[Snyk] Fix for 15 vulnerabilities

snyk-bot commented 4 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- yarn.lock
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches. Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
589/1000 Why? Has a fix available, CVSS 7.5	Insecure Encryption SNYK-JS-BCRYPT-572911	Yes	No Known Exploit
616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Cryptographic Issues SNYK-JS-BCRYPT-575033	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
561/1000 Why? Recently disclosed, CVSS 9.8	Prototype Pollution SNYK-JS-LODASH-590103	No	No Known Exploit
544/1000 Why? Proof of Concept exploit, Recently disclosed, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	No Known Exploit
434/1000 Why? Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	No Known Exploit
387/1000 Why? Proof of Concept exploit, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	No Known Exploit
676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Regular Expression Denial of Service (ReDoS) npm:diff:20180305	Yes	Proof of Concept
704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary Code Injection npm:growl:20160721	Yes	No Known Exploit
529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Buffer Overflow npm:validator:20160218	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

coveralls commented 4 years ago

Coverage decreased (-7.5%) to 32.294% when pulling 66cf59e376561a4b872f005bbb68494129013b43 on snyk-fix-2ba0f7cc8b798d11d325bf0f3b0c4315 into 2863501107151d123e04b69ea65fc05eec060c8d on master.

gil0mendes commented 4 years ago

let us invalidate this, for now, the only major thing right now is the MongoDB dependency but is on the example application. We don't use any specific driver, other than disk, on the core code.

StellarFw / stellar