Closed snyk-bot closed 2 years ago
(*) Note that the real score may have changed since the PR was raised.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information: 🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution 🦉 Prototype Pollution
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
With an upgrade:
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
SNYK-JS-ASYNC-2441827
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
SNYK-JS-NCONF-2395478
(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: forever
The new version differs by 14 commits.- 9fde732 Bump to 4.0.3
- 0ecfa3e Prepare to release 4.0.3
- a0fb120 Upgrade Winston (#1128)
- 980ea04 Prepare to release 4.0.2
- b20a9e8 Pin colors version (#1127)
- 2211e32 Prepare 4.0.1 for release
- 3b3c81c Update eventemitter2 (#1116)
- 6c7f0a5 forever.config Configstore init and usage fixes (#1115)
- 4705421 Prepare 4.0.0 for release
- 35a4062 Remove y18n due to CVE 2020 7774 part 5 (#1112)
- 1f6108e Move getopts to devDependencies (#1113)
- aa22041 Replace yargs with getopts (CVE-2020-777) (#1110)
- ae6d88e Update in-range dependencies (#1108)
- 4a404f7 Drop `deep-equal` (#1101)
See the full diffPackage name: nconf
The new version differs by 41 commits.- 583e713 0.12.0
- 60c99cd chore: upgrade to nyc for test coverage (#400)
- 080624a [dist] Update dependency async to v3 (#332) (#399)
- f1ddb1b fix(ci): use npm install w/o package-lock
- f25feb2 0.11.4
- 2e9e453 chore: disable package-lock, since this is a lib
- 7aa9402 chore: update node version test matrix
- feaba56 fix(security): prevent prototype pollution in memory store (#397)
- 218059e 0.11.3
- dc8c3d6 Handle case where parsed config object hasn't prototype (#365)
- b1914ae 0.11.2
- 54bd403 chore: upgrade deps to fix security vulns
- e6dfa5d 0.11.1
- 709cc60 Bump node-notifier from 8.0.0 to 8.0.1 (#355)
- eca2bf3 Bump ini from 1.3.5 to 1.3.6 (#353)
- 85229df chore: enable circleci
- 91e9106 chore: update changelog
- 4122731 0.11.0
- 56794d1 chore: upgrade deps to fix security vulns
- 1392ac4 0.10.0
- 01f25fa Regex as env separator (#288)
- 16667be Argv store separator (#291)
- bac910a 0.9.1
- 2bdf7e1 Clean Argv Store options (#290)
See the full diffPackage name: winston
The new version differs by 159 commits.- d6d620f Merge branch '2.x' of https://github.com/winstonjs/winston into 2.x
- cd7c60b Update version # & changelog
- b17beca Update async to 3.2.3
- 52060d6 2.4.5
- d9ff3d6 use a different vows reporter because the spec reporter doesn't seem to work with recent Node versions
- a69d202 Prepare for v2.4.5
- 1db00d8 Silence node.js 14 non-existent property warning (#1800)
- 542f2b9 Fixing path for example (#1756)
- 9659197 Update README.md (#1448)
- 67c44ff [dist] Maintenance release. 2.4.4
- c288a69 [dist] Regenerate package-lock.json
- 5bf66ac npm ignore scratch folder from CI
- d164991 Bundle TS definitions from DefinitelyTyped for 2.x (#1374)
- dc74db6 [dist] Maintenance release. 2.4.3
- 292c2be [Winston 2.x] Decycle circular `Error` instances (#1307)
- d9304b8 [dist] Maintenance release. 2.4.2
- c3dc8d3 [dist] Add .gitattributes file.
- 0ac4623 [fix] Backport #1281 onto 2.x for maintenance.
- 78d25c6 [dist] Add ignores from 3.x for easier maintenance switching.
- 19d1cdb fix: clone() cloning prototype's custom methods (#1086)
- edfaa8b Don't swallow Error message/stack when using formatter (#1188)
- 078e99c [dist] Add package-lock.json
- 569668b Update http.js - Add support for headers
- b11cae2 Merge pull request #1253 from DABH/fix-readme-link
See the full diffCheck the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution 🦉 Prototype Pollution