Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 62 vulnerabilities #55

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

SibuStephen
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json
  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
    Find out more.

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Prototype Pollution
SNYK-JS-ASYNC-2441827
Yes Proof of Concept
high severity 630/1000
Why? Has a fix available, CVSS 8.1
Internal Property Tampering
SNYK-JS-BSON-561052
Yes No Known Exploit
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Denial of Service (DoS)
SNYK-JS-ENGINEIO-1056749
Yes Proof of Concept
high severity 579/1000
Why? Has a fix available, CVSS 7.3
Arbitrary File Overwrite
SNYK-JS-FSTREAM-174725
No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Prototype Pollution
SNYK-JS-GETOBJECT-1054932
Yes No Known Exploit
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3
Directory Traversal
SNYK-JS-GRUNT-2635969
Yes Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5
Race Condition
SNYK-JS-GRUNT-2813632
Yes Proof of Concept
high severity 569/1000
Why? Has a fix available, CVSS 7.1
Arbitrary Code Execution
SNYK-JS-GRUNT-597546
Yes No Known Exploit
medium severity 509/1000
Why? Has a fix available, CVSS 5.9
Denial of Service (DoS)
SNYK-JS-JSYAML-173999
No No Known Exploit
high severity 619/1000
Why? Has a fix available, CVSS 8.1
Arbitrary Code Execution
SNYK-JS-JSYAML-174129
Yes No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905
Yes Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2
Command Injection
SNYK-JS-LODASH-1040724
Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-450202
Yes Proof of Concept
high severity 731/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.2
Prototype Pollution
SNYK-JS-LODASH-567746
Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-608086
Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-73638
Yes Proof of Concept
medium severity 541/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 4.4
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-73639
Yes Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-MINIMATCH-1019388
Yes No Known Exploit
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7
Prototype Pollution
SNYK-JS-MINIMIST-2429795
No Proof of Concept
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6
Prototype Pollution
SNYK-JS-MINIMIST-559764
No Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-MOCHA-561476
Yes No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Denial of Service (DoS)
SNYK-JS-MONGODB-473855
Yes No Known Exploit
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6
Prototype Pollution
SNYK-JS-MONGOOSE-1086688
Yes Proof of Concept
high severity 671/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7
Prototype Pollution
SNYK-JS-MONGOOSE-2961688
Yes Proof of Concept
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6
Prototype Pollution
SNYK-JS-MPATH-1577289
Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-MQUERY-1050858
Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Prototype Pollution
SNYK-JS-MQUERY-1089718
Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-NCONF-2395478
Yes Proof of Concept
high severity 751/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.6
Command Injection
SNYK-JS-NODEMAILER-1038834
Yes Proof of Concept
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3
HTTP Header Injection
SNYK-JS-NODEMAILER-1296415
Yes Proof of Concept
medium severity 454/1000
Why? Has a fix available, CVSS 4.8
Session Fixation
SNYK-JS-PASSPORT-2840631
Yes No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Insecure Defaults
SNYK-JS-SOCKETIO-1024859
Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Denial of Service (DoS)
SNYK-JS-SOCKETIOPARSER-1056752
Yes Proof of Concept
high severity 624/1000
Why? Has a fix available, CVSS 8.2
Arbitrary File Overwrite
SNYK-JS-TAR-1536528
No No Known Exploit
high severity 624/1000
Why? Has a fix available, CVSS 8.2
Arbitrary File Overwrite
SNYK-JS-TAR-1536531
No No Known Exploit
low severity 410/1000
Why? Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
SNYK-JS-TAR-1536758
No No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5
Arbitrary File Write
SNYK-JS-TAR-1579147
No No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5
Arbitrary File Write
SNYK-JS-TAR-1579152
No No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5
Arbitrary File Write
SNYK-JS-TAR-1579155
No No Known Exploit
high severity 726/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.1
Arbitrary File Overwrite
SNYK-JS-TAR-174125
No Proof of Concept
medium severity 596/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.5
Arbitrary Code Injection
SNYK-JS-UNDERSCORE-1080984
No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090599
Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090600
Yes Proof of Concept
medium severity /1000
Why?
Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090601
Yes Proof of Concept
medium severity /1000
Why?
Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090602
Yes Proof of Concept
medium severity /1000
Why?
Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835
Yes Proof of Concept
low severity 399/1000
Why? Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:debug:20170905
Yes No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
npm:deep-extend:20180409
No Proof of Concept
critical severity 704/1000
Why? Has a fix available, CVSS 9.8
Arbitrary Code Injection
npm:growl:20160721
Yes No Known Exploit
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:jasmine-core:20180216
Yes Proof of Concept
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3
Prototype Pollution
npm:lodash:20180130
Yes Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
npm:minimatch:20160620
Yes No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
npm:ms:20151024
No No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:ms:20170412
Yes No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Prototype Override Protection Bypass
npm:qs:20170213
Yes No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Symlink File Overwrite
npm:tar:20151103
No No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
Buffer Overflow
npm:validator:20160218
Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: cfenv The new version differs by 13 commits.
  • fb0a2aa update dependencies, now at version 1.2.4
  • 63e072a version 1.2.3
  • 02bb92d Issue 45 Remove '.cfignore'
  • 4103a3e version 1.2.2
  • b07a59e handle ports race condition by returning 3000
  • 6927628 version 1.2.1
  • 3f19f12 Upgrade js-yaml to avoid Denial of Service
  • a5dbceb version 1.2.0
  • 1a730e3 Stop using outdated manifest stanza; use random-route instead
  • f8b0392 Upgrade underscore version 1.9.x
  • b60ef7c add test for local vcapFile port usage
  • c6262a6 Locally use the options to read the port
  • 3490eda add support for vcapFile option

See the full diff

Package name: chalk The new version differs by 53 commits.

See the full diff

Package name: connect-mongo The new version differs by 171 commits.

See the full diff

Package name: forever The new version differs by 91 commits.

See the full diff

Package name: helmet The new version differs by 172 commits.
  • c2d0810 3.8.2
  • 3da2f55 Update changelog for 3.8.2 release
  • 35e7d97 Update connect to 3.6.5
  • 5587ecc 3.8.1
  • 3b95345 Prepare for 3.8.1 release
  • 3ca8991 3.8.0
  • 33fff29 Update to [email protected]
  • 146594f 3.7.0
  • 39b7f11 Update changelog for 3.7.0 release
  • d46443a Update helmet-csp to 2.5.0
  • fb407df Update security reporting instructions
  • f6270e3 Minor: fix typo in test description
  • 0624fea Update changelog for incorrect usage change
  • 35a247f Update error message when doing `app.use(helmet)`
  • 4ecf148 Add a test when called directly
  • e213d87 warn if a helmet constructor is used directly as handler
  • 7255042 Travis: test on Node 8
  • d09b414 Add some useless Markdown files to npmignore
  • d5dce64 Minor: move default middleware definition into index.js
  • 267ac75 Use `--fix` flag with Standard to auto-fix errors
  • 64e815b Minor: clean up main function for clarity
  • f034913 Update Sinon and Standard
  • 60db9c5 3.6.1
  • 621ff8f Update changelog for 3.6.1 release

See the full diff

Package name: jasmine-core The new version differs by 109 commits.
  • 557fb4e proper links in release notes
  • ee52023 Bump version to 3.1
  • 91296a4 Remove Safari 7 from Travis matrix
  • 1923461 Ignore more browser fields when formatting Errors
  • 71116d3 don't lock to 2.99 in dev
  • 63cc7ca Use Jasmine's arrayContains, instead of includes for better support
  • fdecf02 Merge branch 'print_exception_properties' of https://github.com/jbunton-atlassian/jasmine into jbunton-atlassian-print_exception_properties
  • 11f4d89 Merge branch 'node-load-errors'
  • 1149d4e Use j$.pp instead of JSON.stringify() for pretty printing
  • 9ee85c3 Remove duplicate ignored property
  • 0367ca5 Merge branch 'patch-closing-statement' of https://github.com/Sylhare/jasmine
  • 763a83c Display error properties for failed specs
  • 7fb53dc Fixing missing semi-colons
  • a9a112e Fixed release notes link
  • 0184808 Updated README for 3.0
  • 1ac2a6f Allow node to report load time errors
  • 785f62c Fix naming and check functions for empty/notEmpty specs
  • d8c154a Update empty and notEmpty specs for better IE11 support
  • c974c47 Merge branch 'master' of https://github.com/sjolicoeur/jasmine into sjolicoeur-master
  • 2b27bd3 Add API docs for async reporters
  • 3b77f38 Return <anonymous> for functions that have no actual words between keyword and (
  • 1182757 Moved toHaveClass matcher into core so that it can be used in Karma
  • 8326ecf Merge branch 'deprecation-object' of https://github.com/UziTech/jasmine into UziTech-deprecation-object
  • cd6a0de Merge pull request new login page meanjs/mean#1505 from codetriage-readme-bot/codetriage-badge

See the full diff

Package name: mocha The new version differs by 250 commits.
  • 42303e2 Release v6.0.0
  • a553ca7 punctuation updates for changelog v6.0.0
  • c710792 grammar updates for changelog v6.0.0
  • 9f9293a update changelog for v6.0.0
  • a540eb0 remove "projects" section from MAINTAINERS.md [ci skip]
  • 52b5c42 Uppercased JSON reporter name in `describe` title (#3739)
  • 82307fb Fix `.globals` to remove falsy values (#3737)
  • 56dc28e Remove unnecessary post-processing code having no effect; closes #3708 (#3733)
  • 16b4281 Documentation updates (#3728)
  • 5d9d3eb Update nyc
  • 118c9ae Refactor out usages of Suite#_onlyTests and Suite#_onlyTests (#3689) (#3707)
  • 0dacd1f Add ability to unload files from `require` cache (redux) (#3726)
  • 66a52f2 update release steps [ci skip]
  • 45ae014 Refactor `lookupFiles` and `files` (#3722)
  • 94c9320 fix --reporter-option to allow comma-separated options; closes #3706
  • 0f546fc Refactor checkGlobals() error message creation (#3711)
  • 2d21fd6 add missing user reference in CHANGELOG.md [ci skip]
  • 6cb4e27 add all changes since v6.0.0-1 to CHANGELOG.md [ci skip]
  • 186ca36 add createInvalidArgumentError(); see #3676 (#3677)
  • 3a7fa37 Revert 00ca06b0e957ec4f067268c98053782ac5dcb69f; closes #3414 (#3715)
  • 21ba5ce fix --inspect and its ilk; closes #3681 (#3699)
  • 52b9a5f refactor: use constants for event names instead of string literals
  • 29aa611 Eliminated variable shadowing from test event listeners (runner.spec.js) (#3712)
  • e01a54e update usage info in docs [ci skip]

See the full diff

Package name: mongoose The new version differs by 250 commits.
  • ca7996b chore: release 5.13.15
  • e75732a Merge pull request #12307 from Automattic/vkarpov15/fix-5x-build
  • a1144dc test: run node 7 tests with upgraded npm re: #12297
  • dfc4ad7 test: try upgrading npm for node v4 tests re: #12297
  • b9e985c test: more strict @ types/node version
  • 4d813fa test: fix @ types/node version in tests re: #12297
  • 99b4189 Merge pull request #12297 from shubanker/issue/prototype-pollution-5.x-patch
  • 5eb11dd made function non async
  • 6a19731 fix(schema): disallow setting __proto__ when creating schema with dotted properties
  • a2ec28d Merge pull request #11366 from laissonsilveira/5.x
  • 05ce577 Fix broken link from findandmodify method deprecation
  • d2b846f chore: release 5.13.14
  • 69c1f6c docs(models): fix up nModified example for 5.x
  • 4cfc4d6 fix(timestamps): avoid setting `createdAt` on documents that already exist but dont have createdAt
  • a738440 chore: release 5.13.13
  • 4d12a62 Merge pull request #10942 from jneal-afs/fix-query-set-ts-type
  • c3463c4 Merge pull request #10916 from iovanom/gh-10902-v5
  • ff5ddb5 fix: hardcode base 10 for nodeMajorVersion parseInt() call
  • d205c4d make value optional
  • c6fd7f7 Fix ts types for query set
  • 22e9b3b [gh-10902 v5] Add node major version to utils
  • 5468642 [gh-10902 v5] Emit end event in before close
  • 271bc60 Merge pull request #10910 from lorand-horvath/patch-2
  • b7ebeec Update mongodb driver to 3.7.3

See the full diff

Package name: multer The new version differs by 28 commits.

See the full diff

Package name: node-pre-gyp The new version differs by 250 commits.

See the full diff

Package name: nodemailer The new version differs by 250 commits.

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-ASYNC-2441827
- https://snyk.io/vuln/SNYK-JS-BSON-561052
- https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749
- https://snyk.io/vuln/SNYK-JS-FSTREAM-174725
- https://snyk.io/vuln/SNYK-JS-GETOBJECT-1054932
- https://snyk.io/vuln/SNYK-JS-GRUNT-2635969
- https://snyk.io/vuln/SNYK-JS-GRUNT-2813632
- https://snyk.io/vuln/SNYK-JS-GRUNT-597546
- https://snyk.io/vuln/SNYK-JS-JSYAML-173999
- https://snyk.io/vuln/SNYK-JS-JSYAML-174129
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-1019388
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-MOCHA-561476
- https://snyk.io/vuln/SNYK-JS-MONGODB-473855
- https://snyk.io/vuln/SNYK-JS-MONGOOSE-1086688
- https://snyk.io/vuln/SNYK-JS-MONGOOSE-2961688
- https://snyk.io/vuln/SNYK-JS-MPATH-1577289
- https://snyk.io/vuln/SNYK-JS-MQUERY-1050858
- https://snyk.io/vuln/SNYK-JS-MQUERY-1089718
- https://snyk.io/vuln/SNYK-JS-NCONF-2395478
- https://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834
- https://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415
- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631
- https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-1056752
- https://snyk.io/vuln/SNYK-JS-TAR-1536528
- https://snyk.io/vuln/SNYK-JS-TAR-1536531
- https://snyk.io/vuln/SNYK-JS-TAR-1536758
- https://snyk.io/vuln/SNYK-JS-TAR-1579147
- https://snyk.io/vuln/SNYK-JS-TAR-1579152
- https://snyk.io/vuln/SNYK-JS-TAR-1579155
- https://snyk.io/vuln/SNYK-JS-TAR-174125
- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090599
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090600
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090601
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090602
- https://snyk.io/vuln/SNYK-JS-WS-1296835
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:deep-extend:20180409
- https://snyk.io/vuln/npm:growl:20160721
- https://snyk.io/vuln/npm:jasmine-core:20180216
- https://snyk.io/vuln/npm:lodash:20180130
- https://snyk.io/vuln/npm:minimatch:20160620
- https://snyk.io/vuln/npm:ms:20151024
- https://snyk.io/vuln/npm:ms:20170412
- https://snyk.io/vuln/npm:qs:20170213
- https://snyk.io/vuln/npm:tar:20151103
- https://snyk.io/vuln/npm:validator:20160218


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:hoek:20180212
- https://snyk.io/vuln/npm:ms:20170412
- https://snyk.io/vuln/npm:request:20160119
- https://snyk.io/vuln/npm:tough-cookie:20170905
- https://snyk.io/vuln/npm:uglify-js:20151024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants