firespring / givesource


[Snyk] Security upgrade browser-sync from 2.26.9 to 2.26.14 #58

Closed snyk-bot closed 1 year ago

snyk-bot commented 3 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.


Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
| --- | --- | --- | --- | --- |
| high severity | 726/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 8.1) | Arbitrary Code Injection, SNYK-JS-XMLHTTPREQUESTSSL-1082936 | No | Proof of Concept |
| high severity | 758/1000 (Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.3) | Access Restriction Bypass, SNYK-JS-XMLHTTPREQUESTSSL-1255647 | No | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: browser-sync
The new version differs by 49 commits.
  • d7cdcec v2.26.14
  • 783b741 v2.26.14-y.2
  • 368f89e fix(deps): upgraded localtunnel to fix axios issue
  • cbd2f34 v2.26.14-y.1
  • 9ded19e v2.26.14-y.0
  • 235ce22 publish scripts
  • 9416fbf v2.26.14-alpha.1
  • aacc59f v2.26.14-alpha.0
  • bb035b4 chore(ci): trying to get reliable builds on appveyor
  • 2320195 chore(deps): same version of socket.io-client everywhere
  • b0e8538 updating deps
  • f3d49ba chore: update scripts
  • cdbcabd chore: apply prettier
  • 148c151 chore: remove bootstrap
  • 02175da chore: remove bootstrap
  • 2fe13e0 chore: remove bootstrap
  • da5ab89 chore: updated lock-file
  • 5aca695 Merge pull request #1836
  • 8ee49b1 fix: socket.io had a breaking change related to cors which broken the UI
  • 35363e1 build(deps): bump socket.io in /packages/browser-sync
  • 4acc350 chore: lock file differences
  • 60498df Merge pull request #1796 from BrowserSync/dependabot/npm_and_yarn/node-fetch-2.6.1
  • 8e4d802 Merge pull request #1786 from BrowserSync/dependabot/npm_and_yarn/packages/browser-sync-ui/elliptic-6.5.3
  • 1cb50a4 Merge pull request #1787 from BrowserSync/dependabot/npm_and_yarn/packages/browser-sync-client/elliptic-6.5.3
See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic