search

lifion / lifion-kinesis

A native Node.js producer and consumer library for Amazon Kinesis Data Streams
MIT License
86 stars 18 forks source link

[Snyk] Security upgrade protobufjs from 6.11.2 to 7.2.4 #722

Closed eaviles closed 1 year ago

eaviles commented 1 year ago

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

#### Changes included in this PR - Changes to the following files to upgrade the vulnerable dependencies to a fixed version: - package.json - package-lock.json #### Vulnerabilities that will be fixed ##### With an upgrade: Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:------------------------- ![high severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/h.png "high severity") | **823/1000**
**Why?** Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.6 | Prototype Pollution
[SNYK-JS-PROTOBUFJS-5756498](https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-5756498) | Yes | Proof of Concept (*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: protobufjs The new version differs by 72 commits.
  • 42e5a9c chore: release master (#1900)
  • e66379f fix: do not let setProperty change the prototype (#1899)
  • 56b1e64 chore: release master (#1879)
  • 8817ee6 fix: type names can be split into multiple tokens (#1877)
  • e721d04 chore: release master (#1867)
  • 14f0536 fix: do not allow to extend same field twice to prevent the error (#1784)
  • 644d588 chore: release master (#1865)
  • e42eea4 fix(cli): fix relative path to Google pb files (#1859)
  • dce9a2e fix: use bundled filename to fix common pb includes (#1860)
  • 64e8936 fix: use ES5 style function syntax (#1830)
  • 4489fa7 Revert "fix: error should be thrown (#1817)" (#1864)
  • 0099ddc chore: release master (#1852)
  • 32f2d6a feat(cli): generate static files at the granularity of proto messages (#1840)
  • ea7b9a6 build(deps): bump decode-uri-component from 0.2.0 to 0.2.2 (#1837)
  • e7a3489 fix: error should be thrown (#1817)
  • 82f55e6 build(deps): bump json5 from 2.2.1 to 2.2.3 (#1848)
  • 57fe6f5 chore(deps): update dependency jsdoc to v4 (#1833)
  • d026849 chore: release master (#1813)
  • 119d90a fix(types): nested object can be a oneof (#1812)
  • 67fe592 Update CDN (RawGit EOL) (#1806)
  • 6254efb chore: release master (#1804)
  • 7c27b5a fix: add import long to the generated .d.ts (#1802)
  • 7120e93 fix: generate valid js code for aliased enum values (#1801)
  • 48457c4 chore: release master (#1772)
See the full diff
Check the changes in this PR to ensure they won't cause issues with your project. ------------ **Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.* For more information: šŸ§ [View latest project report](https://app.snyk.io/org/eaviles/project/dcf71b97-1967-4cb7-94cf-08c034010a2a?utm_source=github&utm_medium=referral&page=fix-pr) šŸ›  [Adjust project settings](https://app.snyk.io/org/eaviles/project/dcf71b97-1967-4cb7-94cf-08c034010a2a?utm_source=github&utm_medium=referral&page=fix-pr/settings) šŸ“š [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities) [//]: # (snyk:metadata:{"prId":"1f5a497b-767f-4a29-a7af-4afe51d5ad60","prPublicId":"1f5a497b-767f-4a29-a7af-4afe51d5ad60","dependencies":[{"name":"protobufjs","from":"6.11.2","to":"7.2.4"}],"packageManager":"npm","projectPublicId":"dcf71b97-1967-4cb7-94cf-08c034010a2a","projectUrl":"https://app.snyk.io/org/eaviles/project/dcf71b97-1967-4cb7-94cf-08c034010a2a?utm_source=github&utm_medium=referral&page=fix-pr","type":"auto","patch":[],"vulns":["SNYK-JS-PROTOBUFJS-5756498"],"upgrade":["SNYK-JS-PROTOBUFJS-5756498"],"isBreakingChange":true,"env":"prod","prType":"fix","templateVariants":["updated-fix-title","priorityScore"],"priorityScoreList":[823],"remediationStrategy":"vuln"}) --- **Learn how to fix vulnerabilities with free interactive lessons:** šŸ¦‰ [Prototype Pollution](https://learn.snyk.io/lessons/prototype-pollution/javascript/?loc=fix-pr)
codecov[bot] commented 1 year ago

Codecov Report

Patch and project coverage have no change.

Comparison is base (e226a50) 100.00% compared to head (ab81365) 100.00%.

:exclamation: Current head ab81365 differs from pull request most recent head 2aa2c94. Consider uploading reports for the commit 2aa2c94 to get more accurate results

Additional details and impacted files ```diff @@ Coverage Diff @@ ## develop #722 +/- ## ========================================= Coverage 100.00% 100.00% ========================================= Files 19 19 Lines 1409 1409 Branches 192 192 ========================================= Hits 1409 1409 ```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

skolsuper commented 1 year ago

Sorry to be a bother, but what's the timeline get this into an npm release? I'm having trouble using this branch in my package.json because of a conflict with husky

albertosaito commented 1 year ago

I'll merge this PR today, and then I'll try to figure out how to make the npm release.

albertosaito commented 1 year ago

Merging this PR to solve https://github.com/advisories/GHSA-h755-8qp9-cq85