Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 19 vulnerabilities #74

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

vechaurijbiko
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • packages/react-scripts/package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
Yes Proof of Concept
critical severity 679/1000
Why? Has a fix available, CVSS 9.3
Incomplete List of Disallowed Inputs
SNYK-JS-BABELTRAVERSE-5962463
Yes No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-BROWSERSLIST-1090194
Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-COLORSTRING-1082939
Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-GLOBPARENT-1016905
Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-HTMLMINIFIER-3091181
Yes Proof of Concept
medium severity 429/1000
Why? Has a fix available, CVSS 4.3
Reverse Tabnabbing
SNYK-JS-ISTANBULREPORTS-2328088
Yes No Known Exploit
medium severity 641/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.4
Prototype Pollution
SNYK-JS-JSON5-3182856
Yes Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2
Command Injection
SNYK-JS-LODASHTEMPLATE-1088054
Yes Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Prototype Pollution
SNYK-JS-MERGE-1040469
Yes No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-MERGE-1042987
Yes Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-POSTCSS-1255640
Yes Proof of Concept
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
Improper Input Validation
SNYK-JS-POSTCSS-5926692
Yes No Known Exploit
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5
Server-side Request Forgery (SSRF)
SNYK-JS-REQUEST-3361831
Yes Proof of Concept
high severity 619/1000
Why? Has a fix available, CVSS 8.1
Cross-site Scripting (XSS)
SNYK-JS-SERIALIZEJAVASCRIPT-536840
No No Known Exploit
high severity 706/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.7
Arbitrary Code Injection
SNYK-JS-SERIALIZEJAVASCRIPT-570062
No Proof of Concept
high severity 619/1000
Why? Has a fix available, CVSS 8.1
Cross-site Scripting (XSS)
SNYK-JS-SERIALIZEJAVASCRIPT-6056521
No No Known Exploit
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5
Prototype Pollution
SNYK-JS-TOUGHCOOKIE-5672873
Yes Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Prototype Pollution
SNYK-JS-UNSETVALUE-2400660
Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: babel-eslint The new version differs by 31 commits.
  • a0fbd50 8.0.2
  • 2004b91 require correct deps
  • fa56d21 Always use unpad (#535)
  • 295091d Allow ^ version for babel dependencies (#534)
  • d3b8519 fix(package): update babylon to version 7.0.0-beta.31 (#533)
  • 54ab4ac 8.0.1
  • c1a7882 Update README.md support (#531) [skip ci]
  • 51100c9 chore(package): update mocha to version 4.0.0 (#524)
  • 5742b71 Adding optionalCatchBinding to plugins. (#521)
  • 905887c 8.0.0
  • 49493e4 update to beta.0
  • 42d0c5b Remove already fixed workaround (#508)
  • 25bd208 8.0.0-alpha.17
  • 1468905 alpha.17
  • 57c133e 8.0.0-alpha.15
  • 1e41162 update (#504)
  • c31b577 Readme update usage section (#501) [skip ci]
  • c2626f9 Update eslint to the latest version 🚀 (#500)
  • 3c6b2de chore(package): update husky to version 0.14.0 (#498)
  • e052d5a Update install instructions to use latest stable release (#497) [skip ci]
  • 8e3e088 8.0.0-alpha.13
  • f757e22 Merge pull request #493 from danez/regression-test
  • 5736be6 Update babylon
  • 37f9242 Add Prettier (#491)

See the full diff

Package name: css-loader The new version differs by 98 commits.
  • 634ab49 chore(release): 2.0.0
  • 6ade2d0 refactor: remove unused file (#860)
  • e7525c9 test: nested url (#859)
  • 7259faa test: css hacks (#858)
  • 5e6034c feat: allow to filter import at-rules (#857)
  • 5e702e7 feat: allow filtering urls (#856)
  • 9642aa5 test: css stuff (#855)
  • 3338656 fix: reduce number of require for url (#854)
  • 533abbe test: issue 636 (#853)
  • 08c551c refactor: better warning on invalid url resolution (#852)
  • b0aa159 test: issue #589 (#851)
  • f599c70 fix: broken unucode characters (#850)
  • 1e551f3 test: issue 286 (#849)
  • 419d27b docs: improve readme (#848)
  • d94a698 refactor: webpack-default (#847)
  • b97d997 feat: schema options
  • 453248f fix: support module resolution in composes (#845)
  • 8a6ea10 refactor: postcss plugins (#844)
  • fdcf687 fix: url resolving logic (#843)
  • 889dc7f feat: allow to disable css modules and disable their by default (#842)
  • ee2d253 test: importLoaders option (#841)
  • 1dad1fb feat: reuse postcss ast from other loaders (i.e `postcss-loader`) (#840)
  • fe94ebc test: icss reserved keywords (#839)
  • 9eaba66 refactor: migrate on message api for postcss-icss-plugin (#838)

See the full diff

Package name: eslint The new version differs by 250 commits.
  • 80b8d5d 5.5.0
  • b68e403 Build: changelog update for 5.5.0
  • 6e110e6 Fix: camelcase duplicate warning bug (fixes #10801) (#10802)
  • 5103ee7 Docs: Add Brackets integration (#10813)
  • b61d2cd Update: max-params to only highlight function header (#10815)
  • 2b2f11d Upgrade: babel-code-frame to version 7 (#10808)
  • 2824d43 Docs: fix comment placement in a code example (#10799)
  • 10690b7 Upgrade: devdeps and deps to latest (#10622)
  • 80c8598 Docs: gitignore syntax updates (fixes #8139) (#10776)
  • cb946af Chore: use meta.messages in some rules (1/4) (#10764)
  • a857cd9 5.4.0
  • 8dee250 Build: changelog update for 5.4.0
  • a70909f Docs: Add jscs-dev.github.io links (#10771)
  • 034690f Fix: no-invalid-meta crashes for non Object values (fixes #10750) (#10753)
  • 11a462d Docs: Broken jscs.info URLs (fixes #10732) (#10770)
  • 985567d Chore: rm unused dep string.prototype.matchall (#10756)
  • f3d8454 Update: Improve no-extra-parens error message (#10748)
  • 562a03f Fix: consistent-docs-url crashes if meta.docs is empty (fixes #10722) (#10749)
  • 6492233 Chore: enable no-prototype-builtins in codebase (fixes #10660) (#10664)
  • 137140f Chore: use eslintrc overrides (#10677)
  • 2af6f4f 5.3.0
  • 11e70c7 Build: changelog update for 5.3.0
  • dd6cb19 Docs: Updated no-return-await Rule Documentation (fixes #9695) (#10699)
  • 6009239 Chore: rename utils for consistency (#10727)

See the full diff

Package name: fork-ts-checker-webpack-plugin The new version differs by 184 commits.

See the full diff

Package name: html-webpack-plugin The new version differs by 196 commits.
  • eb73905 chore(release): 4.0.0
  • 42a6d4a Add typing for getHooks
  • a1a37cf Release html-webpack-plugin 4.0.0-beta.14
  • 97f9fb9 fix: load script files before style files files in defer script loading mode
  • e97ce17 Release html-webpack-plugin 4.0.0-beta.13
  • e448b5d Release html-webpack-plugin 4.0.0-beta.12
  • de315eb feat: Add defer script loading
  • 7df269f feat: Provide a verbose error message if html minification failed
  • 1d66e53 feat: merge templateParameters with default template parameters
  • dfb98e7 Fix typo in template option docts
  • 096a760 Fix broken links in examples
  • a195c34 docs: Update template-option documentation
  • 40b410e docs: Update example for template parameters
  • bf017f3 chore: Release 4.0.0-beta.11
  • 2549557 test: Don't use minification for speed measurement
  • de22fc2 test: Adjust measurment for node 6 on travis
  • 24bf1b5 fix: Update references to html-minifier
  • f4eafdc chore: Release 4.0.0-beta.10
  • a2ad30a refactor: Use getAssetPath instead of calling the hook directly
  • 2595a79 chore: Release 4.0.0-beta.9
  • c66766c feat: Add support for minifying inline ES6 inside html templates
  • 655cbcd Fix README typo
  • 6de319b update lodash dependency for prototype polution vulnerability
  • 35a1541 Properly encode file names emitted as part of URLs.

See the full diff

Package name: node-sass The new version differs by 90 commits.
  • 3b556c1 7.0.2
  • c716359 Bump sass-graph@^4.0.1 (#3292)
  • 24741b3 docs(readme): fix docpad plugin link
  • 1523330 feat: Drop Node 12
  • 365d357 update https://registry.npm.taobao.org to https://registry.npmmirror.com
  • 1456114 build(deps): bump actions/upload-artifact from 2 to 3
  • b465b69 chore: bump GitHub Actions to Windows 2019 (#3254)
  • e6194b1 build(deps): bump make-fetch-happen from 9.1.0 to 10.0.4
  • 4edf594 build(deps): bump node-gyp from 8.4.1 to 9.0.0
  • 29e2344 build(deps): bump actions/checkout from 2 to 3
  • 85b0d22 build(deps): bump actions/setup-node from 2 to 3
  • 3bb51da Use make-fetch-happen instead of request (#3193)
  • adc2f8b build(deps): bump true-case-path from 1.0.3 to 2.2.1 (#3000)
  • 77d12f0 chore: disable Apline for Node 16/17 builds
  • 308d533 ci: use Python 3 for Node 12
  • c818907 ci: unpin actions/setup-node to v2
  • 99242d7 7.0.1
  • 77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (#3224)
  • c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (#3209)
  • 918dcb3 Lint fix
  • 0a21792 Set rejectUnauthorized to true by default (#3149)
  • e80d4af chore: Drop EOL Node 15 (#3122)
  • d753397 feat: Add Node 17 support (#3195)
  • dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0

See the full diff

Package name: precss The new version differs by 2 commits.

See the full diff

Package name: webpack The new version differs by 250 commits.
  • 610f368 5.0.0
  • 5ce65c1 update examples
  • bbe1230 Merge pull request #11628 from webpack/bugfix/real-content-hash
  • 75ecff2 5.0.0-rc.6
  • bfc35d6 Merge pull request #11603 from MayaWolf/master
  • 76e8cbd Merge pull request #11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
  • 9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
  • 36bcfaa Merge pull request #11621 from webpack/bugfix/11619
  • 9130d10 fix called variables with ProvidePlugin
  • 3e42105 Merge pull request #11620 from webpack/bugfix/11617
  • 4709719 skip connections copied to concatenated module
  • 57b493f 5.0.0-rc.5
  • 1658e2f Merge pull request #11618 from webpack/bugfix/11615
  • a8fb45d fixes crash in SideEffectsFlagPlugin
  • 84b196d emit error instead of crashing when unexpected problem occurs
  • 5573fed Merge pull request #11601 from Hornwitser/improve-suggested-polyfill-config
  • 9b5cce9 Merge pull request #11609 from snitin315/export-types
  • 37c495c export type RuleSetUseItem
  • 39faf34 export type RuleSetUse
  • e5fd246 export type RuleSetConditionAbsolute
  • 660baad export RuleSetCondition types
  • 13e3ca5 Merge pull request #11602 from webpack/bugfix/shared-runtime-chunk
  • 9c0587e Merge pull request #11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
  • 502d166 Merge pull request #11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Package name: webpack-dev-server The new version differs by 250 commits.
  • c9271b9 chore(release): 4.0.0
  • 18bf369 test: fix stability (#3676)
  • cdcabb2 fix: respect protocol from browser for manual setup (#3675)
  • 1768d6b fix: initial reloading for lazy compilation (#3662)
  • 4f5bab1 docs: improve examples (#3672)
  • f2d87fb fix: improve https CLI output (#3673)
  • 0277c5e chore: remove redundant console statements (#3671)
  • 16fcdbc docs: add `ipc` example (#3667)
  • 8915fb8 test: add e2e tests for built in routes (#3669)
  • 4d1cbe1 docs: ask `version` information in issue template (#3668)
  • b6c1881 chore(deps-dev): bump core-js from 3.16.1 to 3.16.2 (#3666)
  • ffa8cc5 chore(deps-dev): bump supertest from 6.1.5 to 6.1.6 (#3665)
  • f1fdaa7 chore(release): 4.0.0-rc.1
  • c4678bc fix: legacy API (#3660)
  • d8bdd03 test: fix stability (#3661)
  • 22b1414 refactor: remove `killable` (#3657)
  • 75bafbf test: add e2e tests for module federation (#3658)
  • 493ccbd chore(deps): update `ws` (#3652)
  • ae8c523 test: add e2e test for universal compiler (#3656)
  • f94b84f chore(deps): update (#3655)
  • 1923132 test: fix cli
  • 2adfd01 test: fix todo (#3653)
  • 6e2cbde fix: proxy logging and allow to pass options without the `target` option (#3651)
  • c9ccc96 fix: respect infastructureLogging.level for client.logging (#3613)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Improper Input Validation
🦉 More lessons are available in Snyk Learn

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants