Skip to content

[Snyk] Fix for 8 vulnerabilities

Eric Husband requested to merge snyk-fix-cf49b8adc7147b5df434f068c4ddc828 into master

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this Merge Request

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JS-DECODEURICOMPONENT-3149970 		Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Prototype Pollution
SNYK-JS-DOTTIE-3332763 		Yes Proof of Concept
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MINIMATCH-3050818 		No No Known Exploit
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7		 Prototype Pollution
SNYK-JS-MINIMIST-2429795 		Yes Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Directory Traversal
SNYK-JS-MOMENT-2440688 		Yes No Known Exploit
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MOMENT-2944238 		Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795 		Yes Proof of Concept
high severity 761/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.8		 Information Exposure
SNYK-JS-SIMPLEGET-2361683 		Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: check-dependencies The new version differs by 61 commits.
  • 03c8847 Tag 2.0.0
  • 65d9ef5 Set Node.js requirement in package.json engines to >=18.3
  • 4917ab0 Simplify the spawn logic
  • fc04cc8 Drop support for the callback interface
  • 28257dd Tweak ESLint settings
  • dc16e8a Drop the bluebird devDependency
  • 412337a Drop fs-extra & graceful-fs devDependencies
  • 091279a Drop the findup-sync dependency
  • 10ac9c5 Drop lodash.camelcase & minimist dependencies
  • 35dce52 Update dependencies
  • 2929ba7 Update tested Node.js versions
  • 1f514eb Don't invoke `npm prune`, `npm install` is already enough
  • 65107d2 Drop support for Bower & the `checkCustomPackageNames` option
  • f28ba1b Avoid `git://` URLs, they're no longer supported
  • 8fdc6ad Limit allowed `packageManager` values
  • 9809f13 Bump word-wrap from 1.2.3 to 1.2.4 (#58)
  • e522471 Bump semver from 7.3.8 to 7.5.2 (#57)
  • 031416d Bump yaml from 2.2.1 to 2.2.2 (#56)
  • dff3ab9 Build: Fix running tests on Windows
  • 062005f Build: Update the GitHub Actions config
  • ecf138f Build: Update dependencies
  • 15c13b3 Build: Remove AppVeyor
  • 89b9df0 Build: Update .gitattributes to files always use LF line endings
  • db8c172 Build: Tweak GitHub Actions workflow code style

See the full diff

Package name: grunt-contrib-compress The new version differs by 5 commits.
  • bd9fc8e v2.0.0
  • b8565a9 Update Archiver (#232)
  • f6815bf Update deps and remove nodeunit loading (#231)
  • b70c1d9 Update tests and dependencies (#230)
  • 5759edd Bump ini from 1.3.5 to 1.3.7 (#228)

See the full diff

Package name: i18n The new version differs by 93 commits.
  • 02dd49d tests: use arrow function
  • fa50268 eslint refactor var -> const,let
  • abb05ec refactor to arrow functions
  • 5855724 drop node support < 10
  • 9e6559a Merge branch 'gajus-master'
  • 234b94b (re-)added tests fast-printf #453
  • ef5675c Merge branch 'master' of git://github.com/gajus/i18n-node into gajus-master
  • 2461a97 typo
  • 737b67d refactored test to cover mf plurals
  • 42f12d3 Merge branch 'calmonr-fix-messageformat'
  • 0faeee0 Merge branch 'fix-messageformat' of https://github.com/calmonr/i18n-node into calmonr-fix-messageformat
  • 6018b9f Merge tag '0.13.4'
  • 9683cc6 Merge branch 'release/0.13.4' into npm
  • bdce606 v0.13.4
  • 4e6963f upgrade tested
  • 3139881 save update
  • aa60ac7 upgraded devDeps
  • b6e672d Merge pull request #482 from Justman10000/patch-1
  • ed5c03f should fix coverage report
  • 10daf65 publish coverage
  • 84008b8 sad to see travis go paid only
  • d433ebe Update node.js.yml
  • 7b4a0a2 Create node.js.yml
  • 5a08ecc #486 - test path traversal vulnerability

See the full diff

Package name: sequelize The new version differs by 213 commits.
  • 901bceb 6.1.0
  • 6b32821 6.0.0-beta.7
  • 0ca8d72 docs: prepare for v6 release (#12416)
  • 663261b feat(sequelize): allow passing dialectOptions.options from url (#12404)
  • c6e4192 fix(postgres): parse enums correctly when describing a table (#12409)
  • e33d2bd fix(reload): include default scope (#12399)
  • 5611ef0 build: update dependencies (#12395)
  • e80501d fix(types): transactionType in Options (#12377)
  • 4914367 fix(types): add clientMinMessages to Options interface (#12375)
  • b71cd05 fix(query): preserve cls context for logger (#12328)
  • 95f7fb5 fix(mssql): empty order array generates invalid FETCH statement (#12261)
  • ed2d7a9 fix(model.destroy): return 0 with truncate (#12281)
  • 72925cf fix: add missing fields to 'FindOrCreateType' (#12338)
  • f367191 fix(query-generator): do not generate GROUP BY clause if options.group is empty (#12343)
  • 7afd589 docs(sequelize): omitNull only works for CREATE/UPDATE queries
  • f9e660f docs: update feature request template
  • 2bf7f7b fix(typings): add support for optional values in "where" clauses (#12337)
  • 65a9e1e fix(types): add Association into OrderItem type (#12332)
  • 1b86729 docs: responsive (#12308)
  • 59b8a7b fix(include): check if attributes specified for included through model (#12316)
  • 6d87cc5 docs(associations): belongs to many create with through table
  • a2dcfa0 fix(query): ensure correct return signature for QueryTypes.RAW (#12305)
  • 0769aea refactor: cleanup query generators (#12304)
  • 4d9165b feat(postgres): native upsert (#12301)

See the full diff

Package name: sqlite3 The new version differs by 44 commits.
  • 573784b v5.0.3
  • e5a24fd Deleted `examples/` folder
  • b05f459 Added note about GitHub Releases to CHANGELOG.md
  • 33d0656 Modernised Usage example in README
  • 9d05c55 Fixed up more README nits
  • 08d6319 Fixed link to API docs
  • 0e2235a Altered wording in README
  • 76b6c56 Altered README header
  • e3df365 Updated README
  • 426930f Enabled CI to run when pushing tags
  • a21d41f Fixed uploading binaries to commit artifacts
  • bc978c7 Fixed CI step wording
  • 7f744a1 Added prebuilt binaries via GitHub Releases
  • b4b3c3a Deleted `scripts/` directory
  • 71bbdea Pinned dev dependencies (#1558)
  • a597383 Updated badges in README
  • 0eb4a0f Deleted Travis and Appveyor configs
  • b58d341 Downgraded `mocha` and `eslint`
  • f39b10d Added missing Node versions to CI
  • 8db96d4 Replaced Python extraction script with JS (#1570)
  • 11c988c Fixed Windows build architecture in CI
  • 8e63848 Updated Windows CI runner to `windows-latest`
  • d9e7d8b Fixed building on MacOS Monterey 12.3
  • 859b95b Updated `node-gyp` to v8.x

See the full diff

Check the changes in this Merge Request to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS) 🦉 Prototype Pollution 🦉 Directory Traversal

Merge request reports