[Snyk] Fix for 11 vulnerabilities #211
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908 - https://snyk.io/vuln/SNYK-JS-BABELTRAVERSE-5962463 - https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194 - https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905 - https://snyk.io/vuln/SNYK-JS-JSON5-3182856 - https://snyk.io/vuln/SNYK-JS-LODASHTEMPLATE-1088054 - https://snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660 - https://snyk.io/vuln/SNYK-JS-XMLDOM-1534562 - https://snyk.io/vuln/SNYK-JS-XMLDOM-3042242 - https://snyk.io/vuln/SNYK-JS-XMLDOM-3092935 - https://snyk.io/vuln/npm:clean-css:20180306
Micro-Learning Topic: OS command injection (Detected by phrase)Matched on "Command Injection"In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server. Try a challenge in Secure Code WarriorHelpful references
Micro-Learning Topic: Regular expression denial of service (Detected by phrase)Matched on "Regular Expression Denial of Service"Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability. Try a challenge in Secure Code WarriorMicro-Learning Topic: Weak input validation (Detected by phrase)Matched on "Improper Input Validation"Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Try a challenge in Secure Code WarriorHelpful references
Micro-Learning Topic: Denial of service (Detected by phrase)Matched on "Denial of Service"The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service Try a challenge in Secure Code WarriorMicro-Learning Topic: Prototype pollution (Detected by phrase)Matched on "Prototype Pollution"By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Try a challenge in Secure Code Warrior |
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.
Changes included in this PR
Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed
With an upgrade:
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
SNYK-JS-ANSIREGEX-1583908
Why? Has a fix available, CVSS 9.3
SNYK-JS-BABELTRAVERSE-5962463
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
SNYK-JS-BROWSERSLIST-1090194
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
SNYK-JS-GLOBPARENT-1016905
Why? Proof of Concept exploit, Has a fix available, CVSS 6.4
SNYK-JS-JSON5-3182856
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2
SNYK-JS-LODASHTEMPLATE-1088054
Why? Has a fix available, CVSS 7.5
SNYK-JS-UNSETVALUE-2400660
Why? Has a fix available, CVSS 6.5
SNYK-JS-XMLDOM-1534562
Why? Has a fix available, CVSS 8.5
SNYK-JS-XMLDOM-3042242
Why? Proof of Concept exploit, Has a fix available, CVSS 9.8
SNYK-JS-XMLDOM-3092935
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7
npm:clean-css:20180306
(*) Note that the real score may have changed since the PR was raised.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Improper Input Validation