[Snyk] Fix for 2 vulnerabilities #386
Merged
elnyry-sam-k merged 1 commit into master from snyk-fix-fc0f47a92f1c7b18d208f29f962a71f6 on Jan 15, 2021
Conversation
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
- https://snyk.io/vuln/SNYK-JS-LODASH-590103
elnyry-sam-k approved these changes on Jan 15, 2021
Hey @elnyry-sam-k I don't think we should have merged this... CI/CD was failing
gibaros added a commit that referenced this pull request on Jan 22, 2021
kleyow added a commit that referenced this pull request on Feb 22, 2021
* Updated versions for error-handler, etc... (#342)
* Bugfix/send request span finishing before function completed (#352)
* Initial Commit.
* Upload domain/participant test.
* Upload domain/participant test.
* fixes for getParticipantsByTypeId test failing. now functioning properly removed validator file as it isn't used may be required in MSISDN oracle as it validated mobile number formats
* Checking in testing code.
* removal of vscode config
* updated gitignore
* fixes for stubbing issues
* fix for bug mojaloop/project#797 Fixes for sonarQube code sanity i.e. removing function names that aren't needed, changing let to const, reordering functions in file Changed unique constraint on oracleEndpoint which is now working correctly
* fix for only retrieving default entries return undefined for currency when it is not available
* fix for returning null for valid oracle lookup
* correct database port
* removal of isOracle for header validation
* fix for incorrect endpoint being requested for callback response
* updated with pre-commit to manage dependencies
* Updated versions of ALS dependencies and updated standard changes
* incorrect port for database being set
* Fix for bug: mojaloop/project#1412 Updated dependencies
* revert port change
* fixes for incorrect span used and fspiop error not set. Fixes removed await for participants requests
  Co-authored-by: Henk Kodde <[email protected]>
* Updated api_swagger.json as per version 1.1 of the FSPIOP spec and re… (#348)
* Updated api_swagger.json as per version 1.1 of the FSPIOP spec and removed unused type definitions
* Updated audit decisions
* Updated audit decisions
* Update src/interface/api_swagger.json
  Co-authored-by: Sam <[email protected]>
* Fixed references to type definitions in api_swagger
* Bumped version number to 10.4.0
  Co-authored-by: Neal Donnan <[email protected]>
  Co-authored-by: Sam <[email protected]>
* Feature/validation for name place accents (#353)
* updated ALS to use new openapi-backend framework updated dependencies fix tests
* refactored to cater as per @lewisdaly suggestions
* Made changes to have completely different flows for API and Admin initialisation as per @lewisdaly
* fix audit issues from central-services-health
* Updated python in Circle CI (#357)
* Initial Commit.
* Upload domain/participant test.
* Upload domain/participant test.
* fixes for getParticipantsByTypeId test failing. now functioning properly removed validator file as it isn't used may be required in MSISDN oracle as it validated mobile number formats
* Checking in testing code.
* removal of vscode config
* updated gitignore
* fixes for stubbing issues
* fix for bug mojaloop/project#797 Fixes for sonarQube code sanity i.e. removing function names that aren't needed, changing let to const, reordering functions in file Changed unique constraint on oracleEndpoint which is now working correctly
* fix for only retrieving default entries return undefined for currency when it is not available
* fix for returning null for valid oracle lookup
* correct database port
* removal of isOracle for header validation
* fix for incorrect endpoint being requested for callback response
* updated with pre-commit to manage dependencies
* Updated versions of ALS dependencies and updated standard changes
* incorrect port for database being set
* updated ALS to use new openapi-backend framework updated dependencies fix tests
* refactored to cater as per @lewisdaly suggestions
* Made changes to have completely different flows for API and Admin initialisation as per @lewisdaly
* fix audit issues from central-services-health
* Changes: Updated python in circle CI
  Co-authored-by: Henk Kodde <[email protected]>
* Updated dependencies for issue: mojaloop/project#1378 (#359)
* #1484: Update FSPIOP API version (#367)
* Update FSPIOP API version
* Resolve audit issues
* Update src/interface/admin_swagger.json
  Co-authored-by: Sam <[email protected]>
* Feature/updated shared library to cater for delete (#368)
* updated dependencies, added the delete payload fix
* Feature/updated openapi backend version (#369) updated version of central-services-shared to cater for the fix in openapi-backend library
* updated shared lib version to allow configurable resource versions (#370)
* updated shared lib version to allow configurable resource versions
* added example .env for resource versions
  Co-authored-by: Valentin <[email protected]>
* updated shared lib version (#371)
  Co-authored-by: Valentin <[email protected]>
* Updating dependencies for new helm release (#373)
* Initial Commit.
* Upload domain/participant test.
* Upload domain/participant test.
* fixes for getParticipantsByTypeId test failing. now functioning properly removed validator file as it isn't used may be required in MSISDN oracle as it validated mobile number formats
* Checking in testing code.
* removal of vscode config
* updated gitignore
* fixes for stubbing issues
* fix for bug mojaloop/project#797 Fixes for sonarQube code sanity i.e. removing function names that aren't needed, changing let to const, reordering functions in file Changed unique constraint on oracleEndpoint which is now working correctly
* fix for only retrieving default entries return undefined for currency when it is not available
* fix for returning null for valid oracle lookup
* correct database port
* removal of isOracle for header validation
* fix for incorrect endpoint being requested for callback response
* updated with pre-commit to manage dependencies
* Updated versions of ALS dependencies and updated standard changes
* incorrect port for database being set
* updated dependencies and version for new helm release
  Co-authored-by: Henk Kodde <[email protected]>
* feat(security): November security review (#374)
* chore(deps): update dependencies to latest versions
* chore(package): bump package to `11.1.3`
* Fix /documentation and /swagger.json endpoints (#375)
* Replace wildcard routes with explicit routes and fix API documentation endpoints (#376)
* #1885: Update API documentation (#379)
* Update API documentation
* Restore default configs
* Fix integration test.
* Fix audit
* Fix integration test config
* [Security] Bump node-notifier from 8.0.0 to 8.0.1 (#381) Bumps [node-notifier](https://github.com/mikaelbr/node-notifier) from 8.0.0 to 8.0.1. **This update includes a security fix.**
  - [Release notes](https://github.com/mikaelbr/node-notifier/releases)
  - [Changelog](https://github.com/mikaelbr/node-notifier/blob/v8.0.1/CHANGELOG.md)
  - [Commits](mikaelbr/node-notifier@v8.0.0...v8.0.1)
  Signed-off-by: dependabot-preview[bot] <[email protected]>
  Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
* chore: update license file (#377)
  Co-authored-by: Sam <[email protected]>
* fix: package.json & package-lock.json to reduce vulnerabilities (#386) The following vulnerabilities are fixed with an upgrade:
  - https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
  - https://snyk.io/vuln/SNYK-JS-LODASH-590103
* chore: fix broken links in readme (#387)
* Revert "fix: package.json & package-lock.json to reduce vulnerabilities (#386)" (#388) This reverts commit 9eccdf5.
* Add codeowners for the core repo (#390)
* feat(ci/cd): add pr title check (#395)
* feat: allow multiple fsps per msisdn, instead of sending request for first party (#385)
* MultipleDfspPerMsisdn: Instead of sending request for first party only, iterate partyList and send request for each party on the list. Also update dep and devDep versions minus central-service-health which breaks the unit tests
* feature/multipledfspspermsisdn: Bump versions to latest except central-services-health that if bumped to next version 11.0.0 breaks unit tests per mojaloop issue 1987
  Co-authored-by: Sam <[email protected]>
* fix: proper status code for health check (#396)
* fix: Core handler services that have a dependency on central-services-database are not loading all tables on startup #816 fix for mojaloop/project#1888. Fix issue by changing all `Db.<table>.*` syntax function operations to `Db.from('<table>').*`. The issue was caused by the central-services-database Database class on Db.connect() loading all tables via an SQL request, and creating a Class property (`Db.<table>`) to reference the Table object. The issue here being that the query to fetch all the tables from the database does not return all tables (to be investigated in future). `Db.from('<table>').*` ensures that the table object is created properly.
* chore: fix circleci

Co-authored-by: Adrian Enns <[email protected]>
Co-authored-by: Rajiv Mothilal <[email protected]>
Co-authored-by: Henk Kodde <[email protected]>
Co-authored-by: ndonnan <[email protected]>
Co-authored-by: Neal Donnan <[email protected]>
Co-authored-by: Sam <[email protected]>
Co-authored-by: Steven Oderayi <[email protected]>
Co-authored-by: Sam <[email protected]>
Co-authored-by: Valentin Genev <[email protected]>
Co-authored-by: Valentin <[email protected]>
Co-authored-by: Lewis Daly <[email protected]>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Juan Correa <[email protected]>
Co-authored-by: shashi165 <[email protected]>
Co-authored-by: vijayg10 <[email protected]>
kleyow added a commit that referenced this pull request on Feb 22, 2021
* Updated versions for error-handler, etc... (#342)
* Bugfix/send request span finishing before function completed (#352)
* Initial Commit.
* Upload domain/participant test.
* Upload domain/participant test.
* fixes for getParticipantsByTypeId test failing. now functioning properly removed validator file as it isn't used may be required in MSISDN oracle as it validated mobile number formats
* Checking in testing code.
* removal of vscode config
* updated gitignore
* fixes for stubbing issues
* fix for bug mojaloop/project#797 Fixes for sonarQube code sanity i.e. removing function names that aren't needed, changing let to const, reordering functions in file Changed unique constraint on oracleEndpoint which is now working correctly
* fix for only retrieving default entries return undefined for currency when it is not available
* fix for returning null for valid oracle lookup
* correct database port
* removal of isOracle for header validation
* fix for incorrect endpoint being requested for callback response
* updated with pre-commit to manage dependencies
* Updated versions of ALS dependencies and updated standard changes
* incorrect port for database being set
* Fix for bug: mojaloop/project#1412 Updated dependencies
* revert port change
* fixes for incorrect span used and fspiop error not set. Fixes removed await for participants requests
  Co-authored-by: Henk Kodde <[email protected]>
* Updated api_swagger.json as per version 1.1 of the FSPIOP spec and re… (#348)
* Updated api_swagger.json as per version 1.1 of the FSPIOP spec and removed unused type definitions
* Updated audit decisions
* Updated audit decisions
* Update src/interface/api_swagger.json
  Co-authored-by: Sam <[email protected]>
* Fixed references to type definitions in api_swagger
* Bumped version number to 10.4.0
  Co-authored-by: Neal Donnan <[email protected]>
  Co-authored-by: Sam <[email protected]>
* Feature/validation for name place accents (#353)
* updated ALS to use new openapi-backend framework updated dependencies fix tests
* refactored to cater as per @lewisdaly suggestions
* Made changes to have completely different flows for API and Admin initialisation as per @lewisdaly
* fix audit issues from central-services-health
* Updated python in Circle CI (#357)
* Initial Commit.
* Upload domain/participant test.
* Upload domain/participant test.
* fixes for getParticipantsByTypeId test failing. now functioning properly removed validator file as it isn't used may be required in MSISDN oracle as it validated mobile number formats
* Checking in testing code.
* removal of vscode config
* updated gitignore
* fixes for stubbing issues
* fix for bug mojaloop/project#797 Fixes for sonarQube code sanity i.e. removing function names that aren't needed, changing let to const, reordering functions in file Changed unique constraint on oracleEndpoint which is now working correctly
* fix for only retrieving default entries return undefined for currency when it is not available
* fix for returning null for valid oracle lookup
* correct database port
* removal of isOracle for header validation
* fix for incorrect endpoint being requested for callback response
* updated with pre-commit to manage dependencies
* Updated versions of ALS dependencies and updated standard changes
* incorrect port for database being set
* updated ALS to use new openapi-backend framework updated dependencies fix tests
* refactored to cater as per @lewisdaly suggestions
* Made changes to have completely different flows for API and Admin initialisation as per @lewisdaly
* fix audit issues from central-services-health
* Changes: Updated python in circle CI
  Co-authored-by: Henk Kodde <[email protected]>
* Updated dependencies for issue: mojaloop/project#1378 (#359)
* #1484: Update FSPIOP API version (#367)
* Update FSPIOP API version
* Resolve audit issues
* Update src/interface/admin_swagger.json
  Co-authored-by: Sam <[email protected]>
* Feature/updated shared library to cater for delete (#368)
* updated dependencies, added the delete payload fix
* Feature/updated openapi backend version (#369) updated version of central-services-shared to cater for the fix in openapi-backend library
* updated shared lib version to allow configurable resource versions (#370)
* updated shared lib version to allow configurable resource versions
* added example .env for resource versions
  Co-authored-by: Valentin <[email protected]>
* updated shared lib version (#371)
  Co-authored-by: Valentin <[email protected]>
* Updating dependencies for new helm release (#373)
* Initial Commit.
* Upload domain/participant test.
* Upload domain/participant test.
* fixes for getParticipantsByTypeId test failing. now functioning properly removed validator file as it isn't used may be required in MSISDN oracle as it validated mobile number formats
* Checking in testing code.
* removal of vscode config
* updated gitignore
* fixes for stubbing issues
* fix for bug mojaloop/project#797 Fixes for sonarQube code sanity i.e. removing function names that aren't needed, changing let to const, reordering functions in file Changed unique constraint on oracleEndpoint which is now working correctly
* fix for only retrieving default entries return undefined for currency when it is not available
* fix for returning null for valid oracle lookup
* correct database port
* removal of isOracle for header validation
* fix for incorrect endpoint being requested for callback response
* updated with pre-commit to manage dependencies
* Updated versions of ALS dependencies and updated standard changes
* incorrect port for database being set
* updated dependencies and version for new helm release
  Co-authored-by: Henk Kodde <[email protected]>
* feat(security): November security review (#374)
* chore(deps): update dependencies to latest versions
* chore(package): bump package to `11.1.3`
* Fix /documentation and /swagger.json endpoints (#375)
* Replace wildcard routes with explicit routes and fix API documentation endpoints (#376)
* #1885: Update API documentation (#379)
* Update API documentation
* Restore default configs
* Fix integration test.
* Fix audit
* Fix integration test config
* [Security] Bump node-notifier from 8.0.0 to 8.0.1 (#381) Bumps [node-notifier](https://github.com/mikaelbr/node-notifier) from 8.0.0 to 8.0.1. **This update includes a security fix.**
  - [Release notes](https://github.com/mikaelbr/node-notifier/releases)
  - [Changelog](https://github.com/mikaelbr/node-notifier/blob/v8.0.1/CHANGELOG.md)
  - [Commits](mikaelbr/node-notifier@v8.0.0...v8.0.1)
  Signed-off-by: dependabot-preview[bot] <[email protected]>
  Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
* chore: update license file (#377)
  Co-authored-by: Sam <[email protected]>
* fix: package.json & package-lock.json to reduce vulnerabilities (#386) The following vulnerabilities are fixed with an upgrade:
  - https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
  - https://snyk.io/vuln/SNYK-JS-LODASH-590103
* chore: fix broken links in readme (#387)
* Revert "fix: package.json & package-lock.json to reduce vulnerabilities (#386)" (#388) This reverts commit 9eccdf5.
* Add codeowners for the core repo (#390)
* feat(ci/cd): add pr title check (#395)
* feat: allow multiple fsps per msisdn, instead of sending request for first party (#385)
* MultipleDfspPerMsisdn: Instead of sending request for first party only, iterate partyList and send request for each party on the list. Also update dep and devDep versions minus central-service-health which breaks the unit tests
* feature/multipledfspspermsisdn: Bump versions to latest except central-services-health that if bumped to next version 11.0.0 breaks unit tests per mojaloop issue 1987
  Co-authored-by: Sam <[email protected]>
* fix: proper status code for health check (#396)
* fix: Core handler services that have a dependency on central-services-database are not loading all tables on startup #816 fix for mojaloop/project#1888. Fix issue by changing all `Db.<table>.*` syntax function operations to `Db.from('<table>').*`. The issue was caused by the central-services-database Database class on Db.connect() loading all tables via an SQL request, and creating a Class property (`Db.<table>`) to reference the Table object. The issue here being that the query to fetch all the tables from the database does not return all tables (to be investigated in future). `Db.from('<table>').*` ensures that the table object is created properly.

Co-authored-by: Adrian Enns <[email protected]>
Co-authored-by: Rajiv Mothilal <[email protected]>
Co-authored-by: Henk Kodde <[email protected]>
Co-authored-by: ndonnan <[email protected]>
Co-authored-by: Neal Donnan <[email protected]>
Co-authored-by: Sam <[email protected]>
Co-authored-by: Steven Oderayi <[email protected]>
Co-authored-by: Sam <[email protected]>
Co-authored-by: Valentin Genev <[email protected]>
Co-authored-by: Valentin <[email protected]>
Co-authored-by: Lewis Daly <[email protected]>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Juan Correa <[email protected]>
Co-authored-by: shashi165 <[email protected]>
Co-authored-by: vijayg10 <[email protected]>
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR

Vulnerabilities that will be fixed with an upgrade:

| Issue | Why? |
| --- | --- |
| SNYK-JS-AXIOS-1038255 | Proof of Concept exploit, Has a fix available, CVSS 5.9 |
| SNYK-JS-LODASH-590103 | Has a fix available, CVSS 9.8 |

(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: @mojaloop/central-services-shared
The new version differs by 4 commits. See the full diff
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic