New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 15 vulnerabilities #48

Open

o1898 wants to merge 1 commit into master from snyk-fix-f1660f7370cc95a599ead0a9b15698f3

Owner

o1898 commented Oct 5, 2022

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	701/1000 Why? Mature exploit, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	No	Mature
	711/1000 Why? Mature exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-JQUERY-567880	No	Mature
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Certificate Validation SNYK-JS-NODESASS-1059081	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SCSSTOKENIZER-2339884	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-536840	No	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Arbitrary Code Injection SNYK-JS-SERIALIZEJAVASCRIPT-570062	No	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @rails/webpacker

The new version differs by 206 commits.

745837a 5.2.2
21e2e6a Bump deps and remove node-sass (LG-1388 webauthn hide on disabled js 18F/identity-idp#2997)
6fbacc8 Merge pull request Adds FMCSA National Registry production configuration 18F/identity-idp#2903 from pedrofurtado/5-x-stable
27a42bf Update ruby.yml
b46ce72 Update file.js (Fix utf8 errors in headers and cookies and invalid parameter errors 18F/identity-idp#2902)
2f0f955 Support to Yarn v2/berry for webpacker 5.x (Replace some AR calls to first with take 18F/identity-idp#2889)
9ec5daa 5.2.1
e0b693d Revert "set Webpacker logger to tagged when rails TaggedLogging (Fix squashed accordion icon on mobile 18F/identity-idp#1311)"
38e3028 Fix test
b7eb831 5.2.0
f929500 Update webpack dependencies (Add more email domains for .gov piv/cac support 18F/identity-idp#2692)
905b8ab Update terser-webpack-plugin (LG-834 Limit field lengths 18F/identity-idp#2687)
63ff6e4 Minor dependency bump (LG-742 Override password strength meter to not show green if < 12 chars 18F/identity-idp#2686)
370fbfd Lint
df050da Update debugging instructions (Change the indexes in Rails link in PR template 18F/identity-idp#2422)
92a1fdc environment.plugins.get('Manifest').opts is now environment.plugins.get('Manifest').options. (LG43 remove equifax from application 18F/identity-idp#2434)
04540f8 Fix doc spacing in helper.rb (Adjust response code for SMS reply 18F/identity-idp#2325)
6d64a51 Allows setting of parallelization options (Add temporary mailer 18F/identity-idp#2093)
76c174b set Webpacker logger to tagged when rails TaggedLogging (Fix squashed accordion icon on mobile 18F/identity-idp#1311)
409009b Documentation for target browsers (LG-768 Create event for personal key as 2FA 18F/identity-idp#2634)
c71dc65 Remove default from rules (LG-575 Add a phone 18F/identity-idp#2662)
82a1332 Use ruby/setup-ruby@v1 (Testing out PR creation 18F/identity-idp#2618)
8cafa21 Remove default value from transform-runtime (Deploy RC 71 to staging 18F/identity-idp#2666)
26109b3 Fix file-loader compat issue in webpacker 5 (Add mfa_enabled field to Users table 18F/identity-idp#2668)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
🦉 Arbitrary File Write
🦉 Arbitrary File Write
🦉 More lessons are available in Snyk Learn


          fix: package.json, package-lock.json & .snyk to reduce vulnerabilities

ced325e

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-JQUERY-565129
- https://snyk.io/vuln/SNYK-JS-JQUERY-567880
- https://snyk.io/vuln/SNYK-JS-NODESASS-1059081
- https://snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884
- https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-536840
- https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-570062
- https://snyk.io/vuln/SNYK-JS-TAR-1536528
- https://snyk.io/vuln/SNYK-JS-TAR-1536531
- https://snyk.io/vuln/SNYK-JS-TAR-1536758
- https://snyk.io/vuln/SNYK-JS-TAR-1579147
- https://snyk.io/vuln/SNYK-JS-TAR-1579152
- https://snyk.io/vuln/SNYK-JS-TAR-1579155
- https://snyk.io/vuln/SNYK-JS-TRIMNEWLINES-1298042


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/SNYK-JS-LODASH-567746

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet