Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 10 vulnerabilities #79

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

JEStaubach
Copy link
Collaborator

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
critical severity 786/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 9.3
Incomplete List of Disallowed Inputs
SNYK-JS-BABELTRAVERSE-5962462
No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-HTTPCACHESEMANTICS-3248783
Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905
No Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2
Command Injection
SNYK-JS-LODASH-1040724
No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-450202
No Proof of Concept
high severity 731/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.2
Prototype Pollution
SNYK-JS-LODASH-567746
No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-LODASH-608086
No Proof of Concept
medium severity 539/1000
Why? Has a fix available, CVSS 6.5
Information Exposure
SNYK-JS-NODEFETCH-2342118
Yes No Known Exploit
medium severity 520/1000
Why? Has a fix available, CVSS 5.9
Denial of Service
SNYK-JS-NODEFETCH-674311
Yes No Known Exploit
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:debug:20170905
No Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: apollo The new version differs by 250 commits.
  • ad937df Release
  • a02582a Automate publishing via Git tag triggered CircleCI workflow. (#1501)
  • 6adc2a3 chore(deps): update dependency symlink-dir to v3.1.1 (#1511)
  • bb5722f chore(deps): update dependency @ babel/types to v7.6.1 (#1507)
  • 3899b4e chore(deps): update dependency @ types/lodash to v4.14.138 (#1496)
  • 5dde0b7 Stop pinning Lerna to pre v3.14.0. (#1505)
  • 36955b8 Update codegen types (#1506)
  • b7cf55e Update maintainers
  • 30ad29d service:check add null check for validation config (#1471)
  • eedce0f chore(deps): update dependency @ types/node to v8.10.52 (#1486)
  • b94846d chore(deps): update dependency jest-environment-node to v24.9.0 (#1477)
  • 49eed6d chore(deps): update dependency @ oclif/command to v1.5.18 (#1423)
  • 9ca3bdb chore(deps): update dependency @ types/jest to v24.0.18 (#1485)
  • 58266ed Shorten client:check and service:check output in CI (#1404)
  • 8456f71 update changelog with release
  • d15f97d Publish
  • 205987d Add client schema support to vscode extension (#1433)
  • 605610e upodate changelog with file extension
  • b514738 Feat/file extension (#1130)
  • cb0b782 chore(deps): update dependency jest to v24.9.0 (#1467)
  • f17a53b chore(deps): update dependency jest-matcher-utils to v24.9.0 (#1478)
  • 02e8c71 chore(deps): update dependency @ oclif/plugin-help to v2.2.1 (#1473)
  • cb08da0 chore(deps): update dependency @ oclif/config to v1.13.3 (#1476)
  • 320656c chore(deps): update dependency @ oclif/plugin-not-found to v1.2.3 (#1474)

See the full diff

Package name: apollo-datasource The new version differs by 250 commits.
  • 36ecbb1 Release
  • a640e91 Finalizing docs fixes, rework CHANGELOG entries
  • 9387cba Update caching docs (#6547)
  • b6fda1b Add changelog entry
  • 549070e Reinstate bounded documentStore (#6548)
  • ac8f9bf Warn on unconfigured `cache` (#6545)
  • 999adf5 Remove caching packages (#6541)
  • f66fddc Add `cache: "bounded"` configuration option (#6536)
  • 67d9036 Implement simple `UnboundedCache` (#6535)
  • 29bb2f7 Use new `KeyValueCache` and friends from `@ apollo/utils.keyvaluecache` (#6522)
  • 5bd3d69 chore(deps): update dependency nock to v13.2.7 (#6574)
  • 6cc2c28 chore(deps): update dependency @ types/express-serve-static-core to v4.17.29 (#6570)
  • 76675b6 chore(deps): update dependency prettier to v2.7.0 (#6568)
  • 0050495 chore(deps): update all non-major dependencies (#6565)
  • 54416e2 fix: add missing await to catch errors thrown in parsingDidEnd() (#6559)
  • e0bc3ca Fix mistake in docs (#6560)
  • 482f0d7 chore(deps): update all non-major dependencies (#6561)
  • 30a2231 chore(deps): update dependency @ types/aws-lambda to v8.10.100 (#6557)
  • 72f663e Fix typo about request/response (#6540)
  • ea8578c renovate: we are not upgrading Fastify in AS3
  • ad8555c chore(deps): update dependency @ types/aws-lambda to v8.10.99 (#6539)
  • 12f0f6d chore(deps): update all non-major dependencies (#6533)
  • bdd9153 Update @ apollo/federation -> @ apollo/subgraph (#6538)
  • 6a5242a chore(deps): update all non-major dependencies (#6531)

See the full diff

Package name: apollo-datasource-rest The new version differs by 250 commits.
  • c8ebdc7 Release
  • ade3a0f Update CHANGELOG before publish
  • 8838d4a chore(deps): update dependency @ types/async-retry to v1.4.5 (#6833)
  • 8cc8437 Rename property for RESTDataSource (#6834)
  • 3b017c6 [apollo-datasource-rest] Add option to disable GET cache (#6650)
  • 1bd0d0b chore(deps): update all non-major dependencies (#6832)
  • 9389da7 chore(deps): update dependency @ types/lodash to v4.14.183 (#6821)
  • efeb74b chore(deps): update all non-major dependencies (#6811)
  • f678cc3 renovate.json5: fix spell check
  • 7983343 renovate: add comments
  • 96b917b renovate: pin gateway versions
  • bf2346e chore(deps): update dependency rollup to v2.77.3 (#6796)
  • fd07f45 chore(deps): update all non-major dependencies (#6793)
  • e6097d6 Release
  • 68a439b Merge pull request from GHSA-2fvv-qxrq-7jq6
  • 27ded2a chore(deps): update dependency @ types/aws-lambda to v8.10.102 (#6790)
  • d171c05 renovate: pin @ graphql-tools/schema to v8 for AS3
  • 8353514 chore(deps): update all non-major dependencies to v8.7.2 (#6782)
  • 3f218e7 chore(deps): update dependency @ graphql-codegen/typescript-operations to v2.5.3 (#6773)
  • 1058a13 chore(deps): update dependency @ rollup/plugin-commonjs to v22.0.2 (#6769)
  • 6140880 Usage reporting: fix TS declaration of fieldLevelInstrumentation (#6763)
  • bd49975 Update error message when graph ref and variant are specified (#6709)
  • 10bc167 chore(deps): update all non-major dependencies (#6743)
  • 3bfe4e5 chore(deps): update dependency rollup to v2.77.2 (#6739)

See the full diff

Package name: apollo-server The new version differs by 250 commits.

See the full diff

Package name: babel-eslint The new version differs by 6 commits.
  • 4bd049e 10.1.0
  • 2c754a8 Update Babel to ^7.7.0 and enable Flow enums parsing (#812)
  • 183d13e 10.0.3
  • 354953d fix: require eslint dependencies from eslint base (#794)
  • 48f6d78 10.0.2
  • 0241b48 removed unused file reference (#773)

See the full diff

Package name: datasource-sql The new version differs by 34 commits.

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Command Injection
🦉 Prototype Pollution

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants