koajs / koala

[SEEKING MAINTAINER] An HTTP/2 and ES6 Module-ready Koa Suite
MIT License
320 stars 27 forks

[Snyk] Fix for 1 vulnerabilities #106

Closed fengmk2 closed 1 year ago

fengmk2 commented 1 year ago

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

#### Changes included in this PR

- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  - package.json
  - package-lock.json

#### Vulnerabilities that will be fixed

##### With an upgrade:

Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity
:-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------
![high severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/h.png "high severity") | **768/1000** <br/> **Why?** Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5 | Prototype Pollution <br/> [SNYK-JS-QS-3153490](https://snyk.io/vuln/SNYK-JS-QS-3153490) | Yes | Proof of Concept

(*) Note that the real score may have changed since the PR was raised.
Commit messages

Package name: koa-qs
The new version differs by 18 commits.
  • 255df00 3.0.0
  • fdb0cf9 chore: fixpack
  • 8dc4c48 Merge pull request #27 from 3imed-jaberi/add-opts-support
  • 15d4042 update LICENSE 🏗 ..
  • 7550ca7 update pkg.json 🎗 ..
  • 8bafa18 add test for opts support + koa 2 💉 ..
  • 3b4c591 add opts support 🧙‍♂️ ..
  • 07c915b Merge pull request #26 from 3imed-jaberi/3imed-jaberi-update-pkg
  • e22ef88 update README.md --io 📋 ..
  • 44a5fa6 update pkg.json 🎗 ..
  • 0b788e2 update README.md 📋 ..
  • 362b105 update the CI pipeline 🎲 ..
  • 25c767e better code 🚀 ..
  • 974540f fix test --pass 🧪✔️ ..
  • 1b86ba9 add mocha config. ☕️ ..
  • 8f7c5f1 avoid generating pkg-lock.json ☔️ ..
  • 9195b9a update .gitignore file 🐞 ..
  • bf1225e update travis (#17)
See the full diff
Package name: qs
The new version differs by 31 commits.
  • 298bfa5 v6.5.3
  • ed0f5dc [Fix] `parse`: ignore `__proto__` keys (#428)
  • 691e739 [Robustness] `stringify`: avoid relying on a global `undefined` (#427)
  • 1072d57 [readme] remove travis badge; add github actions/codecov badges; update URLs
  • 12ac1c4 [meta] fix README.md (#399)
  • 0338716 [actions] backport actions from main
  • 5639c20 Clean up license text so it’s properly detected as BSD-3-Clause
  • 51b8a0b add FUNDING.yml
  • 45f6759 [Fix] fix for an impossible situation: when the formatter is called with a non-string value
  • f814a7f [Dev Deps] backport from main
  • fd950b0 [Tests] always use `String(x)` over `x.toString()`
  • 31bcb32 [Fix] `utils.merge`: avoid a crash with a null target and an array source
  • 98c93d6 [Refactor] `utils`: reduce observable [[Get]]s
  • 49ad67f [Fix] `utils.merge`: avoid a crash with a null target and a truthy non-array source
  • ef27de4 [Refactor] use cached `Array.isArray`
  • 107c302 [Docs] Clarify the need for "arrayLimit" option
  • fafc2d2 [Fix] correctly parse nested arrays
  • 55d217b [refactor] `stringify`: Avoid arr = arr.concat(...), push to the existing instance (#269)
  • c1c2a9d [Fix] `stringify`: fix a crash with `strictNullHandling` and a custom `filter`/`serializeDate` (#279)
  • d1d1a97 [Fix] `utils`: `merge`: fix crash when `source` is a truthy primitive & no options are provided
  • b6956c9 [Tests] remove nonexistent tape option
  • f85bce6 [Fix] when `parseArrays` is false, properly handle keys ending in `[]`
  • eee72e3 [Tests] up to `node` `v10.1`, `v9.11`, `v8.11`, `v6.14`, `v4.9`; pin included builds to LTS
  • 1bfe04c [Refactor] `parse`: only need to reassign the var once
See the full diff
Check the changes in this PR to ensure they won't cause issues with your project.

------------

**Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.*

For more information:

🧐 [View latest project report](https://app.snyk.io/org/fengmk2/project/5ca2da73-217d-4894-b7d9-032bcec85d42?utm_source=github&utm_medium=referral&page=fix-pr)

🛠 [Adjust project settings](https://app.snyk.io/org/fengmk2/project/5ca2da73-217d-4894-b7d9-032bcec85d42?utm_source=github&utm_medium=referral&page=fix-pr/settings)

📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities)

[//]: # (snyk:metadata:{"prId":"72f1e36e-b9e4-44a4-8355-321f80962f52","prPublicId":"72f1e36e-b9e4-44a4-8355-321f80962f52","dependencies":[{"name":"koa-qs","from":"2.0.0","to":"3.0.0"},{"name":"qs","from":"6.5.1","to":"6.5.3"}],"packageManager":"npm","projectPublicId":"5ca2da73-217d-4894-b7d9-032bcec85d42","projectUrl":"https://app.snyk.io/org/fengmk2/project/5ca2da73-217d-4894-b7d9-032bcec85d42?utm_source=github&utm_medium=referral&page=fix-pr","type":"auto","patch":[],"vulns":["SNYK-JS-QS-3153490"],"upgrade":["SNYK-JS-QS-3153490"],"isBreakingChange":true,"env":"prod","prType":"fix","templateVariants":["priorityScore"],"priorityScoreList":[768]})

---

**Learn how to fix vulnerabilities with free interactive lessons:**

🦉 [Prototype Pollution](https://learn.snyk.io/lessons/prototype-pollution/javascript/?loc=fix-pr)