[Snyk] Fix for 13 vulnerabilities by jmatsushita · Pull Request #20 · contentascode/nodegit
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  - package.json
  - package-lock.json
Vulnerabilities that will be fixed
With an upgrade:
| Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|
| 619/1000 (Why? Has a fix available, CVSS 8.1) | Prototype Pollution, SNYK-JS-AJV-584908 | Yes | No Known Exploit |
| 579/1000 (Why? Has a fix available, CVSS 7.3) | Arbitrary File Overwrite, SNYK-JS-FSTREAM-174725 | Yes | No Known Exploit |
| 584/1000 (Why? Has a fix available, CVSS 7.4) | Regular Expression Denial of Service (ReDoS), SNYK-JS-HAWK-2808852 | Yes | No Known Exploit |
| 644/1000 (Why? Has a fix available, CVSS 8.6) | Prototype Pollution, SNYK-JS-JSONSCHEMA-1920922 | Yes | No Known Exploit |
| 479/1000 (Why? Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS), SNYK-JS-MINIMATCH-3050818 | Yes | No Known Exploit |
| 506/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 3.7) | Prototype Pollution, SNYK-JS-MINIMIST-2429795 | Yes | Proof of Concept |
| 601/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.6) | Prototype Pollution, SNYK-JS-MINIMIST-559764 | Yes | Proof of Concept |
| 696/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.5) | Prototype Poisoning, SNYK-JS-QS-3153490 | Yes | Proof of Concept |
| 726/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 8.1) | Arbitrary File Overwrite, SNYK-JS-TAR-174125 | Yes | Proof of Concept |
| 479/1000 (Why? Has a fix available, CVSS 5.3) | Insecure Randomness, npm:cryptiles:20180710 | Yes | No Known Exploit |
| 579/1000 (Why? Has a fix available, CVSS 7.3) | Prototype Pollution, npm:extend:20180424 | Yes | No Known Exploit |
| 696/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS), npm:sshpk:20180409 | Yes | Proof of Concept |
| 646/1000 (Why? Mature exploit, Has a fix available, CVSS 5.2) | Uninitialized Memory Exposure, npm:stringstream:20180511 | Yes | Mature |
(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: node-gyp
The new version differs by 246 commits.
- 989abc7 v8.0.0: bump version and update changelog
- 0da2e01 gyp: update gyp to v0.8.1 (#2355)
- 0093ec8 gyp: Improve our flake8 linting tests
- 06ddde2 deps: sync mutual dependencies with npm
- a5fd1f4 doc: add downloads badge (#2352)
- 0d8a6f1 ci: update actions/setup-node to v2 (#2302)
- 1bd18f3 lib: drop Python 2 support in find-python.js (#2333)
- e81602e lib: migrate requests to fetch (#2220)
- a78b584 gyp: remove support for Python 2 (#2300)
- 392b776 lib: avoid changing process.config (#2322)
- c3c510d gyp: update gyp to v0.8.0 (#2318)
- cc1cbce doc: update macOS_Catalina.md (#2293)
- 9e1397c gyp: update gyp to v0.7.0 (#2284)
- 6287118 doc: updated README.md to copy easily (#2281)
- 15a5c7d ci: migrate deprecated grammar (#2285)
- 66c0f04 doc: add missing `sudo` to Catalina doc
- 19e0f3c v7.1.1: bump version and update changelog
- 096e3ad gyp: update gyp to 0.6.2
- 54f97cd doc: add cmd to reset `xcode-select` to initial state
- b9e3ad2 v7.1.1: bump version and update changelog
- 18bf2d1 deps: update deps to match npm@7
- ee6a837 gyp: update gyp to 0.6.1
- 3e7f8cc lib: better log message when ps fails
- 7fb3143 test: GitHub Actions: Test on Python 3.9
Package name: node-pre-gyp
The new version differs by 42 commits.
- 13c5ad0 bump to v0.9.0
- 07e7ee5 Merge pull request WIP: Refactor publishing nodegit/nodegit#350 from cktang88/master
- 9a9089b Replace request with needle
- 2844fa4 bump to v0.8.0 with N-API support
- b22612c remove node-pre-gyp dep from app7 package.json
- 9bb97af Merge pull request Update dependency node-pre-gyp to ~0.6 nodegit/nodegit#345 from inspiredware/napi-support
- c31cce4 Merge branch 'master' into napi-support
- cf3ebb6 bump to v0.7.1 with tar v4.x
- 9bc1ff3 avoid double declare of tape in devDeps
- b1ce220 fix package.json syntax
- e9fb2e5 Merge pull request Module fails to load nodegit/nodegit#299 from isaacs/master
- 81f2e60 Merge branch 'master' into master
- e7bb6cd bump to v0.7.0 / drop node v0.10.x support
- 837c48b update versions
- af507d1 Merge pull request Added checkout head method and tests nodegit/nodegit#347 from krotscheck/hawk
- eda90e0 Remove dependency on hawk, upgrade request
- 9684ef6 Another CI build tweak
- 9870491 Addresses CI build errors
- b2ed35a update with latest versions
- e352a05 kick travis
- 37eb637 bump to v0.6.40
- 8f7c497 CI tweaks
- 488ac7b Fix for code cleanup
- 82a641e Code cleanup.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Insecure Randomness