful.

@sweep-ai Sweep AI
Copy link

sweep-ai bot commented Jan 30, 2024
edited
Loading

Sweeping

Fixing PR: track the progress here.

I'm currently fixing this PR to address the following:

[Sweep GHA Fix] The GitHub Actions run failed on a20568a (master) with the following error logs:

[!CAUTION]

An error has occurred: Message is too long, max tokens is -15157 (tracking ID: 102e066dad)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@reconsumeralization @snyk-bot