[Snyk] Fix for 15 vulnerabilities#19

Open

hajjiTarik wants to merge 1 commit intomasterfrom

snyk-fix-0c1a9a2bcf14aca632edf2fecc1eb256

Owner

hajjiTarik commented Oct 6, 2022

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MERGE-1040469	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MERGE-1042987	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Improper Privilege Management SNYK-JS-SHELLJS-2332187	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: chalk

The new version differs by 53 commits.

3fca615 2.0.0
f66271e Add tagged template literal (Update babel-core to version 6.7.2 🚀 commitizen/cz-cli#163)
23ef1c7 fix linter errors
c015568 add rainbow example
09fb2d8 Re-implement `chalk.enabled` (fix(lib): keep newline at the end of package.json commitizen/cz-cli#160)
608242a spoof supports-color
18f2e7c add host information output
523b998 Revert "TEMPORARY: emergency travis CI fix (see comments)"
54975fb TEMPORARY: emergency travis CI fix (see comments)
1d73b21 Improve readme
6f4d6b3 Bump dependencies
8702496 Remove `chalk.styles`
0412cdf Minor code improvements
249b9ac ES2015ify the codebase
cb3f230 Add RGB (256/Truecolor) support (Update babel to version 6.5.2 🚀 commitizen/cz-cli#140)
dbae68d Update dependent package count in the readme (fix: make gulp depedencies available for prod installs commitizen/cz-cli#154)
9b60021 Drop support for Node.js 0.10 and 0.12
0d21449 check parent builder object for enabled status (Update lodash to version 4.4.0 🚀 commitizen/cz-cli#142)
5a69476 add XO badge
492f11f add example file
4ce73b6 make XO happy
7c02cf4 Add log statement to chalk examples (Fail a build if the commit is not in the standard format commitizen/cz-cli#129)
835ca3d You've just reached 10,000 dependent modules. (Update chai to version 3.5.0 🚀 commitizen/cz-cli#122)
74c087d minor doc improvements (Update mocha to version 2.4.3 🚀 commitizen/cz-cli#120)

See the full diff

Package name: find-node-modules

The new version differs by 13 commits.

d7a1ff0 Merge pull request [Snyk] Security upgrade find-node-modules from 1.0.4 to 2.1.1 #13 from PunChaFeng/upgrade-merge
2cdfee5 Update package-lock.json
5d91ac5 Update package.json
2f4a0dd 2.1.0
891bfcf Add package-lock.json
dc65c2e Merge pull request [Snyk] Security upgrade find-node-modules from 1.0.4 to 2.1.1 #11 from sebelga/chore/update-findup-sync-dep
4bcc026 chore(deps): update findup-sync from 3.0.0 to 4.0.0
73a6a52 2.0.0
badcd1a Merge pull request [Snyk] Security upgrade lodash from 4.17.2 to 4.17.17 #10 from seantrane/update-findup-sync
9b1f999 chore(deps): update findup-sync from 0.4.2 to 3.0.0
5002f7d 1.0.5
442ddf1 Merge pull request [Snyk] Security upgrade lodash from 4.17.2 to 4.17.20 #9 from YOU54F/updateDepMerge
fd864bc update dep - merge 1.2.0 > 1.2.1

See the full diff

Package name: inquirer

The new version differs by 67 commits.

68fcbcb 3.2.0
e16575c Bump dependencies
3f2c74b fix(package): update chalk to version 2.0.0
2e9eb3e Allow non-string values as a list default option (git cz just opens the local editor commitizen/cz-cli#558)
5dbd186 [fix] Update lodash to version 4.14.0 🚀 commitizen/cz-cli#293 Exit script when SIGINT signal received (Error in Readme: npx git-cz installs wrong package commitizen/cz-cli#564)
625965e Fixed typo (git-cz doesn't finish, doesn't return the prompt commitizen/cz-cli#563)
babdfb2 Add Plugins Section to README.md (Git bash on windows: cannot read property 'get' of undefined commitizen/cz-cli#559)
810c138 fix(package): update strip-ansi to version 4.0.0
13d3100 3.1.1
60b27f0 Setup coverage in codacy
62fde13 Bump dev dependencies
3f465b4 Move eslint configs to own file (easier to integrate in third party)
948f8dc Keep password prompt silenced after error - Fix fix(deps): update dependency glob to v7.1.3 - autoclosed commitizen/cz-cli#553 Om commit, Nano editor is getting open. No commitizen dialogs at all commitizen/cz-cli#546
11f5854 chore(package): update sinon to version 2.3.4 (Is there a way to override standard git commit? commitizen/cz-cli#550)
e612cc5 3.1.0
148cb71 Update eslint-config-xo-space to the latest version 🚀 (chore(deps): update dependency proxyquire to v2 - autoclosed commitizen/cz-cli#516)
3b93dd5 call chalk.reset() after message prompt (Open Collective CLI Breaks Build on CI commitizen/cz-cli#544)
3ff39a6 chore(package): update chai to version 4.0.1 (fix(deps): update dependency inquirer to v6 commitizen/cz-cli#541)
76f1bfe upgrade external-editor to 2.0.4 (chore(deps): pin dependencies commitizen/cz-cli#535)
da4eceb pass current answers hash to filter (Open Collective Objectives commitizen/cz-cli#533)
f99b398 Use rx-lite-aggregates instead of full rx (docs(readme): add npx use examples commitizen/cz-cli#532)
20119a2 fix(package): update ansi-escapes to version 2.0.0 (Locally installation messed up with Yarn commitizen/cz-cli#527)
e294e16 Update validate fn param docs (chore(deps): pin dependency in-publish to v2.0.0 - autoclosed commitizen/cz-cli#526)
5b3a4a2 Add masked password example

See the full diff

Package name: shelljs

The new version differs by 108 commits.

70668a4 0.8.5
d919d22 fix(exec): lockdown file permissions (#1060)
fcf1651 0.8.4
a1111ee Silence potentially upcoming circular dependency warning (bug: issue with LRU cache, cannot execute git-cz commitizen/cz-cli#973)
d4d1317 0.8.3
db317bf Add test case for sed on empty file (updated 404 url commitizen/cz-cli#904)
0d5ecb6 docs(changelog): updated by Nate Fischer [ci skip]
6b3c7b1 refactor: don't expose tempdir in common.state (chore(deps): update all non-major dependencies commitizen/cz-cli#903)
4bd22e7 chore(ci): fix codecov on travis (Why are there no releases anymore? commitizen/cz-cli#897)
2b3b781 fix: silent exec (chore(deps) Update dependency semantic-release to v19 - autoclosed commitizen/cz-cli#892)
37acb86 chore(npm): add ci-or-install script (chore(deps): update all non-major dependencies to v7.17.0 commitizen/cz-cli#896)
4e861db chore(appveyor): run entire test matrix (chore(deps): update dependency conventional-changelog-conventionalcommits to v4.6.2 commitizen/cz-cli#886)
d079515 docs: remove gitter badge (chore: remove unused Travis-CI config commitizen/cz-cli#880)
4113a72 grep includes the i flag (chore(deps) Update dependency strip-json-comments to v4 commitizen/cz-cli#876)
8dae55f Fix(which): match only executable files (fix(deps): update dependency inquirer to v8 commitizen/cz-cli#874)
6d66a1a chore: rename some tests (chore(deps): update dependency sinon to v12 commitizen/cz-cli#871)
131b88f Fix cp from readonly source (chore(deps): update dependency sinon to v11 - autoclosed commitizen/cz-cli#870)
1dd437e fix(mocks): fix conflict between mocks and skip (Ownership of find-node-modules commitizen/cz-cli#863)
72ff790 chore: bump dev dependencies and add package-lock (build(node versions): - Deprecates Node 10 and adds current LTS versions commitizen/cz-cli#864)
93bbf68 Prevent require-ing bin/shjs (filter type input commitizen/cz-cli#848)
aa9d443 chore: output npm version in travis (signed-off-by commitizen/cz-cli#850)
4733a32 chore(appveyor): do not use latest npm (git commit -m to pre-fill commit title commitizen/cz-cli#847)
dd5551d chore: update shelljs-release version (cz.json version mismatch merge conflict commitizen/cz-cli#846)
97a4df8 docs(changelog): updated by Nate Fischer [ci skip]

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn


          fix: package.json to reduce vulnerabilities

ae566fa

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/SNYK-JS-MERGE-1040469
- https://snyk.io/vuln/SNYK-JS-MERGE-1042987
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-SHELLJS-2332187
- https://snyk.io/vuln/npm:braces:20180219
- https://snyk.io/vuln/npm:lodash:20180130

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet