Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 1 vulnerabilities #13

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

snyk-bot
Copy link

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • deps/npm/package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 658/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-HOSTEDGITINFO-1088355
Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: hosted-git-info The new version differs by 66 commits.
  • a810463 chore(release): 3.0.8
  • bede0dc fix: simplify the regular expression for shortcut matching
  • afe2808 chore(release): 3.0.7
  • eb5bd5a fix: correctly filter out urls for tarballs in gitlab
  • d30f96e chore(release): 3.0.6
  • c067102 fix: support to github gist legacy hash length
  • c53c6ab chore(release): 3.0.5
  • 167cef2 chore: properly advertise version support
  • 47c931e update lru-cache to latest
  • 8e0b0ec chore(release): 3.0.4
  • 0835306 fix: Do not pass scp-style URLs to the WhatWG url.URL
  • 6f39e93 chore(release): 3.0.3
  • 31140a7 Ensure passwords in hosted Git URLs are correctly escaped
  • 4636ac9 chore(release): 3.0.2
  • 3e5fbec fix: do not encodeURIComponent the domain
  • 97c8caa chore(release): 3.0.1
  • e3e3054 fix: update pathmatch for gitlab
  • af4835c test: added script to get coverage report
  • d04239b test: removed unused testing structure
  • 4693b9c test: moved all github url tests together
  • a03d51e test: added refactered tests for bitbucket
  • 0aea712 test: added ignore; for 100% testing (this seems wonky)
  • b473c55 test: added basic test for ._fill() method
  • fa87af7 fix: updated pathmatch for gitlab

See the full diff

Package name: init-package-json The new version differs by 21 commits.

See the full diff

Package name: normalize-package-data The new version differs by 12 commits.

See the full diff

Package name: npm-package-arg The new version differs by 18 commits.

See the full diff

Package name: pacote The new version differs by 186 commits.
  • ed57e5c 10.1.2
  • d9bce22 git: resolved should be a git+ssh:// url, not just ssh://
  • 84535a3 git: Fall back from tgz to ssh on HTTP errors
  • 7ee23c3 git: make 'from' and 'resolved' consistent and useful
  • 10ff45f update deps to pull in newer hosted-git-info
  • 88beaab Return the requested spec as the 'from' value
  • e5b84f2 test: fix git configs for git 2.23 and above
  • 5a3bfbd typo in bin usage text
  • 04a0f0c Keep home dir out of snapshots
  • ae7c912 10.1.1
  • cb31be8 filter out .swp files from package
  • 43e239d 10.1.0
  • 3d4012a add pacote CLI
  • 99a3f21 update tap
  • dc10617 test: node 13 made errno a number again
  • e516f96 add repository field to package
  • 37f24b3 10.0.0
  • ad72e94 test: use t.testdir() instead of manually creating test dirs
  • a79846e fresh update all deps
  • 2e4482a Improve integrity consistency and handling
  • 9964c7b update tap and minipass-fetch
  • 6460b02 Remove spurious top-level dep on make-fetch-happen
  • 1f4473a Pack and unpack preserving exec perms on all package bins
  • 347c563 Cache manifest as fetcher.package

See the full diff

Package name: read-package-json The new version differs by 17 commits.
  • 9f7049d chore(release): 3.0.0
  • 19d9fbe fix: check-in updated lockfile
  • eef46fa chore: add engines definition
  • 36b7ef7 chore: remove old .travis.yml envs
  • b3a8831 globa@7.1.6
  • fb3ceae json-parse-even-better-errors@2.3.1
  • 78add03 npm-normalize-package-bin@1.0.1
  • 7595d70 normalize-package-data@3.0.0
  • 10175d8 chore(release): 2.1.2
  • fdbf082 fix: even better json errors, remove graceful-fs
  • e78afd6 chore(release): 2.1.1
  • b8cb5fa fix: normalize and sanitize pkg bin entries
  • 55382c2 chore(release): 2.1.0
  • 0a176cc Add some tests and clean up error handling for non-string bins
  • 76f6f42 feat: support bundleDependencies: true
  • 4e1e4d2 some tests for index.js parsing
  • 67f2d8d chore: update CI for current Node LTS

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant