Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 5 vulnerabilities #7

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 5 vulnerabilities #7

wants to merge 1 commit into from

Conversation

luizfernandorg
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Server-side Request Forgery (SSRF)
SNYK-JS-REQUEST-3361831		 Yes Proof of Concept
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Prototype Pollution
SNYK-JS-TOUGHCOOKIE-5672873		 Yes Proof of Concept
medium severity 539/1000
Why? Has a fix available, CVSS 6.5		 Improper Input Validation
SNYK-JS-XMLDOM-1534562		 Yes No Known Exploit
high severity 639/1000
Why? Has a fix available, CVSS 8.5		 Prototype Pollution
SNYK-JS-XMLDOM-3042242		 Yes No Known Exploit
critical severity 811/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 9.8		 Improper Input Validation
SNYK-JS-XMLDOM-3092935		 Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: asar The new version differs by 80 commits.
  • 2ec15c1 Merge pull request #165 from electron/cut-snapshot
  • f567bcf chore: upgrade mocha to ^6.0.0
  • 217c5c8 chore: upgrade electron to 4.0.5
  • ceebeff feat: convert the public API to Promises
  • f490a8b chore: convert Filesystem.insertFile to Promises
  • 4e7b54d chore: rename/refactor isUnpackDir -> isUnpackedDir
  • 54d0754 chore: better variable name
  • c8e70f5 chore: convert to use tmp-promise
  • d091430 chore: use Promise.all when crawling filesystem
  • 1fbf562 chore: promisify glob usage
  • f44fe4b chore: promisify tests
  • 4a7df72 fix: typo in API docs
  • ad89e46 chore: upgrade Electron dev-dependency to a recent version
  • dd32750 chore: stick with Node 6 for now
  • 6058a1c fix: Fix standard issues and deprecations
  • 137901a chore: Update dependencies
  • f574c9c fix: Use buffer.alloc
  • 93fdf6e fix: Cut snapshot
  • 108fab1 0.14.6
  • b41c693 Update dependencies
  • 2051b9c remove stat parameter from insertLink() (#161)
  • c2d3d86 Merge pull request #159 from Appuls/Appuls/bugfix/createPackageFromFiles-regression
  • b4eeb46 Windows-style paths are only unit tested on WIndows.
  • 8026100 Normalized filepaths, added unit tests for windows path separators.

See the full diff

Package name: plist The new version differs by 30 commits.
  • 5e0d06e 3.0.4
  • fa8e184 inline xmldom@0.6.0 to avoid false positive security message. Fixes #110, #111
  • a0bd0d0 3.0.3
  • dfb43f4 Merge pull request #109 from minhnguyen0712/master
  • 5af9758 ⬆️ Bump xmldom
  • 5877ec7 remove flaky saucelabs testing status badge
  • 276c657 3.0.2
  • 9b6af11 revert mocha because newer versions don't run on node versions this old
  • e828f84 update deps
  • e7b0394 removing safari because I can't get it to run in sauce with zuul
  • c33edbe try an older version of safari
  • 1f13bd7 revert sauce connect
  • 6fa1022 specify specific tunnel id for sauce
  • ee3c545 revert zuul dependency to see if that fixes saucelabs build
  • e538eb4 reduce travis testing matrix size
  • eb28b45 adding sauceconnect to see if that solves the local tunnel problem
  • 3a8004a update saucelabs credentials in travis file
  • 56c5a74 travis: revert config
  • eaf1ca7 move saucelabs credentials to travis env variables
  • eaf1af8 update minor deps
  • 3821f55 update travis config to fix all warnings
  • 9ec848e update sauce labs integration using my account
  • af45b08 give credit to sauce labs for providing free open source testing resources
  • 1628c6e 3.0.1

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-side Request Forgery (SSRF)
🦉 Prototype Pollution
🦉 Improper Input Validation

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@luizfernandorg @snyk-bot