New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 6 vulnerabilities #8

Open

iliutastoica wants to merge 1 commit into master from snyk-fix-7f842239378b35e563ed631c69cfa561

Owner

iliutastoica commented Oct 5, 2022

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	No	Proof of Concept
	344/1000 Why? Has a fix available, CVSS 2.6	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKDOWNIT-2331914	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKDOWNIT-459438	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: axios

The new version differs by 250 commits.

e367be5 [Releasing] 0.21.3
83ae383 Correctly add response interceptors to interceptor chain (#4013)
c0c8761 [Updating] changelog to include links to issues and contributors
619bb46 [Releasing] v0.21.2
82c9455 Create SECURITY.md (#3981)
5b45711 Security fix for ReDoS (#3980)
5bc9ea2 Update ECOSYSTEM.md (#3817)
e72813a Fixing README.md (#3818)
e10a027 Fix README typo under Request Config (#3825)
e091491 Update README.md (#3936)
b42fbad Removed un-needed bracket
520c8dc Updating CI status badge (#3953)
4fbeecb Adding CI on Github Actions. (#3938)
e9965bf Fixing the sauce labs tests (#3813)
dbc634c Remove charset in tests (#3807)
3958e9f Add explanation of cancel token (#3803)
69949a6 Adding custom return type support to interceptor (#3783)
49509f6 Create FUNDING.yml (#3796)
199c8aa Adding parseInt to config.timeout (#3781)
94fc4ea Adding isAxiosError typeguard documentation (#3767)
0ece97c Fixing quadratic runtime when setting a maxContentLength (#3738)
a18a0ec Updating `lib/core/README.md` about Dispatching requests (#3772)
59fa614 [Updated] follow-redirects to the latest version (#3771)
7821ed2 Feat/json improvements (#3763)

See the full diff

Package name: jstransformer-markdown-it

The new version differs by 21 commits.

fe1c279 Update to markdown-it @^13.0.1
b1c9f19 Merge pull request #32 from shakeelmohamed/vuln/CVE-2022-21670
52e7cca Upgrade markdown-it to 12.3.2
9695ecb Goodbye Greenkeeper 👋 (#29)
a5679ec Update Boilerplate
8c3d5e0 update markdown-it
cc57e8b Merge pull request #58 from jstransformers/boilerplate/node-12
cd40bce boilerplate: Add Node.js 12 testing
068e3d3 Merge pull request #57 from jstransformers/boilerplate/node-7-deprecate
8abb790 boilerplate: Remove testing of Node.js 7
2ecbb00 Merge pull request #54 from jstransformers/codecov
900829e Merge pull request #55 from jstransformers/travis-node-11
dbb903a travis: Add Node.js 11
45ee51d boilerplate: Remove CodeCoverage
3719e69 travis: Remove Node 6
94efdbc Merge pull request #22 from jstransformers/eslint-update
ccdefec Fix eslint styling
17559e9 Merge branch 'master' of github.com:jstransformers/boilerplate
1e218bd Merge pull request #52 from jstransformers/travis-node-4
2ec8b9a boilerplate: Add Node.js 10 to Travis testing
3dbf0c8 boilerplate: Remove Travis testing of Node.js 4

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn


          fix: package.json to reduce vulnerabilities

a6401ac

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
- https://snyk.io/vuln/SNYK-JS-AXIOS-1579269
- https://snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-2332181
- https://snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-2396346
- https://snyk.io/vuln/SNYK-JS-MARKDOWNIT-2331914
- https://snyk.io/vuln/SNYK-JS-MARKDOWNIT-459438

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet