aliyun-egg icon indicating copy to clipboard operation
aliyun-egg copied to clipboard
verified publisher icon eggjs

[Snyk] Security upgrade egg-oss from 1.1.0 to 3.0.0

Open fengmk2 opened this issue 1 year ago • 1 comments

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 823/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.6		 Server-side Request Forgery (SSRF)
SNYK-JS-IP-6240864		 Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: egg-oss The new version differs by 10 commits.
  • b023e25 Release 3.0.0
  • cb50f24 📦 NEW: [BREAKING] Use oss-client instead of ali-oss (#15)
  • 0101225 refactor: use lifecycle on start process (#10)
  • 4659a27 docs: correct example endpoint configuration (#14)
  • e909e0d chore: update travis (#13)
  • 93a05ea test: add another client for sts clients test (#9)
  • e1d7a11 test: add sts clients testcase (#8)
  • 73cbba4 Release 2.0.0
  • 52c1043 feat: [BREAKING CHANGE] upgrade ali-oss to support async function (#6)
  • c2a67f6 test: update secure key (#7)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-side Request Forgery (SSRF)

fengmk2 avatar Feb 12 '24 00:02 fengmk2

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/[email protected] Transitive: environment, eval, filesystem, network, shell, unsafe +62 4.5 MB

🚮 Removed packages: npm/[email protected]

View full report↗︎

socket-security[bot] avatar Feb 12 '24 00:02 socket-security[bot]