search

camptocamp / mel-dataplatform

Source code for MEL's OpenData platform frontend
https://data.lillemetropole.fr/
GNU General Public License v3.0
2 stars 0 forks source link

[Snyk] Security upgrade geonetwork-ui from 2.2.0-dev.1b3d9896 to 2.2.0 #53

Closed RenataMuellerC2C closed 2 months ago

RenataMuellerC2C commented 2 months ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

:sparkles: Snyk has automatically assigned this pull request, set who gets assigned.

As this is a private repository, Snyk-bot does not have access. Therefore, this PR has been created automatically, but appears to have been created by a real user.

Changes included in this PR

⚠️ Warning ``` Failed to update the package-lock.json, please update manually before merging. ```

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 591/1000
Why? Recently disclosed, Has a fix available, CVSS 6.1		 Open Redirect
SNYK-JS-EXPRESS-6474509		 No No Known Exploit
medium severity 646/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.5		 Information Exposure
SNYK-JS-FOLLOWREDIRECTS-6444610		 No Proof of Concept
medium severity 631/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.2		 Missing Release of Resource after Effective Lifetime
SNYK-JS-INFLIGHT-6095116		 No Proof of Concept
high severity 691/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.4		 Path Traversal
SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555		 No Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: geonetwork-ui The new version differs by 7 commits.
  • 9946a03 2.2.0
  • 40043f4 Merge pull request #852 from geonetwork/improve-e2e-test
  • 85cb4ee e2e(datahub): more efficiently open dropdown
  • 8a17994 Merge pull request #846 from geonetwork/update-xlsx-fix-security
  • ac68181 chore: update xlsx to v0.20.2 to fix vulnerabilities
  • 4fbb164 Merge pull request #847 from geonetwork/fix-dh-favorite-e2e-test
  • 2c1d78d e2e(datahub): wait more precisely for favorite to be registered
See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

👩‍💻 Set who automatically gets assigned

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect 🦉 Path Traversal

tkohr commented 2 months ago

Closing this, as we've moved to 2.3.0-dev.139106e0