[Snyk] Fix for 5 vulnerabilities #6

Open
wants to merge 1 commit into base: public
Conversation

@rish2497 rish2497 commented Oct 7, 2022

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • app/package.json
    • app/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| medium | 484/1000 (Why? Has a fix available, CVSS 5.4) | Open Redirect, SNYK-JS-GOT-2932019 | Yes | No Known Exploit |
| medium | 479/1000 (Why? Has a fix available, CVSS 5.3) | Denial of Service (DoS), SNYK-JS-JOSE-3018688 | No | No Known Exploit |
| high | 671/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7) | Prototype Pollution, SNYK-JS-MONGOOSE-2961688 | No | Proof of Concept |
| medium | 454/1000 (Why? Has a fix available, CVSS 4.8) | Session Fixation, SNYK-JS-PASSPORT-2840631 | No | No Known Exploit |
| high | 696/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.5) | Denial of Service (DoS), SNYK-JS-SQLITE3-2388645 | Yes | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: jose
The new version differs by 5 commits.
  • a38040d chore(release): 3.20.4
  • 1895f9e chore: lock down build deps
  • d530c30 fix: limit default PBES2 alg's computational expense
  • 5309e00 ci: full-ci triggers all actions on PRs
  • 82105d6 ci: update release to make to tag on npm and not push to main

See the full diff

Package name: mongoose
The new version differs by 250 commits.
  • 5449ab9 chore: release 6.4.6
  • b8c99cf Merge pull request #11892 from Automattic/netlify-functions-example
  • 2751883 fix tests
  • eced2c7 Merge branch 'master' into netlify-functions-example
  • 92cb6fb Merge branch 'master' into vkarpov15/gh-12085
  • 422f9da test(schema): add coverage for calling `plugin()` with options
  • 2262a77 fix(document): avoid mutating original object passed to $set() when applying defaults to nested properties
  • 2e6b064 made requested changes
  • b70a0dc Merge pull request #12123 from LokeshKanumoori/patch-1
  • 086bd9f fix(query): apply lean transform option to top-level document
  • 1344214 Update migrating_to_6.md
  • a45cfb6 fix(schema): disallow setting __proto__ when creating schema with dotted properties
  • bc302f4 chore: release 6.4.5
  • 44530a6 Merge pull request #12116 from Automattic/revert-12103-upgrade-mongo-driver
  • 80b7d53 Revert "chore: upgrade mongodb driver to 4.8.0"
  • 0156d5e style: fix lint
  • 9524f89 fix(types): make `$addToSet` fields mutable to allow programatically constructing $addToSet
  • 201071b fix(types): allow any value for AddFields
  • 5301deb fix: cleanup and various updates
  • 118c97a Merge branch 'master' into netlify-functions-example
  • 1306d00 Merge pull request #12086 from hasezoey/modelJSDOCTouchup
  • f95373d Merge pull request #12110 from skrtheboss/fix/is-atlas-check
  • 1445c20 Merge pull request #12112 from pathei-kosmos/master
  • 250b01b fix(types): avoid treating `| undefined` types as `any` in `Require_id` to better support `_id: String` with auto-typed schemas

See the full diff

Package name: oidc-provider
The new version differs by 102 commits.
  • 286b8d8 chore(release): 7.0.0
  • 238786b docs: update readme
  • 5efbf9b chore: move package json fields to rc files
  • ee74dcf feat: control whether underlying Grant gets destroyed during logout and revocation
  • 9dc7921 feat: allow pre-existing Grants to be loaded during authorization
  • efd3dab feat: The key used to asymmetrically sign PASETO Access Tokens can now be chosen based on its Key ID.
  • 2e78582 feat: PASETO Access Tokens can now be encrypted with a symmetric secret shared with the recipient using v1.local
  • dff2a72 feat: PASETO Access Tokens now support both v1.public and v2.public
  • 4efe741 feat: PASETO Access Tokens are now just issued and not stored anymore
  • d1ee6b7 feat: JWT Access Tokens are now just issued and not stored anymore
  • 8b32707 feat: The key used to asymmetrically sign JWT Access Tokens can now be chosen based on its Key ID.
  • d2a63b7 feat: JWT Access Tokens can now be encrypted with an asymmetric public key of the recipient
  • 0f76c65 feat: JWT Access Tokens can now be encrypted with a symmetric secret shared with the recipient
  • 5041158 feat: JWT Access Tokens can now be HMAC-signed with a symmetric secret shared with the recipient
  • f48a44e ci: only download failed certification html results
  • ceb3cd1 fix: remap `invalid_redirect_uri` as `invalid_request` in PAR
  • d1d9421 refactor: idToken.issue() now requires the `use` option
  • 5572e0e refactor: use jose@3 instead of jose@2
  • bf8abdb refactor: use private class fields in favour of weakmap where possible
  • 72058a5 feat: helper function to decide whether to validate client.sector_identifier_uri
  • 202e4c5 feat: sector_identifier_uri can be used without pairwise subject_type
  • 59d6c52 ci: continue on lint errors
  • 33f3a83 feat: PAR no longer requires otherwise enabled `features.requestObjects`
  • a1f7466 refactor: use clearer allow/block list definitions

See the full diff

Package name: passport
The new version differs by 100 commits.

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

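The mongoose commit listed above, a45cfb6 ("fix(schema): disallow setting __proto__ when creating schema with dotted properties"), is the fix behind the Prototype Pollution entry SNYK-JS-MONGOOSE-2961688. The block below is an added JavaScript example, not code from mongoose or from this PR, showing the pattern such a fix guards against: a dotted-path setter that walks through a `__proto__` segment and therefore writes onto the shared `Object.prototype`, beside a hardened setter that rejects the reserved segments and descends only into own properties. The function names (`setPathVulnerable`, `setPathSafe`, `demonstrate`) and the sample path are the example's own.

```javascript
// Added example (not mongoose's code): prototype pollution through a
// dotted-path setter, and the hardened form that refuses reserved keys.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Vulnerable: each segment is resolved with plain property access. Because
// obj['__proto__'] resolves to Object.prototype (a non-null object), the
// walk "descends" into the shared prototype and the final assignment lands
// there, making the property visible on every plain object in the process.
function setPathVulnerable(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === null || typeof cur[parts[i]] !== 'object') {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened: reject reserved segments up front (constructor/prototype are
// refused as well, since other setters may descend through functions), and
// only descend into own properties so inherited objects are never reused.
function setPathSafe(obj, path, value) {
  const parts = path.split('.');
  for (const part of parts) {
    if (FORBIDDEN_KEYS.has(part)) {
      throw new Error(`refusing reserved key "${part}" in path "${path}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (!hasOwn(cur, key) || cur[key] === null || typeof cur[key] !== 'object') {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Runs the attack path against both setters and reports what happened.
// The pollution is undone before returning so the rest of the process is unaffected.
function demonstrate() {
  const attackPath = 'profile.__proto__.isAdmin'; // constructed attacker-controlled path
  setPathVulnerable({}, attackPath, true);
  const polluted = ({}).isAdmin === true; // a fresh, unrelated object now "has" isAdmin
  delete Object.prototype.isAdmin;

  let safeRejected = false;
  try {
    setPathSafe({}, attackPath, true);
  } catch (e) {
    safeRejected = true;
  }
  const afterSafe = ({}).isAdmin === undefined;
  return { polluted, safeRejected, afterSafe };
}

console.log(JSON.stringify(demonstrate()));
```

The check that matters is the one on every segment, not only the last: the dangerous write in the vulnerable setter happens on the final key, but the damage is decided when the walk steps through `__proto__`.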
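The jose commit d530c30 ("fix: limit default PBES2 alg's computational expense") corresponds to the DoS entry SNYK-JS-JOSE-3018688: with the PBES2 key-management algorithms, the PBKDF2 iteration count travels inside the JWE's own protected header as `p2c`, so an attacker-supplied token can demand an arbitrarily expensive derivation before the recipient has verified anything. The block below is an added Node.js example, not jose's code, that bounds `p2c` before any PBKDF2 work runs and only then derives the key-wrapping key per RFC 7518 (salt = alg || 0x00 || p2s). The cap `MAX_PBES2_ITERATIONS = 10000`, the function names and the constructed sample headers are assumptions of the example.

```javascript
// Added example (not jose's code): refuse a hostile p2c before spending CPU on it.
const crypto = require('crypto');

// Assumed cap: high enough for legitimate tokens, low enough that one unwrap
// attempt costs milliseconds rather than minutes.
const MAX_PBES2_ITERATIONS = 10000;
const MIN_PBES2_ITERATIONS = 1000; // RFC 7518 recommends at least 1000

function b64urlDecode(s) {
  const pad = s.length % 4 === 0 ? '' : '='.repeat(4 - (s.length % 4));
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64');
}
function b64urlEncode(buf) {
  return Buffer.from(buf).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Inspect the protected header of a compact JWE BEFORE any key derivation.
// Returns { ok, reason, header }; ok=false means the token must be rejected.
function checkPbes2Header(compactJwe, maxIterations = MAX_PBES2_ITERATIONS) {
  let header;
  try {
    header = JSON.parse(b64urlDecode(compactJwe.split('.')[0]).toString('utf8'));
  } catch (e) {
    return { ok: false, reason: 'unparseable protected header' };
  }
  if (typeof header.alg !== 'string' || !header.alg.startsWith('PBES2-')) {
    return { ok: true, reason: 'not a PBES2 key management algorithm', header };
  }
  const p2c = header.p2c;
  if (!Number.isInteger(p2c) || p2c < MIN_PBES2_ITERATIONS) {
    return { ok: false, reason: 'p2c missing, non-integer or below minimum', header };
  }
  if (p2c > maxIterations) {
    return { ok: false, reason: `p2c=${p2c} exceeds cap of ${maxIterations}`, header };
  }
  if (typeof header.p2s !== 'string' || b64urlDecode(header.p2s).length < 8) {
    return { ok: false, reason: 'p2s missing or shorter than 8 bytes', header };
  }
  return { ok: true, reason: 'p2c within bounds', header };
}

// Derive the PBES2 key-wrapping key only after the header passed the check.
function derivePbes2Kek(compactJwe, password) {
  const check = checkPbes2Header(compactJwe);
  if (!check.ok) throw new Error(`rejecting JWE: ${check.reason}`);
  const { alg, p2s, p2c } = check.header;
  const keyLen = alg.endsWith('A128KW') ? 16 : alg.endsWith('A192KW') ? 24 : 32;
  const hash = alg.startsWith('PBES2-HS256') ? 'sha256' : alg.startsWith('PBES2-HS384') ? 'sha384' : 'sha512';
  const salt = Buffer.concat([Buffer.from(alg, 'utf8'), Buffer.from([0]), b64urlDecode(p2s)]);
  return crypto.pbkdf2Sync(password, salt, p2c, keyLen, hash);
}

// Constructed sample: only the protected header is populated; the remaining
// four compact segments are left empty because this check never reads them.
function makeJweHeaderStub(header) {
  return b64urlEncode(JSON.stringify(header)) + '....';
}

// Hostile token asking for two billion PBKDF2 rounds, next to a sane one.
const HOSTILE_JWE = makeJweHeaderStub({ alg: 'PBES2-HS256+A128KW', enc: 'A128GCM', p2s: 'c2FsdHNhbHQ', p2c: 2000000000 });
const BENIGN_JWE = makeJweHeaderStub({ alg: 'PBES2-HS256+A128KW', enc: 'A128GCM', p2s: 'c2FsdHNhbHQ', p2c: 4096 });

console.log(checkPbes2Header(HOSTILE_JWE).reason);
console.log(checkPbes2Header(BENIGN_JWE).reason);
```

The cap is a policy decision that belongs to the recipient, not the token: a library default protects applications that never thought about it, but an application that knows its issuers can lower the bound further.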


2 participants