json-api
[Snyk] Security upgrade qs from 6.5.2 to 6.5.3
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json
Vulnerabilities that will be fixed
With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| | 768/1000. Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5 | Prototype Pollution SNYK-JS-QS-3153490 | No | Proof of Concept |
(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: qs
The new version differs by 24 commits.
- 298bfa5 v6.5.3
- ed0f5dc [Fix] `parse`: ignore `__proto__` keys (#428)
- 691e739 [Robustness] `stringify`: avoid relying on a global `undefined` (#427)
- 1072d57 [readme] remove travis badge; add github actions/codecov badges; update URLs
- 12ac1c4 [meta] fix README.md (#399)
- 0338716 [actions] backport actions from main
- 5639c20 Clean up license text so it's properly detected as BSD-3-Clause
- 51b8a0b add FUNDING.yml
- 45f6759 [Fix] fix for an impossible situation: when the formatter is called with a non-string value
- f814a7f [Dev Deps] backport from main
- fd950b0 [Tests] always use `String(x)` over `x.toString()`
- 31bcb32 [Fix] `utils.merge`: avoid a crash with a null target and an array source
- 98c93d6 [Refactor] `utils`: reduce observable [[Get]]s
- 49ad67f [Fix]` `utils.merge`: avoid a crash with a null target and a truthy non-array source
- ef27de4 [Refactor] use cached `Array.isArray`
- 107c302 [Docs] Clarify the need for "arrayLimit" option
- fafc2d2 [Fix] correctly parse nested arrays
- 55d217b [refactor] `stringify`: Avoid arr = arr.concat(...), push to the existing instance (#269)
- c1c2a9d [Fix] `stringify`: fix a crash with `strictNullHandling` and a custom `filter`/`serializeDate` (#279)
- d1d1a97 [Fix] `utils`: `merge`: fix crash when `source` is a truthy primitive & no options are provided
- b6956c9 [Tests] remove nonexistent tape option
- f85bce6 [Fix] when `parseArrays` is false, properly handle keys ending in `[]`
- eee72e3 [Tests] up to `node` `v10.1`, `v9.11`, `v8.11`, `v6.14`, `v4.9`; pin included builds to LTS
- 1bfe04c [Refactor] `parse`: only need to reassign the var once
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
- View latest project report
- Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
- Prototype Pollution
Codecov Report
Base: 91.11% // Head: 91.11% // No change to project coverage :thumbsup:
Coverage data is based on head (d651e0d) compared to base (745d36d). Patch has no changes to coverable lines.
Additional details and impacted files
@@ Coverage Diff @@
## master #217 +/- ##
=======================================
Coverage 91.11% 91.11%
=======================================
Files 58 58
Lines 2250 2250
Branches 500 500
=======================================
Hits 2050 2050
Misses 200 200