Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 1 vulnerabilities #41

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 1 vulnerabilities #41

wants to merge 1 commit into from

Conversation

ekmixon
Copy link
Owner

@ekmixon ekmixon commented Apr 16, 2024

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 768/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5		 Prototype Pollution
SNYK-JS-LODASH-6139239		 Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: browser-sync The new version differs by 209 commits.
  • e7ced1b 2.13.0
  • d9063d6 deps: update eazy-logger micromatch serve-static
  • dcba582 docs: remove ref to anymatch. re: https://github.com/Chokidar or Anymatch for glob patterns? BrowserSync/browser-sync#1122#issuecomment-224199203
  • a3e115d remove invalid invocation ofl enableDestroy;
  • 4b17d60 fix(socket/server): Allow .exit() to immediately shut down all servers as expected
  • 2282cad fix(files): implement a more robust (correct) debounce, along with throttle & delay - re: #982 #1121
  • 66be45c dev-deps: update bs-html-injector
  • 4467e87 2.12.12
  • 38ce6ba Add legacy property to plugins options - fix #1120
  • 3b7ea77 2.12.11
  • 400f10f Add legacy `moduleName` property to plugins options - fix #1120
  • 1159244 deps: Add bs-latency for dev
  • 5a0ed9d 2.12.10
  • cbcb642 Merge branch '1109-directory'
  • d0d0c3d test: allow all
  • c771362 Merge pull request #1110 from donaldpipowitch/patch-1
  • c62cd55 support falsey values for directory setting
  • 379b7fc 2.12.9
  • 32c927d test: added failing test for #1109
  • 50e740c ci: ignore custom lodash build for coverage report
  • d5efbd8 ci: Remove lodash dependency from test files
  • fbccc2f perf: custom lodash build to reduce start-up time
  • 223ae23 Merge pull request #1101 from zhongdeliu/patch-1
  • 54f1765 only a comment fix for proxyReq variable

See the full diff

Package name: gulp The new version differs by 134 commits.
  • 55eb23a Release: 4.0.0
  • 173a532 Docs: Fix the installation instructions
  • ec54d09 Docs: Improve note about out-of-date docs
  • 03b7c98 Docs: Update recipes to install gulp@next
  • 2eba29e Docs: Remove run-sequence from recipes
  • 76eb4d6 Docs: Add installation instructions & update badges
  • fbc162f Docs: Remove references to gulp-util
  • 3011cf9 Scaffold: Normalize repository
  • f27be05 Update: Remove graceful-fs from test suite
  • 361ab63 Upgrade: Update glob-watcher
  • 064d100 Build: Avoid broken node 9
  • 057df59 Release: 4.0.0-alpha.3
  • c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
  • 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
  • 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
  • 723cbc4 Docs: Fix syntax in recipe example (#1715)
  • d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
  • 29ece6f Upgrade: Update undertaker
  • e931cb0 Docs: Fix changelog typos (#1696)
  • 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
  • d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
  • 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
  • 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
  • c3dbc10 Docs: Clarify incremental builds example (#1609)

See the full diff

Package name: gulp-angular-filesort The new version differs by 8 commits.

See the full diff

Package name: gulp-jshint The new version differs by 28 commits.
  • c277434 2.0.3
  • 711f3f0 test fix
  • 0045278 dep updates
  • bee3a83 [readme] spruce things up a bit
  • 2cb429b 2.0.2
  • f1f3fc2 Merge pull request #150 from VictorVation/master
  • 4f1f1cb update minimatch
  • 6c9cadd Merge pull request #140 from rtack/patch-1
  • 6532823 fix typo
  • 4a7f304 2.0.1
  • 5c1d63f move to explicitly imported lodash functions
  • 81c7498 Merge pull request #139 from rkurbatov/upgrade-lodash
  • 631e7ed Update .gitignore
  • 368f267 Upgrade lodash version, fix 'repository' field to correct form
  • 0d91672 Create CHANGELOG.md
  • d7cc9ea version 2.0.0
  • 02c4053 added note about jshint peerDependency
  • 226ea3b Merge pull request #120 from spalger/jshintAsPeer
  • 44c06bb version 1.12.0
  • 5b73861 Merge pull request #123 from IcanDivideBy0/reporter_relative_path
  • 69c9c17 Use relative file path in reporter
  • a1c0be4 [npm] install jshint on travis, for old npm and future npm
  • 3e7ad84 [npm] move jshint to peerDependencies
  • a380282 Merge pull request #118 from ljknight/master

See the full diff

Package name: gulp-useref The new version differs by 23 commits.
  • b2358b8 Update .npmignore.
  • 79c2a0e 2.0.0
  • 8d6e5eb Fix failing tests.
  • cbc0716 Merge branch 'hadrienk-master'
  • 0937855 Merge branch 'master' of https://github.com/hadrienk/gulp-useref into hadrienk-master
  • 2858b57 Update README.
  • 1360869 Fix issue with files being lost.
  • b15579d Update vinyl-fs.
  • 3b9c0fe Update dependencies.
  • 8bb699c Update gulp and jscs packages.
  • 297e138 1.3.0
  • feaba4e Merge branch 'timdp-support-absolute-paths'
  • 4eee0ef Supporting absolute search paths
  • 76d2eea Add gulp task for JSCS support.
  • 7f7d8d8 Code clean up.
  • fa193e7 Merge branch 'jbblanchet-master'
  • e44d144 Add external streams to assets
  • 3734de5 Merge pull request #113 from stevemao/markdown
  • cdff97e Fix markdown syntax highlight
  • 39cd93d Merge pull request #112 from stevemao/patch-1
  • a1b7595 Add missing `useref()` api
  • d9acf23 Add the mustexist option to make the stream emit and error if a file is missing
  • 0b64feb Add tests for the pull request

See the full diff

Package name: main-bower-files The new version differs by 30 commits.
  • 3e72915 Merge branch 'nathanaelnsmith-master'
  • c10c547 Updated README.md and added unit test for exclude group feature
  • 7597ec7 2.12.0
  • 795e59b Finished implementing excluding group from bower file list.
  • ff9ae8a Fixed issue with variable referenced out of order
  • fa9b96d Exclude group from dependencies
  • 8f4bb2c updated vinyl-fs
  • 8ef5cf6 version 2.11.1
  • 74c146e Merge branch 'pwang2-fix-bower-main-slash'
  • d49d53d Merge branch 'fix-bower-main-slash' of https://github.com/pwang2/main-bower-files into pwang2-fix-bower-main-slash
  • 78e91cd updated tern config file
  • 580e540 add test for slash path deny
  • 4e2a320 Deny absolute bower main file,
  • b9cb4fc prove giving wrong message when main path start with /
  • 5eb5072 version 2.11.0
  • 75d0445 Merge pull request #123 from ball6847/feature-deps-group
  • 73faa81 add semicolon to the missing line
  • 39524a7 add more test and document about group option
  • 09e230e add tests for group options
  • e918565 make it supports node v0.10, as travis-ci run on this version
  • d9dff42 add dependency group options
  • bafd804 Merge pull request #120 from red2678/patch-1
  • f2f53e1 Fix Typos
  • 22db94e Fixed readme linebreaks

See the full diff

Package name: wiredep The new version differs by 50 commits.
  • 3416e1e 4.0.0
  • d4d23b9 tests: fix cached config from multiple runs
  • 58b9441 update lodash and fix breaking changes from it
  • 4d98906 split wiredep-cli into its own module
  • e4cb7a6 update devDeps
  • 9b72b7a update safe main deps
  • dc88ab0 warn on invalid or missing bowerJson file
  • b649193 use appropriate log methods for cli
  • b5f6644 only use the fixtures for real cli tests
  • 851483f refactor wiredep-cli to reduce loops and double checks
  • 366e655 expanded wiredep_cli testing
  • becb3d6 DRY cli args
  • fa5ad59 add code coverage reports
  • 649afc8 OS-ify the cli file
  • 3fea870 remove beforeEach def
  • 8e859b6 split cli test suite
  • cf11f71 allow multiple test runs (--watch)
  • e4b48ad add badges
  • 8712b18 travis newer
  • ae0271f Unmaintained notice
  • eab46b8 3.0.0
  • 0f5e9b4 Merge pull request #223 from danielsiwiec/master
  • c84c057 Fix a problem with CLI -b argument misbehaving
  • 5339a49 Merge pull request #206 from ahmednuaman/patch-1

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

@snyk-bot
fix: package.json to reduce vulnerabilities
41fe687 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASH-6139239
@secure-code-warrior-for-github Secure Code Warrior for GitHub
Copy link

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior

sourcery-ai[bot]
sourcery-ai bot reviewed Apr 16, 2024
View reviewed changes
Copy link

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have skipped reviewing this pull request. Here's why:

  • It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
  • We don't review packaging changes - Let us know if you'd like us to change this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ekmixon @snyk-bot