reactioncommerce / reaction-file-collections

Reaction File Collection packages
MIT License

[Snyk] Security upgrade tus-node-server from 0.3.2 to 0.4.0 #119

Closed snyk-bot closed 2 years ago

snyk-bot commented 2 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| medium severity | 479/1000 (Why? Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS), SNYK-JS-DATEANDTIME-1054430 | No | No Known Exploit |
| high severity | 696/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.5) | Prototype Pollution, SNYK-JS-JSONBIGINT-608659 | No | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: tus-node-server The new version differs by 32 commits.
  • 6ffae1c Add metadata parsing and stringification functions
  • 823edb0 Implement creation-with-upload extension
  • e4ddd89 Implement GET handler
  • 8bffceb Fix issues with GCS datastore tests
  • 698918b Implement resumable uploads with GCS (#37)
  • 892b774 Bump handlebars from 4.7.6 to 4.7.7 (#178)
  • 16a21bf Bump lodash from 4.17.20 to 4.17.21 (#179)
  • e524428 Bump url-parse from 1.4.7 to 1.5.1 (#180)
  • ea677c2 Bump date-and-time from 0.14.1 to 0.14.2 (#175)
  • e446904 Bump y18n from 4.0.0 to 4.0.1 (#176)
  • e56b9ce Use new URL for tus demo server
  • bec95da Upgrade dependencies and drop Node.js v8 support (#173)
  • 1dfc6c9 Merge pull request #171 from tus/dependabot/npm_and_yarn/node-fetch-2.6.1
  • 8914b2d Bump node-fetch from 2.3.0 to 2.6.1
  • e2c610a Bump lodash from 4.17.15 to 4.17.19 (#169)
  • 0ea3674 Bump https-proxy-agent from 2.2.1 to 2.2.4 (#165)
  • 7e48842 chore: update dependency with security issue (#166)
  • b68db52 Merge pull request #164 from tus/dependabot/npm_and_yarn/acorn-6.4.1
  • 0d35c2e Bump acorn from 6.1.1 to 6.4.1
  • b26594f Add TypeScript definitions (#162)
  • 6f27db9 Bump handlebars from 4.1.0 to 4.5.3 (#161)
  • 1a65ae4 Bump eslint-utils from 1.3.1 to 1.4.3 (#154)
  • 932cb71 Bump lodash from 4.17.11 to 4.17.15 (#155)
  • ac22f04 Bump mixin-deep from 1.3.1 to 1.3.2 (#152)
See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic
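The Snyk table above names Prototype Pollution in json-bigint but does not show what that vulnerability class looks like or how a reviewer checks for it. The following is an added example, not code from this repository, from Snyk, from tus-node-server or from json-bigint, and it does not claim how the json-bigint flaw itself works. It shows the generic chain: `JSON.parse` produces an own property literally named `__proto__`, and a naive recursive merge then walks through it onto `Object.prototype`. The hardened merge beside it refuses prototype-reaching keys, and a small canary helper gives a test suite a cheap way to notice pollution. The attacker JSON, the `isAdmin` flag, and the names `unsafeMerge`, `safeMerge`, `pollutes`, `isPlainObject` and `prototypeIsClean` are all constructed for illustration.

```javascript
// Constructed attacker-controlled JSON, not taken from the advisory or the PR.
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}, "theme": "dark"}';

// Keys that must never be walked or assigned when merging untrusted input.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return typeof value === 'object' && value !== null && !Array.isArray(value);
}

// VULNERABLE (illustrative, hypothetical): recursive merge that trusts every key.
// JSON.parse yields an own property named "__proto__"; for..in enumerates it, and
// on the target (a plain object) target["__proto__"] is Object.prototype, so the
// recursion writes the attacker's keys onto the prototype shared by every object.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: iterate own keys only, refuse the prototype-reaching names, and only
// recurse into properties the target itself owns (never into inherited ones).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) {
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges the attacker payload into an empty config with the given merge function
// and reports whether an unrelated, freshly created object now carries the
// injected key. Cleans Object.prototype afterwards so repeated calls start clean.
function pollutes(mergeFn) {
  const config = {};
  mergeFn(config, JSON.parse(ATTACKER_JSON));
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { polluted, theme: config.theme };
}

// Runtime canary for a test suite or health check: a fresh object must not
// resolve any of the keys the application treats as authorization flags.
function prototypeIsClean(sensitiveKeys) {
  const probe = {};
  return sensitiveKeys.every((k) => !(k in probe));
}

console.log('unsafeMerge:', pollutes(unsafeMerge)); // polluted: true
console.log('safeMerge:', pollutes(safeMerge));     // polluted: false
```

The same `__proto__` key is harmless to `JSON.parse` alone; the damage comes from any code that later walks parsed keys into an existing object (deep merge, config overlay, a custom parser that builds objects by assignment). When reviewing a dependency bump like this one, the useful check is whether such a walker exists anywhere on the path from untrusted JSON to application objects, and whether it skips the three blocked names.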