Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 1 vulnerabilities #138

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 1 vulnerabilities #138

wants to merge 1 commit into from

Conversation

Omrisnyk
Copy link
Owner

@Omrisnyk Omrisnyk commented Jan 9, 2024

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • large-file/package.json
    • large-file/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 109/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Changed, Exploit Maturity: Proof of Concept, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 0, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.54, Likelihood: 2.39, Score Version: V5		 Cross-site Scripting (XSS)
SNYK-JS-SERIALIZEJAVASCRIPT-6147607		 Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: compression-webpack-plugin
  • 8.0.1 - 2021-06-25

    8.0.1 (2021-06-25)

    Chore

    • update serialize-javascript
  • 8.0.0 - 2021-05-21

    8.0.0 (2021-05-21)

    ⚠ BREAKING CHANGES

    • minimum supported Node.js version is 12.13.0
  • 7.1.2 - 2021-01-11

    7.1.2 (2021-01-11)

    Bug Fixes

    • crash when filename and algorithm options are functions (#241) (f33424a)
  • 7.1.1 - 2020-12-25

    7.1.1 (2020-12-25)

    Bug Fixes

  • 7.1.0 - 2020-12-18

    7.1.0 (2020-12-18)

    Features

    • compress assets added later by plugins (5b8b356)

    Bug Fixes

    • compatibility with workbox-webpack-plugin (#234) (5d54128)
    • perf
  • 7.0.0 - 2020-12-02

    7.0.0 (2020-12-02)

    ⚠ BREAKING CHANGES

    • minimum supported webpack version is ^5.1.0
    • the cache option was removed, the plugin respects caching from configurations, please read
  • 6.1.2 - 2023-12-26
  • 6.1.1 - 2020-11-12

    6.1.1 (2020-11-12)

    Bug Fixes

    • compatibility with child compilations (5e3bb95)
  • 6.1.0 - 2020-11-09

    6.1.0 (2020-11-09)

    Features

    • added the keep-source-maps value to the deleteOriginalAssets option (#216) (bd60650)
  • 6.0.5 - 2020-11-02

    6.0.5 (2020-11-02)

    Bug Fixes

    • allowed compressed assets to overwrite original assets using the deleteOriginalAssets option (62d3d0a)
  • 6.0.4 - 2020-10-26

    6.0.4 (2020-10-26)

    Bug Fixes

    • always set compression level to maximum for the custom algorithm (483f328)
  • 6.0.3 - 2020-10-09
  • 6.0.2 - 2020-09-19
  • 6.0.1 - 2020-09-16
  • 6.0.0 - 2020-09-14
  • 5.0.2 - 2020-09-02
  • 5.0.1 - 2020-08-22
  • 5.0.0 - 2020-08-17
  • 4.0.1 - 2020-08-12
  • 4.0.0 - 2020-05-12
from compression-webpack-plugin GitHub release notes
Package name: serialize-javascript
  • 6.0.2 - 2024-01-09

    v6.0.1...v6.0.2

  • 6.0.1 - 2023-01-15

    What's Changed

    New Contributors

    Full Changelog: v6.0.0...v6.0.1

  • 6.0.0 - 2021-06-21

    Changelog

    • Add support for URL's (#123)
    • Bump mocha from 9.0.0 to 9.0.1 (#124)
    • Bump mocha from 8.4.0 to 9.0.0 (#121)
    • Update Node.js CI matrix (#122)
    • Bump mocha from 8.3.2 to 8.4.0 (#120)
    • Bump lodash from 4.17.19 to 4.17.21 (#119)
    • Bump y18n from 4.0.0 to 4.0.1 (#116)
    • Bump chai from 4.3.3 to 4.3.4 (#115)
    • Bump mocha from 8.3.1 to 8.3.2 (#114)
    • Bump mocha from 8.3.0 to 8.3.1 (#113)
    • Bump chai from 4.3.1 to 4.3.3 (#112)
    • Bump chai from 4.2.0 to 4.3.1 (#111)
    • Bump mocha from 8.2.1 to 8.3.0 (#109)
    • Bump mocha from 8.1.3 to 8.2.1 (#105)
    • Drop Travis CI settings (#100)
    • Change default branch name to main (#99)
    • GitHub Aactions (#98)

    Behavior changes for URL objects

    It serializes URL objects as follows since this version. The result of serialization may be changed if you are passing URL object values into the serialize-javascript.

    http://example.com/")}); // '{"u":new URL("http://example.com/")}'">
    const serialize = require("serialize-javascript");
    

    serialize({u: new URL("http://example.com/")}); // '{"u":new URL("http://example.com/")}'

    Thank you @ rrdelaney for this release.

  • 5.0.1 - 2020-09-10

    Changelog

    • Exclude .vscode and .github directories from package (#97)
  • 5.0.0 - 2020-09-09

    Changelog

    • Bump mocha from 8.1.2 to 8.1.3 (#96)
    • Support sparse arrays (#95)
    • Bump mocha from 8.1.1 to 8.1.2 (#94)
    • Bump mocha from 8.1.0 to 8.1.1 (#92)
    • Create Dependabot config file (#91)
    • Bump mocha from 8.0.1 to 8.1.0 (#90)
    • Bump lodash from 4.17.15 to 4.17.19 (#89)
    • Bump mocha from 7.2.0 to 8.0.1 (#88)

    Behavior changes for sparse arrays

    It serializes sparse arrays as follows since this version. The result of serialization may be changed if you are passing sparse arrays values into the serialize-javascript.

    const serialize = require('serialize-javascript');

    var a = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
    delete a[0];
    a.length = 3;
    a[5] = 'wat';
    serialize(a) // 'Array.prototype.slice.call({"1":2,"2":3,"5":"wat","length":6})'

    Thank you @ victorporof for this release.

  • 4.0.0 - 2020-06-08

    Changelog

    • Bump nyc from 15.0.1 to 15.1.0 (#85)
    • support for bigint (#80)

    Behavior changes for BigInt

    It serializes BigInt values as follows since this version. The result of serialization may be changed if you are passing BigInt values into the serialize-javascript.

    v4.x:

    const serialize = require('serialize-javascript');

    serialize({big: BigInt('10')}); // '{"big":BigInt("10")}'

    v3.x:

    const serialize = require('serialize-javascript');

    serialize({big: BigInt('10')}); // throws error

    Thank you @ mum-never-proud for this release.

  • 3.1.0 - 2020-05-28
    • Bump mocha from 7.1.2 to 7.2.0 (#83)
    • Bump mocha from 7.1.1 to 7.1.2 (#82)
    • Bump nyc from 15.0.0 to 15.0.1 (#81)
    • Don't replace regex / function placeholders within string literals (#79)
    • [Security] Bump minimist from 1.2.0 to 1.2.5 (#78)
    • Bump mocha from 7.1.0 to 7.1.1 (#77)
    • Bump mocha from 7.0.1 to 7.1.0 (#74)
    • Update example in README (#73)

    Note: the randombytes has been added to the dependency package to improve the generation of UIDs. Check the #22 for more information. Thanks to @ JordanMilne and @ Siebes for this change.

from serialize-javascript GitHub release notes
Package name: webpack
  • 4.26.0 - 2018-11-19

    Features

    • Switch from uglify-es to terser as default minimizer

    Note: While they are officially backward-compatible, it can still happen that a new bugs occurs with terser, which break your production builds. Make sure to validate your production builds after upgrading to this version. (Note that it's always a good idea to test your output assets before deploying.)

    If you want to report bugs to terser (https://github.com/terser-js/terser), please provide a minimal repro case with minimized and non-minimized code. You can configure webpack to generate non-minimized code in production mode by setting optimization.minimize: false. When reporting a bug to terser, best report a repro case which doesn't require running webpack and is reproducible with only the terser command line.

    See optimization.minimizers configuration option to switch back to uglify-es or provide additional minimize options for terser.

  • 4.25.1 - 2018-11-05

    Bugfixes

    • fix replacement of compile-time constant expression when expression is a wrapped expression (string prefix and/or suffix).
  • 4.25.0 - 2018-11-05

    Features

    • add format option to DllPlugin to allow generating formated manifest json
    • add flags to ProgressPlugin to add and remove information
      • entrypoint counter was added, but disabled by default to avoid breaking change

    Bugfixes

    • fix code generation for context dependencies when replacing compile-time constant expressions
    • disable the effect of the ProvidePlugin for .mjs
  • 4.24.0 - 2018-11-02

    Features

    • allow to pass no dependencies to DefinePlugin runtime value
      • DefinePlugin.runtimeValue(() => {...}, true) is always evaluated
    • add module argument to DefinePlugin.runtimeValue

    Bugfixes

    • update webassemblyjs dependency
    • fix bug when using entry names that look like numbers with HMR
  • 4.23.1 - 2018-10-25

    Bugfixes

    • add space when replacing expression with constant
      • i. e. for code like return'development'===process.env.NODE_ENV&&'foo'
  • 4.23.0 - 2018-10-24

    Features

    • add watchMode flag to Compiler to be able to detect watch mode in plugins
    • Prefer chunk names of entrypoints when merging chunks
    • add removedFiles property to Compiler to detect removed files

    Bugfixes

    • publish declarations to npm
    • upgrade @ webassemblyjs/* for bugfix
    • fix crash when using a side-effect-free wasm module in production mode

    Internal changes

    • test on node.js 12
    • fix memory leak in test suite
  • 4.22.0 - 2018-10-21

    Features

    • Add support for evaluating && and || expressions

    Bugfixes

    • fix problems where order of things where not deterministic

    Performance

    • improve performance of chunk graph creation
      • this will improve rebuild performance in watch mode
  • 4.21.0 - 2018-10-17

    Features

    • add output.libraryTarget: "amd-require" which generates a AMD require([], ...) wrapper instead of a define([], ...) wrapper
    • support arrays of strings passed to output.library, which exposes the library to a subproperty

    Bugfixes

    • fix cases where __webpack_require__.e is used at runtime but is not defined in the bundle
    • fix behavior of externals of global type

    Performance

    • Some performance improvements to the chunk graph generation
  • 4.20.2 - 2018-09-25

    Bugfixes

    • keep comments in export default in concatenated modules
  • 4.20.1 - 2018-09-25

    Bugfixes

    • fix crash when using libraryTarget: "amd" without library name
  • 4.20.0 - 2018-09-25
  • 4.19.1 - 2018-09-18
  • 4.19.0 - 2018-09-13
  • 4.18.1 - 2018-09-13
  • 4.18.0 - 2018-09-10
  • 4.17.3 - 2018-09-10
  • 4.17.2 - 2018-09-03
  • 4.17.1 - 2018-08-22
  • 4.17.0 - 2018-08-21
  • 4.16.5 - 2018-08-06
  • 4.16.4 - 2018-08-02
  • 4.16.3 - 2018-07-27
  • 4.16.2 - 2018-07-23
  • 4.16.1 - 2018-07-16
  • 4.16.0 - 2018-07-11
  • 4.15.1 - 2018-07-05
  • 4.15.0 - 2018-07-04
  • 4.14.0 - 2018-06-29
  • 4.13.0 - 2018-06-28
  • 4.12.2 - 2018-06-27
  • 4.12.1 - 2018-06-24
  • 4.12.0 - 2018-06-08
  • 4.11.1 - 2018-06-06
  • 4.11.0 - 2018-06-05
  • 4.10.2 - 2018-05-30
  • 4.10.1 - 2018-05-29
  • 4.10.0 - 2018-05-28
  • 4.9.2 - 2018-05-28
  • 4.9.1 - 2018-05-25
  • 4.9.0 - 2018-05-25
  • 4.8.3 - 2018-05-12
  • 4.8.2 - 2018-05-11
  • 4.8.1 - 2018-05-07
  • 4.8.0 - 2018-05-07
  • 4.7.0 - 2018-05-04
from webpack GitHub release notes
Commit messages
Package name: compression-webpack-plugin The new version differs by 62 commits.

See the full diff

Package name: serialize-javascript The new version differs by 61 commits.

@Omrisnyk Omrisnyk mentioned this pull request Apr 30, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Omrisnyk @snyk-bot