Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 2 vulnerabilities #19

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

Arul-
Copy link
Owner

@Arul- Arul- commented Nov 25, 2023

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
No Proof of Concept
high severity 761/1000
Why? Mature exploit, Has a fix available, CVSS 7.5
Denial of Service (DoS)
SNYK-JS-DICER-2311764
Yes Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: apollo-server-express The new version differs by 250 commits.

See the full diff

Package name: graphql-upload The new version differs by 84 commits.
  • cd9e4f1 Version 15.0.0.
  • ef566f3 Simplify error handling within the function `processRequest`.
  • f1ffd27 Use the `on` method instead of `once` to listen for `busboy` parser `error` events.
  • 7906f95 Add a test for the function `processRequest` with a maliciously malformed multipart request.
  • 5d4c758 Update the `busboy` dependency to v1.
  • ab06b20 Update the `typescript` dev dependency.
  • e682fb9 Version 14.0.0.
  • 558dfc7 Use `substring` instead of the deprecated string method `substr` in tests.
  • 500545b Update dev dependencies.
  • 6da4fb2 Update URLs in documentation.
  • 9e426a1 Configure TypeScript `compilerOptions.maxNodeModuleJsDepth`.
  • c0db80e Make Express and Koa types optional peer dependencies.
  • f6a621c Update dev dependencies.
  • e9f9668 Update the `graphql` peer dependency and avoid deprecated `GraphQLError` constructor parameters.
  • 695397e Correct the changelog entry.
  • 2575397 Readme correction.
  • 8ba2c7b Add a `license.md` MIT License file.
  • d643e7c Implement TypeScript types via JSDoc comments.
  • 8d23234 Use the `Readable` property `readableEncoding` instead of `_readableState.encoding`.
  • aff25c3 Remove the `formdata-node` dev dependency.
  • 0c74d58 Remove the `hard-rejection` dev dependency.
  • f561b21 Use the `.js` file extension in `require` paths.
  • 1bcd630 Remove the package main index module.
  • 0acc5b1 Shorten public module deep import paths.

See the full diff

Package name: pg-monitor The new version differs by 8 commits.

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants