Skip to content

[Snyk] Fix for 8 vulnerabilities

Bernhard Wittmann requested to merge snyk-fix-737adff74eb3299fe8a47b08741768e8 into main

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this Merge Request

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json
    • package-lock.json

  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches. Find out more.

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 616/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.9		 Server-Side Request Forgery (SSRF)
SNYK-JS-AXIOS-1038255 		No Proof of Concept
medium severity 531/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 4.2		 Prototype Pollution
SNYK-JS-CLASSTRANSFORMER-564431 		No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905 		No Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2		 Command Injection
SNYK-JS-LODASH-1040724 		No Proof of Concept
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6		 Prototype Pollution
SNYK-JS-MONGOOSE-1086688 		No Proof of Concept
high severity 579/1000
Why? Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-MQUERY-1050858 		No No Known Exploit
high severity 768/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5		 Prototype Pollution
SNYK-JS-MQUERY-1089718 		No Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: @nestjs/swagger The new version differs by 239 commits.
  • f90cb7b Merge pull request #1205 from nestjs/renovate/class-transformer-0.x
  • bd18c89 chore(deps): update dependency class-transformer to v0.4.0
  • 28127a1 Merge pull request #1251 from nestjs/renovate/nestjs-mapped-types-0.x
  • 61fecaa fix(deps): update dependency @ nestjs/mapped-types to v0.4.0
  • e4f8d2f Merge pull request #1219 from nestjs/renovate/lodash-monorepo
  • 649f666 chore(deps): update typescript-eslint monorepo to v4.17.0
  • 40cbb0f chore(deps): update dependency @ types/node to v11.15.48
  • 17e45c4 chore(deps): update dependency fastify-swagger to v4.4.0
  • 7684efd chore(deps): update dependency typescript to v4.2.3
  • e9863b0 chore(deps): update dependency ts-jest to v26.5.3
  • bef1c0e chore(deps): update dependency fastify-swagger to v4.3.3
  • 4c3059c chore(deps): update dependency fastify-swagger to v4.3.2
  • 97c68df chore(deps): update dependency husky to v5.1.3
  • 48c2555 chore(deps): update typescript-eslint monorepo to v4.16.1
  • 5012037 chore(deps): update typescript-eslint monorepo to v4.16.0
  • 91e997a chore(deps): update dependency husky to v5.1.2
  • 2004131 chore(deps): update dependency eslint to v7.21.0
  • de629e4 chore(deps): update commitlint monorepo to v12.0.1
  • 1408043 chore(deps): update dependency eslint-config-prettier to v8.1.0
  • 9c5bdf1 chore(): release v4.7.15
  • 3e3b78b Merge branch 'master' of https://github.com/nestjs/swagger
  • b417b92 fix(plugin): support typescript 4.2+
  • a54b765 chore(deps): update dependency typescript to v4.2.2
  • 27becc1 chore(): release v4.7.14

See the full diff

Package name: mongoose The new version differs by 250 commits.
  • f8d2721 chore: release 5.12.3
  • 58cad73 fix(connection): use queueing instead of event emitter for `createCollection()` and other helpers to avoid event emitter warning
  • 5382408 fix(index.d.ts): add `transform` to PopulateOptions interface
  • dca1d70 Merge branch 'master' of github.com:Automattic/mongoose
  • 2648088 fix(index.d.ts): add DocumentQuery type for backwards compatibility
  • 966770f Merge pull request #10063 from Automattic/gh-10044
  • 9e4a083 style: fix lint
  • f3cd3a8 chore: use variable instead of function
  • f24953c fix(query): add `writeConcern()` method to avoid writeConcern deprecation warning
  • 7d2e9c9 chore: upgrade mquery -> 3.2.5 re: aheckmann/mquery#121
  • d1a9a1e made requested changes
  • cf1b666 Merge pull request #10078 from pezzu/master
  • 2aef528 Merge pull request #10062 from Automattic/gh-10025
  • 452c77c Fixes #10072
  • c9bfb30 Update model.indexes.test.js
  • 6f0133a removed comments
  • 9e98cd8 Merge pull request #10055 from emrebass/patch-1
  • 1c20044 Merge pull request #10054 from coro101/add-discriminator-type
  • 4e74ea7 TIL that includes() is also not supported in all browsers
  • f231d7b should work and is designed to handle multiple text fields
  • c4897f9 TIL Object.values in not supported on all browsers
  • 391ecec collation not added to text indexes
  • 7a93c16 linter fix
  • 6deb668 fix: connection ids are now scoped

See the full diff

With a Snyk patch:
Severity Priority Score (*) Issue Exploit Maturity
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3		 Prototype Pollution
SNYK-JS-LODASH-567746 		Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this Merge Request to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Merge request reports