Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade: , , , react, react-dom, , algoliasearch, isomorphic-unfetch, koa, koa-session, next, snyk, webpack #893

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

aubreyyan
Copy link
Owner

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name Versions Released on

@babel/polyfill
from 7.4.4 to 7.12.1 | 9 versions ahead of your current version | 4 years ago
on 2020-10-15
@material-ui/core
from 4.3.1 to 4.12.4 | 48 versions ahead of your current version | 2 years ago
on 2022-04-03
@material-ui/icons
from 4.2.1 to 4.11.3 | 6 versions ahead of your current version | 2 years ago
on 2022-04-03
react
from 16.8.6 to 16.14.0 | 11 versions ahead of your current version | 4 years ago
on 2020-10-14
react-dom
from 16.8.6 to 16.14.0 | 11 versions ahead of your current version | 4 years ago
on 2020-10-14
@material-ui/styles
from 4.3.0 to 4.11.5 | 21 versions ahead of your current version | 2 years ago
on 2022-04-03
algoliasearch
from 3.33.0 to 3.35.1 | 3 versions ahead of your current version | 5 years ago
on 2019-10-08
isomorphic-unfetch
from 3.0.0 to 3.1.0 | 1 version ahead of your current version | 4 years ago
on 2020-09-29
koa
from 2.7.0 to 2.15.2 | 19 versions ahead of your current version | 6 months ago
on 2024-03-21
koa-session
from 5.12.2 to 5.13.1 | 3 versions ahead of your current version | 5 years ago
on 2020-02-01
next
from 9.2.1 to 9.5.5 | 284 versions ahead of your current version | 4 years ago
on 2020-10-10
snyk
from 1.278.0 to 1.1292.4 | 1174 versions ahead of your current version | a month ago
on 2024-08-12
webpack
from 4.39.1 to 4.47.0 | 22 versions ahead of your current version | a year ago
on 2023-09-06

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
critical severity Incomplete List of Disallowed Inputs
SNYK-JS-BABELTRAVERSE-5962462
786 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-SSRI-1246392
786 Proof of Concept
medium severity Cross-site Scripting (XSS)
SNYK-JS-PARSEURL-2935944
786 Proof of Concept
medium severity Information Exposure
SNYK-JS-PARSEURL-2935947
786 Proof of Concept
critical severity Server-side Request Forgery (SSRF)
SNYK-JS-PARSEURL-2936249
786 Proof of Concept
high severity Code Injection
SNYK-JS-LODASHTEMPLATE-1088054
786 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ACORN-559469
786 No Known Exploit
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ACORN-559469
786 No Known Exploit
high severity Prototype Pollution
SNYK-JS-AJV-584908
786 No Known Exploit
high severity Prototype Pollution
SNYK-JS-AJV-584908
786 No Known Exploit
high severity Remote Memory Exposure
SNYK-JS-BL-608877
786 Proof of Concept
high severity Prototype Pollution
SNYK-JS-AJV-584908
786 No Known Exploit
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIHTML-1296849
786 Proof of Concept
high severity Server-side Request Forgery (SSRF)
SNYK-JS-IP-6240864
786 Proof of Concept
high severity Remote Code Execution (RCE)
SNYK-JS-PACRESOLVER-1564857
786 Proof of Concept
high severity Authorization Bypass Through User-Controlled Key
SNYK-JS-PARSEPATH-2936439
786 Proof of Concept
high severity Cross-site Scripting (XSS)
SNYK-JS-SERIALIZEJAVASCRIPT-536840
786 No Known Exploit
high severity Arbitrary Code Injection
SNYK-JS-SERIALIZEJAVASCRIPT-570062
786 Proof of Concept
high severity Cross-site Scripting (XSS)
SNYK-JS-SERIALIZEJAVASCRIPT-6056521
786 No Known Exploit
high severity Prototype Pollution
SNYK-JS-NCONF-2395478
786 Proof of Concept
high severity Server-side Request Forgery (SSRF)
SNYK-JS-NETMASK-1089716
786 Proof of Concept
high severity Server-side Request Forgery (SSRF)
SNYK-JS-NETMASK-6056519
786 Proof of Concept
high severity Path Traversal
SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555
786 Proof of Concept
high severity Code Injection
SNYK-JS-LODASH-1040724
786 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASH-567746
786 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASH-608086
786 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASH-6139239
786 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASHSET-1320032
786 Proof of Concept
medium severity Cross-site Scripting (XSS)
SNYK-JS-PARSEURL-2942134
786 Proof of Concept
medium severity Server-side Request Forgery (SSRF)
SNYK-JS-PARSEURL-3023021
786 Proof of Concept
medium severity Improper Input Validation
SNYK-JS-PARSEURL-3024398
786 Proof of Concept
medium severity Command Injection
SNYK-JS-SNYK-3038622
786 Proof of Concept
medium severity Code Injection
SNYK-JS-SNYK-3111871
786 No Known Exploit
medium severity Command Injection
SNYK-JS-SNYKDOCKERPLUGIN-3039679
786 Proof of Concept
medium severity Command Injection
SNYK-JS-SNYKGOPLUGIN-3037316
786 Proof of Concept
medium severity Command Injection
SNYK-JS-SNYKGRADLEPLUGIN-3038624
786 Proof of Concept
medium severity Command Injection
SNYK-JS-SNYKMVNPLUGIN-3038623
786 Proof of Concept
medium severity Command Injection
SNYK-JS-SNYKPYTHONPLUGIN-3039677
786 Proof of Concept
medium severity Command Injection
SNYK-JS-SNYKSBTPLUGIN-3038626
786 Proof of Concept
medium severity Command Injection
SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625
786 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-DOTPROP-543489
786 Proof of Concept
medium severity Open Redirect
SNYK-JS-GOT-2932019
786 No Known Exploit
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-HOSTEDGITINFO-1088355
786 Proof of Concept
critical severity Incomplete List of Disallowed Inputs
SNYK-JS-BABELTRAVERSE-5962462
786 Proof of Concept
medium severity Path Traversal
SNYK-JS-NEXT-561584
786 Proof of Concept
medium severity Server-Side Request Forgery (SSRF)
SNYK-JS-IP-7148531
786 Proof of Concept
medium severity Denial of Service (DoS)
SNYK-JS-JSZIP-1251497
786 Proof of Concept
medium severity Arbitrary File Write via Archive Extraction (Zip Slip)
SNYK-JS-JSZIP-3188562
786 No Known Exploit
medium severity Command Injection
SNYK-JS-SNYK-3037342
786 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-PATHTOREGEXP-7925106
786 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-XML2JS-5414874
786 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-XML2JS-5414874
786 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905
786 Proof of Concept
low severity Cross-site Scripting
SNYK-JS-SEND-7926862
786 No Known Exploit
Release notes
Package name: @babel/polyfill
  • 7.12.1 - 2020-10-15
  • 7.11.5 - 2020-08-31
  • 7.10.4 - 2020-06-30
  • 7.10.1 - 2020-05-27
  • 7.8.7 - 2020-03-05
  • 7.8.3 - 2020-01-13
  • 7.8.0 - 2020-01-12
  • 7.7.0 - 2019-11-05
  • 7.6.0 - 2019-09-06
  • 7.4.4 - 2019-04-26
from @babel/polyfill GitHub release notes
Package name: @material-ui/core
  • 4.12.4 - 2022-04-03
  • 4.12.3 - 2021-07-30
  • 4.12.2 - 2021-07-19
  • 4.12.1 - 2021-07-07
  • 4.12.0 - 2021-07-06
  • 4.11.4 - 2021-04-27
  • 4.11.3 - 2021-01-24
  • 4.11.3-deprecations.1 - 2021-01-25
  • 4.11.3-deprecations.0 - 2021-01-24
  • 4.11.2 - 2020-12-02
  • 4.11.1 - 2020-11-24
  • 4.11.0 - 2020-06-30
  • 4.10.2 - 2020-06-11
  • 4.10.1 - 2020-06-01
  • 4.10.0 - 2020-05-23
  • 4.9.14 - 2020-05-11
  • 4.9.13 - 2020-05-04
  • 4.9.12 - 2020-04-26
  • 4.9.11 - 2020-04-18
  • 4.9.10 - 2020-04-11
  • 4.9.9 - 2020-04-04
  • 4.9.8 - 2020-03-28
  • 4.9.7 - 2020-03-18
  • 4.9.6 - 2020-03-18
  • 4.9.5 - 2020-02-29
  • 4.9.4 - 2020-02-23
  • 4.9.3 - 2020-02-16
  • 4.9.2 - 2020-02-09
  • 4.9.1 - 2020-02-02
  • 4.9.0 - 2020-01-22
  • 4.8.3 - 2020-01-06
  • 4.8.2 - 2019-12-30
  • 4.8.1 - 2019-12-24
  • 4.8.0 - 2019-12-14
  • 4.7.2 - 2019-12-07
  • 4.7.1 - 2019-12-01
  • 4.7.0 - 2019-11-22
  • 4.6.1 - 2019-11-12
  • 4.6.0 - 2019-11-05
  • 4.5.2 - 2019-10-28
  • 4.5.1 - 2019-10-12
  • 4.5.0 - 2019-10-02
  • 4.4.3 - 2019-09-22
  • 4.4.2 - 2019-09-11
  • 4.4.1 - 2019-09-08
  • 4.4.0 - 2019-08-31
  • 4.3.3 - 2019-08-21
  • 4.3.2 - 2019-08-10
  • 4.3.1 - 2019-08-03
from @material-ui/core GitHub release notes
Package name: @material-ui/icons
  • 4.11.3 - 2022-04-03
  • 4.11.2 - 2020-12-02
  • 4.9.1 - 2020-02-02
  • 4.5.1 - 2019-10-12
  • 4.4.3 - 2019-09-22
  • 4.4.1 - 2019-09-08
  • 4.2.1 - 2019-06-23
from @material-ui/icons GitHub release notes
Package name: react from react GitHub release notes
Package name: react-dom from react-dom GitHub release notes
Package name: @material-ui/styles
  • 4.11.5 - 2022-04-03
  • 4.11.4 - 2021-04-27
  • 4.11.3 - 2021-01-24
  • 4.11.3-deprecations.1 - 2021-01-25
  • 4.11.3-deprecations.0 - 2021-01-24
  • 4.11.2 - 2020-12-02
  • 4.11.1 - 2020-11-24
  • 4.10.0 - 2020-05-23
  • 4.9.14 - 2020-05-11
  • 4.9.13 - 2020-05-04
  • 4.9.10 - 2020-04-11
  • 4.9.6 - 2020-03-18
  • 4.9.0 - 2020-01-22
  • 4.8.2 - 2019-12-30
  • 4.7.1 - 2019-12-01
  • 4.6.0 - 2019-11-05
  • 4.5.2 - 2019-10-28
  • 4.5.0 - 2019-10-02
  • 4.4.3 - 2019-09-22
  • 4.4.1 - 2019-09-08
  • 4.3.3 - 2019-08-21
  • 4.3.0 - 2019-07-28
from @material-ui/styles GitHub release notes
Package name: algoliasearch
  • 3.35.1 - 2019-10-08
  • 3.35.0 - 2019-09-26
  • 3.34.0 - 2019-08-29
  • 3.33.0 - 2019-05-09
from algoliasearch GitHub release notes
Package name: isomorphic-unfetch from isomorphic-unfetch GitHub release notes
Package name: koa
  • 2.15.2 - 2024-03-21

    Release 2.15.2

  • 2.15.1 - 2024-03-15

    Release 2.15.1

  • 2.15.0 - 2023-12-29

    Release 2.15.0

  • 2.14.2 - 2023-04-12

    Release 2.14.2

  • 2.14.1 - 2022-12-07

    Release 2.14.1

  • 2.14.0 - 2022-12-06

    Release 2.14.0

  • 2.13.4 - 2021-10-19

    Release 2.13.4

  • 2.13.3 - 2021-09-24
  • 2.13.2 - 2021-09-24
  • 2.13.1 - 2021-01-04
  • 2.13.0 - 2020-06-21
  • 2.12.1 - 2020-06-13
  • 2.12.0 - 2020-05-17
  • 2.11.0 - 2019-10-28
  • 2.10.0 - 2019-10-12
  • 2.9.0 - 2019-10-12
  • 2.8.2 - 2019-09-28
  • 2.8.1 - 2019-08-19
  • 2.8.0 - 2019-08-19
  • 2.7.0 - 2019-01-28
from koa GitHub release notes
Package name: koa-session from koa-session GitHub release notes
Package name: next
  • 9.5.5 - 2020-10-10

    Core Changes

    • Update to have default locale matched on root: #17669
    • Handle css-loader file resolving change: #17724

    Example Changes

    • Fix with-apollo example : #17686
    • Fix with-msw example: #17695

    Credits

    Huge thanks to @ HaNdTriX, and @ jensmeindertsma for helping!

  • 9.5.5-canary.1 - 2020-10-09

    Core Changes

    • Update to generate auto static pages with all locales: #17730
  • 9.5.5-canary.0 - 2020-10-08

    Core Changes

    • Add initial changes for i18n support: #17370
    • Update to have default locale matched on root: #17669
    • Handle css-loader file resolving change: #17724

    Example Changes

    • Fix with-apollo example : #17686
    • Fix with-msw example: #17695

    Credits

    Huge thanks to @ HaNdTriX and @ jensmeindertsma for helping!

  • 9.5.4 - 2020-10-07

    This upgrade is completely backwards compatible and recommended for all users on versions below 9.5.4. For future security related communications of our OSS projects, please join this mailing list.

    A security team from one of our partners noticed an issue in Next.js that allowed for open redirects to occur.

    Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site.

    In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attackers domain from a trusted domain.

    We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

    How to Upgrade

    • We have released patch versions for both the stable and canary channels of Next.js.
    • To upgrade run npm install next@latest --save

    Impact

    • Affected: Users of Next.js between 9.5.0 and 9.5.3
    • Not affected: Deployments on Vercel (https://vercel.com) are not affected
    • Not affected: Deployments using next export

    We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

    How to Assess Impact

    If you think users could have been affected, you can filter logs of affected sites by %2F with a 308 response.

    What is Being Done

    As Next.js has grown in popularity, it has received the attention of security teams and auditors. We are thankful to those that reached out for their investigation and discovery of the original bug and subsequent responsible disclosure.

    We've landed a patch that ensures encoding is handled properly for these types of redirects so the open redirect can no longer occur.

    Regression tests for this attack were added to the security integration test suite.

    • We have notified known Next.js users in advance of this publication.
    • A public CVE was released.
    • If you want to stay on top of our security related news impacting Next.js or other Vercel projects, please join this mailing list.
    • We encourage responsible disclosure of future issues. Please email us at [email protected]. We are actively monitoring this mailbox.

    Core Changes

    • Make the image post-processor ignore SVG images: #16732
    • Only update lookups for dev overlay if mounted: #16776
    • Ensure interpolating dynamic href values works correctly: #16774
    • Add automatic reloading when editing GS(S)P methods: #16744
    • Update to show build indicator while re-fetching GS(S)P data in dev: #16789
    • make parseRelativeUrl return a UrlObject: #16809
    • Add tests for searchParams dev warning: #16798
    • Fix invalid config export errors: #16834
    • Correct client rewrite resolving with query: #16860
    • Fix href resolving with trailing slash enabled: #16873
    • Divide export build output into 4 segments instead of showing it one by one: #16815
    • Include additional query values when interpolating href: #16878
    • Correct page path for GS(S)P data refreshing: #16939
    • Fix align documentation with the code: #16843
    • Remove next-head-count: #16758
    • Add Support for CSS Module Value Imports:

Snyk has created this PR to upgrade:
  - @babel/polyfill from 7.4.4 to 7.12.1.
    See this package in npm: https://www.npmjs.com/package/@babel/polyfill
  - @material-ui/core from 4.3.1 to 4.12.4.
    See this package in npm: https://www.npmjs.com/package/@material-ui/core
  - @material-ui/icons from 4.2.1 to 4.11.3.
    See this package in npm: https://www.npmjs.com/package/@material-ui/icons
  - react from 16.8.6 to 16.14.0.
    See this package in npm: https://www.npmjs.com/package/react
  - react-dom from 16.8.6 to 16.14.0.
    See this package in npm: https://www.npmjs.com/package/react-dom
  - @material-ui/styles from 4.3.0 to 4.11.5.
    See this package in npm: https://www.npmjs.com/package/@material-ui/styles
  - algoliasearch from 3.33.0 to 3.35.1.
    See this package in npm: https://www.npmjs.com/package/algoliasearch
  - isomorphic-unfetch from 3.0.0 to 3.1.0.
    See this package in npm: https://www.npmjs.com/package/isomorphic-unfetch
  - koa from 2.7.0 to 2.15.2.
    See this package in npm: https://www.npmjs.com/package/koa
  - koa-session from 5.12.2 to 5.13.1.
    See this package in npm: https://www.npmjs.com/package/koa-session
  - next from 9.2.1 to 9.5.5.
    See this package in npm: https://www.npmjs.com/package/next
  - snyk from 1.278.0 to 1.1292.4.
    See this package in npm: https://www.npmjs.com/package/snyk
  - webpack from 4.39.1 to 4.47.0.
    See this package in npm: https://www.npmjs.com/package/webpack

See this project in Snyk:
https://app.snyk.io/org/aubrey-y/project/7731ed6d-b58c-4a96-8361-c8336c6a2781?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants