iceColdChris / ZodiacWebsite


[Snyk] Security upgrade react-scripts from 1.1.4 to 4.0.0 #238

Open iceColdChris opened 7 months ago

iceColdChris commented 7 months ago

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

#### Changes included in this PR

- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  - package.json

⚠️ Warning

```
Failed to update the package-lock.json, please update manually before merging.
```

#### Vulnerabilities that will be fixed

##### With an upgrade:

Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity
:-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------
![high severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/h.png "high severity") | **768/1000** <br/> **Why?** Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5 | Prototype Pollution <br/> [SNYK-JS-LODASH-6139239](https://snyk.io/vuln/SNYK-JS-LODASH-6139239) | Yes | Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

------------

**Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.*

For more information:

🧐 [View latest project report](https://app.snyk.io/org/icecoldchris/project/c84198bc-ee37-4dd5-9492-98937fcf8069?utm_source=github&utm_medium=referral&page=fix-pr)

🛠 [Adjust project settings](https://app.snyk.io/org/icecoldchris/project/c84198bc-ee37-4dd5-9492-98937fcf8069?utm_source=github&utm_medium=referral&page=fix-pr/settings)

📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities)

---

**Learn how to fix vulnerabilities with free interactive lessons:**

🦉 [Prototype Pollution](https://learn.snyk.io/lesson/prototype-pollution/?loc=fix-pr)
socket-security[bot] commented 7 months ago

New and removed dependencies detected.



socket-security[bot] commented 7 months ago

🚨 Potential security issues detected.

To accept the risk, merge this PR and you will not be notified again.

Alert: Install scripts
Package: npm/uglifyjs-webpack-plugin@0.4.6
Note / Source:
  • Install script: postinstall
  • Source: node lib/post_install.js


Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/uglifyjs-webpack-plugin@0.4.6