extension icon indicating copy to clipboard operation
extension copied to clipboard

Published 20 hours ago verified publisher icon get-set-fetch

[Snyk] Security upgrade url-parse from 1.4.7 to 1.5.7

Open snyk-bot opened this issue 3 years ago • 0 comments

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

merge advice

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 703/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.2		 Authorization Bypass Through User-Controlled Key
SNYK-JS-URLPARSE-2412697		 No Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: url-parse The new version differs by 53 commits.
  • 8b3f5f2 1.5.7
  • ef45a13 [fix] Readd the empty userinfo to `url.href` (#226)
  • 88df234 [doc] Add soft deprecation notice
  • 78e9f2f [security] Fix nits
  • e6fa434 [security] Add credits for incorrect handling of userinfo vulnerability
  • 4c9fa23 1.5.6
  • 7b0b8a6 Merge pull request #223 from unshiftio/fix/at-sign-handling-in-userinfo
  • e4a5807 1.5.5
  • 193b44b [minor] Simplify whitespace regex
  • 319851b [fix] Remove CR, HT, and LF
  • 4e53a8c [doc] Document that the returned hostname might be invalid
  • 9be7ee8 [fix] Correctly handle userinfo containing the at sign
  • f7774f6 [security] Fix typos in SECURITY.md
  • 82c4908 [dist] 1.5.4
  • e324874 [doc] Remove dependency status badge
  • 5e8a444 [ci] Test on node 17
  • a72a5c6 [doc] Remove "made by" and IRC badges
  • e9a8353 [ci] Update coverallsapp/github-action action to version 1.1.3
  • 36dd8b4 [minor] Remove redundant assignment
  • 5472388 [minor] Remove dead code
  • 53d4d6d [fix] Handle the `username` and `password` properties
  • 0be9572 [test] Test that `Url#set()` correctly handles the `auth` property
  • 15b1dbd [fix] Do not lose the password in the stringification process
  • 993acbe [fix] Handle the `auth` property (#213)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

snyk-bot avatar Feb 25 '22 16:02 snyk-bot