[Snyk] Fix for 15 vulnerabilities #273

satoshinakamoto007 · 2022-06-03T23:08:30Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

⚠️

Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	No	No Known Exploit
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	No	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-AWSSDK-1059424	No	Proof of Concept
616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	No	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	No	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	No	Proof of Concept
344/1000 Why? Has a fix available, CVSS 2.6	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	No	No Known Exploit
539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit
520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	No	No Known Exploit
536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVERREGEX-1047770	No	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVERREGEX-1584358	No	No Known Exploit
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVERREGEX-1585624	No	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVERREGEX-2824151	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: ajv

The new version differs by 111 commits.

521c3a5 6.12.3
bd7107b Merge pull request Fixes #1190 github/docs#1229 from ajv-validator/dependabot/npm_and_yarn/mocha-8.0.1
9c26bb2 Merge pull request Fix the table overflowing sidebar github/docs#1234 from ajv-validator/dependabot/npm_and_yarn/eslint-7.3.1
c6a6daa Merge branch 'master' into dependabot/npm_and_yarn/mocha-8.0.1
15eda23 Merge branch 'master' into dependabot/npm_and_yarn/eslint-7.3.1
d6aabb8 test: remove node 8 from travis test
c4801ca Merge pull request Improve documentation issue no #1034 github/docs#1242 from ajv-validator/refactor
988982d ignore proto properties
f2b1e3d whitespace
65e3678 Merge pull request repo sync github/docs#1239 from GrahamLea/patch-1
68d72c4 update regex
9c009a9 validate numbers in multipleOf
332b30d Merge pull request calebromadan token contribution github/docs#1241 from ajv-validator/refactor
1105fd5 ignore proto properties
65b2f7d validate numbers in schemas during schema compilation
24d4f8f remove code post-processing
fd64fb4 Add link to CSP section in Security section
0e2c346 Add Contents link to CSP section
c581ff3 Clarify limitations of ajv-pack in README
0006f34 Document pre-compiled schemas for CSP in README
140cfa6 Merge pull request repo sync github/docs#1238 from cvlab/patch-1
e7f0c81 Fix mistype in README.md
54c96b0 Bump eslint from 6.8.0 to 7.3.1
854dbef Bump mocha from 7.2.0 to 8.0.1

See the full diff

Package name: aws-sdk

The new version differs by 250 commits.

8875a35 Updates SDK to v2.814.0
dd83d67 throw at invalid profile name in shared ini file (Seo github/docs#3585)
ee0c5a3 Updates SDK to v2.813.0
468d15b Updates SDK to v2.812.0
c50132f Update README.md with references to JS SDK V3 ([GitHub Desktop] Update preference/options menu github/docs#3582)
3e19b08 Updates SDK to v2.811.0
f26c00d Updates SDK to v2.810.0
b393a6e Adds automatic PreSignedUrl generation to RDS.StartDBInstanceAutomatedBackupsReplication (Affan0078 github/docs#3566)
fa57967 Updates SDK to v2.809.0
9a52018 Updates SDK to v2.808.0
1958076 Updates SDK to v2.807.0
ffcad20 Updates SDK to v2.806.0
2f37893 chore: remove cognitoidentity customizations to disable auth (https://www.google.com/url?sa=t&source=web&rct=j&url=https://github.c… github/docs#3543)
c6fe3c0 Updates SDK to v2.805.0
71d6fa9 Fix dual-callback case (Update githubs-products.md github/docs#3537)
b981971 Updates SDK to v2.804.0
332573f Updates SDK to v2.803.0
deb7bc7 Updates SDK to v2.802.0
b6401d0 Remove incorrectly named service named 'Profile' (#3562)
3364d4b Updates SDK to v2.801.0
d400577 Updates SDK to v2.800.0
21c7dc0 Updates SDK to v2.799.0
d2b8964 Updates SDK to v2.798.0
44ded82 fix: test IAM.getUser instead of listUsers (This issue is stale because it has been open 60 days with no activity. github/docs#3542)

See the full diff

Package name: husky

The new version differs by 58 commits.

b9a0917 4.3.7
839d84a update pkg-dir dependency and some devDependencies
6a1b3da Upgrade find-versions to 4.0.0 ([Snyk] Security upgrade cheerio from 1.0.0-rc.3 to 1.0.0 #837)
cbb0af7 4.3.6
eb1eeb8 fix prepare-commit-msg on windows ([Snyk] Upgrade aws-sdk from 2.610.0 to 2.1574.0 #737)
65bc6e5 Update README.md
cbd0e06 add prepare-commit-msg test
992c1e0 4.3.5
642af0c rollback do not exit with 1 if install fails
ccb71b2 Update README.md
3c43bd5 4.3.4
1e1b289 update error message
b29ee2b 4.3.3
fd0233e ignore tsconfig.tsbuildinfo
a5f1259 4.3.2
41472b7 provide workaround for npm7
6dc9a51 4.3.1
033a2ae exit with 1 if husky fails to install/uninstall
38a7163 update gitignore
eff9aa3 Update README.md
b616d84 Changed create-react-app repo url ([Snyk] Upgrade aws-sdk from 2.610.0 to 2.1598.0 #759)
bb0c414 Update README.md
b05e72f Update node.js.yml
44e02bd Update node.js.yml

See the full diff

Package name: pa11y-ci

The new version differs by 33 commits.

efad302 Fix minimum node version in README
28f161a Version 3.0.0
52fd274 Fix error with absolute paths on Windows ([Snyk] Upgrade instantsearch.js from 4.8.2 to 4.34.0 #82)
6b2d4f5 Replace chalk with kleur
4e5bc51 use https where possible
5c842cf Add support for reporters ([Snyk] Upgrade sass from 1.26.3 to 1.49.1 #129)
40ba01a Replace make with npm scripts and update Node versions ([Snyk] Security upgrade debian from 9.5-slim to stretch-slim #139)
1374cd7 Bump deps to match versions used by pa11y v6
fb86a33 Update test matrix to LTS node (12, 14, 16)
edabbeb Update package lock
e5dbbc7 Replace chalk with kleur
96a3882 Chance concurrency and incognito mode defaults
9de41f3 Version 2.4.2
7cb5bd8 Replace npmignore with allow list for consistency
fefa70b Retry launching browser if first time fails
6846233 Adds example of running pa11y-ci in Docker ([Snyk] Security upgrade debian from 9.5-slim to stretch-slim #137)
00ac4f9 refactor(npm): remove unnecessary files from package ([Snyk] Upgrade instantsearch.js from 4.8.2 to 4.37.2 #126)
18f1e60 Version 2.4.1 ([Snyk] Security upgrade debian from 9.5-slim to stretch-slim #135)
d0843ab Pin puppeteer version to avoid downloading twice ([Snyk] Security upgrade debian from 9.5-slim to stretch-slim #134)
830d5a6 Update integration tests to remove DNS dependencies ([Snyk] Upgrade: @babel/core, @babel/plugin-transform-runtime, @babel/preset-env, @babel/runtime #133)
cda8b5a Replace Travis with GH Actions
7da3907 Version 2.4.0 ([Snyk] Security upgrade debian from 9.5-slim to stretch-20211201-slim #119)
2ba2d91 Allow only bugfix update in dependencies ([Snyk] Security upgrade debian from 9.5-slim to stretch-20211201-slim #117)
eadb710 Run the changelog through markdownlint ([Snyk] Security upgrade debian from 9.5-slim to stretch-20211201-slim #118)

See the full diff

Package name: standard

The new version differs by 26 commits.

558df00 14.3.2
a8e318e Add changelog entry for 14.3.2
133a4c9 Merge pull request repo sync github/docs#1492 from standard/eslint68
a2df23b Upgrade ESLint to 6.8.x
fb7e2a3 remove sponsor
ecda198 Update README.md
4bc1671 Update README.md
e514626 add sponsor
2b86c68 spacing
a702d2e Reposition CodeFund sponsorship link (Bitcoin signed message github/docs#1446)
a28b5d0 Reposition CodeFund sponsorship link
0f86fb9 Merge pull request Bitcoin signed message github/docs#1445 from ZY2071/master
b4726d7 perf: Change the examples for rule 'No octal literals' .
4bdaa2f perf: make the rule 'No octal literals' more specific.
f5d758e Update README-ja.md for d901c54 (Update getting-started-with-github-pages.md github/docs#1435)
be249c3 Update README-ja.md for d901c54
cfb84fa Update README.md with working Typescript setup (repo sync github/docs#1434)
f4d3113 Update links to correct organization in README (repo sync github/docs#1433)
d901c54 Update README.md with working Typescript setup
809e78a Update README-ja.md for 3e6b299 (✌️💙😉 github/docs#1432)
91bc8fb Update README-ja.md for 3e6b299
3e6b299 Update README.md
d5c7ded Add CodeFund sponsorship message to README (Improve double table of contents github/docs#1425)
c4f168e fix typo ([email protected] github/docs#1423)

See the full diff

Package name: start-server-and-test

The new version differs by 4 commits.

ab5aa14 fix(deps): update dependency wait-on to v5.2.1
0d91ce9 fix(deps): update dependency debug to v4.3.1
0d3d11e fix: handle case when not running in a nodejs module dir ([Snyk] Upgrade aws-sdk from 2.610.0 to 2.1140.0 #284)
6a72aa7 fix(deps): update dependency debug to v4.2.0

See the full diff