MailOnline / videojs-vast-vpaid

video.js vast plugin
MIT License
296 stars 231 forks

[Snyk] Fix for 2 vulnerabilities #341

Open claudiorodriguez opened 1 year ago

claudiorodriguez commented 1 year ago

This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

#### Changes included in this PR

- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  - package.json

#### Vulnerabilities that will be fixed

##### With an upgrade:

| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|:---:|:---|:---|:---|:---|
| ![medium severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/m.png "medium severity") medium | **551/1000** <br/> **Why?** Recently disclosed, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) <br/> [SNYK-JS-MINIMATCH-3050818](https://snyk.io/vuln/SNYK-JS-MINIMATCH-3050818) | Yes | No Known Exploit |
| ![high severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/h.png "high severity") high | **589/1000** <br/> **Why?** Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) <br/> [SNYK-JS-MOCHA-2863123](https://snyk.io/vuln/SNYK-JS-MOCHA-2863123) | Yes | No Known Exploit |

(*) Note that the real score may have changed since the PR was raised.
#### Commit messages

Package name: browserify-istanbul
The new version differs by 12 commits.
  • 50af37b Merge pull request #35 from alexindigo/v2.0.0
  • ca38f1a What does mocha say to windows? Not today!
  • e286705 Housecleaning
  • eda1a8d Merge pull request #34 from zaygraveyard/issue33
  • c7dbde8 Fix: Only `require()` `istanbul` when `options.instrumenter` is not set. (fixes #33)
  • bfafcbc 1.0.0
  • ab27c00 Merge pull request #31 from zaygraveyard/issue30
  • d4bb901 Merge pull request #27 from alexindigo/master
  • 830f12a Add support for passing options to `minimatch` using `minimatchOptions` option. (fixes #30)
  • 6aabdde Made it installed istanbul friendly.
  • b1c19aa Merge pull request #19 from peter-mouland/feature/bower_components-readme
  • 9b3afeb add `'**/bower_components/**',` to readme after update
See the full diff
Package name: gulp
The new version differs by 134 commits.
  • 55eb23a Release: 4.0.0
  • 173a532 Docs: Fix the installation instructions
  • ec54d09 Docs: Improve note about out-of-date docs
  • 03b7c98 Docs: Update recipes to install gulp@next
  • 2eba29e Docs: Remove run-sequence from recipes
  • 76eb4d6 Docs: Add installation instructions & update badges
  • fbc162f Docs: Remove references to gulp-util
  • 3011cf9 Scaffold: Normalize repository
  • f27be05 Update: Remove graceful-fs from test suite
  • 361ab63 Upgrade: Update glob-watcher
  • 064d100 Build: Avoid broken node 9
  • 057df59 Release: 4.0.0-alpha.3
  • c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
  • 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
  • 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
  • 723cbc4 Docs: Fix syntax in recipe example (#1715)
  • d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
  • 29ece6f Upgrade: Update undertaker
  • e931cb0 Docs: Fix changelog typos (#1696)
  • 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
  • d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
  • 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
  • 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
  • c3dbc10 Docs: Clarify incremental builds example (#1609)
See the full diff
Package name: karma-browserify
The new version differs by 10 commits.
  • 9081a68 chore(project): release v5.0.0
  • 3417225 chore(project): add browserify 13 compatibility
  • 47b8a43 docs(README): document browserify and watchify dependencies
  • ffd145c chore(bro): make watchify an optional dependency
  • 84138e2 chore(example): add explicit browserify/watchify versions
  • b9ad424 chore(travis): test against stable Node.JS
  • 6d91d86 chore(deps): depend on browserify + watchify as peer dependencies
  • 1537cd7 Add missing dev dependencies
  • 13e74e2 chore(deps): bump dependencies to latest version(s)
  • ace2dfb feat(bro): throw bundle error in client
See the full diff
Package name: mocha
The new version differs by 250 commits.
  • 5f96d51 build(v10.1.0): release
  • ed74f16 build(v10.1.0): update CHANGELOG
  • 51d4746 chore(devDeps): update 'ESLint' to v8 (#4926)
  • 4e06a6f fix(browser): increase contrast for replay buttons (#4912)
  • 41567df Support prefers-color-scheme: dark (#4896)
  • 61b4b92 fix the regular expression for function `clean` in `utils.js` (#4770)
  • 77c18d2 chore: use standard 'Promise.allSettled' instead of polyfill (#4905)
  • 84b2f84 chore(ci): upgrade GH actions to latest versions (#4899)
  • 023f548 build(v10.0.0): release
  • 62b1566 build(v10.0.0): update CHANGELOG
  • fbe7a24 chore: update dependencies (#4878)
  • 2b98521 docs: replace 'git.io' short links (#4877) [ci skip]
  • 007fa65 chore(ci): add Node v18 to test matrix (#4876)
  • f6695f0 chore(esm): remove code for Node v12 (#4874)
  • 59f6192 chore(ci): conditionally skip 'push' event (#4872)
  • b863359 docs: fix 'fgrep' url (#4873)
  • baaa41a chore(ci): ignore changes to docs files (#4871)
  • ac81cc5 refactor!: drop support of 'growl' notification (#4866)
  • 3946453 chore(deps)!: upgrade 'minimatch' (#4865)
  • 592905b refactor!: rename 'bin/mocha' to 'bin/mocha.js' (#4863)
  • b7b849b refactor!: remove deprecated Runner signature (#4861)
  • 0608fa3 chore(site): fix supporters' download (#4859)
  • 785aeb1 chore(test): drop AMD/'requirejs' (#4857)
  • ed640c4 chore(devDeps): upgrade 'coffee-script' (#4856)
See the full diff
Check the changes in this PR to ensure they won't cause issues with your project.

------------

**Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.*

For more information:

🧐 [View latest project report](https://app.snyk.io/org/mailonline-jus/project/a9427ced-8d3c-4b3d-b2fb-12323168fd3d?utm_source=github&utm_medium=referral&page=fix-pr)

🛠 [Adjust project settings](https://app.snyk.io/org/mailonline-jus/project/a9427ced-8d3c-4b3d-b2fb-12323168fd3d?utm_source=github&utm_medium=referral&page=fix-pr/settings)

📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities)

Dependency upgrades recorded in the PR metadata (breaking change: yes; package manager: npm; PR type: fix):

- browserify-istanbul: 0.2.1 → 2.0.0
- gulp: 3.9.1 → 4.0.0
- karma-browserify: 4.4.2 → 5.0.0
- mocha: 2.5.3 → 10.1.0

Vulnerabilities addressed by upgrade: SNYK-JS-MINIMATCH-3050818, SNYK-JS-MOCHA-2863123 (priority scores 551 and 589).

---

**Learn how to fix vulnerabilities with free interactive lessons:**

🦉 [Regular Expression Denial of Service (ReDoS)](https://learn.snyk.io/lessons/redos/javascript//?loc=fix-pr)