@snyk-bot

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • packages/storage/package.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| high severity | 696/1000. Why? Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS), SNYK-JS-ANSIREGEX-1583908 | Yes | Proof of Concept |
| medium severity | 554/1000. Why? Has a fix available, CVSS 6.8 | Cryptographic Issues, SNYK-JS-ELLIPTIC-1064899 | No | No Known Exploit |
| medium severity | 586/1000. Why? Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS), SNYK-JS-LODASH-1018905 | No | Proof of Concept |
| high severity | 681/1000. Why? Proof of Concept exploit, Has a fix available, CVSS 7.2 | Command Injection, SNYK-JS-LODASH-1040724 | No | Proof of Concept |
| high severity | 589/1000. Why? Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS), SNYK-JS-SCHEMAINSPECTOR-1088010 | No | No Known Exploit |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: @stacks/auth
The new version differs by 250 commits.
  • f1dbba6 v2.0.0
  • d25a618 chore: Replace buffer usages in sdk-wallet with buffer export by common
  • 8753431 chore: make wallet-sdk test configuration similar to other packages
  • 05d6c03 chore: fix build errors
  • d92388e chore: fix linting errors
  • e40785c feat: add @stacks/wallet-sdk package
  • 8e99b76 fix: always return string quoted integer rather than `number | string` depending on bit size
  • e349e49 chore: update bns and stacking package BN usage
  • ae87071 chore: redundant type in `IntegerType` union
  • c644d52 chore: remove unused code
  • 4d686ed chore(ci): lint fix
  • 1d0908e feat: refactor all js `number` and `bn.js` usages in Clarity integer values to native bigint
  • c2262cc fix: The transaction ABI validation should accept lists that are less than or equal to the max size specified in the arguments type
  • 3548cc7 chore: rebase fixes
  • d205807 chore(ci): npm node_modules cache potentially creating flaky CI failures
  • 786c3b2 fix: bn.js lib accepts strings containing non-integer values and results in weird behavior
  • 7e794c0 chore: allow odd-length hex strings that certain libs output
  • 639bc37 chore: add a few more test vectors for intCV test
  • b10c82c chore: simplify intCV parsing for unpadded byte array inputs -- bn.js will take care of it as long as we operate on 8-bit boundaries
  • 5155195 chore: fix cvToValue throws exception for uint with more than 53 bits stx-labs/stacks.js#983 and bugs with Clarity int/uint value encoding
  • cef1d5a fix: verify that the public key is a secp256k1 point
  • 9045f57 fix: prettify
  • dbcbcf9 fix: use stacks.js repo url
  • 3b46674 fix: handle empty list in getCVTypeString (getCVTypeString of empty list fails stx-labs/stacks.js#1033)

See the full diff

Package name: @stacks/encryption
The new version differs by 35 commits.

See the full diff

Package name: jest
The new version differs by 250 commits.
  • 343532a v26.0.0
  • 075854a chore: update changelog for release
  • 68b65af v26.0.0-alpha.2
  • d30a586 fix: disallow hook definitions in tests (#9957)
  • 3375ac3 chore: remove unused prettier uninstall step from CI
  • 0a63d40 fix: absolute path moduleNameMapper + jest.mock issue (#8727)
  • 03dbb2f chore: fix watch mode test with utimes (#9967)
  • 68d12d5 chore: skip broken test on windows (#9966)
  • e8e8146 align circus with jasmine's top-to-bottom execution order (#9965)
  • 968a301 Fix invalid re-run of tests in watch mode (#7347)
  • 5d1be03 chore: fix windows CI (#9964)
  • 2bac04f v26.0.0-alpha.1
  • c665f22 feat: add `createMockFromModule` to replace `genMockFromModule` (#9962)
  • 8147af1 chore: improve error on module not found (#9963)
  • 71631f6 feat: add new 'modern' implementation of Fake Timers (#7776)
  • d7f3427 chore: rename LolexFakeTimers to ModernFakeTimers (#9960)
  • 2c7682c Update index.js (#9095)
  • 5a16415 docs: Updated Testing Frameworks guide with React; make it generic (#9106)
  • 4216b86 updated docs regarding testSequencer (#9174)
  • 2e8f8d5 fix: handle `null` being passed to `createTransformer` (#9955)
  • 7a3c997 jest-circus: throw if a test / hook is defined asynchronously (#8096)
  • 42f920c chore: update ts-eslint (#9953)
  • 3078172 Updated config docs with default transform value (#8583)
  • b6052e0 Update jest-phabricator documentation (#8662)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
