New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 9 vulnerabilities #61

Open

snyk-bot wants to merge 1 commit into master from snyk-fix-7499a59657219660a614a81da187cb33

Contributor

snyk-bot commented Oct 7, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	No	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-BOOTSTRAP-173700	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-BOOTSTRAP-72889	No	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-BOOTSTRAP-72890	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MOUT-1014544	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MOUT-2342654	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) npm:bootstrap:20160627	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) npm:bootstrap:20180529	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: axios

The new version differs by 41 commits.

e367be5 [Releasing] 0.21.3
83ae383 Correctly add response interceptors to interceptor chain (#4013)
c0c8761 [Updating] changelog to include links to issues and contributors
619bb46 [Releasing] v0.21.2
82c9455 Create SECURITY.md (#3981)
5b45711 Security fix for ReDoS (#3980)
5bc9ea2 Update ECOSYSTEM.md (#3817)
e72813a Fixing README.md (#3818)
e10a027 Fix README typo under Request Config (#3825)
e091491 Update README.md (#3936)
b42fbad Removed un-needed bracket
520c8dc Updating CI status badge (#3953)
4fbeecb Adding CI on Github Actions. (#3938)
e9965bf Fixing the sauce labs tests (#3813)
dbc634c Remove charset in tests (#3807)
3958e9f Add explanation of cancel token (#3803)
69949a6 Adding custom return type support to interceptor (#3783)
49509f6 Create FUNDING.yml (#3796)
199c8aa Adding parseInt to config.timeout (#3781)
94fc4ea Adding isAxiosError typeguard documentation (#3767)
0ece97c Fixing quadratic runtime when setting a maxContentLength (#3738)
a18a0ec Updating `lib/core/README.md` about Dispatching requests (#3772)
59fa614 [Updated] follow-redirects to the latest version (#3771)
7821ed2 Feat/json improvements (#3763)

See the full diff

Package name: bootstrap

The new version differs by 153 commits.

68b0d23 Dist
2ccfa57 handle # selector for dropdown
a43077d Bump version to 3.4.1.
d821de2 Backport sanitize docs from v4.
5cd9ef4 Add wdm gem for Windows.
d6b8501 ES5 fixes.
2c8abb9 Add sanitize for tooltips and popovers html content.
d4129df Bump year.
0d64d6a less/modals.less: Add missing semicolon.
48c5d7b Use https.
b23e213 Update devDependencies and gems.
695c541 Fix redirects.
9206e46 Make meaning of tooltip's 'selector' option more clear in Bootstrap 3
b285ea3 Add a few redirects.
3e1b894 Fix broken link in nav version dropdown.
3e519c3 Support nuget contentFiles, used for some project types (#27856)
4c547f2 Dist.
0f1c6b0 Move the whole autoprefixer config to configBridge.json.
9332f3c Add polyfills for older browsers.
dd71b40 docs: Concat the IE files with the rest.
4a5c7f2 Update devDependencies, gems and lots of cleanup/build fixes.
7a2cdfb Center skippy.
3b82587 Restore `cursor: help` for `abbr`.
bf69f1f Backport the `abbr` fix from the updated normalize.css.

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Prototype Pollution
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn


fix: package.json, package-lock.json & .snyk to reduce vulnerabilities

7ce3d53

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-1579269
- https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-173700
- https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72889
- https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72890
- https://snyk.io/vuln/SNYK-JS-MOUT-1014544
- https://snyk.io/vuln/SNYK-JS-MOUT-2342654
- https://snyk.io/vuln/npm:bootstrap:20160627
- https://snyk.io/vuln/npm:bootstrap:20180529


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/SNYK-JS-LODASH-567746

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment