
[Snyk] Security upgrade prerender-node from 1.2.1 to 3.4.0

Open nawazdhandala opened this issue 2 years ago • 0 comments

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • home-ui/package.json
    • home-ui/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Columns: Severity, Priority Score (*), Issue, Breaking Change, Exploit Maturity

  • medium severity, 646/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 6.5): Prototype Pollution, SNYK-JS-TOUGHCOOKIE-5672873. Breaking change: Yes. Exploit maturity: Proof of Concept.
  • medium severity, 424/1000 (Why? Has a fix available, CVSS 4.2): Insecure Randomness, npm:node-uuid:20160328. Breaking change: Yes. Exploit maturity: No Known Exploit.
  • medium severity, 646/1000 (Why? Mature exploit, Has a fix available, CVSS 5.2): Uninitialized Memory Exposure, npm:stringstream:20180511. Breaking change: Yes. Exploit maturity: Mature.
  • high severity, 589/1000 (Why? Has a fix available, CVSS 7.5): Regular Expression Denial of Service (ReDoS), npm:tough-cookie:20160722. Breaking change: Yes. Exploit maturity: No Known Exploit.
  • medium severity, 509/1000 (Why? Has a fix available, CVSS 5.9): Regular Expression Denial of Service (ReDoS), npm:tough-cookie:20170905. Breaking change: Yes. Exploit maturity: No Known Exploit.

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: prerender-node

The new version differs by 154 commits.
  • a6df8d9 Merge pull request #217 from prerender/bump-version
  • 5315f41 bump to v3.4.0
  • 5aedadf Merge pull request #216 from 123NeNaD/master
  • 7e25ac4 Replacing "let" with "const"
  • cb4738e Dynamically use "http" or "https" module
  • 60f20f8 Updating package-lock.json
  • df6c0f9 Removing "request" from package.json
  • 404677b Changing deprecated "url.parse" with recommended WHATWG URL API
  • bad12a0 Removing "request" package code
  • 8b2d7e1 Replacing "request" package with native https modules
  • 41bcaee Merge pull request #215 from prerender/feature/add-telegram-bot
  • 431eba4 chore: bump version
  • 55e11f8 feat: add telegram user agent
  • dcd5059 some changes to the README
  • 6530768 don't commit DS_Store files
  • b8bd824 bump to v3.2.5
  • 8c3de6f updated lodash and mocha to resolve security vulnerability warning
  • ace385a bump to v3.2.4
  • 7dc4c82 update changelog for v3.2.4
  • 5a33d6f upgraded devDependencies to their latest versions
  • be5f272 bump to v3.2.3
  • 1aad301 added changelog entry for v3.2.3
  • bf7d45d make sure request is at ^v2.88.0 and add package-lock.json file
  • 2f93fbe bump to v3.2.2

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

  • 🧐 View latest project report
  • 🛠 Adjust project settings
  • 📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

  • 🦉 Prototype Pollution
  • 🦉 Regular Expression Denial of Service (ReDoS)
  • 🦉 Insecure Randomness

nawazdhandala, Dec 19 '23 15:12