yurikrupnik / mussia8

Mussia8 base project monorepo poc for api gateway
alfred-lake.vercel.app
MIT License

[Snyk] Fix for 1 vulnerability #352

Open yurikrupnik opened 1 year ago

yurikrupnik commented 1 year ago

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

#### Changes included in this PR

- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  - packages/ui/clients/alfred/package.json
  - packages/ui/clients/alfred/package-lock.json

#### Vulnerabilities that will be fixed

##### With an upgrade:

Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity
:-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------
![high severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/h.png "high severity") | **823/1000** <br/> **Why?** Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.6 | Prototype Pollution <br/> [SNYK-JS-PROTOBUFJS-5756498](https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-5756498) | Yes | Proof of Concept

(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: @google-cloud/pubsub
The new version differs by 80 commits.
  • 179b617 chore(main): release 3.0.0 (#1556)
  • 158c606 fix: fixes for dynamic routing and streaming descriptors (#1566)
  • adb4319 build!: update library to use Node 12 (#1564)
  • b173d4c docs: fix #1559 publishMessage return type documentation (#1560)
  • 29d38a1 feat: add BigQuery configuration for subscriptions (#1563)
  • 518fce1 fix(deps): update dependency google-gax to v2.30.4 (#1555)
  • 39c6729 chore(deps): update dependency sinon to v14 (#1553)
  • 6224648 build: update auto approve to v2, remove release autoapproving (#1432) (#1551)
  • f9c9cd1 chore(main): release 2.19.4 (#1550)
  • 2b7bb8f chore(deps): update dependency @types/mocha to v9 (#1545)
  • 5810331 fix(deps): update dependency google-gax to v2.30.3 (#1549)
  • 81abae8 tests: factor out resource management from sample system tests (#1544)
  • 0a4b77c chore(main): release 2.19.3 (#1540)
  • 37d075e fix(deps): update dependency google-gax to v2.30.2 (#1502)
  • 5ce58b1 samples: topic publish() method is deprecated (#1522)
  • 80adb0a tests: make another pass at cleaning up flaky tests (#1537)
  • e7ce2cf chore(main): release 2.19.2 (#1526)
  • 3903304 build(node): update client library version in samples metadata (#1356) (#1530)
  • 3d41115 build: make ci testing conditional on engines field in package.json, move configs to Node 12 (#1418) (#1520)
  • 5ff0105 fix: fix flaky schema and subscription tests (#1518)
  • b68e53b chore(main): release 2.19.1 (#1494)
  • 46fe2ef chore(deps): update actions/checkout action to v3 (#1392) (#1511)
  • abd10cc fix: update grpc.max_metadata_size to 4MiB for exactly-once, and shift ack/modack errors to 'debug' stream channel (#1505)
  • 18b7e5d chore: Enable Size-Label bot in all googleapis NodeJs repositories (#1382) (#1508)
See the full diff
Check the changes in this PR to ensure they won't cause issues with your project.

------------

**Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.*

For more information:

🧐 [View latest project report](https://app.snyk.io/org/yurikrupnik-plq/project/e660b6b4-487f-4f8f-a80b-9366e5d75a80?utm_source=github&utm_medium=referral&page=fix-pr)

🛠 [Adjust project settings](https://app.snyk.io/org/yurikrupnik-plq/project/e660b6b4-487f-4f8f-a80b-9366e5d75a80?utm_source=github&utm_medium=referral&page=fix-pr/settings)

📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities)

[//]: # (snyk:metadata:{"prId":"e38ab4ed-7743-4a9f-b187-372b9e880181","prPublicId":"e38ab4ed-7743-4a9f-b187-372b9e880181","dependencies":[{"name":"@google-cloud/pubsub","from":"2.16.6","to":"3.0.0"},{"name":"firebase-admin","from":"9.11.1","to":"11.1.0"}],"packageManager":"npm","projectPublicId":"e660b6b4-487f-4f8f-a80b-9366e5d75a80","projectUrl":"https://app.snyk.io/org/yurikrupnik-plq/project/e660b6b4-487f-4f8f-a80b-9366e5d75a80?utm_source=github&utm_medium=referral&page=fix-pr","type":"auto","patch":[],"vulns":["SNYK-JS-PROTOBUFJS-5756498"],"upgrade":["SNYK-JS-PROTOBUFJS-5756498"],"isBreakingChange":true,"env":"prod","prType":"fix","templateVariants":["priorityScore"],"priorityScoreList":[823],"remediationStrategy":"vuln"})

---

**Learn how to fix vulnerabilities with free interactive lessons:**

🦉 [Prototype Pollution](https://learn.snyk.io/lessons/prototype-pollution/javascript/?loc=fix-pr)
secure-code-warrior-for-github[bot] commented 1 year ago

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior
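The micro-learning text above describes the bug class in the abstract. As an added example (not code from the mussia8 repository, from protobufjs, or from the Snyk advisory, and not a reproduction of the specific protobufjs issue), the JavaScript below shows a constructed recursive "deep merge" over untrusted JSON that lets a `__proto__` key write onto `Object.prototype`, a hardened merge beside it, and the two authorization checks the text warns about: one that trusts an inherited `isAdmin` attribute and one that only honours an own property. The helper names, the `isAdmin` flag and the JSON payload are assumptions made for this illustration.

```javascript
// Added example, constructed for illustration: not from the mussia8 repo,
// protobufjs, or Snyk. Helper names, the isAdmin flag and the payload are
// assumptions.

// Vulnerable: a typical recursive deep merge over untrusted JSON. for...in
// visits the own "__proto__" key that JSON.parse creates, target["__proto__"]
// resolves to Object.prototype, and the nested object is written onto it,
// so the attribute appears on every object in the process.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: drop the keys that reach the prototype chain, walk only own
// enumerable keys, and never recurse into an inherited target property.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// A check that depends on the mere existence of an attribute: after
// pollution, every object inherits isAdmin === true.
function isAdmin(user) {
  return user.isAdmin === true;
}

// The same decision, honouring only the user's own property.
function isAdminOwnOnly(user) {
  return Object.prototype.hasOwnProperty.call(user, 'isAdmin') && user.isAdmin === true;
}

// Constructed attacker input, e.g. a JSON request body or config file.
const ATTACKER_JSON = '{"displayName":"mallory","__proto__":{"isAdmin":true}}';

function demo() {
  const guest = { displayName: 'guest' };            // has no isAdmin of its own
  const results = { before: isAdmin(guest) };         // false

  unsafeMerge({}, JSON.parse(ATTACKER_JSON));
  results.pollutedLoose = isAdmin(guest);             // true: inherited from Object.prototype
  results.pollutedOwnOnly = isAdminOwnOnly(guest);    // false: own-property check resists
  results.prototypeHasIsAdmin =
    Object.prototype.hasOwnProperty.call(Object.prototype, 'isAdmin'); // true

  delete Object.prototype.isAdmin;                    // undo the pollution before the second run

  const merged = safeMerge({}, JSON.parse(ATTACKER_JSON));
  results.afterSafe = isAdmin(guest);                 // false: the "__proto__" key was dropped
  results.safeKeptDisplayName = merged.displayName;   // "mallory": legitimate data still merged
  return results;
}

console.log(demo());
```

Run it with `node`. The deny-list covers `constructor` and `prototype` as well as `__proto__`, because `source.constructor.prototype` reaches the same object by another path; for pure key/value dictionaries, `Object.create(null)` or a `Map` removes the prototype chain entirely and is the more robust choice. On runtimes that have it, `Object.hasOwn(user, 'isAdmin')` is a shorter spelling of the own-property check, and calling `hasOwnProperty` through `Object.prototype` rather than on the user object matters for the reason the text gives: a polluted or attacker-shaped object may carry its own `hasOwnProperty`.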