Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.3 #339

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

mikolajroszak
Copy link
Owner

snyk-top-banner

Snyk has created this PR to upgrade @slack/webhook from 5.0.4 to 7.0.3.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

  • The recommended version is 6 versions ahead of your current version.

  • The recommended version was released on 2 months ago.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Improper Input Validation
SNYK-JS-FOLLOWREDIRECTS-6141137
586 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-AXIOS-1579269
586 Proof of Concept
high severity Cross-site Request Forgery (CSRF)
SNYK-JS-AXIOS-6032459
586 Proof of Concept
medium severity Information Exposure
SNYK-JS-FOLLOWREDIRECTS-2332181
586 Proof of Concept
medium severity Information Exposure
SNYK-JS-FOLLOWREDIRECTS-6444610
586 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-AXIOS-6124857
586 Proof of Concept
low severity Information Exposure
SNYK-JS-FOLLOWREDIRECTS-2396346
586 No Known Exploit
Release notes
Package name: @slack/webhook
  • 7.0.3 - 2024-08-15
  • 7.0.2 - 2024-01-02
  • 7.0.1 - 2023-10-30
  • 7.0.0 - 2023-10-04
  • 6.1.0 - 2022-01-12
  • 6.0.0 - 2021-01-12
  • 5.0.4 - 2021-01-05
from @slack/webhook GitHub release notes

Important

  • Warning: This PR contains a major version upgrade, and may be a breaking change.
  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade @slack/webhook from 5.0.4 to 7.0.3.

See this package in npm:
@slack/webhook

See this project in Snyk:
https://app.snyk.io/org/mikolaj-roszak/project/89fafb7b-1110-4112-b075-f376a919f601?utm_source=github&utm_medium=referral&page=upgrade-pr
Copy link

cloudflare-workers-and-pages bot commented Oct 24, 2024

Deploying snyk-1 with  Cloudflare Pages  Cloudflare Pages

Latest commit: b3818a4
Status:🚫  Build failed.

View logs

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Weak input validation (Detected by phrase)

Matched on "Improper Input Validation"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Helpful references

Micro-Learning Topic: Cross-site request forgery (Detected by phrase)

Matched on "Cross-site Request Forgery"

What is this? (2min video)

Session-related but not session-based, this attack is based on the ability of an attacker to force an action on a user’s browser (commonly in the form of a POST request) to perform an unauthorized action on behalf of the user. This can often occur without the user even noticing it… or only noticing when it is too late. The root cause is that browsers automatically send session cookies with all requests to a given domain, regardless of where the source of the request came from, and the application server cannot differentiate between a request that came from pages it served or a request that came from an unrelated page.

Try a challenge in Secure Code Warrior

Helpful references

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Information disclosure (Detected by phrase)

Matched on "Information Exposure"

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Copy link

New dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@octokit/[email protected] Transitive: network +18 3.74 MB octokitbot
npm/@pagerduty/[email protected] Transitive: network +4 399 kB bzmwillemsen
npm/@slack/[email protected] Transitive: environment, filesystem, network +12 5.09 MB e-zim
npm/[email protected] None 0 60.7 MB typescript-bot

View full report↗︎

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants