[Snyk] Security upgrade url-parse from 1.5.0 to 1.5.9 - Githubissues

ExtensionEngine / tailor

Content authoring platform

MIT License

31 stars 10 forks source link

[Snyk] Security upgrade url-parse from 1.5.0 to 1.5.9 #955

Closed snyk-bot closed 2 years ago

snyk-bot commented 2 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

merge advice

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	713/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.4	Authorization Bypass SNYK-JS-URLPARSE-2407759	No	Proof of Concept
	718/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.5	Authorization Bypass SNYK-JS-URLPARSE-2407770	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: url-parse

The new version differs by 47 commits.

ad23357 1.5.9
0e3fb54 [fix] Strip all control characters from the beginning of the URL
61864a8 [security] Add credits for CVE-2022-0686
bb0104d 1.5.8
d5c6479 [fix] Handle the case where the port is specified but empty
4f2ae67 [security] Add credits for CVE-2022-0639
8b3f5f2 1.5.7
ef45a13 [fix] Readd the empty userinfo to `url.href` (#226)
88df234 [doc] Add soft deprecation notice
78e9f2f [security] Fix nits
e6fa434 [security] Add credits for incorrect handling of userinfo vulnerability
4c9fa23 1.5.6
7b0b8a6 Merge pull request #223 from unshiftio/fix/at-sign-handling-in-userinfo
e4a5807 1.5.5
193b44b [minor] Simplify whitespace regex
319851b [fix] Remove CR, HT, and LF
4e53a8c [doc] Document that the returned hostname might be invalid
9be7ee8 [fix] Correctly handle userinfo containing the at sign
f7774f6 [security] Fix typos in SECURITY.md
82c4908 [dist] 1.5.4
e324874 [doc] Remove dependency status badge
5e8a444 [ci] Test on node 17
a72a5c6 [doc] Remove "made by" and IRC badges
e9a8353 [ci] Update coverallsapp/github-action action to version 1.1.3

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

underscope commented 2 years ago

Resolved on the latest develop