
[Snyk] Fix for 2 vulnerabilities

Open fiddur opened this issue 4 years ago • 0 comments

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| medium severity | 658/1000 (Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS), SNYK-JS-LODASH-1018905 | Yes | Proof of Concept |
| high severity | 753/1000 (Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.2) | Command Injection, SNYK-JS-LODASH-1040724 | Yes | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: knex. The new version differs by 250 commits.
  • 40c80b3 release 0.11.0
  • 415d008 Prepare for 0.11.0
  • 8a303f1 Merge pull request #1342 from h0vhannes/mssql-conn-urls
  • 9903e7d Merge pull request #1372 from mdrmuhaimin/patch-1
  • 4d88e1d Update package.json to use latest node-postures
  • d990708 Merge pull request #1362 from wolfgang42/mssql-fixes
  • a7f609a mssql dialect: Fix integration tests that check for quoted wrappers.
  • aa3c1c2 mssql dialect: make createTableIfNotExists actually work.
  • 85403e8 Merge pull request #1343 from wubzz/bugfix/pool.ping_for_mssql
  • 14eca7a Fix MSSQL ping function, calling resource.request().query instead of resource.query.
  • 8e41a33 Add parse URL connection string tests for MSSQL
  • e49b0d4 Correct connection URL parsing for MSSQL
  • 1f09df8 Merge pull request #1296 from wubzz/default_pool_ping_fn_and_rollback_handler
  • a223858 Increase rollback timeout to 5secs
  • abfff60 Update documentation regarding default `ping` function.
  • fa12571 A default `ping` fn in default pool settings, and silently ignore errors when querying 'ROLLBACK' on a dead connection by using Promise.Timeout.
  • a104cc0 Merge pull request #1315 from wubzz/bugfix/missing_error_event_for_mysql2
  • bb9663f Merge pull request #1326 from wubzz/bugfix/renameCol_drops_default_value
  • d3b1fcc Fixed test, forgot ES6 is not supported in the test suite.
  • 0b45356 .renameColumn should not drop defaultValue or nullable state. Currently this happens for mysql. Fixes #933
  • 2fad6d1 Mysql2 should also listen to 'error' events.
  • b8c8572 Merge pull request #1313 from jurko-gospodnetic/code-cleanup
  • 34d9a76 Merge pull request #1269 from wubzz/bugfix/fix_valuesForUndefined_actual_query
  • e9ebf6f touch up wording in warning message about manually removing migration locks

See the full diff

Package name: objection. The new version differs by 192 commits.
  • 1027cb9 v0.5.0
  • 86d55d9 update examples for objection 0.5.0
  • 6ca624e minor fixes
  • e8e4acd Merge pull request #148 from gitter-badger/gitter-badge
  • 6a1eb13 Add Gitter badge
  • 2874434 Merge pull request #142 from rafaljanicki/master
  • b1ffc1d Bumped up knex version
  • 066c6d1 Bumped up maximum knex version
  • 2612519 0.5.0-rc.5
  • 01e6498 0.5.0-rc.4
  • a5b4f4e fix #127
  • fd28e63 0.5.0-rc.3
  • b57a11e fix #124
  • 03949e7 add knex as a peerDependency so that compatibility can be assured
  • 0749cb1 remove some dead code
  • bb1c817 removing node 6 from travis for now. sqlite isn't updated to support it yet
  • 6be4858 0.5.0-rc.2
  • 5ed0e88 add alias option for joinRelation method. closes #121
  • 1d22fc4 add modify, options and columnInfo query builder methods. fixes #119
  • 10c654f add links to eager query blog post. closes #115
  • 9167176 add node 6 to travis config
  • 485ca3f fix babel build on pre 6 nodes
  • 5d006f2 change *Method to *Operation
  • a2a91f5 optimize babel build

See the full diff

Package name: request-promise. The new version differs by 42 commits.
  • 21db39f Version 2.0.1
  • faaef8e updated dev dependencies
  • a847331 improved error output
  • 2373d58 Merge pull request #94 from ratson/master
  • 6b6f826 Update lodash to v4
  • 7174f7b Version 2.0.0
  • 9c454b5 feat: added node 5
  • 05b6314 Merge pull request #75 from hildjj/cls-depend
  • bf90827 As suggested in #70
  • ea0fd0c fix: specific jshint version for node 0.10 build
  • 791b920 Updated devDependencies
  • dbdeaba Version 1.0.2 (see issue #70)
  • 2552ed0 Corrected typos (issue #67)
  • e2d8dfa Reverted continuation-local-storage as peer dependency
  • ae5aa91 Version 1.0.1
  • 16fd16f continuation-local-storage as peer dependency to fix npm warning
  • 8823970 Documented missing breaking change in v1.0.0
  • ca35c5f Version 1.0.0
  • ba7cf85 Adjusted test coverage measurement
  • d91340f Added comments
  • f31c36f Updated tests for examples
  • d6b5e84 Documented manual steps
  • f5201b0 Third part of fresh up
  • ff7c73e Second part of fresh up

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
  • 🧐 View latest project report
  • 🛠 Adjust project settings
  • 📚 Read more about Snyk's upgrade and patch logic

fiddur, Feb 23 '21 04:02