New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 12 vulnerabilities #51

Open

AyushG3112 wants to merge 1 commit into master from snyk-fix-18d478d74e44c486b6f3d62cdf0cb769

Owner

AyushG3112 commented Feb 2, 2024

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	No	No Known Exploit
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	No	No Known Exploit
	644/1000 Why? Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Insecure Randomness npm:cryptiles:20180710	No	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:sshpk:20180409	No	Proof of Concept
	646/1000 Why? Mature exploit, Has a fix available, CVSS 5.2	Uninitialized Memory Exposure npm:stringstream:20180511	No	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: metalsmith-layouts

The new version differs by 31 commits.

d7b7863 2.3.1
cdc12fa Prepare 2.3.1
69a3f52 Add test for filename prefix on rendering error message (checksums nodejs/nodejs.org#171)
6604a57 Prepend the current filename to the transformer error message. (Add proper color for a:hover code nodejs/nodejs.org#169)
0b71788 Update readme (add proper color for a:hover code nodejs/nodejs.org#170)
891552e 2.3.0
4ef617f Prepare 2.3.0
a17c50a Supporting async-only jstransformers; fixes Download for Mac OS X 64 not working nodejs/nodejs.org#166 (load versions on build nodejs/nodejs.org#167)
1e633cb 2.2.0
db47820 Prepare 2.2.0
5e805bb Align new feature with in-place
3525a5f Add suppressNoFilesError add NODE_MODULE_VERSION column to the releases table nodejs/nodejs.org#160 (Add "Installing Node.js via package manager" nodejs/nodejs.org#163)
45800cf Update jest
084f132 Ignore dev dependencies for greenkeeper
70800f9 Update links to metalsmith org
b697107 Remove shields.io badges (No documentation for installing with a package manager nodejs/nodejs.org#158)
8b7ade0 Update eslint-airbnb-base (Adopt JS Standard Style nodejs/nodejs.org#157)
4a3072c Update to node 10 in .travis.yml (Remove dead community links nodejs/nodejs.org#155)
c815ba9 Update license (Code fragments have color issues nodejs/nodejs.org#151)
d683301 chore(package): update lint-staged to version 7.0.0 (Windows installer for 64-bit installs 32-bit version of node 4.0? nodejs/nodejs.org#150)
128b5ab Prepare 2.1.0 (Add weekly posts from 21st August to 4th September. nodejs/nodejs.org#149)
fe65697 Add debug information (fix broken link to TC info nodejs/nodejs.org#148)
590429b Update other plugins (Minor text change as part of code & learn nodejs/nodejs.org#145)
299c834 Update readme (/about/working-groups anchors don't work nodejs/nodejs.org#144)

See the full diff

Package name: metalsmith-permalinks

The new version differs by 60 commits.

94edea2 2.2.0
e9edcbd Added ability to extend slugify; Docs added
c74449b Packages updated: transliteration api changed - fixtures updated accordingly
a3ff451 2.1.0
34044fc History Updated for release
a92ba00 Merge pull request Added SunOS and ARM binaries to download matrix nodejs/nodejs.org#87 from segmentio/duplicate-path-28
08186a5 Updated Travis with v10
4eb90a0 Adds functionality to make URIs unique and report when clashes occur
5a7e279 Tests: Removed boilerplate code where practical
295e38f 2.0.1
4e140b5 Updated history
2572aa0 Merge pull request Enable custom 404 page in nginx nodejs/nodejs.org#86 from segmentio/permalink-fix-81
3496d70 Fixes css: Fix default background-color nodejs/nodejs.org#81 - Permalink override frontmatter option
bee779a Duplicated test: Removed
7e06551 2.0.0
1b33a81 History updated
4275c92 Merge pull request New site is live with 0.12.7 everywhere, except link to changelog nodejs/nodejs.org#84 from segmentio/add-test-for-paths
67e6af3 Add test for paths: Fixes replace logo-light.png with original nodejs/nodejs.org#74
476460d Add test for paths: Fixes replace logo-light.png with original nodejs/nodejs.org#74
2c6a0cc Merge pull request rephrasing in get involved view nodejs/nodejs.org#83 from segmentio/migrate-to-slugify
8204751 Slug replaced with actively developed slugify: Fixes fixed typo in home nodejs/nodejs.org#82
925c9e1 1.0.0
7c44016 Merge branch 'gaggle-sibling-folder-strategy'
edede6e Prettier applied

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Directory Traversal
🦉 More lessons are available in Snyk Learn


          fix: package.json & package-lock.json to reduce vulnerabilities

55d26ba

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AJV-584908
- https://snyk.io/vuln/SNYK-JS-HAWK-2808852
- https://snyk.io/vuln/SNYK-JS-JSONSCHEMA-1920922
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-3050818
- https://snyk.io/vuln/SNYK-JS-MOMENT-2440688
- https://snyk.io/vuln/SNYK-JS-MOMENT-2944238
- https://snyk.io/vuln/SNYK-JS-QS-3153490
- https://snyk.io/vuln/npm:cryptiles:20180710
- https://snyk.io/vuln/npm:extend:20180424
- https://snyk.io/vuln/npm:hoek:20180212
- https://snyk.io/vuln/npm:sshpk:20180409
- https://snyk.io/vuln/npm:stringstream:20180511

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet