ever-co / ever-demand

Ever® Demand™ - Open Commerce Platform - https://everdemand.co
https://everdemand.co
GNU Affero General Public License v3.0
1.74k stars 464 forks source link

[Snyk] Fix for 4 vulnerabilities #1402

Closed snyk-bot closed 3 years ago

snyk-bot commented 3 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 673/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.6
Prototype Pollution
SNYK-JS-MPATH-1577289
No Proof of Concept
high severity 711/1000
Why? Recently disclosed, Has a fix available, CVSS 8.5
Arbitrary File Write
SNYK-JS-TAR-1579147
Yes No Known Exploit
high severity 711/1000
Why? Recently disclosed, Has a fix available, CVSS 8.5
Arbitrary File Write
SNYK-JS-TAR-1579152
Yes No Known Exploit
high severity 711/1000
Why? Recently disclosed, Has a fix available, CVSS 8.5
Arbitrary File Write
SNYK-JS-TAR-1579155
Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: mpath The new version differs by 15 commits.
  • 634a0fa chore: release 0.8.4
  • 89402d2 fix: throw error if `parts` contains an element that isn't a string or number
  • 03c4efe chore: add basic SECURITY.md file
  • ad7a023 chore: release 0.8.3
  • f050c3a fix: use var instead of let/const for Node.js 4.x support
  • e3bdd36 chore: release 0.8.2
  • b09cebc chore: add lint
  • ffed519 fix(stringToParts): fall back to legacy treatment for square brackets if square brackets contents aren't a number
  • 095573c chore: release 0.8.1
  • c507d2c fix(stringToParts): handle empty string and trailing dot the same way that `split()` does for backwards compat
  • 484c22c chore: release 0.8.0
  • b9ec839 feat: support square bracket indexing for `get()`, `set()`, `has()`, and `unset()`
  • 99fea22 chore: release 0.7.0
  • e2231e6 Merge pull request #9 from AlexeyGrigorievBoost/component_json_removal
  • c1ef66b Component.json removal
See the full diff
Package name: node-sass The new version differs by 43 commits.
  • 7105b0a 5.0.0 (#3015)
  • 0648b5a chore: Add Node 15 support (#2983)
  • e2391c2 Add a deprecation message to the readme (#3011)
  • 6a33e53 chore: Don't upload artifacts on PRs
  • d763506 chore: Only run coverage on main repo
  • d4ebe72 build(deps): update actions/setup-node requirement to v2.1.2
  • 2bebe05 build(deps-dev): bump rimraf from 2.7.1 to 3.0.2
  • f877689 chore: Don't double build DependaBot PRs
  • b48fac4 chore: Add weekly DependaBot updates
  • 91c40a0 Remove deprecated process.sass API
  • 1f6df86 Replace lodash/assign in favor of the native Object.assign
  • 522828a Remove workarounds for old Node.js versions
  • 40e0f00 chore: Remove second NPM badge
  • ab91bf6 chore: Remove Slack badge
  • 6853a80 chore: Cleanup status badges
  • fb1109c chore: Bump minimum engine version to v10
  • d185440 chore: Add basic Node version support policy
  • db25736 chore: Bump node-gyp to 7.1.0
  • 2c5b110 chore: Bump cross-spawn to v7.0.3
  • 38b9633 chore: Update Istanbul to NYC
  • d63b5bf chore: Bump mocha to v8.1.3
  • d0d8865 chore: Skip constructor tests on v14.6+
  • ee3984d chore: Hoist test ESLint config
  • feee448 chore: Remove disabled and recommended rules
See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

CLAassistant commented 3 years ago

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.