From ccf15eb4681f031baf328fe232cedcb85bb3fc74 Mon Sep 17 00:00:00 2001 From: Sam Stefan Date: Fri, 29 Apr 2022 13:24:17 +0100 Subject: [PATCH] fix: security vulnerability CVE-2021-3765 in validator.js (#63) This is to fix the security vulnerability CVE-2021-3765 in validator.js < 13.7.0 https://github.com/advisories/GHSA-qgmg-gppg-76g5 I've also fixed sequelize-typescript at version 2.1.2 as 2.1.3 is not compatible with sequelize 6.10.0 due to this change https://github.com/RobinBuschmann/sequelize-typescript/pull/1202 --- package.json | 12 +++---- yarn.lock | 89 +++++++++++++++++++++++++++++++--------------------- 2 files changed, 59 insertions(+), 42 deletions(-) diff --git a/package.json b/package.json index b70cb5ac..c36f9092 100644 --- a/package.json +++ b/package.json @@ -21,28 +21,28 @@ "@types/validator": "^13.1.3", "@typescript-eslint/eslint-plugin": "^3.1.0", "@typescript-eslint/parser": "^3.1.0", + "casbin": "<=5.9.0 || >5.9.1", "coveralls": "^3.1.0", - "npm-run-all": "^4.1.5", - "rimraf": "^3.0.2", "eslint": "^7.2.0", "eslint-config-prettier": "^6.11.0", "husky": "^4.2.5", "jest": "^26.0.1", "lint-staged": "^10.2.9", "mysql2": "^2.1.0", + "npm-run-all": "^4.1.5", "prettier": "^2.0.5", + "rimraf": "^3.0.2", "ts-jest": "^26.1.0", "tslint": "^6.1.2", - "typescript": "^3.9.5", - "casbin": "<=5.9.0 || >5.9.1" + "typescript": "^3.9.5" }, "peerDependencies": { "casbin": "<=5.9.0 || >5.9.1" }, "dependencies": { "reflect-metadata": "^0.1.13", - "sequelize": "6.6.2", - "sequelize-typescript": "^2.1.0" + "sequelize": "6.10.0", + "sequelize-typescript": "2.1.2" }, "files": [ "lib", diff --git a/yarn.lock b/yarn.lock index cf5ab6db..c44418c9 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1137,16 +1137,15 @@ capture-exit@^2.0.0: dependencies: rsvp "^4.8.4" -casbin@^5.0.3: - version "5.6.0" - resolved "https://registry.npmjs.org/casbin/-/casbin-5.6.0.tgz#5bee4a23f60cda00c0748773163283a8efebe470" - integrity sha512-HfahsZgDSnYqT1MjTrYNtH4ll94sfMcZgrNZB5d3vwfffEYgdaPj8POSja9xMrB03APAtSkxh1fx63aELaoZFg== +"casbin@<=5.9.0 || >5.9.1": + version "5.15.1" + resolved "https://registry.yarnpkg.com/casbin/-/casbin-5.15.1.tgz#c46945eb0390737fcdee3bbd38a895b63c95782a" + integrity sha512-QkoJxel+kowIIwlIM1+zi7sCKmanyaYPevlOLmzSLE3CzWX6EZxNHIkTRkeOkYY7WDDaagOzJVz/1NcyyOsOxA== dependencies: await-lock "^2.0.1" csv-parse "^4.15.3" - expression-eval "^2.0.0" - ip "^1.1.5" - micromatch "^4.0.2" + expression-eval "^4.0.0" + picomatch "^2.2.3" caseless@~0.12.0: version "0.12.0" @@ -1813,10 +1812,10 @@ expect@^26.6.2: jest-message-util "^26.6.2" jest-regex-util "^26.0.0" -expression-eval@^2.0.0: - version "2.1.0" - resolved "https://registry.npmjs.org/expression-eval/-/expression-eval-2.1.0.tgz#422915caa46140a7c5b5f248650dea8bf8236e62" - integrity sha512-FUJO/Akvl/JOWkvlqZaqbkhsEWlCJWDeZG4tzX96UH68D9FeRgYgtb55C2qtqbORC0Q6x5419EDjWu4IT9kQfg== +expression-eval@^4.0.0: + version "4.0.0" + resolved "https://registry.yarnpkg.com/expression-eval/-/expression-eval-4.0.0.tgz#d6a07c93e8b33e635710419d4a595d9208b9cc5e" + integrity sha512-YHSnLTyIb9IKaho2IdQbvlei/pElxnGm48UgaXJ1Fe5au95Ck0R9ftm6rHJQuKw3FguZZ4eXVllJFFFc7LX0WQ== dependencies: jsep "^0.3.0" @@ -2073,7 +2072,19 @@ glob-parent@^5.0.0: dependencies: is-glob "^4.0.1" -glob@7.1.6, glob@^7.1.1, glob@^7.1.2, glob@^7.1.3, glob@^7.1.4, glob@^7.1.6: +glob@7.2.0: + version "7.2.0" + resolved "https://registry.yarnpkg.com/glob/-/glob-7.2.0.tgz#d15535af7732e02e948f4c41628bd910293f6023" + integrity sha512-lmLf6gtyrPq8tTjSmrO94wBeQbFR3HbLHbuyD69wuyQkImp2hWqMGB47OX65FBkPffO641IP9jWa1z4ivqG26Q== + dependencies: + fs.realpath "^1.0.0" + inflight "^1.0.4" + inherits "2" + minimatch "^3.0.4" + once "^1.3.0" + path-is-absolute "^1.0.0" + +glob@^7.1.1, glob@^7.1.2, glob@^7.1.3, glob@^7.1.4, glob@^7.1.6: version "7.1.6" resolved "https://registry.npmjs.org/glob/-/glob-7.1.6.tgz#141f33b81a7c2492e125594307480c46679278a6" integrity sha512-LwaxwyZ72Lk7vZINtNNrywX0ZuLyStrdDtabefZKAY5ZGJhVtgdznluResxNmPitE0SAO+O26sWTHeKSI2wMBA== @@ -2277,10 +2288,10 @@ indent-string@^4.0.0: resolved "https://registry.npmjs.org/indent-string/-/indent-string-4.0.0.tgz#624f8f4497d619b2d9768531d58f4122854d7251" integrity sha512-EdDDZu4A2OyIK7Lr/2zG+w5jmbuk1DVBnEwREQvBzspBJkCEbRa8GxU1lghYcaGJCnRWibjDXlq779X1/y5xwg== -inflection@1.12.0: - version "1.12.0" - resolved "https://registry.npmjs.org/inflection/-/inflection-1.12.0.tgz#a200935656d6f5f6bc4dc7502e1aecb703228416" - integrity sha1-ogCTVlbW9fa8TcdQLhrstwMihBY= +inflection@1.13.1: + version "1.13.1" + resolved "https://registry.yarnpkg.com/inflection/-/inflection-1.13.1.tgz#c5cadd80888a90cf84c2e96e340d7edc85d5f0cb" + integrity sha512-dldYtl2WlN0QDkIDtg8+xFwOS2Tbmp12t1cHa5/YClU6ZQjTFm7B66UcVbh9NQB+HvT5BAd2t5+yKsBkw5pcqA== inflight@^1.0.4: version "1.0.6" @@ -2295,11 +2306,6 @@ inherits@2: resolved "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz#0fa2c64f932917c3433a0ded55363aae37416b7c" integrity sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ== -ip@^1.1.5: - version "1.1.5" - resolved "https://registry.npmjs.org/ip/-/ip-1.1.5.tgz#bdded70114290828c0a039e72ef25f5aaec4354a" - integrity sha1-vd7XARQpCCjAoDnnLvJfWq7ENUo= - is-accessor-descriptor@^0.1.6: version "0.1.6" resolved "https://registry.npmjs.org/is-accessor-descriptor/-/is-accessor-descriptor-0.1.6.tgz#a9e12cb3ae8d876727eeef3843f8a0897b5c98d6" @@ -3776,11 +3782,21 @@ performance-now@^2.1.0: resolved "https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz#6309f4e0e5fa913ec1c69307ae364b4b377c9e7b" integrity sha1-Ywn04OX6kT7BxpMHrjZLSzd8nns= +pg-connection-string@^2.5.0: + version "2.5.0" + resolved "https://registry.yarnpkg.com/pg-connection-string/-/pg-connection-string-2.5.0.tgz#538cadd0f7e603fc09a12590f3b8a452c2c0cf34" + integrity sha512-r5o/V/ORTA6TmUnyWZR9nCj1klXCO2CEKNRlVuJptZe85QuhFayC7WeMic7ndayT5IRIR0S0xFxFi2ousartlQ== + picomatch@^2.0.4, picomatch@^2.0.5: version "2.2.2" resolved "https://registry.npmjs.org/picomatch/-/picomatch-2.2.2.tgz#21f333e9b6b8eaff02468f5146ea406d345f4dad" integrity sha512-q0M/9eZHzmr0AulXyPwNfZjtwZ/RBZlbN3K3CErVrk50T2ASYI7Bye0EvekFY3IP1Nt2DHu0re+V2ZHIpMkuWg== +picomatch@^2.2.3: + version "2.3.1" + resolved "https://registry.yarnpkg.com/picomatch/-/picomatch-2.3.1.tgz#3ba3833733646d9d3e4995946c1365a67fb07a42" + integrity sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA== + pidtree@^0.3.0: version "0.3.1" resolved "https://registry.npmjs.org/pidtree/-/pidtree-0.3.1.tgz#ef09ac2cc0533df1f3250ccf2c4d366b0d12114a" @@ -4178,30 +4194,31 @@ sequelize-pool@^6.0.0: resolved "https://registry.npmjs.org/sequelize-pool/-/sequelize-pool-6.1.0.tgz#caaa0c1e324d3c2c3a399fed2c7998970925d668" integrity sha512-4YwEw3ZgK/tY/so+GfnSgXkdwIJJ1I32uZJztIEgZeAO6HMgj64OzySbWLgxj+tXhZCJnzRfkY9gINw8Ft8ZMg== -sequelize-typescript@^2.1.0: - version "2.1.0" - resolved "https://registry.npmjs.org/sequelize-typescript/-/sequelize-typescript-2.1.0.tgz#7d42dac368f32829a736acc4f0c9f3b79fc089bb" - integrity sha512-wwPxydBQ/wIZ92pFxDQEAhW8uRHqwFZGm6JkPmpsCjrODWrH8TANZiOCjwGouygFMgBwCNK91RNwLe5TYoy5pg== +sequelize-typescript@2.1.2: + version "2.1.2" + resolved "https://registry.yarnpkg.com/sequelize-typescript/-/sequelize-typescript-2.1.2.tgz#fcc2d3263ccc622710328c278f83e89f632a6d5a" + integrity sha512-+vhugJk1LLq5EVeLWi/UrkpGLrJGVD0R3UpEGHYouf6qeLRBL1V7QCIZr0pHZA57+nJPoK4PPTD+sGHS11uvvw== dependencies: - glob "7.1.6" + glob "7.2.0" -sequelize@^6.6.2: - version "6.6.2" - resolved "https://registry.npmjs.org/sequelize/-/sequelize-6.6.2.tgz#3681b0a4aeb106e31079d3a537d88542051dab2e" - integrity sha512-H/zrzmTK+tis9PJaSigkuXI57nKBvNCtPQol0yxCvau1iWLzSOuq8t3tMOVeQ+Ep8QH2HoD9/+FCCIAqzUr/BQ== +sequelize@6.10.0: + version "6.10.0" + resolved "https://registry.yarnpkg.com/sequelize/-/sequelize-6.10.0.tgz#570307a35d9c9837148834af3f6948f683b5ff2c" + integrity sha512-vqKcteQZFSh+LkEBGWMZLwnE609FXTFFuyD7plJNlm8wPi3XQJ7ciUyVTC/3F+uxVHeyB2VSP9qz1ws7YqsqNw== dependencies: debug "^4.1.1" dottie "^2.0.0" - inflection "1.12.0" + inflection "1.13.1" lodash "^4.17.20" moment "^2.26.0" moment-timezone "^0.5.31" + pg-connection-string "^2.5.0" retry-as-promised "^3.2.0" semver "^7.3.2" sequelize-pool "^6.0.0" toposort-class "^1.0.1" uuid "^8.1.0" - validator "^10.11.0" + validator "^13.7.0" wkx "^0.5.0" set-blocking@^2.0.0: @@ -4865,10 +4882,10 @@ validate-npm-package-license@^3.0.1: spdx-correct "^3.0.0" spdx-expression-parse "^3.0.0" -validator@^10.11.0: - version "10.11.0" - resolved "https://registry.npmjs.org/validator/-/validator-10.11.0.tgz#003108ea6e9a9874d31ccc9e5006856ccd76b228" - integrity sha512-X/p3UZerAIsbBfN/IwahhYaBbY68EN/UQBWHtsbXGT5bfrH/p4NQzUCG1kF/rtKaNpnJ7jAu6NGTdSNtyNIXMw== +validator@^13.7.0: + version "13.7.0" + resolved "https://registry.yarnpkg.com/validator/-/validator-13.7.0.tgz#4f9658ba13ba8f3d82ee881d3516489ea85c0857" + integrity sha512-nYXQLCBkpJ8X6ltALua9dRrZDHVYxjJ1wgskNt1lH9fzGjs3tgojGSCBjmEPwkWS1y29+DrizMTW19Pr9uB2nw== verror@1.10.0: version "1.10.0"