[Snyk] Fix for 2 vulnerabilities #37

abood640 · 2024-05-13T19:57:48Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Uncontrolled resource consumption SNYK-JS-BRACES-6838727	Yes	No Known Exploit
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: webpack

The new version differs by 250 commits.

610f368 5.0.0
5ce65c1 update examples
bbe1230 Merge pull request repo sync github/docs#11628 from webpack/bugfix/real-content-hash
75ecff2 5.0.0-rc.6
bfc35d6 Merge pull request Additional TOTP options github/docs#11603 from MayaWolf/master
76e8cbd Merge pull request repo sync github/docs#11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
36bcfaa Merge pull request Tweak AWS OIDC instructions github/docs#11621 from webpack/bugfix/11619
9130d10 fix called variables with ProvidePlugin
3e42105 Merge pull request OIDC cloud-specific docs are missing environment variables github/docs#11620 from webpack/bugfix/11617
4709719 skip connections copied to concatenated module
57b493f 5.0.0-rc.5
1658e2f Merge pull request repo sync github/docs#11618 from webpack/bugfix/11615
a8fb45d fixes crash in SideEffectsFlagPlugin
84b196d emit error instead of crashing when unexpected problem occurs
5573fed Merge pull request Patch 2 github/docs#11601 from Hornwitser/improve-suggested-polyfill-config
9b5cce9 Merge pull request repo sync github/docs#11609 from snitin315/export-types
37c495c export type RuleSetUseItem
39faf34 export type RuleSetUse
e5fd246 export type RuleSetConditionAbsolute
660baad export RuleSetCondition types
13e3ca5 Merge pull request Beaconcha.in ETH2 API 1.0 github/docs#11602 from webpack/bugfix/shared-runtime-chunk
9c0587e Merge pull request Index.Md github/docs#11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
502d166 Merge pull request https://maps.app.goo.gl/?link=https://www.google.com/maps/dir///@35.7…https://maps.app.goo.gl/?link=https://www.google.com/maps/dir///@35.7761024,50.970624,10z/data%3D!4m5!4m4!1m1!4e2!1m0!3e2?entry%3Dml&apn=com.google.android.apps.maps&amv=914018424&isi=585027354&ibi=com.google.Maps&ius=comgooglemapsurl&utm_campaign=ml_promo&ct=ml-nonlu-md-dc-en&mt=8&pt=9008&cid=5697265834171445826&_fpb=CLgEEMACGgVlbi1VUw==&_cpt=cpit&_iumenbl=1&_iumchkactval=1&_plt=3691&_uit=2653&_cpb=1&_icp=1 github/docs#11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Package name: webpack-cli

The new version differs by 250 commits.

fb50f76 chore(release): publish new version
2c75aeb chore: new version of the packages
0d05c30 chore(release): publish %s
3f9e151 chore: fix lerna config
2c1e34c tests(generator): enhance init generator tests (Is it possible to migrate an OAuth app to Github app without asking users to re-authenticate? github/docs#1236)
6ee61b9 Fix loader-generator and plugin-generator tests ($fuckchrisknight 041215663 1318664565848 github/docs#1250)
52956a2 Fixing the typos and grammatical errors in Readme files (content/rest/index.mdUpdate index.md github/docs#1246)
7faaed2 chore: update Bug_report & Feature_request Templates (Improve docs to be more explanatory github/docs#1256)
7a5b33d feat(webpack-cli): added mode argument (Explain how to use environment variables in a test matrix github/docs#1253)
3715756 tests(webpack-cli): add test case for defaults flag (Explain how to use environment variables in a test matrix github/docs#1254)
a7cba2f chore: project maintanance and typescript fix (repo sync github/docs#1247)
7748472 chore: ignore package-lock.json and remove its references (Remove extraneous grammar period which breaks the compare URL github/docs#1252)
a014aa7 docs: fix supported arguments & commands link in README (Dashboard github/docs#1244)
06129a1 feat(webpack-cli): add progress bar for progress flag (repo sync github/docs#1238)
6cc6a49 chore: post refactor CLI (Update restriction github/docs#1237)
358651e chore: move cli under lerna package (Update about-the-dependency-graph.md github/docs#1225)
2dc495a fix(init): fix webpack config scaffold (Avoid use branch for example workflows github/docs#1231)
1ab62d2 tests(generator): add tests for plugin generator (repo sync github/docs#1235)
d2dd0c1 tests(sourcemap): fix flaky stats statement (SystemformNuch1991 github/docs#1232)
f6dc680 tests(loader-generator): add tests for loader generator (Fix the table overflowing sidebar github/docs#1234)
35d1381 tests(generator): enable init generator test (index.md github/docs#1233)
66cdcb6 chore(generator): remove transpiled tests (Fixes #1190 github/docs#1229)
f29a170 fix(init): fix the invalid package name (Issue: Improve existing docs github/docs#1228)
8c3a66d chore(cli): updated changelog of v3 (Add note that secret scanning endpoints should be able to handle larg… github/docs#1224)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Uncontrolled resource consumption

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-BRACES-6838727 - https://snyk.io/vuln/SNYK-JS-MICROMATCH-6838728

socket-security · 2024-05-13T19:58:28Z

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@babel/[email protected]	environment	`0`	24.1 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	4.02 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	502 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	6.56 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	21.6 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	107 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	63.8 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	158 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	6.66 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	130 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	32.2 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	14.1 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	5.96 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	10.7 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	31.7 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	49.2 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	11.7 kB	nicolo-ribaudo
npm/@babel/[email protected]	environment	`0`	20.3 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	1.89 MB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	5.42 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	4.14 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	6.87 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	17.7 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	42.4 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	201 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	9.08 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	21.5 kB	nicolo-ribaudo
npm/@babel/[email protected]	environment, filesystem, unsafe	`0`	62 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	`0`	68.9 kB	nicolo-ribaudo
npm/@babel/[email protected]	environment	`0`	2.41 MB	nicolo-ribaudo
npm/@gar/[email protected]	None	`0`	4.2 kB	gar
npm/@graphql-tools/[email protected]	environment	`0`	125 kB	ardatan
npm/@graphql-tools/[email protected]	None	`0`	267 kB	ardatan
npm/@graphql-tools/[email protected]	None	`0`	64.8 kB	ardatan
npm/@graphql-tools/[email protected]	None	`0`	483 kB	ardatan
npm/@jridgewell/[email protected]	None	`0`	81.6 kB	jridgewell
npm/@jridgewell/[email protected]	None	`0`	53.2 kB	jridgewell
npm/@jridgewell/[email protected]	None	`0`	17.9 kB	jridgewell
npm/@jridgewell/[email protected]	None	`0`	177 kB	jridgewell
npm/@jridgewell/[email protected]	None	`0`	45.9 kB	jridgewell
npm/@jridgewell/[email protected]	None	`0`	169 kB	jridgewell
npm/@mrmlnc/[email protected]	filesystem	`0`	53.9 kB	mrmlnc
npm/@npmcli/[email protected]	filesystem	`0`	41.9 kB	nlf
npm/@types/[email protected]	None	`0`	6.27 kB	types
npm/@types/[email protected]	None	`0`	192 kB	types
npm/@types/[email protected]	None	`0`	22.6 kB	types
npm/@types/[email protected]	None	`0`	31.7 kB	types
npm/@webpack-cli/[email protected]	filesystem	`0`	159 kB	evilebottnawi
npm/@webpack-cli/[email protected]	None	`0`	6.38 kB	evilebottnawi
npm/@webpack-cli/[email protected]	None	`0`	7.32 kB	evilebottnawi
npm/@webpack-cli/[email protected]	environment	`0`	17.4 kB	evilebottnawi
npm/[email protected]	None	`0`	6.69 kB	sindresorhus
npm/[email protected]	eval	`0`	929 kB	esp
npm/[email protected]	None	`0`	16.4 kB	sindresorhus
npm/[email protected]	None	`0`	8.94 kB	75lb
npm/[email protected]	None	`0`	3.06 kB	sindresorhus
npm/[email protected]	None	`0`	484 kB	benjamn
npm/[email protected]	None	`0`	808 kB	aearly
npm/[email protected]	None	`0`	1.53 kB	loganfsmyth
npm/[email protected]	None	`0`	15.3 kB	bevryme
npm/[email protected]	filesystem	`0`	76.3 kB	nlf
npm/[email protected]	None	`0`	3.79 kB	limulus
npm/[email protected]	None	`0`	2.5 kB	sindresorhus
npm/[email protected]	filesystem	`0`	74.8 kB	runk
npm/[email protected]	None	`0`	4.37 kB	sindresorhus
npm/[email protected]	None	`0`	17.3 kB	quasistar
npm/[email protected]	environment	`0`	11.5 kB	knownasilya
npm/[email protected]	None	`0`	4.28 kB	phated
npm/[email protected]	filesystem	`0`	3.71 kB	hughsk
npm/[email protected]	None	`0`	21.8 kB	matteo.collina
npm/[email protected]	environment	`0`	39.5 kB	dabh
npm/[email protected]	None	`0`	19.7 kB	75lb
npm/[email protected]	None	`0`	3.72 kB	floatdrop
npm/[email protected]	environment, filesystem, shell	`0`	21.2 kB	satazor
npm/[email protected]	None	`0`	10.6 kB	sindresorhus
npm/[email protected]	None	`0`	15 kB	doowb
npm/[email protected]	None	`0`	622 kB	kpdecker
npm/[email protected]	network	`0`	31.4 kB	doowb
npm/[email protected]	environment	`0`	59.4 kB	bevryme
npm/[email protected]	eval, filesystem	`0`	129 kB	mde
npm/[email protected]	unsafe	`0`	210 kB	evilebottnawi
npm/[email protected]	environment, eval, filesystem, shell	`0`	162 kB	tabrindle
npm/[email protected]	None	`0`	33.6 kB	bevryme
npm/[email protected]	None	`0`	20 kB	raynos
npm/[email protected]	environment, filesystem, shell	`0`	27 kB	mrkmg
npm/[email protected]	None	`0`	12.1 kB	sindresorhus
npm/[email protected]	filesystem	`0`	18.6 kB	mde
npm/[email protected]	filesystem	`0`	7.12 kB	phated
npm/[email protected]	None	`0`	8.01 kB	sindresorhus
npm/[email protected]	None	`0`	727 kB	flowtype
npm/[email protected]	None	`0`	31.4 kB	ljharb
npm/[email protected]	environment	`0`	5.26 kB	sindresorhus
npm/[email protected]	None	`0`	3.31 kB	sindresorhus
npm/[email protected]	None	`0`	18.1 kB	nickfitzgerald
npm/[email protected]	filesystem	`0`	55.1 kB	isaacs
npm/[email protected]	environment, filesystem	`0`	32.5 kB	isaacs
npm/[email protected]	None	`0`	7.58 kB	sboudrias
npm/[email protected]	None	`0`	8.77 kB	ljharb
npm/[email protected]	network	`0`	53.1 kB	szmarczak
npm/[email protected]	unsafe	`0`	4.91 kB	sindresorhus
npm/[email protected]	None	`0`	84.5 kB	sboudrias
npm/[email protected]	None	`0`	17.2 kB	phated
npm/[email protected]	None	`0`	30.2 kB	ljharb
npm/[email protected]	None	`0`	13.6 kB	phated
npm/[email protected]	None	`0`	2.47 kB	sindresorhus
npm/[email protected]	None	`0`	2.51 kB	sindresorhus
npm/[email protected]	None	`0`	3.54 kB	sindresorhus
npm/[email protected]	None	`0`	4.34 kB	wayfind
npm/[email protected]	filesystem	`0`	12.5 kB	gjtorikian
npm/[email protected]	None	`0`	57.3 kB	bevryme
npm/[email protected]	environment, filesystem, shell	`0`	175 kB	mde
npm/[email protected]	environment, shell	`0`	66.9 kB	simenb
npm/[email protected]	None	`0`	170 kB	flowtype
npm/[email protected]	None	`0`	36.8 kB	creationix
npm/[email protected]	None	`0`	0 B
npm/[email protected]	eval, filesystem	`0`	18.4 kB	sokra
npm/[email protected]	None	`0`	4.58 kB	sindresorhus
npm/[email protected]	filesystem	`0`	17 kB	sboudrias
npm/[email protected]	None	`0`	2.83 kB	sboudrias

View full report↗︎

socket-security · 2024-05-13T19:58:31Z

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Install scripts	npm/[email protected]	Install script: postinstall Source: `node ./postinstall.js`	`package-lock.json`

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

@SocketSecurity ignore npm/[email protected]

fix: package.json & package-lock.json to reduce vulnerabilities

b6089fe

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-BRACES-6838727 - https://snyk.io/vuln/SNYK-JS-MICROMATCH-6838728

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 2 vulnerabilities #37

[Snyk] Fix for 2 vulnerabilities #37

abood640 commented May 13, 2024

socket-security bot commented May 13, 2024

socket-security bot commented May 13, 2024

[Snyk] Fix for 2 vulnerabilities #37

Are you sure you want to change the base?

[Snyk] Fix for 2 vulnerabilities #37

Conversation

abood640 commented May 13, 2024

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

socket-security bot commented May 13, 2024

socket-security bot commented May 13, 2024

Next steps