hitchhaker / juice-shop

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
https://owasp-juice.shop
MIT License
0 stars 1 forks source link

[Snyk] Security upgrade check-dependencies from 1.1.1 to 2.0.0 #107

Open hitchhaker opened 6 months ago

hitchhaker commented 6 months ago

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

#### Changes included in this PR - Changes to the following files to upgrade the vulnerable dependencies to a fixed version: - package.json #### Vulnerabilities that will be fixed ##### With an upgrade: Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:------------------------- ![high severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/h.png "high severity") | **661/1000**
**Why?** Recently disclosed, Has a fix available, CVSS 7.5 | Uncontrolled resource consumption
[SNYK-JS-BRACES-6838727](https://snyk.io/vuln/SNYK-JS-BRACES-6838727) | Yes | No Known Exploit ![high severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/h.png "high severity") | **661/1000**
**Why?** Recently disclosed, Has a fix available, CVSS 7.5 | Inefficient Regular Expression Complexity
[SNYK-JS-MICROMATCH-6838728](https://snyk.io/vuln/SNYK-JS-MICROMATCH-6838728) | Yes | No Known Exploit (*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: check-dependencies The new version differs by 55 commits.
  • 03c8847 Tag 2.0.0
  • 65d9ef5 Set Node.js requirement in package.json engines to >=18.3
  • 4917ab0 Simplify the spawn logic
  • fc04cc8 Drop support for the callback interface
  • 28257dd Tweak ESLint settings
  • dc16e8a Drop the bluebird devDependency
  • 412337a Drop fs-extra & graceful-fs devDependencies
  • 091279a Drop the findup-sync dependency
  • 10ac9c5 Drop lodash.camelcase & minimist dependencies
  • 35dce52 Update dependencies
  • 2929ba7 Update tested Node.js versions
  • 1f514eb Don't invoke `npm prune`, `npm install` is already enough
  • 65107d2 Drop support for Bower & the `checkCustomPackageNames` option
  • f28ba1b Avoid `git://` URLs, they're no longer supported
  • 8fdc6ad Limit allowed `packageManager` values
  • 9809f13 Bump word-wrap from 1.2.3 to 1.2.4 (#58)
  • e522471 Bump semver from 7.3.8 to 7.5.2 (#57)
  • 031416d Bump yaml from 2.2.1 to 2.2.2 (#56)
  • dff3ab9 Build: Fix running tests on Windows
  • 062005f Build: Update the GitHub Actions config
  • ecf138f Build: Update dependencies
  • 15c13b3 Build: Remove AppVeyor
  • 89b9df0 Build: Update .gitattributes to files always use LF line endings
  • db8c172 Build: Tweak GitHub Actions workflow code style
See the full diff
Check the changes in this PR to ensure they won't cause issues with your project. ------------ **Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.* For more information: 🧐 [View latest project report](https://app.snyk.io/org/o.dorokhin.duikt/project/3f998617-cd73-4bca-ba0e-94e83b3283b4?utm_source=github&utm_medium=referral&page=fix-pr) 🛠 [Adjust project settings](https://app.snyk.io/org/o.dorokhin.duikt/project/3f998617-cd73-4bca-ba0e-94e83b3283b4?utm_source=github&utm_medium=referral&page=fix-pr/settings) 📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities) [//]: # (snyk:metadata:{"prId":"d9be37d7-190f-40a8-b30c-e45ce0f150dc","prPublicId":"d9be37d7-190f-40a8-b30c-e45ce0f150dc","dependencies":[{"name":"check-dependencies","from":"1.1.1","to":"2.0.0"}],"packageManager":"npm","projectPublicId":"3f998617-cd73-4bca-ba0e-94e83b3283b4","projectUrl":"https://app.snyk.io/org/o.dorokhin.duikt/project/3f998617-cd73-4bca-ba0e-94e83b3283b4?utm_source=github&utm_medium=referral&page=fix-pr","type":"auto","patch":[],"vulns":["SNYK-JS-BRACES-6838727","SNYK-JS-MICROMATCH-6838728"],"upgrade":["SNYK-JS-BRACES-6838727","SNYK-JS-MICROMATCH-6838728"],"isBreakingChange":true,"env":"prod","prType":"fix","templateVariants":["updated-fix-title","priorityScore"],"priorityScoreList":[661,661],"remediationStrategy":"vuln"}) --- **Learn how to fix vulnerabilities with free interactive lessons:** 🦉 [Uncontrolled resource consumption](https://learn.snyk.io/lesson/redos/?loc=fix-pr)