Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 10 vulnerabilities #1833

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

DonJayamanne
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 619/1000
Why? Has a fix available, CVSS 8.1
Prototype Pollution
SNYK-JS-AJV-584908
No No Known Exploit
high severity 644/1000
Why? Has a fix available, CVSS 8.6
Prototype Pollution
SNYK-JS-JSONSCHEMA-1920922
No No Known Exploit
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7
Prototype Pollution
SNYK-JS-MINIMIST-2429795
No Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Prototype Poisoning
SNYK-JS-QS-3153490
No Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795
No Proof of Concept
medium severity 596/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.5
Arbitrary Code Injection
SNYK-JS-UNDERSCORE-1080984
No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090599
No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090600
No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090601
No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-JS-VALIDATOR-1090602
No Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: azure-storage The new version differs by 52 commits.
  • 30a84ff Merge pull request #711 from EmmaZhu/readme
  • 9c91937 Remove details about of the readme to only redirect to latest storage JS SDKs and indicate that the package is deprecated.
  • 1f29b33 Merge pull request #708 from EmmaZhu/migrationguide
  • dc4a53b Add migration guide link into readme.
  • a1d23d4 Merge pull request #707 from ramya-rao-a/patch-4
  • f40c22d Indicate that azure-storage is legacy package
  • 2571d0f Merge pull request #705 from EmmaZhu/dependencies
  • 3eaa32a Update dependency mark to make it use more recent version automatically.
  • 34aabd8 Merge pull request #706 from ramya-rao-a/patch-2
  • 2e530df Bring more attention to the note on newer packages
  • ad8472f Merge pull request #702 from EmmaZhu/master
  • ddc7e8b Upgrade json-schema to 0.4.0. fixed an issue where customized retry interval doesn't take effact.
  • 7a42c7b Merge pull request #699 from Azure/dependabot/npm_and_yarn/validator-13.7.0
  • 5c5f836 Bump validator from 13.6.0 to 13.7.0
  • c422631 Merge pull request #695 from EmmaZhu/validator
  • cf37807 Update package version to 2.10.5
  • 35676b4 Upgrade validator 13.6.0.
  • c2656be Merge pull request #684 from Azure/dependabot/npm_and_yarn/lodash-4.17.21
  • d813bde Merge pull request #690 from Azure/dependabot/npm_and_yarn/postcss-7.0.36
  • 58c92d1 Bump lodash from 4.17.19 to 4.17.21
  • b120cd5 Merge pull request #692 from Azure/dependabot/npm_and_yarn/path-parse-1.0.7
  • 0036af3 Merge pull request #682 from Azure/dependabot/npm_and_yarn/handlebars-4.7.7
  • 92dac84 Merge pull request #681 from Azure/dependabot/npm_and_yarn/grunt-1.3.0
  • 9efb7bc Merge pull request #674 from Azure/dependabot/npm_and_yarn/elliptic-6.5.4

See the full diff

Package name: vscode-extension-telemetry The new version differs by 83 commits.
  • 21d7c13 Missed a place bumping the version
  • 41bc647 Update version for release
  • c561107 Lower target to support more legacy codebases
  • 4911887 Fix #88
  • 1551186 Update build to node LTS
  • 081c624 Remove whitespace expansion due to perf reasons
  • 188ee72 Merge pull request #73 from radeksimko/f-collect-arch
  • ddeafdb common.arch -> common.nodeArch
  • 4d7a45b common: Collect architecture as a common property
  • bdbab89 Remove first party explicitness from readme
  • 068ddd9 Fix compilation
  • 1ca205c Update level enum
  • e0f1cca Bump version to prepare for a release
  • 389b8b2 Fix #76
  • 0e1a889 Switch to npm 6
  • 1099714 Update package.json with new esbuild
  • 7174c44 Merge pull request #75 from radeksimko/f-raw-telemetry-event
  • 92d1291 rename: TelemetryRawEventProperties -> RawTelemetryEventProperties
  • c3ea7fc simplify object notation
  • c4d17f1 Add codespaces as a remote authority
  • 91e1e18 fix typo Telemtry -> Telemetry
  • 7d2d3e4 Introduce 'sendRawTelemetryEvent'
  • bb8286d Run on macos latest
  • 7bf72ee Update ansi regex

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Arbitrary Code Injection

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants