New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Security upgrade web-ext from 4.3.0 to 7.1.1 #265

Open

snyk-bot wants to merge 1 commit into master from snyk-fix-84ffc12a7c3211af1f70890dd36405b4

snyk-bot commented Nov 11, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- packages/react-devtools-extensions/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Directory Traversal SNYK-JS-ADMZIP-1065796	Yes	No Known Exploit
	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	Prototype Pollution SNYK-JS-ASYNC-2441827	Yes	Proof of Concept
	Remote Code Execution (RCE) SNYK-JS-BUNYAN-573166	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	Denial of Service (DoS) SNYK-JS-JSZIP-1251497	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1090595	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	Improper Privilege Management SNYK-JS-SHELLJS-2332187	Yes	Proof of Concept
	Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept

Commit messages

Package name: web-ext

The new version differs by 250 commits.

0d9f5e1 chore: Bump package version for release 7.1.1
c0f5848 chore(deps): update dependency flow-bin to v0.182.0 (Trailing commas break old IE versions facebook/react#2452)
8cb4d8c fix: firefoxPreview option should be set to mv3 only when explicitly requested (<input type="range" onChange /> fire too often facebook/react#2454)
7f2346a chore: updated package-lock file (fix npm audit failure due to sec-advisory from moment transitive dep). (<input type="range" orient="vertical" /> doesn't work facebook/react#2453)
3796316 chore: package lock refresh (Misunderstanding project targets in wiki facebook/react#2450)
3419920 fix(deps): update dependency addons-linter to v5.10.0 (Warn when second argument to render is null and document.body is null as well facebook/react#2448)
f3f0c7c chore(deps): update commitlint monorepo to v17.0.3 (Add 'use strict' to statisfy linter rules facebook/react#2446)
fa910a6 chore(deps): update dependency flow-bin to v0.181.2 (Separate React Composite and Class facebook/react#2445)
debfe78 chore(deps): update babel monorepo to v7.18.6 (React.addons.Perf and "undefined" facebook/react#2447)
4116dd0 chore(deps): update dependency eslint to v8.19.0 (allow components to render abstract elements(feature request) facebook/react#2449)
7605afa fix(deps): update dependency update-notifier to v6 (Problem with event.target.value for input with fixed value facebook/react#2444)
f2a00e9 chore: Bump package version for release 7.1.0
b0fd4c3 fix(deps): update dependency ws to v8.8.0 (custom elements, as implied in lower-case-convention.md, not working facebook/react#2430)
624718a fix(deps): update dependency addons-linter to v5.9.0 (Children are removed when using cloneWithProps facebook/react#2441)
40b912c chore(deps): update dependency flow-bin to v0.180.1 (Support SVG vector-effect attribute facebook/react#2442)
bcadb94 chore(deps): update dependency eslint to v8.18.0 (Merge className when using spread operator facebook/react#2440)
89ccc55 feat: introduce a --firefox-preview flag for 'web-ext run' (Warning: This JSX uses a plain function. Only React components are valid in React's JSX transform. facebook/react#2436)
78039fd chore(deps): update dependency testdouble to v3.16.6 (React Docs Outdated facebook/react#2438)
7897d7d chore: Disabled commitlint rule body-max-line-length (Cleanup a couple unused variables facebook/react#2437)
f8c91c5 chore(deps): update dependency @ babel/core to v7.18.5 (Update deprecated propTypes facebook/react#2434)
474f05a fix(deps): update dependency addons-linter to v5.8.0 (Use dump cache and remove factory from ReactElement-test facebook/react#2435)
1edc680 chore: rewrite scripts/develop to use ESM (Bring in jsfiddle integration script, add harmony facebook/react#2433)
8e91380 chore(deps): update dependency flow-bin to v0.180.0 (Extending period in which click events are ignored facebook/react#2431)
f5dfa19 chore: Bump package version for release 7.0.0

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal
🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn


          fix: packages/react-devtools-extensions/package.json to reduce vulner…

896193e

…abilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ADMZIP-1065796
- https://snyk.io/vuln/SNYK-JS-AJV-584908
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-ASYNC-2441827
- https://snyk.io/vuln/SNYK-JS-BUNYAN-573166
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-GOT-2932019
- https://snyk.io/vuln/SNYK-JS-JSZIP-1251497
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
- https://snyk.io/vuln/SNYK-JS-SHELLJS-2332187
- https://snyk.io/vuln/SNYK-JS-SHELLQUOTE-1766506
- https://snyk.io/vuln/SNYK-JS-WS-1296835

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet