npminstall icon indicating copy to clipboard operation
npminstall copied to clipboard
verified publisher icon cnpm

[Snyk] Fix for 1 vulnerabilities

Open fengmk2 opened this issue 1 year ago • 2 comments

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 823/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.6		 Server-side Request Forgery (SSRF)
SNYK-JS-IP-6240864		 Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: node-gyp The new version differs by 27 commits.
  • 9acb4c7 chore: release 10.0.0
  • 3032e10 chore: run tests after release please PR
  • 864a979 feat!: use .npmignore file to limit which files are published (#2921)
  • 4e493d4 chore: misc testing fixes (#2930)
  • d52997e feat: convert internal classes from util.inherits to classes
  • 355622f feat: convert all internal functions to async/await
  • 1b3bd34 feat!: drop node 14 support (#2929)
  • e388255 deps: [email protected] (#2928)
  • 059bb6f deps: [email protected] (#2927)
  • 4bef1ec deps: [email protected] (#2926)
  • 21a7249 chore: add check engines script to CI (#2922)
  • 707927c feat(gyp): update gyp to v0.16.1 (#2923)
  • d644ce4 docs: update applicable GitHub links from master to main (#2843)
  • 4a50fe3 chore: empty commit to add changelog entries from #2770
  • 26683e9 chore: GitHub Workflows security hardening (#2740)
  • 91fd8ff Python lint: ruff --format is now --output-format
  • b3d41ae doc: Add note about Python symlinks (PR 2362) to CHANGELOG.md for 9.1.0 (#2783)
  • 5746691 test: update expired certs (#2908)
  • d3615c6 Fix incorrect Xcode casing in README (#2896)
  • bb93b94 docs: README.md Do not hardcode the supported versions of Python (#2880)
  • 0f1f667 fix: create Python symlink only during builds, and clean it up after (#2721)
  • 445c28f test: increase mocha timeout (#2887)
  • 1bfb083 Fix Python lint error by using an f-string (#2886)
  • c9caa2e docs: Update windows installation instructions in README.md (#2882)

See the full diff

Package name: pacote The new version differs by 27 commits.
  • 18e760f chore: release 17.0.4
  • ba8f790 deps: bump @ npmcli/promise-spawn from 6.0.2 to 7.0.0
  • 2c0d3ae deps: bump @ npmcli/run-script from 6.0.2 to 7.0.0
  • 7aa2062 chore: release 17.0.3
  • ace7c28 deps: bump npm-packlist from 7.0.4 to 8.0.0
  • f1efd0c chore: release 17.0.2
  • c3b892d deps: bump sigstore from 1.3.0 to 2.0.0
  • c75d7d5 chore: release 17.0.1
  • 6ddae13 deps: bump npm-registry-fetch from 15.0.0 to 16.0.0
  • 42bf787 deps: bump npm-pick-manifest from 8.0.2 to 9.0.0
  • 9fa2de9 chore: release 17.0.0
  • e9e964b deps: bump read-package-json from 6.0.4 to 7.0.0
  • f69d844 chore: [email protected]
  • 5d26500 deps: bump npm-package-arg from 10.1.0 to 11.0.0
  • d13bb9c deps: bump @ npmcli/git from 4.1.0 to 5.0.0
  • 7a25e39 deps: bump cacache from 17.1.4 to 18.0.0
  • 2db2fb5 fix: drop node 16.13.x support
  • 5cdbfd1 chore: release 16.0.0
  • 8dc6a32 deps: bump minipass from 5.0.0 to 7.0.2
  • 7cebf19 deps: bump npm-registry-fetch from 14.0.5 to 15.0.0
  • 73b6297 fix: drop node14 support (#290)
  • 53cf17e chore: postinstall for dependabot template-oss PR
  • 865d5c7 chore: bump @ npmcli/template-oss from 4.17.0 to 4.18.0
  • 040add9 chore: postinstall for dependabot template-oss PR

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-side Request Forgery (SSRF)

fengmk2 avatar Feb 11 '24 19:02 fengmk2

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@npmcli/[email protected] environment, filesystem, network Transitive: shell +93 7.2 MB gar
npm/[email protected] environment, shell Transitive: filesystem, network +36 4.6 MB lukekarrys
npm/[email protected] environment, filesystem, network Transitive: shell +68 5.71 MB npm-cli-ops

🚮 Removed packages: npm/@npmcli/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

socket-security[bot] avatar Feb 11 '24 19:02 socket-security[bot]

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Comparison is base (4c2cc3b) 91.03% compared to head (11e4770) 91.03%. Report is 1 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master     #474   +/-   ##
=======================================
  Coverage   91.03%   91.03%           
=======================================
  Files          31       31           
  Lines        4831     4831           
  Branches      953      955    +2     
=======================================
  Hits         4398     4398           
  Misses        433      433

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov[bot] avatar Feb 11 '24 19:02 codecov[bot]