prasad-edlabadka / homebridge-tuya-ir

Allows homebridge to control Tuya Smart IR based devices
Apache License 2.0
50 stars 22 forks

[Snyk] Security upgrade crypto-js from 4.0.0 to 4.2.0 #101

Open prasad-edlabadka opened 8 months ago

prasad-edlabadka commented 8 months ago

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

#### Changes included in this PR

- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  - package.json
  - package-lock.json

#### Vulnerabilities that will be fixed

##### With an upgrade:

Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity
:-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------
![high severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/h.png "high severity") | **716/1000** <br/> **Why?** Recently disclosed, Has a fix available, CVSS 8.6 | Use of Weak Hash <br/> [SNYK-JS-CRYPTOJS-6028119](https://snyk.io/vuln/SNYK-JS-CRYPTOJS-6028119) | No | No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: crypto-js

The new version differs by 42 commits.
  • ac34a5a Merge branch 'release/4.2.0' into develop
  • d5af3ae Update release notes.
  • 9496e07 Bump version.
  • 421dd53 Change default hash algorithm and iteration's for PBKDF2 to prevent weak security by using the default configuration.
  • d1f4f4d Update grunt.
  • 1da3dab Discontinued
  • 4dcaa7a Merge pull request #380 from Alanscut/dev
  • 762feb2 chore: rename BF to Blowfish
  • fb81418 feat: blowfish support
  • c8a2312 Merge pull request #379 from Alanscut/dev
  • 09ee2ab feat: custom KDF hasher
  • 0229694 Merge branch 'develop' of ssh://github.com/brix/crypto-js into develop
  • df09288 Remove travis status, as travis is not used anymore.
  • 6703e79 Merge pull request #285 from paulmwatson/develop
  • d50d964 No es default param.
  • 4840268 Merge pull request #378 from Elity/develop
  • f92ddc0 Merge pull request #377 from Alanscut/dev
  • fe84967 fix: es-check error
  • ca7384f test: add test case,using salt in the config
  • dcc3848 fix:The "cfg.salt" parameter don't work
  • ecfe2e4 Update dev dependencies.
  • a4dac50 Merge branch 'release/4.1.1' into develop
  • 81ed562 Update release notes.
  • 0326a86 Bump version.
See the full diff
Check the changes in this PR to ensure they won't cause issues with your project.

------------

**Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.*

For more information:

- 🧐 [View latest project report](https://app.snyk.io/org/prasad-edlabadka/project/b1aaab82-7ac9-45e0-93e7-cf4ff4c1c228?utm_source=github&utm_medium=referral&page=fix-pr)
- 🛠 [Adjust project settings](https://app.snyk.io/org/prasad-edlabadka/project/b1aaab82-7ac9-45e0-93e7-cf4ff4c1c228?utm_source=github&utm_medium=referral&page=fix-pr/settings)
- 📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities)

---

**Learn how to fix vulnerabilities with free interactive lessons:**

🦉 [Use of Weak Hash](https://learn.snyk.io/lesson/insecure-hash/?loc=fix-pr)

sonarcloud[bot] commented 8 months ago

Kudos, SonarCloud Quality Gate passed!

- 0 Bugs (rating A)
- 0 Vulnerabilities (rating A)
- 0 Security Hotspots (rating A)
- 0 Code Smells (rating A)
- No Coverage information
- 0.0% Duplication

github-advanced-security[bot] commented 8 months ago

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.