-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Snyk] Security upgrade puppeteer from 20.7.3 to 21.3.7 #53
base: master
Are you sure you want to change the base?
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-WORDWRAP-3149973
|
Vulnerable Libraries (1)
More info on how to fix Vulnerable Libraries in JavaScript. 馃憠 Go to the dashboard for detailed results. 馃摜 Happy? Share your feedback with us. |
Updated dependencies detected. Learn more about Socket for GitHub 鈫楋笌
|
馃毃 Potential security issues detected. Learn more about Socket for GitHub 鈫楋笌 To accept the risk, merge this PR and you will not be notified again.
Next stepsWhat is filesystem access?Accesses the file system, and could potentially read sensitive data. If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. What is a major refactor?Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes. Consider waiting before upgrading to see if any issues are discovered, or be prepared to scrutinize any bugs or subtle changes the major refactor may bring. Publishers my consider publishing beta versions of major refactors to limit disruption to parties interested in the new changes. What is network access?This module accesses the network. Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. What is wrong with semver < v1?Package is not semver >=1. This means it is not stable and does not support ^ ranges. If the package sees any general use, it should begin releasing at version 1.0.0 or later to benefit from semver. What are semver anomalies?Package semver skipped several versions, this could indicate a dependency confusion attack or indicate the intention of disruptive breaking changes or major priority shifts for the project. Packages should follow semantic versions conventions by not skipping subsequent version numbers. Consumers should research the purpose of the skipped version number. Take a deeper look at the dependencyTake a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev. Remove the packageIf you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency. Mark a package as acceptable riskTo ignore an alert, reply with a comment starting with
|
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
With an upgrade:
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7
SNYK-JS-WORDWRAP-3149973
(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: puppeteer
The new version differs by 250 commits.See the full diff
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:![](https://camo.githubusercontent.com/7ba92e60c8e0c36cec9a5971c6b694c4294187b664b5fec12bc32324a27bd048/68747470733a2f2f6170692e7365676d656e742e696f2f76312f706978656c2f747261636b3f646174613d65794a33636d6c305a55746c65534936496e4a79576d785a634564485932527954485a7362306c596430645563566734576b4652546e4e434f5545774969776959573576626e6c746233567a535751694f6949794f544e6a5a6a6b774e433168596a51344c54526a4d6a4574596d4e6859793031595467355a575934597a526a5a4749694c434a6c646d567564434936496c425349485a705a58646c5a434973496e42796233426c636e52705a584d694f6e736963484a4a5a434936496a49354d324e6d4f5441304c5746694e4467744e474d794d5331695932466a4c5456684f446c6c5a6a686a4e474e6b59694a3966513d3d)
馃 View latest project report
馃洜 Adjust project settings
馃摎 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
馃 Regular Expression Denial of Service (ReDoS)