[Snyk] Fix for 41 vulnerabilities

VictorGarridoAuth0 commented 2 months ago

snyk-top-banner

Snyk has created this PR to fix 41 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

package.json
package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	751
	Prototype Pollution SNYK-JS-LODASH-567746	731
	Arbitrary Code Execution SNYK-JS-HANDLEBARS-534478	726
	Remote Code Execution (RCE) SNYK-JS-PACRESOLVER-1564857	726
	Server-side Request Forgery (SSRF) SNYK-JS-NETMASK-1089716	706
	Server-side Request Forgery (SSRF) SNYK-JS-NETMASK-6056519	706
	Prototype Pollution SNYK-JS-HANDLEBARS-534988	704
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	696
	Prototype Pollution SNYK-JS-LODASH-6139239	696
	Prototype Poisoning SNYK-JS-QS-3153490	696
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	696
	Prototype Pollution SNYK-JS-INI-1048974	686
	Prototype Pollution SNYK-JS-LODASH-450202	686
	Prototype Pollution SNYK-JS-LODASH-608086	686
	Prototype Pollution SNYK-JS-LODASH-73638	686
	Prototype Pollution SNYK-JS-Y18N-1021887	686
	Prototype Pollution npm:deep-extend:20180409	686
	Code Injection SNYK-JS-LODASH-1040724	681
	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	671
	Prototype Pollution SNYK-JS-HANDLEBARS-567742	646
	Server-Side Request Forgery (SSRF) SNYK-JS-IP-7148531	646
	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	646
	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	646
	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	644
	Prototype Pollution SNYK-JS-DOTPROP-543489	636
	Prototype Pollution npm:lodash:20180130	636
	Man-in-the-Middle (MitM) SNYK-JS-HTTPSPROXYAGENT-469131	626
	Prototype Pollution SNYK-JS-AJV-584908	619
	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	601
	Prototype Pollution SNYK-JS-MINIMIST-559764	601
	Denial of Service (DoS) SNYK-JS-HANDLEBARS-480388	589
	Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355	586
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	586
	Prototype Pollution SNYK-JS-HANDLEBARS-173692	579
	Prototype Pollution SNYK-JS-HANDLEBARS-174183	579
	Prototype Pollution SNYK-JS-HANDLEBARS-469063	579
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	541
	Regular Expression Denial of Service (ReDoS) npm:brace-expansion:20170302	524
	Prototype Pollution SNYK-JS-MINIMIST-2429795	506
	Regular Expression Denial of Service (ReDoS) npm:clean-css:20180306	506
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	479

[!IMPORTANT]

Check the changes in this PR to ensure they won't cause issues with your project.

Max score is 1000. Note that the real score may have changed since the PR was raised.

This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report 📜 Customise PR templates 🛠 Adjust project settings 📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution 🦉 Regular Expression Denial of Service (ReDoS) 🦉 Remote Code Execution (RCE) 🦉 More lessons are available in Snyk Learn

semgrepcode-auth0[bot] commented 2 months ago

Semgrep found 1 ssc-d5d8f586-e6e9-42b3-8b5b-ab176a2efd4e finding:

package-lock.json
- L13586 - Triage

Risk: npm 8.x before 8.11.0 is vulnerable to exposure of sensitive information to an unauthorized actor. The npm cli incorrectly ignores root-level .gitignore and .npmignore files when run in a workspace. Upgrade to npm 8.11.0.

Fix: Upgrade this library to at least version 8.11.0 at auth0-authorization-extension/package-lock.json:13586.

Reference(s): https://github.com/advisories/GHSA-hj9c-8jmm-8c52, CVE-2022-29244

_{Ignore this finding from ssc-d5d8f586-e6e9-42b3-8b5b-ab176a2efd4e.}