[Snyk] Security upgrade url-parse from 1.5.3 to 1.5.6 #407

snyk-bot · 2022-02-16T07:20:03Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- packages/pwa-kit-react-sdk/package.json
- packages/pwa-kit-react-sdk/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	713/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.4	Access Restriction Bypass SNYK-JS-URLPARSE-2401205	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: url-parse

The new version differs by 21 commits.

4c9fa23 1.5.6
7b0b8a6 Merge pull request [Retail App] "Out of Stock" message is not showing on mobile screens issue *FIXED* #223 from unshiftio/fix/at-sign-handling-in-userinfo
e4a5807 1.5.5
193b44b [minor] Simplify whitespace regex
319851b [fix] Remove CR, HT, and LF
4e53a8c [doc] Document that the returned hostname might be invalid
9be7ee8 [fix] Correctly handle userinfo containing the at sign
f7774f6 [security] Fix typos in SECURITY.md
82c4908 [dist] 1.5.4
e324874 [doc] Remove dependency status badge
5e8a444 [ci] Test on node 17
a72a5c6 [doc] Remove "made by" and IRC badges
e9a8353 [ci] Update coverallsapp/github-action action to version 1.1.3
36dd8b4 [minor] Remove redundant assignment
5472388 [minor] Remove dead code
53d4d6d [fix] Handle the `username` and `password` properties
0be9572 [test] Test that `Url#set()` correctly handles the `auth` property
15b1dbd [fix] Do not lose the password in the stringification process
993acbe [fix] Handle the `auth` property (Version 1.2.0-alpha.1 #213)
d9e332b [fix] Do not add spurious slashes
78f7017 [pkg] Update mocha to version 9.0.3

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

…-sdk/package-lock.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-URLPARSE-2401205

alexvuong · 2022-02-17T21:02:54Z

This is not an exploitable issue on production.

fix: packages/pwa-kit-react-sdk/package.json & packages/pwa-kit-react…

2644eee

…-sdk/package-lock.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-URLPARSE-2401205

snyk-bot requested a review from a team as a code owner February 16, 2022 07:20

salesforce-cla bot added the cla:signed label Feb 16, 2022

alexvuong closed this Feb 17, 2022

kevinxh deleted the snyk-fix-0370bd499727684b4becc3e2cccec22d branch March 9, 2022 01:58

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Security upgrade url-parse from 1.5.3 to 1.5.6 #407

[Snyk] Security upgrade url-parse from 1.5.3 to 1.5.6 #407

snyk-bot commented Feb 16, 2022

alexvuong commented Feb 17, 2022 •

edited

Loading

[Snyk] Security upgrade url-parse from 1.5.3 to 1.5.6 #407

[Snyk] Security upgrade url-parse from 1.5.3 to 1.5.6 #407

Conversation

snyk-bot commented Feb 16, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

alexvuong commented Feb 17, 2022 • edited Loading

alexvuong commented Feb 17, 2022 •

edited

Loading