[Snyk] Security upgrade url-parse from 1.5.0 to 1.5.6 - Githubissues

ExtensionEngine / tailor

Content authoring platform

MIT License

31 stars 10 forks source link

[Snyk] Security upgrade url-parse from 1.5.0 to 1.5.6 #954

Closed snyk-bot closed 2 years ago

snyk-bot commented 2 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

merge advice

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	713/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.4	Access Restriction Bypass SNYK-JS-URLPARSE-2401205	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: url-parse

The new version differs by 36 commits.

4c9fa23 1.5.6
7b0b8a6 Merge pull request #223 from unshiftio/fix/at-sign-handling-in-userinfo
e4a5807 1.5.5
193b44b [minor] Simplify whitespace regex
319851b [fix] Remove CR, HT, and LF
4e53a8c [doc] Document that the returned hostname might be invalid
9be7ee8 [fix] Correctly handle userinfo containing the at sign
f7774f6 [security] Fix typos in SECURITY.md
82c4908 [dist] 1.5.4
e324874 [doc] Remove dependency status badge
5e8a444 [ci] Test on node 17
a72a5c6 [doc] Remove "made by" and IRC badges
e9a8353 [ci] Update coverallsapp/github-action action to version 1.1.3
36dd8b4 [minor] Remove redundant assignment
5472388 [minor] Remove dead code
53d4d6d [fix] Handle the `username` and `password` properties
0be9572 [test] Test that `Url#set()` correctly handles the `auth` property
15b1dbd [fix] Do not lose the password in the stringification process
993acbe [fix] Handle the `auth` property (#213)
d9e332b [fix] Do not add spurious slashes
78f7017 [pkg] Update mocha to version 9.0.3
ad44493 [dist] 1.5.3
c798461 [fix] Fix host parsing for file URLs (#210)
201034b [dist] 1.5.2

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

underscope commented 2 years ago

Resolved on the latest develop