Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade: , ws, , , axios, express, fastify, geolib, jsonwebtoken, prisma, socket.io, tsx, zod #71

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

gjovs
Copy link
Owner

@gjovs gjovs commented Sep 18, 2024

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name Versions Released on

@fastify/cors
from 8.2.1 to 8.5.0 | 5 versions ahead of your current version | 9 months ago
on 2023-12-18
ws
from 8.13.0 to 8.18.0 | 9 versions ahead of your current version | 2 months ago
on 2024-07-03
@googlemaps/google-maps-services-js
from 3.3.28 to 3.4.0 | 15 versions ahead of your current version | 5 months ago
on 2024-04-09
@prisma/client
from 4.12.0 to 4.16.2 | 651 versions ahead of your current version | a year ago
on 2023-06-30
axios
from 1.3.4 to 1.7.5 | 23 versions ahead of your current version | a month ago
on 2024-08-23
express
from 4.18.2 to 4.19.2 | 4 versions ahead of your current version | 6 months ago
on 2024-03-25
fastify
from 4.15.0 to 4.28.1 | 30 versions ahead of your current version | 3 months ago
on 2024-06-29
geolib
from 3.3.3 to 3.3.4 | 1 version ahead of your current version | a year ago
on 2023-06-01
jsonwebtoken
from 9.0.0 to 9.0.2 | 2 versions ahead of your current version | a year ago
on 2023-08-30
prisma
from 4.12.0 to 4.16.2 | 651 versions ahead of your current version | a year ago
on 2023-06-30
socket.io
from 4.6.1 to 4.7.5 | 7 versions ahead of your current version | 6 months ago
on 2024-03-14
tsx
from 3.12.6 to 3.14.0 | 6 versions ahead of your current version | a year ago
on 2023-10-17
zod
from 3.21.4 to 3.23.8 | 93 versions ahead of your current version | 4 months ago
on 2024-05-08

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795
646 Proof of Concept
high severity Uncaught Exception
SNYK-JS-SOCKETIO-7278048
646 No Known Exploit
high severity Denial of Service (DoS)
SNYK-JS-SOCKETIOPARSER-5596892
646 No Known Exploit
high severity Cross-site Request Forgery (CSRF)
SNYK-JS-AXIOS-6032459
646 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ZOD-5925617
646 Proof of Concept
high severity Cross-site Request Forgery (CSRF)
SNYK-JS-AXIOS-6032459
646 Proof of Concept
high severity Prototype Pollution
SNYK-JS-AXIOS-6144788
646 No Known Exploit
high severity Server-side Request Forgery (SSRF)
SNYK-JS-AXIOS-7361793
646 Proof of Concept
high severity Uncaught Exception
SNYK-JS-ENGINEIO-5496331
646 No Known Exploit
high severity Improper Input Validation
SNYK-JS-FOLLOWREDIRECTS-6141137
646 Proof of Concept
medium severity Information Exposure
SNYK-JS-FOLLOWREDIRECTS-6444610
646 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-AXIOS-6124857
646 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-AXIOS-6124857
646 Proof of Concept
medium severity Open Redirect
SNYK-JS-EXPRESS-6474509
646 No Known Exploit
Release notes
Package name: @fastify/cors from @fastify/cors GitHub release notes
Package name: ws
  • 8.18.0 - 2024-07-03

    Features

    • Added support for Blob (#2229).
  • 8.17.1 - 2024-06-16

    Bug fixes

    • Fixed a DoS vulnerability (#2231).

    A request with a number of headers exceeding theserver.maxHeadersCount
    threshold could be used to crash a ws server.

    const http = require('http');
    const WebSocket = require('ws');

    const wss = new WebSocket.Server({ port: 0 }, function () {
    const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
    const headers = {};
    let count = 0;

    for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    <span class="pl-k">for</span> <span class="pl-kos">(</span><span class="pl-k">let</span> <span class="pl-s1">j</span> <span class="pl-c1">=</span> <span class="pl-c1">0</span><span class="pl-kos">;</span> <span class="pl-s1">j</span> <span class="pl-c1">&lt;</span> <span class="pl-s1">chars</span><span class="pl-kos">.</span><span class="pl-c1">length</span><span class="pl-kos">;</span> <span class="pl-s1">j</span><span class="pl-c1">++</span><span class="pl-kos">)</span> <span class="pl-kos">{</span>
      <span class="pl-k">const</span> <span class="pl-s1">key</span> <span class="pl-c1">=</span> <span class="pl-s1">chars</span><span class="pl-kos">[</span><span class="pl-s1">i</span><span class="pl-kos">]</span> <span class="pl-c1">+</span> <span class="pl-s1">chars</span><span class="pl-kos">[</span><span class="pl-s1">j</span><span class="pl-kos">]</span><span class="pl-kos">;</span>
      <span class="pl-s1">headers</span><span class="pl-kos">[</span><span class="pl-s1">key</span><span class="pl-kos">]</span> <span class="pl-c1">=</span> <span class="pl-s">'x'</span><span class="pl-kos">;</span>
    
      <span class="pl-k">if</span> <span class="pl-kos">(</span><span class="pl-c1">++</span><span class="pl-s1">count</span> <span class="pl-c1">===</span> <span class="pl-c1">2000</span><span class="pl-kos">)</span> <span class="pl-k">break</span><span class="pl-kos">;</span>
    <span class="pl-kos">}</span>
    

    }

    headers.Connection = 'Upgrade';
    headers.Upgrade = 'websocket';
    headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
    headers['Sec-WebSocket-Version'] = '13';

    const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
    });

    request.end();
    });

    The vulnerability was reported by Ryan LaPointe in #2230.

    In vulnerable versions of ws, the issue can be mitigated in the following ways:

    1. Reduce the maximum allowed length of the request headers using the
      --max-http-header-size=size and/or the maxHeaderSize options so
      that no more headers than the server.maxHeadersCount limit can be sent.
    2. Set server.maxHeadersCount to 0 so that no limit is applied.
  • 8.17.0 - 2024-04-28

    Features

    • The WebSocket constructor now accepts the createConnection option (#2219).

    Other notable changes

    • The default value of the allowSynchronousEvents option has been changed to
      true (#2221).

    This is a breaking change in a patch release. The assumption is that the option
    is not widely used.

  • 8.16.0 - 2023-12-26

    Features

    • Added the autoPong option (01ba54e).
  • 8.15.1 - 2023-12-12

    Notable changes

    • The allowMultipleEventsPerMicrotask option has been renamed to
      allowSynchronousEvents (4ed7fe5).

    This is a breaking change in a patch release that could have been avoided with
    an alias, but the renamed option was added only 3 days ago, so hopefully it
    hasn't already been widely used.

  • 8.15.0 - 2023-12-09

    Features

    • Added the allowMultipleEventsPerMicrotask option (93e3552).
  • 8.14.2 - 2023-09-19

    Bug fixes

    • Fixed an issue that allowed errors thrown by failed assertions to be
      swallowed when running tests (7f4e1a7).
  • 8.14.1 - 2023-09-08
  • 8.14.0 - 2023-09-06
  • 8.13.0 - 2023-03-10
from ws GitHub release notes
Package name: @googlemaps/google-maps-services-js
  • 3.4.0 - 2024-04-09

    3.4.0 (2024-04-09)

    Features

    • Added Address Descriptors to Geocoding response. (#1187) (47db368)
  • 3.3.42 - 2023-12-12

    3.3.42 (2023-12-12)

    Build System

    • deps-dev: bump @ babel/traverse from 7.23.0 to 7.23.2 (#1058) (820544c)
    • deps-dev: bump @ types/jest from 29.5.5 to 29.5.7 (#1070) (8a4ec75)
    • deps-dev: bump @ types/jest from 29.5.7 to 29.5.10 (#1092) (d2b74f1)
    • deps-dev: bump @ types/node from 20.10.0 to 20.10.3 (#1102) (e6cd0e7)
    • deps-dev: bump @ types/node from 20.10.3 to 20.10.4 (#1111) (374b7b6)
    • deps-dev: bump @ types/node from 20.8.4 to 20.8.6 (#1056) (917c616)
    • deps-dev: bump @ types/node from 20.8.6 to 20.8.7 (#1059) (d2ed837)
    • deps-dev: bump @ types/node from 20.8.7 to 20.9.0 (#1080) (3c7cfda)
    • deps-dev: bump @ types/node from 20.9.0 to 20.9.2 (#1087) (d5d5521)
    • deps-dev: bump @ types/node from 20.9.2 to 20.10.0 (#1096) (40030b0)
    • deps-dev: bump @ typescript-eslint/eslint-plugin (#1055) (f1674df)
    • deps-dev: bump @ typescript-eslint/eslint-plugin (#1062) (dbf243b)
    • deps-dev: bump @ typescript-eslint/eslint-plugin (#1071) (b36384e)
    • deps-dev: bump @ typescript-eslint/eslint-plugin (#1073) (4e7ac73)
    • deps-dev: bump @ typescript-eslint/eslint-plugin (#1085) (80697e6)
    • deps-dev: bump @ typescript-eslint/eslint-plugin (#1088) (de1a052)
    • deps-dev: bump @ typescript-eslint/eslint-plugin (#1108) (3701d7e)
    • deps-dev: bump @ typescript-eslint/parser from 6.10.0 to 6.11.0 (#1084) (3e8bcdd)
    • deps-dev: bump @ typescript-eslint/parser from 6.11.0 to 6.12.0 (#1089) (895dbd3)
    • deps-dev: bump @ typescript-eslint/parser from 6.12.0 to 6.13.0 (#1095) (1c42682)
    • deps-dev: bump @ typescript-eslint/parser from 6.13.0 to 6.13.2 (#1103) (b8f1741)
    • deps-dev: bump @ typescript-eslint/parser from 6.7.5 to 6.8.0 (#1057) (1aa5649)
    • deps-dev: bump @ typescript-eslint/parser from 6.8.0 to 6.9.0 (#1063) (4dee296)
    • deps-dev: bump @ typescript-eslint/parser from 6.9.0 to 6.9.1 (#1069) (bd98de5)
    • deps-dev: bump @ typescript-eslint/parser from 6.9.1 to 6.10.0 (#1075) (781ce3e)
    • deps-dev: bump eslint from 8.51.0 to 8.52.0 (#1060) (8f7eb83)
    • deps-dev: bump eslint from 8.52.0 to 8.53.0 (#1077) (36e67f0)
    • deps-dev: bump eslint from 8.53.0 to 8.54.0 (#1090) (67c0e48)
    • deps-dev: bump eslint from 8.54.0 to 8.55.0 (#1101) (56f5d88)
    • deps-dev: bump eslint-config-prettier from 9.0.0 to 9.1.0 (#1099) (4b6f1ae)
    • deps-dev: bump eslint-plugin-jest from 27.4.2 to 27.4.3 (#1061) (e5c37be)
    • deps-dev: bump eslint-plugin-jest from 27.4.3 to 27.6.0 (#1076) (28624ad)
    • deps-dev: bump nock from 13.3.4 to 13.3.7 (#1068) (1a780bc)
    • deps-dev: bump nock from 13.3.7 to 13.3.8 (#1074) (f1bee09)
    • deps-dev: bump nock from 13.3.8 to 13.4.0 (#1094) (04ce099)
    • deps-dev: bump prettier from 3.0.3 to 3.1.0 (#1082) (3c472fd)
    • deps-dev: bump prettier from 3.1.0 to 3.1.1 (#1109) (785ff4a)
    • deps-dev: bump typedoc from 0.25.2 to 0.25.3 (#1067) (eecbe98)
    • deps-dev: bump typedoc from 0.25.3 to 0.25.4 (#1093) (cf24d22)
    • deps-dev: bump typescript from 5.2.2 to 5.3.2 (#1097) (9212502)
    • deps-dev: bump typescript from 5.3.2 to 5.3.3 (#1112) (eedf7b0)
    • deps: bump @ googlemaps/url-signature from 1.0.29 to 1.0.30 (#1110) (4400a37)
    • deps: bump axios from 1.5.1 to 1.6.0 (#1079) (c5e3c9a)
    • deps: bump axios from 1.6.0 to 1.6.1 (#1081) (392a38b)
    • deps: bump axios from 1.6.1 to 1.6.2 (#1091) (031213f)
    • deps: bump crypto-js from 4.1.1 to 4.2.0 (#1066) (51383bf)

    Miscellaneous Chores

    Tests

  • 3.3.41 - 2023-10-10

    3.3.41 (2023-10-10)

    Bug Fixes

    • add tests to prevent updating to esm-only dependencies (

Snyk has created this PR to upgrade:
  - @fastify/cors from 8.2.1 to 8.5.0.
    See this package in npm: https://www.npmjs.com/package/@fastify/cors
  - ws from 8.13.0 to 8.18.0.
    See this package in npm: https://www.npmjs.com/package/ws
  - @googlemaps/google-maps-services-js from 3.3.28 to 3.4.0.
    See this package in npm: https://www.npmjs.com/package/@googlemaps/google-maps-services-js
  - @prisma/client from 4.12.0 to 4.16.2.
    See this package in npm: https://www.npmjs.com/package/@prisma/client
  - axios from 1.3.4 to 1.7.5.
    See this package in npm: https://www.npmjs.com/package/axios
  - express from 4.18.2 to 4.19.2.
    See this package in npm: https://www.npmjs.com/package/express
  - fastify from 4.15.0 to 4.28.1.
    See this package in npm: https://www.npmjs.com/package/fastify
  - geolib from 3.3.3 to 3.3.4.
    See this package in npm: https://www.npmjs.com/package/geolib
  - jsonwebtoken from 9.0.0 to 9.0.2.
    See this package in npm: https://www.npmjs.com/package/jsonwebtoken
  - prisma from 4.12.0 to 4.16.2.
    See this package in npm: https://www.npmjs.com/package/prisma
  - socket.io from 4.6.1 to 4.7.5.
    See this package in npm: https://www.npmjs.com/package/socket.io
  - tsx from 3.12.6 to 3.14.0.
    See this package in npm: https://www.npmjs.com/package/tsx
  - zod from 3.21.4 to 3.23.8.
    See this package in npm: https://www.npmjs.com/package/zod

See this project in Snyk:
https://app.snyk.io/org/guilherme-joviniano/project/6861592c-8858-4cff-a938-3713fd0bf06e?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants