Thanks to visit codestin.com
Credit goes to github.com

[Snyk] Fix for 8 vulnerabilities #56

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

enterstudio wants to merge 1 commit into develop from snyk-fix-4f62601e710a18578464bfe96d6a7576

Owner

enterstudio commented Nov 28, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- src/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:parsejson:20170908	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: cheerio

The new version differs by 18 commits.

35c4917 Release 0.21.0
1d2e8a7 Return undefined in .prop if given an invalid element or tag (Occasional error that causes "disconnect" ether/etherpad-lite#880)
df55c93 Merge pull request Allow the word 'Pad' to be customized / configurable / abstracted ether/etherpad-lite#884 from cheeriojs/readme-cleanup
bbceb09 readme updates
010b718 Merge pull request Add userJoinOrUpdate hook ether/etherpad-lite#881 from piamancini/patch-1
4997e70 Added backers and sponsors from OpenCollective
4ccb41b Use jQuery from the jquery module in benchmarks (Use Tinycon to display chat mentions in favicon. ether/etherpad-lite#871)
54359c9 Document, test, and extend static `$.text` method (toolbars overlaping if you have small size of browser window ether/etherpad-lite#855)
c6612f3 Fix typo on calling _.extend (API method setText crashes the server ether/etherpad-lite#861)
ed60b34 0.21.0
79d4e5e Update versions (Do we really need post/pre and splitting plugins into multiple parts ether/etherpad-lite#870)
e7d18af Use individual lodash functions (Merge bugfixes ether/etherpad-lite#864)
e65ad72 Added `.serialize()` support. Fixes [Snyk] Security upgrade express from 4.13.4 to 4.20.0 #69 (Add in padUsersCount method and API call ether/etherpad-lite#827)
df39f33 Update Readme.md (Config section for plugins in settings.json ether/etherpad-lite#857)
7b59afb add extension for JSON require call
d0551dc remove gittask badge
f500197 Merge pull request Drop require authorization setting ether/etherpad-lite#672 from underdogio/dev/checkbox.radio.values.sqwished
046071a Added default value for checkboxes/radios

See the full diff

Package name: npm

The new version differs by 250 commits.

3b4ba65 7.0.0
bbfc75d chore: fix weird .gitignore thing that happened somehow
8a2d375 docs: changelog for v7.0.0
365f2e7 [email protected]
fafb348 [email protected]
9306c68 [email protected]
569cd64 [email protected]
ac9fde7 Integration code for @ npmcli/[email protected]
704b9cd @ npmcli/[email protected]
3955bb9 [email protected]
da240ef fix: patch config.js to remove duplicate values
9ae45a8 [email protected]
41ab36d [email protected]
c474a15 [email protected]
efc6786 fix: make sure publishConfig is passed through
1e4e6e9 docs: v7 using npm config refresh
5c1c2da fix: init config aliases
5bc7eb2 docs: v7 npm-install refresh
1a35d87 7.0.0-rc.4
7a5a557 docs: changelog for v7.0.0-rc.4
f0cf859 chore: dedupe deps
0273745 [email protected]
7bd47ca @ npmcli/[email protected]
9320b8e only escape arguments, not the command name

See the full diff

Package name: request

The new version differs by 250 commits.

f422111 2.80.0
bce66a5 Merge pull request Fix minor typo in safeRun.sh email report ether/etherpad-lite#2571 from JamesMGreene/fix_ipv6_host_header
ff6d6c6 Correctly format the Host header for IPv6 addresses
667e923 Merge pull request How to test if an attribute is set at a range ether/etherpad-lite#2558 from request/FredKSchott-patch-1
6862553 Merge pull request Support SQLite ether/etherpad-lite#2221 from calamarico/change_readme
8d78bd0 Update README.md example snippet
60f6a00 Merge pull request Support ejs 2.0 ether/etherpad-lite#2452 from nicjansma/master
da077f7 Merge pull request Merge branch master back to develop ether/etherpad-lite#2553 from request/issue-template
921ebee small change to template wording
256deea add ISSUE_TEMPLATE, move PR template
fec1f2b reorder PULL_REQUEST_TEMPLATE sections
2046cf3 Merge pull request Non-working dead keys in Firefox ether/etherpad-lite#2539 from request/FredKSchott-patch-1
0ea3d47 Merge pull request Large .etherpad files cause Maximum range exceeded error ether/etherpad-lite#2524 from request/greenkeeper-caseless-0.12.0
3f57975 Use performance-now instead of custom solution
a9ad38a Ensure only the properties we expect are there
d9e8c3d Added deprecated notes
a60be68 Create PULL_REQUEST_TEMPLATE.md
223f44b Merge pull request Silent data loss when editing nested unordered list with more than 8 levels ether/etherpad-lite#2460 from OwnageIsMagic/patch-1
d40f9af Merge pull request Deleting the first item of a numbered list causes all items to be number one ether/etherpad-lite#2514 from humphd/package.json-keywords
dfd777a chore(package): update caseless to version 0.12.0
4901f96 Change tags to keywords in package.json
f009af2 Merge pull request Update CHANGELOG.md ether/etherpad-lite#2492 from addaleax/lenient-gzip
71081b6 More lenient gzip decompression
21e315d Removed extra space

See the full diff

Package name: socket.io

The new version differs by 53 commits.

3367eaa [chore] Release 2.0.0
6c0705f [docs] Add an example of custom parser (Pass through the "item" parameter to registerAceCommand callbacks. ether/etherpad-lite#2929)
1980fb4 [chore] Merge history of 1.7.x and 0.9.x branches (copyPad + revertPad causes server crash ether/etherpad-lite#2930)
0d07c47 [chore] Added backers and sponsors on the README (Unordered to ordered list bug ether/etherpad-lite#2933)
a086588 [chore] Bump dependencies (Update author when removing line attribute from line ether/etherpad-lite#2926)
87b06ad [feat] Move binary detection to the parser (Save Only On First Revision #2740 ether/etherpad-lite#2923)
199eec6 [docs] Replace non-breaking space with proper whitespace (Add LibreJS support ether/etherpad-lite#2913)
f1b39a6 [docs] Update emit cheatsheet (Blockdiag integration ether/etherpad-lite#2906)
240b154 [docs] Explicitly document that Server extends EventEmitter (Etherpad integration with Moodle 2.8 ether/etherpad-lite#2874)
c5b7738 [docs] Add server.engine.generateId attribute (not starting on windows 10 ether/etherpad-lite#2880)
03f3bc9 [docs] Fix wrong space character in README (Missing buttons on mobile iOS 9 - iPhone 6 ether/etherpad-lite#2900)
e40accf [docs] Fix documentation for 'connect' event (Highlight and link more URI schemes: about, geo, tel ether/etherpad-lite#2898)
01a4623 [feat] Allow to join several rooms at once (How to set another default font in pads ? ether/etherpad-lite#2879)
2d5b002 [docs] Add webpack build example (Update installDeps.sh ether/etherpad-lite#2828)
5ae06e6 [chore] Bump socket.io-adapter to version 1.0.0 (All special characters suddenly converted to ??? ether/etherpad-lite#2867)
4d8f68c [chore] Bump engine.io to version 2.0.2 (Import a PDF file not working ether/etherpad-lite#2864)
5b79ab1 [docs] Update the wording to match the code example (Text color not set ether/etherpad-lite#2853)
54ff591 [feature] Merge Engine.IO and Socket.IO handshake packets (Compilation of socket.io fails due to the too old nan dependency ether/etherpad-lite#2833)
e1facd5 [docs] Small addition to the Express Readme Part (Using proper ellipsis in l10n files ether/etherpad-lite#2846)
3b92cc2 [feature] Allow the use of custom parsers (How to Merge Contents of Mulitple Pads into an HTML Document or PDF? ether/etherpad-lite#2829)
3d695c6 [chore] Bump engine.io to version 2.0.0 (Copy Paste Lists from Libre office ether/etherpad-lite#2832)
3b5f433 [fix] Use path.resolve by default and require.resolve as a fallback (Give better error message when rebuildPad.js hits a non-existing rev. ether/etherpad-lite#2797)
23c9dd3 [docs] Add a 'Features' section in the README (Support Nodejs v5.0.0.0 ether/etherpad-lite#2824)
e28b475 [docs] Add httpd cluster example (Fix for #2809 ether/etherpad-lite#2819)

See the full diff

Package name: ueberdb2

The new version differs by 250 commits.

756b29d 3.0.0
d9af0b4 elasticsearch: Switch to supported client library
a282660 tests: Include elasticsearch in tests
e9ef2e9 elasticsearch: Complete rewrite to fix bugs
3df7115 elasticsearch: Simplify response handling
0a65d6b elasticsearch: Move client into instance object
ae0f1bb elasticsearch: Move settings into instance object
239a752 elasticsearch: Remove console logging
1766f4f elasticsearch: Promisify
92cd33d Evict old cache entries after every write
6b86065 tests: Increase speed test timeout
20b5bf0 build(deps-dev): bump mocha from 9.2.2 to 10.0.0
29721ff lint: Update ESLint dependencies and config
5bbe3f0 Bump minimum required Node.js to v14.15.0
adc150f Mention database dependency updates
a4cca58 build(deps): bump simple-git from 3.7.0 to 3.7.1
d85ad1a build(deps): bump sqlite3 from 5.0.4 to 5.0.6
6521701 build(deps): bump elasticsearch from 16.7.2 to 16.7.3
6f58073 build(deps): bump simple-git from 3.6.0 to 3.7.0
0392047 build(deps): bump pg from 8.7.1 to 8.7.3
6a27ce5 build(deps-dev): bump cli-table from 0.3.8 to 0.3.11
57dc964 build(deps): bump nano from 9.0.5 to 10.0.0
2aca88f build(deps): bump async from 3.2.2 to 3.2.3
49ce914 build(deps): bump sqlite3

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-side Request Forgery (SSRF)
🦉 Improper Input Validation
🦉 More lessons are available in Snyk Learn


          fix: src/package.json to reduce vulnerabilities

7c55c16

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-1056752
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-3091012
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:ms:20170412
- https://snyk.io/vuln/npm:parsejson:20170908

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet