[Snyk] Fix for 15 vulnerabilities #18

Open
wants to merge 1 commit into
base: master
from

Conversation

Bhanditz (Owner)

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Why? | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|---|
| high | 696/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908 | Yes | Proof of Concept |
| critical | 679/1000 | Has a fix available, CVSS 9.3 | Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463 | Yes | No Known Exploit |
| medium | 586/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905 | Yes | Proof of Concept |
| high | 681/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.2 | Command Injection SNYK-JS-LODASH-1040724 | Yes | Proof of Concept |
| high | 686/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution SNYK-JS-LODASH-450202 | Yes | Proof of Concept |
| high | 731/1000 | Proof of Concept exploit, Has a fix available, CVSS 8.2 | Prototype Pollution SNYK-JS-LODASH-567746 | Yes | Proof of Concept |
| high | 686/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution SNYK-JS-LODASH-608086 | Yes | Proof of Concept |
| high | 686/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution SNYK-JS-LODASH-73638 | Yes | Proof of Concept |
| medium | 541/1000 | Proof of Concept exploit, Has a fix available, CVSS 4.4 | Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639 | Yes | Proof of Concept |
| medium | 646/1000 | Proof of Concept exploit, Has a fix available, CVSS 6.5 | Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831 | Yes | Proof of Concept |
| medium | 646/1000 | Proof of Concept exploit, Has a fix available, CVSS 6.5 | Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873 | Yes | Proof of Concept |
| medium | 539/1000 | Has a fix available, CVSS 6.5 | Improper Input Validation SNYK-JS-XMLDOM-1534562 | Yes | No Known Exploit |
| high | 639/1000 | Has a fix available, CVSS 8.5 | Prototype Pollution SNYK-JS-XMLDOM-3042242 | Yes | No Known Exploit |
| critical | 811/1000 | Proof of Concept exploit, Has a fix available, CVSS 9.8 | Improper Input Validation SNYK-JS-XMLDOM-3092935 | Yes | Proof of Concept |
| medium | 636/1000 | Proof of Concept exploit, Has a fix available, CVSS 6.3 | Prototype Pollution npm:lodash:20180130 | Yes | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: fonteditor-core. The new version differs by 63 commits.
  • 4f64575 update xmldom to ^0.8.3, fix demo deps
  • caa0b86 update xmldom dep
  • e341d6d chore: up to 2.1.8
  • c238aea lint: modify lint rules
  • d22e702 chore: upgrade version
  • 2dc5b7a can lower, upper latin char same time.
  • 9e43033 chore: upgrade xmldom
  • c4510f4 fix: fix using in webworker
  • da8b2d5 fix: fix spelling searchRenge to searchRange
  • 9c4d224 Update index.d.ts
  • 21e27b7 feat: support index.d.ts
  • aa54155 Merge pull request #41 from ericpaulbishop/silence_woff2_output
  • 4c2a08b Silence unwanted console logging of woff2 component. Closes kekee000/fonteditor-core#29 (Stray console.logs when converting to WOFF2). Modification to compressed woff2.js ModuleLoader javascript was done by replacing both the string 'console.warn.bind(console)' and 'console.log.bind(console)' with 'function(){}'. No other changes were made except for those two replacements (one instance of each). Because the file is compressed, way more is included in the diff output than was actually altered.
  • 690bad1 Merge remote-tracking branch 'kekee000/master' into master
  • 495faab Merge pull request #39 from ericpaulbishop/correct-node-version-for-travis-ci
  • 9e320b1 Merge pull request #40 from ericpaulbishop/test-new-svg2ttf-fix
  • 38167f4 Merge branch 'test-new-svg2ttf-fix' into master
  • bff6a50 update tests to include test for issue resolved by recent fix for svg2ttf code
  • 85cf5fe Currently Travis CI is set to use Node versions 0.10 and 0.12. Note the first digit. Current common versions are 10.x and 12.x. We're testing with ancient versions of node, from the time that dinosaurs roamed the earth. Let's just test with the latest stable Node, represented by node in .travis.yml, so that if we just ignore Travis for awhile as the development of Node marches on, this should still work and be relevant.
  • 144edbd feat: use eslint to lint codes
  • 6d8c4b5 Merge pull request #38 from ericpaulbishop/master
  • 4049e6d Merge pull request The domain fontplop.com has expired matthewgonzalez/fontplop#31 from QWOO-SAS/spaceFix
  • 45a50c1 clean the cache when doing travis build
  • 2a28af5 fix .travis.yml


Package name: react-hot-loader. The new version differs by 250 commits.
  • b36b842 chore(release): 4.0.0
  • 9ef4c35 Merge pull request #876 from gaearon/next
  • 34077b7 docs(readme): update it
  • 8da0c85 chore: fix merge master
  • 2de4e58 fix: proper children reconcile for nested tags, fixes #869 (#871)
  • 4b13ed1 Merge pull request #870 from oliviertassinari/patch-2
  • a429374 Fix IE 11 issue
  • a36c4d3 chore(release): 4.0.0-rc.0
  • f7ca913 chore(release): 4.0.0-beta.23
  • 284d573 chore: upgrade deps (#864)
  • 0b7997f fix: transfer original prototype methods (#859)
  • ffe0035 fix: disable RHL when HMR is not activated (#863)
  • 572e803 Merge pull request #861 from philipnilsson/patch-1
  • 1a06535 Add null check
  • 8fa1d42 fix: fix various bugs (#857)
  • 99da77b chore(release): 4.0.0-beta.22
  • daf044c chore: make CI stop on error (#853)
  • 963677f fix: fix reconciler warnings (#852)
  • 7580552 feat: ship flat bundles (#844)
  • bf519d4 chore(changelog): update
  • 577335c v4.0.0-beta.21
  • 9bb8251 fix: fix proxy adapter (#842)
  • d29f484 chore(changelog): update
  • 8cd1272 v4.0.0-beta.20


Package name: ttf2woff2. The new version differs by 54 commits.
  • 35c0688 Release v4.0.4
  • c548333 Remove Node 15 from test matrix (non-LTS)
  • d124e00 Merge pull request #71 from akx/dep-upgrades
  • bce364d Update package-lock.json
  • 926c0a8 Update jest, mocha, node-gyp
  • cbb76c2 Update Babel configuration
  • a5d7901 Update un-pinned dependencies
  • 0087c70 Release v4.0.3
  • 4aecf10 Update package-lock.json
  • f1e7fd6 Run test.yml on pull_request
  • b8a8986 Merge pull request #70 from nfroidure/node16
  • 03e7580 Update package-lock.json
  • 881556a Remove C++11 flags
  • dcd18ad Add Node 16 to test matrix
  • 48684f0 Merge pull request #69 from nfroidure/github-actions
  • c9d0bd0 Use Github Actions for CI
  • 4d38035 4.0.2
  • acb62c5 fix(docs): fix the readme
  • b43beb2 Merge pull request #64 from andersk/emscripten-catch
  • 0298d2d Merge branch 'master' into emscripten-catch
  • 8971c72 Merge pull request #65 from andersk/scripts
  • 7bcc5c5 build: remove unneeded install script
  • d42f07a build: add prepare script to allow installation from Git
  • 5184725 Disable Emscripten NODEJS_CATCH_EXIT and NODEJS_CATCH_REJECTION flags


Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn

Successfully merging this pull request may close these issues.

Stray console.logs when converting to WOFF2