
[Snyk] Fix for 2 vulnerabilities

Open snyk-bot opened this issue 2 years ago • 0 comments

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| critical | 776/1000 (Why? Recently disclosed, Has a fix available, CVSS 9.8) | Arbitrary File Upload, SNYK-JS-FORMIDABLE-2838956 | Yes | No Known Exploit |
| high | 803/1000 (Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.2) | Prototype Pollution, SNYK-JS-PROTOBUFJS-2441248 | No | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: aliyun-sdk. The new version differs by 16 commits.
  • 3f0c2be 1.12.2
  • 6db2525 x-oss-object-acl
  • 3a3214b fix dependency
  • 17ba115 BatchCompute: add getAvailable interface
  • 06dd64d 1.12.0
  • 3c14590 Merge pull request #177 from aliyun-UED/cname_request_payer
  • c42e269 feat: support cname and requestpayer for oss
  • 3303b86 update version to 1.11.12
  • 66e03b2 Merge pull request #173 from liketic/add-new-alert-api
  • 4846276 Remove redundant required tag
  • 00b8c29 Fix method name
  • 29dc9a7 Update alert api
  • d60ce9e Merge pull request #172 from Chunlin-Li/master
  • 5d26f8b 1.11.11
  • 104d3f1 feat(APIs): update the alert and savedsearch related APIs in SLS
  • 704fcf8 update version to 1.11.10


Package name: formidable. The new version differs by 250 commits.
  • 143e473 chore: prepare release
  • 2f553b4 docs: use slugify in the example
  • 9969c25 refactor: code style
  • 5103d09 feat: stop extension from being '.'
  • 67c6a3f feat: allow numbers in file extensions
  • 78de849 feat: stop at first invalid char
  • 5fdb2d0 fix: replace regex with reliable filtering
  • d2bd18d tests: add a test case that proves that the regex was always bad
  • 703bec4 tests: add comment
  • 15afa8a docs: add comment
  • d3a05e9 add failing test case
  • 971e3a7 chore: publish
  • 92df3c8 fix: IncomingForm end event emitted twice (#852)
  • 21efa7d chore(deps): bump istanbul-reports from 3.0.2 to 3.1.4 (#844)
  • 8009584 chore(kodiak): always update PRs
  • d6c17f1 chore: fix dependabot error
  • 7ea655e chore: do not add reviewers to dep update prs (#845)
  • 635b4f8 chore: add Dependabot settings (#837)
  • a93060c chore: fix kodiak config (#838)
  • 7fbf974 chore: add KodiakHQ service (#836)
  • 786f2e1 chore(deps): bump ansi-regex from 4.1.0 to 4.1.1 (#835)
  • 4718b78 chore(security): meta, add CodeQL action (#832)
  • db22330 chore: remove auto-comment bot (#833)
  • ab698ff chore(meta): remove LabelSponsors Action (#834)


Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.


snyk-bot, May 24 '22 21:05