Open victornpb opened 1 year ago
socket-security[bot]
commented
1 year ago Updated dependencies detected. Learn more about Socket for GitHub ↗︎
| Packages | Version | New capabilities | Transitives | Size | Publisher |
|---|---|---|---|---|---|
| jsdom | 16.4.0...16.5.0 | eval | +17/-21 |
6.62 MB | domenic |
socket-security[bot]
commented
1 year ago 🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎
To accept the risk, merge this PR and you will not be notified again.
| Issue | Package | Version | Note | Source |
|---|---|---|---|---|
| Dynamic require | url-parse | 1.5.10 |
|
|
| Obfuscated require | url-parse | 1.5.10 |
|
|
| Suspicious strings | psl | 1.9.0 |
|
|
| Uses eval | lodash | 4.17.21 |
|
Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.
Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code.
Package accesses dynamic properties of require and may be obfuscating code execution.
The package should not access dynamic properties of module. Instead use import or require directly.
This package contains suspicious text patterns which are commonly associated with bad behavior
The package code should be reviewed before installing
Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.
Avoid packages that use eval, since this could potentially execute any code.
Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.
If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.
To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all
@SocketSecurity ignore lodash@4.17.21@SocketSecurity ignore url-parse@1.5.10@SocketSecurity ignore psl@1.9.0
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
#### Changes included in this PR - Changes to the following files to upgrade the vulnerable dependencies to a fixed version: - package.json - package-lock.json #### Vulnerabilities that will be fixed ##### With an upgrade: Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------  | **718/1000****Why?** Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.5 | Prototype Pollution
[SNYK-JS-TOUGHCOOKIE-5672873](https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873) | No | Proof of Concept (*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: jsdom
The new version differs by 30 commits.- 2d82763 Version 16.5.0
- 9741311 Fix loading of subresources with Unicode filenames
- 5e46553 Use domenic's ESLint config as the base
- 19b35da Fix the URL of about:blank iframes
- 017568e Support inputType on InputEvent
- 29f4fdf Upgrade dependencies
- e2f7639 Refactor create‑event‑accessor.js to remove code duplication
- ff69a75 Convert JSDOM to use callback functions
- 19df6bc Update links in contributing guidelines
- 1e34ff5 Test triage
- 1d6cb3c XHR: clear response buffer on errors
- 1e86b2e XHR: mark Content-Length as CORS-safelisted
- 6a8f012 XHR: avoid a redundant final progress event
- 021555b Allow mutating disabled <input type=checkbox/radio>
- a62d9fe Remove ondragexit from GlobalEventHandlers
- 745fbaf Call mutation observer callbacks with the MutationObserver as this
- 6c758c9 Implement window.event
- a88d0bf Clean up navigator.plugins and navigator.mimeTypes
- 31eb938 Implement queueMicrotask()
- 2ab99ad Stop replacing / with : in the File constructor
- ffd4aa3 Reduce log spam when starting WPT server
- e0de8be Upgrade to-upstream WPTs to Python 3
- c94ceeb Automatically omit all testdriver tests
- b3f6056 Update WPT
See the full diff