New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 4 vulnerabilities #27

Open

mikhailgagarin wants to merge 1 commit into master from snyk-fix-dabcf877a2e857f002ba80832e362c51

Collaborator

mikhailgagarin commented Nov 28, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: node-zopfli-es

The new version differs by 10 commits.

61f8816 2.0.0
bd5e084 update zopfli from upstream
4d5dc1f update test files to use modules
4abddf9 bin: use "import from", get npm pkg version from process.env
b3166f0 pkg, lib: add type: module and add lib/binding.js, use "import from"
ee38571 deps: update
bbdd56f 1.0.7
e60906b remove outdated History.md
057d736 readme: update
e8b8f73 deps: update

See the full diff

Package name: razzle-plugin-svg-react-component

The new version differs by 6 commits.

077119d Bump version
7a706c2 Update docs
99174b6 Bump dependency and remove unnecessary dependency
e322d91 This works with razzle 4+ (#47)
48bf7c2 Merge pull request [Snyk] Upgrade: react, react-dom #16 from hibikiledo/master
6c82d23 Document integration with razzle-plugin-typescript

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-side Request Forgery (SSRF)
🦉 Prototype Pollution


          fix: package.json & package-lock.json to reduce vulnerabilities

4c52bb3

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873

vercel bot commented Nov 28, 2023 •

edited

Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
react-material-ui-koa-starter	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Nov 28, 2023 2:27pm

vercel bot deployed to Preview

November 28, 2023 14:27

View deployment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet