[Snyk] Security upgrade simple-git from 3.5.0 to 3.15.0 #56

naiba4 · 2024-04-23T19:09:42Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

⚠️

Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-SIMPLEGIT-3112221	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: simple-git

The new version differs by 96 commits.

e1d66b6 Merge pull request Register mce plugin scripts WordPress/gutenberg#863 from steveukx/changeset-release/main
d4764bf Version Packages
7746480 Chore: bump lerna, jest and create prettier workflow (Chrome: Adding the trash post link to the sidebar WordPress/gutenberg#862)
47030d5 Merge pull request Show UI on text selection WordPress/gutenberg#861 from steveukx/security/protocols
6b3c631 Create the `unsafe` plugin to configure how `simple-git` treats known potentially unsafe operations.
3324eed Merge pull request Sidebar: Add Featured Image panel WordPress/gutenberg#855 from steveukx/changeset-release/main
e459622 Version Packages
2ea0231 Merge pull request Sidebar: Categories & Tags panel WordPress/gutenberg#854 from steveukx/chore/update-lerna
5a2e7e4 Add version parsing support for non-numeric patches (to include built… (Sidebar: Link to latest revision WordPress/gutenberg#853)
88fee05 Chore: bump lerna to latest `5.5.1`
0f964ba Merge pull request Add full-content tests for parsing + blocks list + serialization WordPress/gutenberg#849 from steveukx/changeset-release/main
6460a1f Version Packages
4259b26 Create interface for retrieving git version information (Add/147 table block (alternate vision) WordPress/gutenberg#850)
19029fc Abort plugin (Fix a few issues with saving post titles, dirty handling, etc. WordPress/gutenberg#848)
1cd0dac Merge pull request Docs and API: clarify naming around block registration WordPress/gutenberg#842 from steveukx/changeset-release/main
ee801ae Version Packages
d0dceda Allow using just one of `from` and `to` in the `git.log` options. (Add accessibleFocus utility. WordPress/gutenberg#846)
6b3e05c Share test utilities (Quote: add citation placeholder. WordPress/gutenberg#843)
a975980 Merge pull request Chrome: Adding the post date picker to schedule posts WordPress/gutenberg#841 from steveukx/feat/remove-legacy-promise
87b0d75 Changeset
670d854 Remove `/promise` type definitions, allow JavaScript to `require('simple-git/promise')` with deprecation notice written to `console.error`
bf97246 Revert "Remove ability to import `/promise` types and throw when required."
1631776 Remove legacy promise integration test
2ac1d3f Remove ability to import `/promise` types and throw when required.

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Remote Code Execution (RCE)

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221

vercel · 2024-04-23T19:09:46Z

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
gutenberg	❌ Failed (Inspect)			Apr 23, 2024 7:17pm
gutenberg-wd9x	❌ Failed (Inspect)			Apr 23, 2024 7:17pm

socket-security · 2024-04-23T19:10:32Z

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@actions/core@1.9.1	environment, filesystem Transitive: network	`+2`	260 kB	thboop
npm/@actions/github@5.0.0	environment, filesystem Transitive: network	`+13`	4.49 MB	thboop
npm/@ariakit/react@0.3.12	None	`+5`	3.57 MB	ariakit-bot
npm/@ariakit/test@0.3.7	None	`+1`	1.46 MB	ariakit-bot
npm/@axe-core/puppeteer@4.0.0	None	`0`	44.4 kB	npmdeque
npm/@babel/core@7.16.0	environment, filesystem, unsafe	`+32`	8.06 MB	nicolo-ribaudo
npm/@babel/eslint-parser@7.16.0	unsafe	`+1`	127 kB	nicolo-ribaudo
npm/@babel/plugin-proposal-export-namespace-from@7.18.9	None	`+2`	18.8 kB	nicolo-ribaudo
npm/@babel/plugin-syntax-jsx@7.16.0	None	`+1`	14.6 kB	nicolo-ribaudo
npm/@babel/plugin-transform-runtime@7.16.0	unsafe Transitive: environment	`+5`	2.57 MB	nicolo-ribaudo
npm/@babel/runtime-corejs3@7.16.0	None	`0`	216 kB	nicolo-ribaudo
npm/@babel/traverse@7.16.0	Transitive: environment	`+18`	5.56 MB	nicolo-ribaudo
npm/@emotion/babel-plugin@11.3.0	environment	`+7`	2.78 MB	emotion-release-bot
npm/@emotion/cache@11.7.1	environment	`+3`	151 kB	emotion-release-bot
npm/@emotion/css@11.7.1	environment	`+10`	3.2 MB	emotion-release-bot
npm/@emotion/jest@11.7.1	environment	`+2`	144 kB	emotion-release-bot
npm/@emotion/native@11.0.0	environment	`+3`	212 kB	emotion-release-bot
npm/@emotion/react@11.7.1	environment	`+2`	587 kB	emotion-release-bot
npm/@emotion/serialize@1.1.2	environment	`+1`	65.6 kB	emotion-release-bot
npm/@emotion/styled@11.6.0	environment	`+1`	227 kB	emotion-release-bot
npm/@emotion/utils@1.2.1	environment	`0`	18.3 kB	emotion-release-bot
npm/@geometricpanda/storybook-addon-badges@2.0.1	Transitive: environment, eval, filesystem, network, unsafe	`+48`	10.1 MB	geometricpandadev
npm/@octokit/request-error@2.1.0	None	`0`	21.9 kB	octokitbot
npm/@octokit/rest@16.26.0	Transitive: network	`+6`	2.81 MB	octokitbot
npm/@octokit/types@6.34.0	None	`+1`	1.76 MB	octokitbot
npm/@octokit/webhooks-types@5.6.0	None	`0`	162 kB	octokitbot
npm/@octokit/webhooks@7.1.0	None	`0`	210 kB	octokitbot
npm/@playwright/test@1.39.0	None	`0`	25.3 kB	aslushnikov
npm/@pmmmwh/react-refresh-webpack-plugin@0.5.11	environment, filesystem Transitive: network	`+2`	441 kB	pmmmwh
npm/@react-native-clipboard/clipboard@1.11.2	None	`0`	176 kB	naturalclar
npm/@react-native-community/blur@4.2.0	None	`0`	300 kB	titozzz
npm/@react-native-masked-view/masked-view@0.2.9	None	`0`	58.2 kB	naturalclar
npm/@react-native/gradle-plugin@0.72.11	None	`0`	155 kB	react-native-bot
npm/@react-navigation/core@5.12.0	environment	`0`	971 kB	satya164
npm/@react-navigation/native@6.0.14	environment	`+3`	1.49 MB	satya164
npm/@react-navigation/routers@5.4.9	None	`0`	237 kB	satya164
npm/@react-navigation/stack@6.3.5	Transitive: environment	`+1`	1.14 MB	satya164
npm/@react-spring/web@9.5.5	environment	`+5`	448 kB	tdfka_rick
npm/@storybook/addon-a11y@7.2.2	Transitive: environment, eval, network	`+42`	8.7 MB	shilman
npm/@storybook/addon-actions@7.2.2	Transitive: environment, eval, network	`+39`	8.51 MB	shilman
npm/@storybook/addon-controls@7.2.2	Transitive: environment, eval, filesystem, network, unsafe	`+48`	10 MB	shilman
npm/@storybook/addon-docs@7.2.2	Transitive: environment, eval, filesystem, network, unsafe	`+79`	23.5 MB	shilman
npm/@storybook/addon-toolbars@7.2.2	Transitive: environment, eval, network	`+39`	8.49 MB	shilman
npm/@storybook/addon-viewport@7.2.2	Transitive: environment, eval, network	`+39`	8.5 MB	shilman
npm/@storybook/react-webpack5@7.2.2	Transitive: environment, eval, filesystem, network, shell, unsafe	`+122`	21.3 MB	shilman
npm/@storybook/react@7.2.2	Transitive: environment, filesystem, network, unsafe	`+16`	3.94 MB	shilman
npm/@storybook/source-loader@7.2.2	filesystem	`+3`	351 kB	shilman

🚮 Removed packages: npm/@docusaurus/core@2.4.1, npm/@docusaurus/module-type-aliases@2.4.1, npm/@docusaurus/preset-classic@2.4.1, npm/@mdx-js/react@1.6.22, npm/clsx@1.2.1, npm/docusaurus-lunr-search@2.4.1, npm/prism-react-renderer@1.3.5, npm/react-dom@17.0.2, npm/react@17.0.2

View full report↗︎

socket-security · 2024-04-23T19:10:35Z

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Filesystem access	npm/puppeteer-core@2.1.1	Module: fs Location: Package overview	orphan: npm/puppeteer-core@2.1.1
Environment variable access	npm/puppeteer-core@2.1.1	Env Vars: PUPPETEER_CHROMIUM_REVISION Location: Package overview	orphan: npm/puppeteer-core@2.1.1
Environment variable access	npm/puppeteer-core@2.1.1	Env Vars: PUPPETEER_EXECUTABLE_PATH Location: Package overview	orphan: npm/puppeteer-core@2.1.1
Environment variable access	npm/puppeteer-core@2.1.1	Env Vars: npm_config_puppeteer_executable_path Location: Package overview	orphan: npm/puppeteer-core@2.1.1
Environment variable access	npm/puppeteer-core@2.1.1	Env Vars: npm_package_config_puppeteer_executable_path Location: Package overview	orphan: npm/puppeteer-core@2.1.1
Environment variable access	npm/puppeteer-core@2.1.1	Env Vars: npm_package_config_puppeteer_product Location: Package overview	orphan: npm/puppeteer-core@2.1.1
Environment variable access	npm/puppeteer-core@2.1.1	Env Vars: npm_config_puppeteer_product Location: Package overview	orphan: npm/puppeteer-core@2.1.1
Environment variable access	npm/puppeteer-core@2.1.1	Env Vars: PUPPETEER_PRODUCT Location: Package overview	orphan: npm/puppeteer-core@2.1.1
Uses eval	npm/puppeteer-core@2.1.1	Eval Type: Function Location: Package overview	orphan: npm/puppeteer-core@2.1.1
Network access	npm/puppeteer-core@2.1.1	Module: https Location: Package overview	orphan: npm/puppeteer-core@2.1.1
Network access	npm/puppeteer-core@2.1.1	Module: https-proxy-agent Location: Package overview	orphan: npm/puppeteer-core@2.1.1
New author	npm/puppeteer-core@2.1.1	New Author: hanselfmu Previous Author: mathias	orphan: npm/puppeteer-core@2.1.1
Environment variable access	npm/puppeteer-core@2.1.1	Env Vars: Location: Package overview	orphan: npm/puppeteer-core@2.1.1
Shell access	npm/puppeteer-core@2.1.1	Module: child_process Location: Package overview	orphan: npm/puppeteer-core@2.1.1
Network access	npm/puppeteer-core@2.1.1	Module: http Location: Package overview	orphan: npm/puppeteer-core@2.1.1
Network access	npm/puppeteer-core@2.1.1	Module: globalThis["fetch"] Location: Package overview	orphan: npm/puppeteer-core@2.1.1
Uses eval	npm/puppeteer-core@2.1.1	Eval Type: Function Location: Package overview	orphan: npm/puppeteer-core@2.1.1
Uses eval	npm/puppeteer-core@2.1.1	Eval Type: Function Location: Package overview	orphan: npm/puppeteer-core@2.1.1
Uses eval	npm/puppeteer-core@2.1.1	Eval Type: Function Location: Package overview	orphan: npm/puppeteer-core@2.1.1
Filesystem access	npm/prettier@2.8.8	Module: fs Location: Package overview	orphan: npm/prettier@2.8.8
Debug access	npm/prettier@2.8.8	Module: module Location: Package overview	orphan: npm/prettier@2.8.8
Dynamic require	npm/prettier@2.8.8	Location: Package overview	orphan: npm/prettier@2.8.8
High entropy strings	npm/prettier@2.8.8	Location: Package overview	orphan: npm/prettier@2.8.8
High entropy strings	npm/prettier@2.8.8	Location: Package overview	orphan: npm/prettier@2.8.8
Environment variable access	npm/prettier@2.8.8	Env Vars: Location: Package overview	orphan: npm/prettier@2.8.8
Environment variable access	npm/prettier@2.8.8	Env Vars: TERM Location: Package overview	orphan: npm/prettier@2.8.8
Environment variable access	npm/util@0.12.5	Env Vars: NODE_DEBUG Location: Package overview	orphan: npm/util@0.12.5
Unmaintained	npm/doctrine@3.0.0	Last Publish: 11/10/2018, 2:38:01 AM	`package-lock.json` `package.json`
New author	npm/convert-source-map@2.0.0	New Author: phated Previous Author: thlorenz	`package-lock.json` `package.json`
Environment variable access	npm/execa@1.0.0	Env Vars: comspec Location: Package overview	orphan: npm/execa@1.0.0
Filesystem access	npm/write-file-atomic@4.0.2	Module: fs Location: Package overview	`package-lock.json` `package.json`
New author	npm/validate-npm-package-name@3.0.0	New Author: chrisdickinson Previous Author: zkat	orphan: npm/validate-npm-package-name@3.0.0
Network access	npm/ws@8.13.0	Module: http Location: Package overview	orphan: npm/ws@8.13.0
Network access	npm/ws@8.13.0	Module: net Location: Package overview	orphan: npm/ws@8.13.0
Network access	npm/ws@8.13.0	Module: https Location: Package overview	orphan: npm/ws@8.13.0
Network access	npm/ws@8.13.0	Module: tls Location: Package overview	orphan: npm/ws@8.13.0
Environment variable access	npm/ws@8.13.0	Env Vars: WS_NO_UTF_8_VALIDATE Location: Package overview	orphan: npm/ws@8.13.0
Environment variable access	npm/ws@8.13.0	Env Vars: WS_NO_BUFFER_UTIL Location: Package overview	orphan: npm/ws@8.13.0
Filesystem access	npm/@kwsites/file-exists@1.1.1	Module: fs Location: Package overview	orphan: npm/@kwsites/file-exists@1.1.1
Environment variable access	npm/yargs@17.7.2	Env Vars: Location: Package overview	orphan: npm/yargs@17.7.2
Dynamic require	npm/yargs@17.7.2	Location: Package overview	orphan: npm/yargs@17.7.2
Dynamic require	npm/yargs@17.7.2	Location: Package overview	orphan: npm/yargs@17.7.2
Filesystem access	npm/yargs@17.7.2	Module: fs Location: Package overview	orphan: npm/yargs@17.7.2
Environment variable access	npm/yargs@17.7.2	Env Vars: key Location: Package overview	orphan: npm/yargs@17.7.2
Dynamic require	npm/yargs@17.7.2	Location: Package overview	orphan: npm/yargs@17.7.2
Minified code	npm/yargs@17.7.2	Confidence: 1.00 Location: Package overview	orphan: npm/yargs@17.7.2
Environment variable access	npm/yargs@17.7.2	Env Vars: t Location: Package overview	orphan: npm/yargs@17.7.2
Filesystem access	npm/yargs@17.7.2	Module: fs Location: Package overview	orphan: npm/yargs@17.7.2
Environment variable access	npm/yargs@17.7.2	Env Vars: YARGS_MIN_NODE_VERSION Location: Package overview	orphan: npm/yargs@17.7.2
Filesystem access	npm/y18n@5.0.8	Module: fs Location: Package overview	orphan: npm/y18n@5.0.8
Environment variable access	npm/yargs-parser@21.1.1	Env Vars: YARGS_MIN_NODE_VERSION Location: Package overview	orphan: npm/yargs-parser@21.1.1
Dynamic require	npm/yargs-parser@21.1.1	Location: Package overview	orphan: npm/yargs-parser@21.1.1
Environment variable access	npm/yargs-parser@21.1.1	Env Vars: Location: Package overview	orphan: npm/yargs-parser@21.1.1
Filesystem access	npm/yargs-parser@21.1.1	Module: fs Location: Package overview	orphan: npm/yargs-parser@21.1.1
Filesystem access	npm/tmp@0.2.1	Module: fs Location: Package overview	orphan: npm/tmp@0.2.1
Network access	npm/source-map@0.7.4	Module: globalThis["fetch"] Location: Package overview	`package-lock.json` `package.json` `packages/scripts/package.json`
New author	npm/source-map@0.7.4	New Author: eemeli Previous Author: loganfsmyth	`package-lock.json` `package.json` `packages/scripts/package.json`
Filesystem access	npm/source-map@0.7.4	Module: fs Location: Package overview	`package-lock.json` `package.json` `packages/scripts/package.json`
Environment variable access	npm/watchpack@2.4.0	Env Vars: WATCHPACK_WATCHER_LIMIT Location: Package overview	orphan: npm/watchpack@2.4.0
Environment variable access	npm/watchpack@2.4.0	Env Vars: WATCHPACK_RECURSIVE_WATCHER_LOGGING Location: Package overview	orphan: npm/watchpack@2.4.0
Environment variable access	npm/watchpack@2.4.0	Env Vars: WATCHPACK_POLLING Location: Package overview	orphan: npm/watchpack@2.4.0
Filesystem access	npm/watchpack@2.4.0	Module: fs Location: Package overview	orphan: npm/watchpack@2.4.0
Shell access	npm/@aw-web-design/x-default-browser@1.4.126	Module: child_process Location: Package overview	orphan: npm/@aw-web-design/x-default-browser@1.4.126
Deprecated	npm/@babel/plugin-proposal-export-namespace-from@7.18.9	Reason: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-export-namespace-from instead.	`package-lock.json` `package.json`
Environment variable access

guardrails · 2024-04-23T19:11:47Z

⚠️ We detected 1 security issue in this pull request:

Vulnerable Libraries (1)

Severity	Details
Critical	pkg:npm/simple-git@3.5.0 (t) upgrade to: 3.16.0

More info on how to fix Vulnerable Libraries in JavaScript.

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

fix: package.json to reduce vulnerabilities

1e1acbf

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221

vercel bot had a problem deploying to Preview – gutenberg-wd9x April 23, 2024 19:17 Failure

vercel bot had a problem deploying to Preview – gutenberg April 23, 2024 19:17 Failure

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Security upgrade simple-git from 3.5.0 to 3.15.0 #56

[Snyk] Security upgrade simple-git from 3.5.0 to 3.15.0 #56

naiba4 commented Apr 23, 2024

vercel bot commented Apr 23, 2024 •

edited

Loading

socket-security bot commented Apr 23, 2024

socket-security bot commented Apr 23, 2024

guardrails bot commented Apr 23, 2024

[Snyk] Security upgrade simple-git from 3.5.0 to 3.15.0 #56

Are you sure you want to change the base?

[Snyk] Security upgrade simple-git from 3.5.0 to 3.15.0 #56

Conversation

naiba4 commented Apr 23, 2024

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

vercel bot commented Apr 23, 2024 • edited Loading

socket-security bot commented Apr 23, 2024

socket-security bot commented Apr 23, 2024

guardrails bot commented Apr 23, 2024

vercel bot commented Apr 23, 2024 •

edited

Loading