libreact
[Snyk] Fix for 28 vulnerabilities
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  - package.json
- Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Vulnerabilities that will be fixed
With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| | 619/1000 Why? Has a fix available, CVSS 8.1 | Prototype Pollution SNYK-JS-AJV-584908 | Yes | No Known Exploit |
| | 586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-ISSVG-1085627 | Yes | Proof of Concept |
| | 586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-ISSVG-1243891 | Yes | Proof of Concept |
| | 509/1000 Why? Has a fix available, CVSS 5.9 | Denial of Service (DoS) SNYK-JS-JSYAML-173999 | Yes | No Known Exploit |
| | 619/1000 Why? Has a fix available, CVSS 8.1 | Arbitrary Code Execution SNYK-JS-JSYAML-174129 | Yes | No Known Exploit |
| | 479/1000 Why? Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116 | Yes | No Known Exploit |
| | 479/1000 Why? Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540 | Yes | No Known Exploit |
| | 520/1000 Why? Has a fix available, CVSS 5.9 | Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-584281 | Yes | No Known Exploit |
| | 589/1000 Why? Has a fix available, CVSS 7.5 | Prototype Pollution SNYK-JS-MERGE-1040469 | Yes | No Known Exploit |
| | 686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution SNYK-JS-MERGE-1042987 | Yes | Proof of Concept |
| | 589/1000 Why? Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388 | Yes | No Known Exploit |
| | 601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6 | Prototype Pollution SNYK-JS-MINIMIST-559764 | Yes | Proof of Concept |
| | 589/1000 Why? Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476 | Yes | No Known Exploit |
| | 520/1000 Why? Has a fix available, CVSS 5.9 | Denial of Service SNYK-JS-NODEFETCH-674311 | No | No Known Exploit |
| | 479/1000 Why? Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640 | Yes | No Known Exploit |
| | 494/1000 Why? Has a fix available, CVSS 5.6 | Command Injection SNYK-JS-REACTDEVUTILS-1083268 | Yes | No Known Exploit |
| | 635/1000 Why? Has a fix available, CVSS 8.2 | Information Disclosure SNYK-JS-SEMANTICRELEASE-1041706 | Yes | No Known Exploit |
| | 429/1000 Why? Has a fix available, CVSS 4.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVERREGEX-1047770 | Yes | No Known Exploit |
| | 696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) SNYK-JS-SSRI-1246392 | Yes | Proof of Concept |
| | 589/1000 Why? Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038 | Yes | No Known Exploit |
| | 601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6 | Prototype Pollution SNYK-JS-YARGSPARSER-560381 | Yes | Proof of Concept |
| | 506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) npm:braces:20180219 | Yes | Proof of Concept |
| | 676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1 | Regular Expression Denial of Service (ReDoS) npm:diff:20180305 | No | Proof of Concept |
| | 469/1000 Why? Has a fix available, CVSS 5.1 | Denial of Service (DoS) npm:mem:20180117 | Yes | No Known Exploit |
| | 589/1000 Why? Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620 | Yes | No Known Exploit |
(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: gulp
The new version differs by 134 commits.
- 55eb23a Release: 4.0.0
- 173a532 Docs: Fix the installation instructions
- ec54d09 Docs: Improve note about out-of-date docs
- 03b7c98 Docs: Update recipes to install gulp@next
- 2eba29e Docs: Remove run-sequence from recipes
- 76eb4d6 Docs: Add installation instructions & update badges
- fbc162f Docs: Remove references to gulp-util
- 3011cf9 Scaffold: Normalize repository
- f27be05 Update: Remove graceful-fs from test suite
- 361ab63 Upgrade: Update glob-watcher
- 064d100 Build: Avoid broken node 9
- 057df59 Release: 4.0.0-alpha.3
- c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
- 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
- 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
- 723cbc4 Docs: Fix syntax in recipe example (#1715)
- d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
- 29ece6f Upgrade: Update undertaker
- e931cb0 Docs: Fix changelog typos (#1696)
- 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
- d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
- 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
- 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
- c3dbc10 Docs: Clarify incremental builds example (#1609)
Package name: mkdirp
The new version differs by 4 commits.
Package name: mocha
The new version differs by 250 commits.
- eb781e2 Release v6.2.3
- 10dbe94 update CHANGELOG for v6.2.3 [ci skip]
- 848d6fb security: update mkdirp, yargs, yargs-parser
- 843a322 6.2.2
- aec8b02 update CHANGELOG for v6.2.2 [ci skip]
- 7a8b95a npm audit fixes
- cebddf2 Improve reporter documentation for mocha in browser. (#4026)
- 3f7b987 uncaughtException: report more than one exception per test (#4033)
- ee82d38 modify alt text of image from Backers to Sponsors inside Sponsors section in Readme (#4046)
- e9c036c special-case parsing of "require" in unparseNodeArgs(); closes #4035 (#4063)
- 954cf0b Fix HTMLCollection iteration to make unhide function work as expected (#4051)
- 816dc27 uncaughtException: fix double EVENT_RUN_END events (#4025)
- 9650d3f add OpenJS Foundation logo to website (#4008)
- f04b81d Adopt the OpenJSF Code of Conduct (#3971)
- aca8895 Add link checking to docs build step (#3972)
- ef6c820 Release v6.2.1
- 9524978 updated CHANGELOG for v6.2.1 [ci skip]
- dfdb8b3 Update yargs to v13.3.0 (#3986)
- 18ad1c1 treat '--require esm' as Node option (#3983)
- fcffd5a Update yargs-unparser to v1.6.0 (#3984)
- ad4860e Remove extraGlobals() (#3970)
- b269ad0 Clarify effect of .skip() (#3947)
- 1e6cf3b Add Matomo to website (#3765)
- 91b3a54 fix style on mochajs.org (#3886)
Package name: react-markdown
The new version differs by 171 commits.
- 45b9977 5.0.0
- eeea3c2 Update `changelog.md`
- 5d6c9f1 Refactor scripts
- d29478f Add type tests
- 4f5dbe2 Add note
- 7a5e3a1 Add `allowDangerousHtml`, preferred over `escapeHtml`
- 2675ae2 Remove docs on `source`
- 34b0883 Change default branch to `main`
- 22a5e49 Refactor and test for 100% coverage
- b3aa6e0 Rewrite readme for unified, more examples
- a9f163d Move demo to `website` branch
- 4f1a407 Change to clean project, update, refactor scripts
- ebebf51 Upgrade remark to version 8, unified to version 9
- e400f6f Upgrade to remark-parse@6
- 3260f57 Run tests on node 12
- 6eff8d1 Pass AST node to all non-tag/non-fragment renderers as prop
- ca25be1 Fix link to demo in readme
- 9b4eb84 Updated remark-parse github link (#447)
- 2d991aa 4.3.1
- 34eff54 Update CHANGELOG
- 311e2f8 Fix typescript declaration (#378)
- b274e76 4.3.0
- a608d83 Rebuilt demo
- 063b30e Update CHANGELOG
Package name: semantic-release
The new version differs by 194 commits.
- 52238cb fix(deps): Require find-versions ^4.0.0 (#1722)
- af596a9 docs: semantic-release SVG logo (#1715) thanks @bromso
- 6c7e4be docs: add semantic-release-helm plugin (#1713)
- c177d4b docs: add semantic-release-pypi plugin (#1707)
- eb70823 docs: add semantic-release-license-plugin (#1701)
- 885d87a feat(docs): note that publish token is required (#1700)
- f8f8fbc fix: escape uri encoded symbols (#1697)
- c8d38b6 style: removed line breaks to align with xo rule (#1689)
- ca90b34 fix: mask secrets when characters get uri encoded
- 63fa143 docs(plugins): add listing for new plugin (#1686)
- 2bf3771 fix: use valid git credentials when multiple are provided (#1669)
- 77a75f0 fix: don't parse port as part of the path in repository URLs (#1671)
- d74ffef docs: add npm-deprecate-old-versions in plugins list (#1667)
- 3abcbaf Revert "feat: throw an Error if package.json has duplicate "repository" key (#1656)"
- b8fb35c feat: throw an Error if package.json has duplicate "repository" key (#1656)
- 18e35b2 docs: reorder default plugins list (#1650)
- e35e5bb docs(contributing): fix commit message examples (#1648)
- 311c465 docs(README): welcome @travi, add alumni section
- b4c5d0a fix: add logging for when ssh falls back to http (#1639)
- c982249 docs(contributing): typo fix (#1638)
- 9635f50 docs: improve github actions recipe on git plugin (#1626)
- d036a89 ci(docs): use actions/checkout@v2 (#1620)
- 9303d1d docs(resources.md): added more sematnic release article (#1610)
- b72cdb3 docs(configuration.md): Updated documentation for dry-run feature of semantic Release (#1607)
Package name: ts-jest
The new version differs by 250 commits.
- 6916e7b Merge pull request #650 from kulshekhar/kulshekhar-patch-1
- 54a30eb Bump the version (minor)
- 9e61969 Merge pull request #626 from huafu/feature/upgrade-babel-and-fix-tsconfig
- ef21f50 Merge branch 'master' into feature/upgrade-babel-and-fix-tsconfig
- c67ba4d Merge pull request #649 from kulshekhar/greenkeeper/monorepo.react-16.4.2
- 9a6904f Merge branch 'master' of https://github.com/kulshekhar/ts-jest into feature/upgrade-babel-and-fix-tsconfig
- 8a94008 chore(package): update react-test-renderer to version 16.4.2
- 6e73fb9 chore(package): update react to version 16.4.2
- c947791 chore(package): update @types/node to version 10.5.5 (#646)
- fd24ae6 Merge pull request #640 from jmheik/to-dev-deps
- e2028da Merge branch 'master' into to-dev-deps
- 4396dde Merge pull request #641 from jeznag/patch-1
- 7d78123 Merge branch 'master' into patch-1
- b38e4ca Add TypeScript ^3.0.0 as supported peer dependencies (#644)
- 1e287f3 Add more details on using module name mapper
- df71945 doc: adds troubleshooting wiki page links
- 0b2e406 Move dev only deps to devDependencies.
- fb5cd12 chore: simplify jest config test helper + moves test utils
- ddc8c32 chore: moves test-utils.ts in __helpers__ dir
- a5370cf Merge branch 'master' into feature/upgrade-babel-and-fix-tsconfig
- db590d2 Update @types/react to the latest version 🚀 (#631)
- 4fc3933 chore: changes after GeeWee review
- fbe4f1f perf: do not hash cache key, jest does it underneath
- 5ab100c fix: resolves correctly config file path (fix #636)
Package name: webpack
The new version differs by 250 commits.
- 213226e 4.0.0
- fde0183 Merge pull request #6081 from webpack/formating/prettier
- b6396e7 update stats
- f32bd41 fix linting
- 5238159 run prettier on existing code
- 518d1e0 replace js-beautify with prettier
- 4c25bfb 4.0.0-beta.3
- dd93716 Merge pull request #6296 from shellscape/fix/hmr-before-node-stuff
- 7a07901 Merge pull request #6563 from webpack/performance/assign-depth
- c7eb895 Merge pull request #6452 from webpack/update_acorn
- 9179980 Merge pull request #6551 from nveenjain/fix/templatemd
- e52f323 optimize performance of assignDepth
- 6bf5df5 Fixed template.md
- 90ab23a Merge branch 'master' into fix/hmr-before-node-stuff
- b0949cb add integration test for spread operator
- 39438c7 unittest now also walks the ast
- 15ab027 Merge pull request #6536 from jevan0307/sideEffects-selectors
- 1611ce1 Merge pull request #6561 from joshunger/patch-1
- 6e175bc Merge pull request #6549 from webpack/md4_hash
- 0637531 Add a hyperlink to create a new issue
- 0e1f9c6 Merge pull request #6554 from webpack/deps/end-of-beta
- 72477f4 upgrade versions to stable versions
- ed30285 Merge pull request #6546 from webpack/bot/review-permission
- 40ee8c7 Use MD4 for hashing
With a Snyk patch:
| Severity | Priority Score (*) | Issue | Exploit Maturity |
|---|---|---|---|
| | 636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3 | Prototype Pollution SNYK-JS-LODASH-567746 | Proof of Concept |
| | 529/1000 Why? Has a fix available, CVSS 6.3 | Prototype Pollution npm:hoek:20180212 | No Known Exploit |
| | 589/1000 Why? Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620 | No Known Exploit |
| | 576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1 | Uninitialized Memory Exposure npm:tunnel-agent:20170305 | Proof of Concept |
(*) Note that the real score may have changed since the PR was raised.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.