BiancoRoyal / node-red-contrib-iiot-opcua

deprecated - very new developed by PLUS for Node-RED - https://plus4nodered.com
https://www.npmjs.com/package/node-red-contrib-iiot-opcua
BSD 3-Clause "New" or "Revised" License

[Snyk] Upgrade vm2 from 3.9.15 to 3.9.19 #242

Closed biancode closed 1 year ago

biancode commented 1 year ago

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade vm2 from 3.9.15 to 3.9.19.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
- The recommended version is **4 versions** ahead of your current version.
- The recommended version was released **a month ago**, on 2023-05-16.

The recommended version fixes:

| Severity | Issue | PriorityScore (*) | Exploit Maturity |
|:---:|:---|---|:---|
| | Sandbox Escape [SNYK-JS-VM2-5422057](https://snyk.io/vuln/SNYK-JS-VM2-5422057) | **811/1000** **Why?** Proof of Concept exploit, Has a fix available, CVSS 9.8 | Proof of Concept |
| | Improper Handling of Exceptional Conditions [SNYK-JS-VM2-5426093](https://snyk.io/vuln/SNYK-JS-VM2-5426093) | **811/1000** **Why?** Proof of Concept exploit, Has a fix available, CVSS 9.8 | No Known Exploit |
| | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') [SNYK-JS-VM2-5537079](https://snyk.io/vuln/SNYK-JS-VM2-5537079) | **811/1000** **Why?** Proof of Concept exploit, Has a fix available, CVSS 9.8 | Proof of Concept |
| | Sandbox Bypass [SNYK-JS-VM2-5537100](https://snyk.io/vuln/SNYK-JS-VM2-5537100) | **811/1000** **Why?** Proof of Concept exploit, Has a fix available, CVSS 9.8 | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: vm2
  • 3.9.19 - 2023-05-16

    Fixes

    cfa3fc6: Fix resolver issue.

  • 3.9.18 - [2023-05-15](https://snyk.io/redirect/github/patriksimek/vm2/releases/tag/3.9.18)

    New Features

    dd81ff6: Add resolver API to create a shared resolver for multiple NodeVM instances allowing to cache scripts and increase sandbox startup times.
    4d662e3: Allow to pass a function to require.context which is called with the filename allowing to specify the context pre file. (Thanks to @blakebyrnes)

    Fixes

    d88105f: Fix issue leaking host array through Proxy. (Thanks to @arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc.)
    5206ba2: Fix issue with inspect being writeable. (Thanks to @arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc.)

  • 3.9.17 - [2023-04-17](https://snyk.io/redirect/github/patriksimek/vm2/releases/tag/3.9.17)

    Fixes

    4b22e87: Fix issue in catch block protection. (Thanks to Xion (SeungHyun Lee) of KAIST Hacking Lab.)
    f3db4de: Fix issue with host exceptions thrown in async functions leaking through the Promise.

  • 3.9.16 - [2023-04-11](https://snyk.io/redirect/github/patriksimek/vm2/releases/tag/3.9.16)

    Fixes

    24c724d: Fix issue in transformer issue by reworking replacement logic. (Thanks to Xion (SeungHyun Lee) of KAIST Hacking Lab.)

  • 3.9.15 - [2023-04-06](https://snyk.io/redirect/github/patriksimek/vm2/releases/tag/3.9.15)

    Fixes

    d534e57: Ensure no host objects are passed through to Error.prepareStackTrace. (Thanks to Seongil Wi from KAIST WSP Lab)

from [vm2 GitHub release notes](https://snyk.io/redirect/github/patriksimek/vm2/releases)


Commit messages
Package name: vm2
  • 1663f23 Release 3.9.19
  • cfa3fc6 Fix resolver issue
  • 2f446e5 Release 3.9.18
  • 587bb13 Add tests for past vulnerabilities
  • f5a129a Merge branch 'master' of https://github.com/patriksimek/vm2
  • dd81ff6 Merge pull request #519 from XmiliaH/resolver-api
  • af983a8 Merge remote-tracking branch 'upstream/master' into resolver-api
  • 5206ba2 Inspect method should be readonly
  • d88105f Ensure host array does not leak through proxy
  • 4d662e3 Merge pull request #521 from ulixee/pathContext
  • 1728bdf chore: simplify default function for path context
  • 7d16a56 Merge branch 'patriksimek:master' into pathContext
  • e085219 feat: default pathContext to sandbox
  • cbd42bc fix: alter test to verify module context
  • fb71483 fix: simplify api interface for pathContext
  • 1b8b855 fix: pass pathContext to DefaultResolver
  • 294ce23 feat: allow per-module choice for vm context
  • 4f63dc2 Release 3.9.17
  • f3db4de Handle host errors captured in Promises
  • 4b22e87 Ensure every catch block is protected
  • 7b4eeab Add tests
  • e5cfcdc Reduce resolver API and add docu
  • 9e2b605 Make resolver API public
  • 24c724d Release 3.9.16

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

github-actions[bot] commented 1 year ago

Greet Contributors Bot
Thank you for taking your time and effort for your contribution, we truly value it. :tada:

The amazing contributor in this pull request is @snyk-bot