codeforboston / mbta-alerts

source code for @mbta_alerts bot
https://twitter.com/mbta_alerts
MIT License
27 stars 4 forks

Fix for 4 vulnerable dependency paths #11

Open snyk-community opened 7 years ago

snyk-community commented 7 years ago

mbta-alerts currently has 12 vulnerable dependency paths, introducing 8 different types of known vulnerabilities.

This PR fixes vulnerable dependencies.

You can see Snyk test report of this project for details.

This PR changes Package.json to upgrade request to the newer 2.74.0 version, and will fix the vulnerabilities listed above.

You can get alerts and fix PRs for future vulnerabilities for free by watching this repo with Snyk.

Note this PR fixes all the vulnerabilities introduced through the request dependency; in order to be vulnerability free you will need to upgrade other dependencies as well.

Stay Secure, The Snyk Team

calvinmetcalf commented 7 years ago

I'm on vacation but will look into this when I'm back; not a big issue for us as we don't use this as a server.

On Tue, Oct 18, 2016, 4:43 PM Snyk Community notifications@github.com wrote:

mbta-alerts currently has 12 vulnerable dependency paths, introducing 8 different types of known vulnerabilities.

This PR fixes vulnerable dependencies.

You can see Snyk test report https://snyk.io/test/github/codeforboston/mbta-alerts of this project for details.

This PR changes Package.json to upgrade request to the newer 2.74.0 version, and will fix the vulnerabilities listed above.

You can get alerts and fix PRs for future vulnerabilities for free by watching this repo with Snyk https://snyk.io/add.

Note this PR fixes all the vulnerabilities introduced through the request dependency; in order to be vulnerability free you will need to upgrade other dependencies as well.

Stay Secure,

The Snyk Team
