fozzie-components icon indicating copy to clipboard operation
fozzie-components copied to clipboard

Published 20 hours ago verified publisher icon justeattakeaway

[Snyk] Fix for 8 vulnerabilities

Open ashleynolan opened this issue 1 year ago • 1 comments

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • packages/tools/f-vue-icons/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory. If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning 
Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:
Severity Issue Breaking Change Exploit Maturity
medium severity Prototype Pollution
SNYK-JS-JSON5-3182856		 Yes Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-1070800		 Yes No Known Exploit
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-2342073		 Yes Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-2342082		 Yes Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-POSTCSS-1255640		 Yes Proof of Concept
high severity Cross-site Scripting (XSS)
SNYK-JS-SERIALIZEJAVASCRIPT-536840		 Yes No Known Exploit
high severity Arbitrary Code Injection
SNYK-JS-SERIALIZEJAVASCRIPT-570062		 Yes Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-TERSER-2806366		 Yes No Known Exploit

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution 🦉 Regular Expression Denial of Service (ReDoS) 🦉 Cross-site Scripting (XSS) 🦉 More lessons are available in Snyk Learn

ashleynolan avatar Aug 17 '23 15:08 ashleynolan

Fails
:no_entry_sign:

:arrow_up: This PR should include a SEMVER version bump for f-vue-icons, so that these packages can be published once merged.
:no_entry_sign: :memo: Please include a CHANGELOG entry for f-vue-icons
:no_entry_sign: :exclamation: PR title should start with the package version in the format {package-name}@v(x.x.x) (such as [email protected])

Generated by :no_entry_sign: dangerJS against 30a58974cfd7f1bf9ecaa617edf32838827cb283

fozzie-bot avatar Aug 17 '23 15:08 fozzie-bot