[Snyk-dev] Fix for 32 vulnerabilities
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  - test/fixtures/demo-os/package.json
Vulnerabilities that will be fixed
With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| | 686/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.3) | Prototype Pollution SNYK-JS-AWSSDK-1059424 | Yes | Proof of Concept |
| | 706/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.7) | Remote Memory Exposure SNYK-JS-BL-608877 | No | Proof of Concept |
| | 671/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7) | Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767 | Yes | Proof of Concept |
| | 601/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.6) | Prototype Pollution SNYK-JS-HANDLEBARS-1279029 | Yes | Proof of Concept |
| | 579/1000 (Why? Has a fix available, CVSS 7.3) | Prototype Pollution SNYK-JS-HANDLEBARS-173692 | Yes | No Known Exploit |
| | 646/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 6.5) | Prototype Pollution SNYK-JS-HANDLEBARS-567742 | Yes | Proof of Concept |
| | 584/1000 (Why? Has a fix available, CVSS 7.4) | Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852 | No | No Known Exploit |
| | 479/1000 (Why? Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-JSBEAUTIFY-2311652 | Yes | No Known Exploit |
| | 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905 | No | Proof of Concept |
| | 681/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.2) | Command Injection SNYK-JS-LODASH-1040724 | No | Proof of Concept |
| | 686/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.3) | Prototype Pollution SNYK-JS-LODASH-450202 | No | Proof of Concept |
| | 731/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 8.2) | Prototype Pollution SNYK-JS-LODASH-567746 | No | Proof of Concept |
| | 686/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.3) | Prototype Pollution SNYK-JS-LODASH-608086 | No | Proof of Concept |
| | 686/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.3) | Prototype Pollution SNYK-JS-LODASH-73638 | No | Proof of Concept |
| | 541/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 4.4) | Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639 | No | Proof of Concept |
| | 589/1000 (Why? Has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388 | Yes | No Known Exploit |
| | 506/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 3.7) | Prototype Pollution SNYK-JS-MINIMIST-2429795 | No | Proof of Concept |
| | 601/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.6) | Prototype Pollution SNYK-JS-MINIMIST-559764 | No | Proof of Concept |
| | 479/1000 (Why? Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251 | Yes | No Known Exploit |
| | 399/1000 (Why? Has a fix available, CVSS 3.7) | Regular Expression Denial of Service (ReDoS) npm:debug:20170905 | No | No Known Exploit |
| | 579/1000 (Why? Has a fix available, CVSS 7.3) | Prototype Pollution npm:extend:20180424 | No | No Known Exploit |
| | 479/1000 (Why? Has a fix available, CVSS 5.3) | Cross-site Scripting (XSS) npm:handlebars:20151207 | Yes | No Known Exploit |
| | 399/1000 (Why? Has a fix available, CVSS 3.7) | Regular Expression Denial of Service (ReDoS) npm:hawk:20160119 | No | No Known Exploit |
| | 636/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 6.3) | Prototype Pollution npm:hoek:20180212 | No | Proof of Concept |
| | 539/1000 (Why? Has a fix available, CVSS 6.5) | Timing Attack npm:http-signature:20150122 | No | No Known Exploit |
| | 636/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 6.3) | Prototype Pollution npm:lodash:20180130 | No | Proof of Concept |
| | 589/1000 (Why? Has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620 | Yes | No Known Exploit |
| | 479/1000 (Why? Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) npm:ms:20151024 | No | No Known Exploit |
| | 399/1000 (Why? Has a fix available, CVSS 3.7) | Regular Expression Denial of Service (ReDoS) npm:ms:20170412 | No | No Known Exploit |
| | 589/1000 (Why? Has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616 | No | No Known Exploit |
| | 589/1000 (Why? Has a fix available, CVSS 7.5) | Prototype Override Protection Bypass npm:qs:20170213 | No | No Known Exploit |
| | 576/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.1) | Uninitialized Memory Exposure npm:tunnel-agent:20170305 | No | Proof of Concept |
(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: body-parser
The new version differs by 197 commits.
- b2659a7 1.18.2
- 6339bf7 perf: remove argument reassignment
- d5f9a4a deps: [email protected]
- d041563 1.18.1
- 9efa9ab deps: content-type@~1.0.4
- f1ef6cc deps: [email protected]
- e438db5 deps: [email protected]
- 15c3585 deps: [email protected]
- adfa01c 1.18.0
- 0632e2f Include the "type" property on all generated errors
- b8f97cd Include the "body" property on verify errors
- c659e8a tests: add test for err.body on json parse error
- 4e15325 tests: reorganize json error tests
- 5bd7ed5 tests: reorganize json strict option tests
- 3cb380b tests: store server on mocha context instead of variable shadowing
- 29c8cd0 docs: document too many parameters error
- 7b9cb14 Use http-errors to set status code on errors
- 29a27f1 docs: fix typo in jsdoc comment
- 448dc57 Fix JSON strict violation error to match native parse error
- 87df7e6 tests: add leading whitespace strict json test
- 1841248 deps: [email protected]
- e666dbe deps: http-errors@~1.6.2
- c2a110a deps: [email protected]
- a1a2e31 build: [email protected]
Package name: bookshelf
The new version differs by 250 commits.
- 3afecc4 Prepare for release
- a81945a Merge pull request #1305 from tgriesser/feature/gh-pages-script
- b497ce0 Remove test from `prepublish`.
- ea66c18 Try to fix tests
- 1822e74 Add postpublish script to tag and push
- 96b7668 gh-pages script
- ab426d9 Update changelog for next release
- 6a77562 Merge pull request #1287 from acburdine/lodash-4
- 4c7212f update changelog
- 12c9af8 cleanup extend function and super method calls
- 937eb59 deps: [email protected]
- 619414c Merge pull request #1294 from chamini2/registry
- bb8300f Changed registry plugin to re-implement only the _relation method
- 0124c0b Merge pull request #1288 from vellotis/fix-beolngs_to_many-jsdocs
- 4f48a7f Fix belongsToMany jsdocs
- 54c2237 Merge pull request #1279 from 1mike12/1mike12-patch-1
- e92f5f4 fix typo in docs
- adeccde Merge pull request #1273 from vellotis/fix-linter-warnings
- 637ea90 Merge pull request #1271 from vellotis/restore-postinstall-script
- a099e98 Remove two linter warnings
- 382f2c4 Fix Travis CI by restoring `postinstall` script in package.json
- 89b888c Merge pull request #1107 from gergelyke/master
- cbb8fef Merge pull request #1268 from jadengore/fix/documentation-model-where
- 1182485 Add missing fetch() in Model#where
Package name: compression
The new version differs by 117 commits.
- 93586e7 1.7.1
- bd3fa8a deps: [email protected]
- e1ce980 deps: vary@~1.1.2
- d0f7eab deps: [email protected]
- 931c346 build: [email protected]
- 8c8e36a deps: compressible@~2.0.11
- 8a5e773 deps: accepts@~1.3.4
- 7b4a7e2 build: [email protected]
- de30e3a build: [email protected]
- 8c3f7ea 1.7.0
- c27dc0f build: support Node.js 8.x
- d886306 build: [email protected]
- 598d876 Use safe-buffer for improved Buffer API
- 47fca12 build: [email protected]
- 3c78e39 build: [email protected]
- 6c4c539 deps: [email protected]
- 6d2de08 deps: compressible@~2.0.10
- ac13bc4 deps: [email protected]
- 527907c deps: [email protected]
- 6488fc2 build: [email protected]
- 55532e1 build: [email protected]
- 0e4ad01 build: [email protected]
- be58132 deps: compressible@~2.0.10
- 4d5238e deps: vary@~1.1.1
Package name: cookie-session
The new version differs by 43 commits.
- 9e9c681 1.3.2
- 62a6ec8 deps: [email protected]
- 3d81629 1.3.1
- 269e5dd build: [email protected]
- 84414e9 docs: fix date of 1.3.0 release
- 6d6c0b5 docs: add some comparison to express-session
- 0718b0b deps: [email protected]
- 096353e 1.3.0
- dfe1279 build: [email protected]
- ef47255 build: [email protected]
- 3cf0b6c build: support Node.js 4.x - 8.x
- 0739b01 deps: [email protected]
- f8c02a3 build: support io.js 3.x
- a53eb76 deps: on-headers@~1.0.1
- 7eb6a41 build: reduce runtime versions to one per major
- 64de88f build: [email protected]
- f11ffdc deps: [email protected]
- c8867bc build: remove unnecessary Travis CI command
- 92608fb build: [email protected]
- e7613aa build: fix running Node.js 0.8 tests on Travis CI
- 24334af 1.2.0
- caf462d Make req.sessionOptions a shallow clone to override per-request
- 5117478 docs: expand req.session documentation
- 5d3a73c perf: remove argument reassignments
Package name: glob
The new version differs by 76 commits.
- 3a7e71d v5.0.15
- 841fda0 use latest minimatch
- 4ba54a8 Skip some tests on Windows, make others pass
- 3936e1e Build: Add build for node v4
- c47d451 v5.0.14
- 821fac8 Handle ENOTSUP for sync glob as well as async
- 9625618 Test for when readdir raises ENOTSUP
- 0a2b519 Generate fixtures more effectively, with -O instead of eval
- f96190b Use js for benchmark cleanup
- 957fd93 Fix some 'use strict' errors
- bf3381e Treat ENOTSUP like ENOTDIR in readdir
- 507733d v5.0.13
- f5878af Do not emit 'match' events for ignored items
- 9439afd v5.0.12
- 6071f3a Revert "Use graceful-fs if available"
- 38ff16c v5.0.11
- f09292b Use graceful-fs if available
- 4f39b60 Remove duplicate option description
- e3cdccc v5.0.10
- 480da05 ignore .nyc_output, upgrade tap, use coverage, rm fixtures
- 155124b add more sync cb thrower tests
- f7302ca Test base-matching
- 7530e88 v5.0.9
- b185987 reduce cases where tests need to be regenerated
Package name: request
The new version differs by 250 commits.
- 02fc5b1 Update changelog
- de1ed5a 2.87.0
- a6741d4 Replace hawk dependency with a local implementation (#2943)
- a7f0a36 2.86.1
- 8f2fd4d Update changelog
- 386c7d8 2.86.0
- 76a6e5b Merge pull request #2885 from ChALkeR/patch-1
- db76838 Merge branch 'patch-1' of github.com:ChALkeR/request
- fb7aeb3 Merge pull request #2942 from simov/fix-tests
- e47ce95 Add Node v10 build target explicitly
- 0c5db42 Skip status code 105 on Node > v10
- d555bd7 Generate server certificates for Node > v10
- 81f8cb5 Remove redundant code
- db17497 Use Buffer.from and Buffer.alloc in tests
- 0d29635 Merge pull request #2923 from gareth-robinson/cifixes
- 3745cec Correction for Windows OS identification
- 219a298 Alterations for failing CI tests
- bbb3a0b 2.85.1
- 21ef363 Update changelog
- 5dad86e 2.85.0
- 5ba8eb4 Revert "Update hawk to 7.0.7 (#2880)"
- b191514 2.84.1
- d77c839 Update changelog
- 4b46a13 2.84.0
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Remote Code Execution (RCE) 🦉 Prototype Pollution 🦉 Cross-site Scripting (XSS) 🦉 More lessons are available in Snyk Learn