turkdevops / lodash

A modern JavaScript utility library delivering modularity, performance, & extras.
https://lodash.com/

[Snyk] Fix for 19 vulnerabilities #1

Open snyk-bot opened 4 years ago

snyk-bot commented 4 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:
Severity  Issue                                         Snyk ID                      Breaking Change  Exploit Maturity
high      Prototype Pollution                           SNYK-JS-AJV-584908           No               No Known Exploit
medium    Prototype Pollution                           SNYK-JS-DOJO-559224          No               Proof of Concept
medium    Cross-site Scripting (XSS)                    SNYK-JS-DOJO-72305           No               No Known Exploit
high      Denial of Service (DoS)                       SNYK-JS-ECSTATIC-540354      Yes              Proof of Concept
medium    Cross-site Scripting (XSS)                    SNYK-JS-JQUERY-565129        No               No Known Exploit
medium    Cross-site Scripting (XSS)                    SNYK-JS-JQUERY-567880        No               No Known Exploit
medium    Denial of Service (DoS)                       SNYK-JS-JSYAML-173999        Yes              No Known Exploit
high      Arbitrary Code Execution                      SNYK-JS-JSYAML-174129        Yes              No Known Exploit
medium    Prototype Pollution                           SNYK-JS-MINIMIST-559764      Yes              Proof of Concept
high      Regular Expression Denial of Service (ReDoS)  SNYK-JS-MOCHA-561476         Yes              No Known Exploit
low       Regular Expression Denial of Service (ReDoS)  npm:braces:20180219          Yes              Proof of Concept
medium    Cross-site Scripting (XSS)                    npm:dojo:20180818            No               No Known Exploit
medium    Prototype Pollution                           npm:hoek:20180212            Yes              No Known Exploit
medium    Uninitialized Memory Exposure                 npm:tunnel-agent:20170305    Yes              Proof of Concept
Commit messages
Package name: coveralls The new version differs by 3 commits.
  • 2ed4d09 major version bump for node > 4.x
  • 5ebe57f bump version
  • 428780c Expand allowed dependency versions to all API compatible versions (#172)
Package name: dojo The new version differs by 23 commits.
  • ca3ea12 Update kernel.js
  • 4c59174 Updating metadata for 1.14.0
  • b27d4da Fix function declaration syntax in dojo/request/util.js module (#312) (#313)
  • 9177bb8 And another missing semicolon (#315)
  • 84d254d Missing semicolon (#314)
  • c36866c Fixes an issue with deepCopy not creating copies of objects. see #293 (#294)
  • 9117ffd Fix potential XSS vulnerability (#307)
  • 27509ee Corrects a reference in a deferred error message, fixes #304 (#305)
  • 8c72eba 19102 change dojo/promise/all array verification (#292)
  • c42d280 Refs #297, Changed regex to remove comments in loader.js. (#299)
  • c9f8645 improve performance on _base/Color.blendColors (#302)
  • b769bdc add transferType property to distinguish progress (#296)
  • 2df2870 fixes #16218, dojo/data/ObjectStore save function return value
  • 3b04330 Remove trailing package location slash when building URL
  • 7a73fa7 Fix an IE vulnerability (CVE-2017-11895). (#288)
  • e96395d fixes #19097, Deduplicate handlers call
  • 9877c64 Fixes #18249, don't check for attributes when meaning
  • 8fcd1d2 Update the short and medium dateFormat descriptors for the ja bundle
  • c71d5a0 fixes #16566, Don’t add Content-Type unless post/put or has data
  • 47944f9 fixes #19083, Add support for 'foreign-loader' has condition in dojo.js
  • 5eb0b4f add test for dojo/Stateful module: when we set one stateful instance to another, the watchers should work correctly
  • bd9156b Add upload progress support to dojo/request/xhr (#274)
  • ef6f0ab Updating source version to 1.14.0-pre
Package name: ecstatic The new version differs by 120 commits.
  • c2de337 Update package.json
  • 4961bbe what are tests? never heard of them
  • 72044b8 v4.1.3: [security] Fix crash on redirect with formfeed in URL (CVE-2019-10775) (#266)
  • dd29df2 Create npmpublish.yml
  • ae7a39b Notice of non-maintenance/deprecation
  • 89e9f22 Release 4.1.2
  • be6fc25 Ho hum
  • fab5945 Release 4.1.1
  • ed0b114 Update package-lock
  • 599d987 Merge branch 'fix-edge-cases'
  • 82b1803 Merge branch 'master' into fix-edge-cases
  • 892f4a1 More consistent behavior around handleError
  • 5d46c66 Release 4.1.0
  • f593b84 Added "--host" option. (#253)
  • 497c664 Release 4.0.2
  • ebf9e7f fix: on-finished (#249)
  • d0c3e94 Release 4.0.1
  • 2b59fd8 Update contributors
  • b9a994f fix: leak on res aborted on non-range requests
  • 6481ff4 Release 4.0.0
  • daa49fb Refresh package-lock.json
  • 7ad77dc Merge pull request #242 from jfhbrook/fix-226
  • 570e391 Test against nodes 9-11
  • 68f8446 Downgrade linting stuff
Package name: mocha The new version differs by 250 commits.
  • eb781e2 Release v6.2.3
  • 10dbe94 update CHANGELOG for v6.2.3 [ci skip]
  • 848d6fb security: update mkdirp, yargs, yargs-parser
  • 843a322 6.2.2
  • aec8b02 update CHANGELOG for v6.2.2 [ci skip]
  • 7a8b95a npm audit fixes
  • cebddf2 Improve reporter documentation for mocha in browser. (#4026)
  • 3f7b987 uncaughtException: report more than one exception per test (#4033)
  • ee82d38 modify alt text of image from Backers to Sponsors inside Sponsors section in Readme (#4046)
  • e9c036c special-case parsing of "require" in unparseNodeArgs(); closes #4035 (#4063)
  • 954cf0b Fix HTMLCollection iteration to make unhide function work as expected (#4051)
  • 816dc27 uncaughtException: fix double EVENT_RUN_END events (#4025)
  • 9650d3f add OpenJS Foundation logo to website (#4008)
  • f04b81d Adopt the OpenJSF Code of Conduct (#3971)
  • aca8895 Add link checking to docs build step (#3972)
  • ef6c820 Release v6.2.1
  • 9524978 updated CHANGELOG for v6.2.1 [ci skip]
  • dfdb8b3 Update yargs to v13.3.0 (#3986)
  • 18ad1c1 treat '--require esm' as Node option (#3983)
  • fcffd5a Update yargs-unparser to v1.6.0 (#3984)
  • ad4860e Remove extraGlobals() (#3970)
  • b269ad0 Clarify effect of .skip() (#3947)
  • 1e6cf3b Add Matomo to website (#3765)
  • 91b3a54 fix style on mochajs.org (#3886)
Package name: request The new version differs by 31 commits.
  • 6420240 2.88.0
  • bd22e21 fix: massive dependency upgrade, fixes all production vulnerabilities
  • 925849a Merge pull request #2996 from kwonoj/fix-uuid
  • 7b68551 fix(uuid): import versioned uuid
  • 5797963 Merge pull request #2994 from dlecocq/oauth-sign-0.9.0
  • 628ff5e Update to oauth-sign 0.9.0
  • 10987ef Merge pull request #2993 from simov/fix-header-tests
  • cd848af These are not going to fail if there is a server listening on those ports
  • a92e138 #515, #2894 Strip port suffix from Host header if the protocol is known. (#2904)
  • 45ffc4b Improve AWS SigV4 support. (#2791)
  • a121270 Merge pull request #2977 from simov/update-cert
  • bd16414 Update test certificates
  • 536f0e7 2.87.1
  • 02fc5b1 Update changelog
  • de1ed5a 2.87.0
  • a6741d4 Replace hawk dependency with a local implemenation (#2943)
  • a7f0a36 2.86.1
  • 8f2fd4d Update changelog
  • 386c7d8 2.86.0
  • 76a6e5b Merge pull request #2885 from ChALkeR/patch-1
  • db76838 Merge branch 'patch-1' of github.com:ChALkeR/request
  • fb7aeb3 Merge pull request #2942 from simov/fix-tests
  • e47ce95 Add Node v10 build target explicitly
  • 0c5db42 Skip status code 105 on Node > v10
Package name: webpack The new version differs by 250 commits.
  • 4be093d 2.2.0
  • 2278469 2.2.0-rc.8
  • b946eb4 Merge pull request #3988 from malstoun/bug/2664
  • 260e413 Merge pull request #3986 from webpack/bugfix/revert_use_of_buffer_dot_from
  • 0ec7de9 Fix regression with watch cli opt, add tests for this case
  • 72226db add missing disable line
  • 4d30675 build fresh yarn.lock file to remove buffer polyfill
  • 91c1f35 fix(node): rollback changes of Buffer.from to new Buffer() and bump down travis to 4.3 min node v
  • 0b47602 2.2.0-rc.7
  • db6ccbc Merge pull request #3978 from webpack/bugfix/conditional-reexports
  • 82a5b03 Merge pull request #3977 from malstoun/bug/2664
  • fc1a43b Merge pull request #3976 from timse/rely-on-defaults
  • a44694a hoist exports declarations too
  • 682bde8 Fix lint
  • c6d7d90 Add tests
  • af8d49e remove defaults values to shave a few bytes
  • 9796696 2.2.0-rc.6
  • e9bdb05 Merge pull request #3971 from webpack/bugfix/fix_available_vars_in_fmtp
  • bd45bdc add test case for global in harmony modules
  • bfccb20 fix PR
  • 5a3a23f fix(nmf): Fix exports for var injection to include free glob exports or arguments
  • 437dce4 2.2.0-rc.5
  • 91cb1df Merge pull request #3970 from webpack/ci/appveyor
  • 9fd55e5 Merge pull request #3969 from webpack/bugfix/issue-3964
With a Snyk patch:
Severity  Issue                                         Snyk ID                      Exploit Maturity
medium    Prototype Pollution                           SNYK-JS-LODASH-567746        Proof of Concept
low       Regular Expression Denial of Service (ReDoS)  npm:hawk:20160119            No Known Exploit
medium    Timing Attack                                 npm:http-signature:20150122  No Known Exploit
low       Regular Expression Denial of Service (ReDoS)  npm:mime:20170907            No Known Exploit
medium    Remote Memory Exposure                        npm:request:20160119         No Known Exploit
medium    Uninitialized Memory Exposure                 npm:tunnel-agent:20170305    Proof of Concept

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
