Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 14 vulnerabilities #4

Merged
merged 1 commit into from
Nov 25, 2022

Conversation

SmarTurtleco
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json
    • package-lock.json
  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
    Find out more.

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
No Proof of Concept
medium severity 554/1000
Why? Has a fix available, CVSS 6.8
Cryptographic Issues
SNYK-JS-ELLIPTIC-1064899
No No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-GLOBPARENT-1016905
No Proof of Concept
medium severity 484/1000
Why? Has a fix available, CVSS 5.4
Open Redirect
SNYK-JS-GOT-2932019
No No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905
No Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2
Command Injection
SNYK-JS-LODASH-1040724
No Proof of Concept
high severity 731/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.2
Prototype Pollution
SNYK-JS-LODASH-567746
No Proof of Concept
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7
Prototype Pollution
SNYK-JS-MINIMIST-2429795
No Proof of Concept
medium severity 539/1000
Why? Has a fix available, CVSS 6.5
Information Exposure
SNYK-JS-NODEFETCH-2342118
No No Known Exploit
medium severity 520/1000
Why? Has a fix available, CVSS 5.9
Denial of Service
SNYK-JS-NODEFETCH-674311
No No Known Exploit
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Prototype Pollution
SNYK-JS-NUNJUCKS-1079083
No Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Denial of Service (DoS)
SNYK-JS-TRIMNEWLINES-1298042
No No Known Exploit
medium severity 596/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.5
Arbitrary Code Injection
SNYK-JS-UNDERSCORE-1080984
No Proof of Concept
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6
Prototype Pollution
SNYK-JS-YARGSPARSER-560381
No Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: elliptic The new version differs by 5 commits.

See the full diff

Package name: ethereum-input-data-decoder The new version differs by 20 commits.
  • 1a2484b Bump version
  • 863273a Merge branch 'roderik-master'
  • 9469a28 fix: upgrade meow to fix CVE issues
  • a19603a Bump version
  • 0c012ff Merge branch 'alexcampbelling-fix/nested-tuple-array'
  • 1613760 Merge branch 'fix/nested-tuple-array' of https://github.com/alexcampbelling/ethereum-input-data-decoder into alexcampbelling-fix/nested-tuple-array
  • 3b89e05 Update package.json
  • bfbd0c1 Merge branch 'NunoAlexandre-master'
  • e4e4cf4 Make lib importable on typescript projects
  • 2940c6e Typuple type to null
  • 736e176 Comments
  • b170a4a removed comments
  • d54eea8 builds
  • ff9b3e9 Cleaned up recursive base cases in which types were being indexed where they shouldn't be
  • a9dd15c Semver match original style
  • ed05ad0 Builds
  • 4009c02 Recursive tuple strip and 2 new tests
  • 47e5756 handle tuple array of arrays
  • 4564b82 Add cli alias
  • 7a140bd Update README

See the full diff

Package name: minimist The new version differs by 4 commits.
  • 7efb22a 1.2.6
  • ef88b93 security notice for additional prototype pollution issue
  • c2b9819 isConstructorOrProto adapted from PR
  • bc8ecee test from prototype pollution PR

See the full diff

Package name: nunjucks The new version differs by 34 commits.
  • fd50090 Release v3.2.3
  • d34fdbf Temporarily comment out codecov action
  • cefad41 Replace README.md travis badge with github actions
  • 7601ff4 Fixup github actions workflow file
  • de9dc67 Add GitHub Workflow for tests. fixes #1333
  • aa9e5b9 Fix prototype pollution security issue. fixes #1331
  • f51afa3 Move chokidar to peerDependencies and make it optional via peerDependenciesMeta (#1329)
  • f91f1c3 Fix `groupby` example formatting
  • 7ef121c Add base and default args to int filter
  • 0c02062 Use attribute getter for `sort` filter
  • c7337e7 Release v3.2.2
  • bea3a43 CHANGELOG: Fix issue link
  • 8186d4f Don't append extra newline when using |indent filter
  • 73a4eb3 Document `with context` behavior for `import` directive (fr)
  • eea081c Document `with context` behavior for `import` directive
  • bbcbaf3 Fix issue where sync render would not raise errors in included templates
  • 63c4baf Remove development files from NPM package. Fixes #984
  • 85918ef Document `if` statement with multiple conditions (fr). refs #1284
  • 7ddd747 Document `if` statement with multiple conditions
  • 1e29863 Add support for nested attributes in `groupBy` filter. Fixes #1198
  • 7087fa9 Fix precompile bin TypeError: name.replace is not a function
  • 1736334 Modify CHANGELOG message for select/reject filters
  • 62565a1 Add `reject` filter
  • 647fc11 Change version query

See the full diff

Package name: solidity-bytes-utils The new version differs by 41 commits.

See the full diff

Package name: web3 The new version differs by 169 commits.
  • 02895cb Build for 1.7.5
  • 34f6b68 v1.7.5
  • 195f01d Manual build commit for 1.7.5-rc.1
  • b640e26 v1.7.5-rc.1
  • 96a7935 npm i
  • 9476964 Merge branch '1.x' into release/1.7.5
  • 84ac9b7 Fixed unit tests & removed dead code for web3-providers-http (#5228) (#5264)
  • 2dcf142 Manual build commit for 1.7.5-rc.0
  • ba30e1d v1.7.5-rc.0
  • c93940b npm i and CHANGELOG update for 1.7.5 release
  • fc7bfcd 1.x Libs Update including parse-url (#5254)
  • ca827a7 fix Promise in Accounts.signTransaction() throwing errors that cannot be caught #4724 (#5080) (#5252)
  • 35d8f7f Update AbstractProvider with correct typing (#5206)
  • 57b6dc4 Add createAccessList type (#5146) (#5204)
  • 46b5a5b fix remove wallet using an index when an account address and address lowercase are equal #5049 (#5050) (#5202)
  • 2a1308f Fix transactionRoot -> transactionsRoot in BlockHeader (#5083) (#5197)
  • 9e0d9d1 hexToNumber: return BigInt if result is bigger than max integer (#5157)
  • 555aa0d web3-providers-http: Migrate from xhr2-cookies to cross-fetch (#5179)
  • c034b8d Update `got` dependency for `web3-bzz` package (#5178)
  • aae9d4a Updates on `README.md` Format (#5115)
  • 8f05f19 Fixed documentation for web3.eth.accounts.signTransaction (#5121)
  • 5b10473 Fix typo (#5116)
  • 18da528 fix typos in web3-eth-accounts.rst & TESTING.md #5047 (#5048)
  • e9ab4a5 Typo foudn (#5142)

See the full diff

With a Snyk patch:
Severity Priority Score (*) Issue Exploit Maturity
high severity 731/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.2
Prototype Pollution
SNYK-JS-LODASH-567746
Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Cryptographic Issues
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn

@SmarTurtleco SmarTurtleco merged commit acf0433 into master Nov 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants