Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade: dotenv, farmhash, fs-extra, fuse.js, js2xmlparser, rate-limiter-flexible, request-ip, svcorelib, url-parse, xss #38

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

usernamerandom11
Copy link
Owner

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name Versions Released on

dotenv
from 8.2.0 to 8.6.0 | 5 versions ahead of your current version | 3 years ago
on 2021-05-05
farmhash
from 3.1.0 to 3.3.1 | 6 versions ahead of your current version | 5 months ago
on 2024-04-17
fs-extra
from 9.0.1 to 9.1.0 | 1 version ahead of your current version | 4 years ago
on 2021-01-19
fuse.js
from 6.4.1 to 6.6.2 | 12 versions ahead of your current version | 2 years ago
on 2022-05-11
js2xmlparser
from 4.0.1 to 4.0.2 | 1 version ahead of your current version | 3 years ago
on 2021-10-31
rate-limiter-flexible
from 2.2.1 to 2.4.2 | 19 versions ahead of your current version | a year ago
on 2023-07-27
request-ip
from 2.1.3 to 2.2.0 | 1 version ahead of your current version | 2 years ago
on 2022-06-01
svcorelib
from 1.11.1 to 1.18.2 | 12 versions ahead of your current version | 2 years ago
on 2023-02-20
url-parse
from 1.4.7 to 1.5.10 | 11 versions ahead of your current version | 3 years ago
on 2022-02-22
xss
from 1.0.8 to 1.0.15 | 7 versions ahead of your current version | 6 months ago
on 2024-03-03

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
696 Proof of Concept
high severity Improper Input Validation
SNYK-JS-URLPARSE-2407770
696 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-XSS-1584355
696 No Known Exploit
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
696 Proof of Concept
high severity Information Exposure
SNYK-JS-SIMPLEGET-2361683
696 Proof of Concept
medium severity Authorization Bypass
SNYK-JS-URLPARSE-2407759
696 Proof of Concept
medium severity Authorization Bypass Through User-Controlled Key
SNYK-JS-URLPARSE-2412697
696 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MINIMATCH-3050818
696 No Known Exploit
medium severity Improper Input Validation
SNYK-JS-URLPARSE-1078283
696 No Known Exploit
medium severity Open Redirect
SNYK-JS-URLPARSE-1533425
696 Proof of Concept
medium severity Access Restriction Bypass
SNYK-JS-URLPARSE-2401205
696 Proof of Concept
Release notes
Package name: dotenv from dotenv GitHub release notes
Package name: farmhash from farmhash GitHub release notes
Package name: fs-extra from fs-extra GitHub release notes
Package name: fuse.js
  • 6.6.2 - 2022-05-11

    Bug Fixes

    • value fetched at the end must be a string (1de1dff), closes #661
  • 6.6.1 - 2022-05-06

    Bug Fixes

    • typescript: Change fieldNormWeight to be optional, fixes [#658]
    • typescript: type definition for FuseOptionKeyObject, fixes [#655] and [#656]
  • 6.6.0 - 2022-05-03

    Features

    • allow passing getFn for a specific key (1d445b9), closes #627

    Bug Fixes

    • excessive splitting in parseQuery (2c78022)
    • type mismatch on toJSON (f5425ea)
  • 6.5.3 - 2021-12-23

    6.5.3 (2021-12-23)

    Bug Fixes

    • logical: scoring for logical OR (6f6af51), closes #593
  • 6.5.2 - 2021-12-23

    6.5.2 (2021-12-23)

    Purely created this version as minification failed in the prior one.

  • 6.5.1 - 2021-12-23

    6.5.1 (2021-12-23)

    Bug Fixes

    • rollback min node version (9918f67)
  • 6.5.0 - 2021-12-22

    chore(release): 6.5.0

  • 6.4.6 - 2021-01-05

    Bug Fixes

    • typescript: fix search typings (94766b2), closes #527
  • 6.4.5 - 2021-01-01

    Bug Fixes

    • typescript: export FuseIndex type (2e60bee), closes #519
  • 6.4.4 - 2020-12-29

    Bug Fixes

    • extended: correctly score include-match results (443c863), closes #522
  • 6.4.3 - 2020-10-30
  • 6.4.2 - 2020-10-20
  • 6.4.1 - 2020-07-26
from fuse.js GitHub release notes
Package name: js2xmlparser
  • 4.0.2 - 2021-10-31
    • Update dependencies
    • Export options interfaces in main module
    • Update example to include root attribute
  • 4.0.1 - 2020-02-02
    • Update dependencies
    • Use ESLint instead of TSLint
    • Use npm instead of gulp
from js2xmlparser GitHub release notes
Package name: rate-limiter-flexible
  • 2.4.2 - 2023-07-27
  • 2.4.1 - 2022-10-24

    Thank you @ dmozgovoi for the quick improvement.

  • 2.4.0 - 2022-10-21

    In some cases especially with insuranceLimiter set it is important to reject requests quickly based on Redis client status being not ready. Thanks @ dmozgovoi

  • 2.3.12 - 2022-10-13

    Thank you @ svsool

  • 2.3.11 - 2022-09-25
    • RateLimiterQueue getTokensRemaining with RateLimiterPostgres fixed. #125
    • clear timeout on key delete from memory storage. #146 Thank you @ jiddmeye
    • clearExpiredByTimeout is added to TS types for MySQL and Postgres limiters. #156
    • fix negative remaining points in memory limiter. #172 Thank you @ MiniKraken-Team
    • added browser package.json settings to allow bundling. 6ce34b3 Thank you @ achingbrain
    • use nodejs.util.inspect.custom for Symbol flexibility. 2c8bedb Thank you @ shlavik
    • inmemoryBlockOnConsumed and inmemoryBlockDuration options are renamed to inMemoryBlockOnConsumed and inMemoryBlockDuration. Old options are still supported, but deprecated and will be removed in v3 major release. #106
  • 2.3.10 - 2022-09-12
  • 2.3.9 - 2022-09-06
  • 2.3.8 - 2022-07-29
  • 2.3.7 - 2022-05-01
  • 2.3.6 - 2021-12-01
  • 2.3.5 - 2021-11-21
  • 2.3.4 - 2021-11-09
    • MongoDB version detection is fixed for mongoose client. Thank you @ adrianvlupu
    • MongoDB version detection is fixed for 3.6.7+. Thank you @ pavittarx
    • Internal fix of get method. It incorrectly processed undefined result from a store. Thank you @ animir
    • .editorconfig added. Thank you @ vinibeloni
    • TypeScript type for RateLimiterQueueError added. Thank you @ adilhafeez
    • TypeScript type for deleteInMemoryBlockedAll method is added. Thank you @ animir
  • 2.3.3 - 2021-11-01
  • 2.3.2 - 2021-10-26
  • 2.3.1 - 2021-10-02
  • 2.3.0 - 2021-09-28
    • replace replaceOne with findOneAndUpdate to fix a bug related to absent ops attribute in MongoDB client v4+. Thank you @ vdiez
    • delete method on any store limiter deletes inMemoryBlocked key if it is there. Thank you @ evan361425
    • new deleteInMemoryBlockedAll method added to clean up all blocked keys at once. Thank you @ evan361425 again :-)
    • @ evan361425 also added tests to cover new lines 🥇
  • 2.2.4 - 2021-07-24
  • 2.2.3 - 2021-07-10
    • Missing get/set Typescript types added and documentation improved. Thanks @ rijkvanzanten
    • mongodb client v4 support. Thank you @ backflip
  • 2.2.2 - 2021-05-04
  • 2.2.1 - 2021-01-10
    • TypeORM Support for RateLimitPostgres, thank you @ seromenho
    • Readme links fixed, thanks @ mriedem
    • RateLimiterQueue TS types fixed
    • Fix postgres consumed points increment on block, issue #95
from rate-limiter-flexible GitHub release notes
Package name: request-ip from request-ip GitHub release notes
Package name: svcorelib
  • 1.18.2 - 2023-02-20

    Fixes:

    • Made system.inDebugger() no longer dependant on V8's inspector module which errored in environments like pkg
    • Corrected wrong color code for colors.fat
    • Fixed docs in a few places
  • 1.18.1 - 2022-10-11

    Fixes:

    • Fix some TS typings
  • 1.18.0 - 2022-10-11
    • Additions
      • splitIntoParts() function to split an array into n parts
      • splitIntoPartsOfLength() function to split an array into parts of n length
    • Fixes
      • Reverted dynamic imports issue #51
      • Support Error options issue #52
  • 1.17.0 - 2022-08-13
    • Additions
      • Added function allInstanceOf() to check if all items in an array are an instance of a class
      • Added function isClass() to check if a value is a reference to a class
      • Added function randomItemIndex() to get a random item and its index from an array
      • Added function takeRandomItem() to delete a random item from an array and return it
      • colors
        • Added colors.fgb and colors.bgb for bright colors
        • Added dim, underscore, reverse and hidden
    • Breaking changes
      • Changed state fulfilled to resolved in StatePromise
      • colors
        • Removed brightness modifier from colors.fg and colors.bg
        • Renamed colors.fat to colors.bright
    • Fixes
      • Added missing documentation for allOfType()
      • Fixed docs in various places
  • 1.16.0 - 2022-06-29
    • Additions
      • Added clamp() to ensure a number is between a min and max limit
    • Fixes
      • randRange() now doesn't depend on the performance module anymore
      • Updated deps
  • 1.15.0 - 2022-06-15
    • Breaking changes
      • Shortened namespace names:
        • generateUUID -> uuid
        • filesystem -> files
      • Renamed functions:
        • seededRNG.generateRandomSeed() -> seededRNG.randomSeed()
        • seededRNG.generateRandomNumbers() -> seededRNG.generateNumbers()
        • pause() -> system.pause()
    • Additions
      • Added function halves() to get the two halves of an array
      • Added function parseDuration() to parse out time units from a passed duration in milliseconds
      • Added function formatDuration() to convert a duration in milliseconds to a string with custom format
      • Added function files.existsSync() as a synchronous counterpart to files.exists()
      • SelectionMenu now supports EventEmitter's .on("submit") method
    • Fixes
      • reserialize() now keeps the type of the passed object (#38)
      • seededRNG.validateSeed() now returns false when a seed starts with 0 (#34)
      • Fixed missing argument in system.inDebugger() (#37)
      • Updated dependencies
  • 1.14.2 - 2021-08-08
    • Fixes
      • Fixed .d.ts type declarations (#27)
      • Fixed system.inDebugger() not detecting debugger (#30)
      • Set mysql as a peer dependency (#29)
      • Improved documentation a little bit
    • Internal stuff
      • Added CodeQL analysis workflow
  • 1.14.1 - 2021-06-07

    Fixed bug where filesystem.exists() wasn't exported (see #25)

  • 1.14.0 - 2021-05-11
    • Additions
      • Added class StatePromise that keeps track of the state of a promise
      • Added single-parameter overload to randRange()
      • Added string array overload to generateUUID.custom(), deprecated older overload
      • softShutdown() now accepts a Promise for async code execution before shutdown
    • Changes
      • Moved repository to @ Sv443-Network
      • Improved type declaration file (.d.ts) by a lot
    • Security
      • Audited dependencies
  • 1.13.1 - 2021-03-30
  • 1.13.0 - 2021-03-17

    Migration warnings:

    • You will need to modify all occurrences of FolderDaemon with the new syntax shown in the docs
    • The namespace of a few functions has changed (see changes)



    Added functions:

    • filesystem.exists() to provide a reimplementation to fs' deprecated exists() function (#14)
    • filesystem.ensureDirs() to ensure a set of directories exists (#18)
    • filesystem.ensureDirsSync() as a synchronous counterpart to ensureDirs() (#18)
    • system.usedHeap() to get the current heap usage in percent (#19)

    Changes:

    • Replaced FolderDaemon's configuration parameters with a single settings object (#13)
    • Added base class SCLError to all errors to implement the date property (#17)
    • Moved a few functions to the new system namespace:
      • noShutdown() - moved to system
      • yesShutdown() - moved to system
      • softShutdown() - moved to system
      • inDebugger() - moved to system
      • setWindowTitle() - moved to system

    Fixed bugs:

    • isEmpty() with value null threw a TypeError (#15)
    • Package mysql isn't included in the dependencies (#21)
    • Definition of system.softShutdown()'s callback function was wrong (#20)
  • 1.12.0 - 2021-01-26
  • 1.11.1 - 2020-08-31
from svcorelib GitHub release notes
Package name: url-parse from url-parse GitHub release notes
Package name: xss from xss GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade:
  - dotenv from 8.2.0 to 8.6.0.
    See this package in npm: https://www.npmjs.com/package/dotenv
  - farmhash from 3.1.0 to 3.3.1.
    See this package in npm: https://www.npmjs.com/package/farmhash
  - fs-extra from 9.0.1 to 9.1.0.
    See this package in npm: https://www.npmjs.com/package/fs-extra
  - fuse.js from 6.4.1 to 6.6.2.
    See this package in npm: https://www.npmjs.com/package/fuse.js
  - js2xmlparser from 4.0.1 to 4.0.2.
    See this package in npm: https://www.npmjs.com/package/js2xmlparser
  - rate-limiter-flexible from 2.2.1 to 2.4.2.
    See this package in npm: https://www.npmjs.com/package/rate-limiter-flexible
  - request-ip from 2.1.3 to 2.2.0.
    See this package in npm: https://www.npmjs.com/package/request-ip
  - svcorelib from 1.11.1 to 1.18.2.
    See this package in npm: https://www.npmjs.com/package/svcorelib
  - url-parse from 1.4.7 to 1.5.10.
    See this package in npm: https://www.npmjs.com/package/url-parse
  - xss from 1.0.8 to 1.0.15.
    See this package in npm: https://www.npmjs.com/package/xss

See this project in Snyk:
https://app.snyk.io/org/mail-in4/project/98814f29-04d4-4b2c-ae9b-87ecf84a61a2?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
2 participants