Skip to content

[Snyk] Fix for 42 vulnerabilities#10

Open
snyk-bot wants to merge 1 commit intoremove-custom-frequencyfrom
snyk-fix-c17a56c72206b5b61b85230493dbc5f7
Open

[Snyk] Fix for 42 vulnerabilities#10
snyk-bot wants to merge 1 commit intoremove-custom-frequencyfrom
snyk-fix-c17a56c72206b5b61b85230493dbc5f7

Conversation

@snyk-bot
Copy link
Copy Markdown

@snyk-bot snyk-bot commented Jun 13, 2021

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • nh_graphs/dev/coffee/package.json
    • nh_graphs/dev/coffee/.snyk

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 584/1000
Why? Has a fix available, CVSS 7.4		 Directory Traversal
SNYK-JS-ADMZIP-1065796		 No No Known Exploit
high severity 599/1000
Why? Has a fix available, CVSS 7.7		 Remote Memory Exposure
SNYK-JS-BL-608877		 Yes No Known Exploit
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JS-ENGINEIO-1056749		 Yes Proof of Concept
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-GLOBPARENT-1016905		 Yes No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-INI-1048974		 No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905		 Yes Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2		 Command Injection
SNYK-JS-LODASH-1040724		 Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-450202		 Yes Proof of Concept
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3		 Prototype Pollution
SNYK-JS-LODASH-567746		 Yes Proof of Concept
high severity 704/1000
Why? Has a fix available, CVSS 9.8		 Prototype Pollution
SNYK-JS-LODASH-590103		 Yes No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-608086		 Yes Proof of Concept
high severity 579/1000
Why? Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-73638		 Yes No Known Exploit
medium severity 434/1000
Why? Has a fix available, CVSS 4.4		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-73639		 Yes No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Prototype Pollution
SNYK-JS-MERGE-1040469		 Yes No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-MERGE-1042987		 Yes Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MINIMATCH-1019388		 Yes No Known Exploit
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6		 Prototype Pollution
SNYK-JS-MINIMIST-559764		 No Proof of Concept
medium severity 494/1000
Why? Has a fix available, CVSS 5.6		 Command Injection
SNYK-JS-NODENOTIFIER-1035794		 Yes No Known Exploit
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Insecure Defaults
SNYK-JS-SOCKETIO-1024859		 Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JS-SOCKETIOPARSER-1056752		 Yes Proof of Concept
high severity 661/1000
Why? Recently disclosed, Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JS-TRIMNEWLINES-1298042		 Yes No Known Exploit
medium severity 551/1000
Why? Recently disclosed, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835		 Yes No Known Exploit
high severity 899/1000
Why? Mature exploit, Has a fix available, CVSS 9.4		 Arbitrary File Write via Archive Extraction (Zip Slip)
npm:adm-zip:20180415		 No Mature
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:braces:20180219		 Yes Proof of Concept
medium severity 641/1000
Why? Mature exploit, Has a fix available, CVSS 5.1		 Uninitialized Memory Exposure
npm:concat-stream:20160901		 No Mature
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:debug:20170905		 Yes No Known Exploit
high severity 619/1000
Why? Has a fix available, CVSS 8.1		 Insecure Defaults
npm:engine.io-client:20160426		 No No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:hawk:20160119		 Yes No Known Exploit
medium severity 529/1000
Why? Has a fix available, CVSS 6.3		 Prototype Pollution
npm:hoek:20180212		 Yes No Known Exploit
medium severity 539/1000
Why? Has a fix available, CVSS 6.5		 Timing Attack
npm:http-signature:20150122		 Yes No Known Exploit
medium severity 529/1000
Why? Has a fix available, CVSS 6.3		 Prototype Pollution
npm:lodash:20180130		 Yes No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
npm:minimatch:20160620		 Yes No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
npm:ms:20151024		 No No Known Exploit
high severity 756/1000
Why? Mature exploit, Has a fix available, CVSS 7.4		 Uninitialized Memory Exposure
npm:npmconf:20180512		 No Mature
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Prototype Override Protection Bypass
npm:qs:20170213		 Yes No Known Exploit
medium severity 469/1000
Why? Has a fix available, CVSS 5.1		 Remote Memory Exposure
npm:request:20160119		 Yes No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
npm:semver:20150403		 No No Known Exploit
medium severity 576/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.1		 Uninitialized Memory Exposure
npm:tunnel-agent:20170305		 Yes Proof of Concept
medium severity 539/1000
Why? Has a fix available, CVSS 6.5		 Remote Memory Exposure
npm:ws:20160104		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Denial of Service (DoS)
npm:ws:20160624		 No No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Insecure Randomness
npm:ws:20160920		 No No Known Exploit
high severity 761/1000
Why? Mature exploit, Has a fix available, CVSS 7.5		 Denial of Service (DoS)
npm:ws:20171108		 No Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: del The new version differs by 6 commits.

See the full diff

Package name: gulp The new version differs by 243 commits.
  • 55eb23a Release: 4.0.0
  • 173a532 Docs: Fix the installation instructions
  • ec54d09 Docs: Improve note about out-of-date docs
  • 03b7c98 Docs: Update recipes to install gulp@next
  • 2eba29e Docs: Remove run-sequence from recipes
  • 76eb4d6 Docs: Add installation instructions & update badges
  • fbc162f Docs: Remove references to gulp-util
  • 3011cf9 Scaffold: Normalize repository
  • f27be05 Update: Remove graceful-fs from test suite
  • 361ab63 Upgrade: Update glob-watcher
  • 064d100 Build: Avoid broken node 9
  • 057df59 Release: 4.0.0-alpha.3
  • c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
  • 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
  • 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
  • 723cbc4 Docs: Fix syntax in recipe example (#1715)
  • d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
  • 29ece6f Upgrade: Update undertaker
  • e931cb0 Docs: Fix changelog typos (#1696)
  • 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
  • d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
  • 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
  • 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
  • c3dbc10 Docs: Clarify incremental builds example (#1609)

See the full diff

Package name: gulp-coffee The new version differs by 42 commits.

See the full diff

Package name: gulp-notify The new version differs by 18 commits.

See the full diff

Package name: karma The new version differs by 250 commits.
  • 3653caf chore(release): 6.0.0 [skip ci]
  • 04a811d fix(ci): abandon browserstack tests for Safari and IE (#3615)
  • 4bf90f7 feat(client): update banner with connection, test status, ping times (#3611)
  • 68c4a3a chore(test): run client tests without grunt wrapper (#3604)
  • fec972f fix(middleware): catch errors when loading a module (#3605)
  • 3fca456 fix(server): clean up close-server logic (#3607)
  • 1c9c2de fix(test): mark all second connections reconnects (#3598)
  • 87f7e5e chore(license): Update copyright notice to 2020 [ci skip] (#3568)
  • e6b045f chore(deps): npm audit fix the package-lock.json (#3603)
  • 3c649fa chore(build): remove obsolete Grunt tasks (#3602)
  • 8997b74 fix(test): clear up clearContext (#3597)
  • fe0e24a chore(build): unify client bundling scripts (#3600)
  • 1a65bf1 feat(server): remove deprecated static methods (#3595)
  • fb76ed6 chore(test): remove usage of deprecated buffer API (#3596)
  • 35a5842 feat(server): print stack of unhandledrejections (#3593)
  • 4a8178f fix(client): do not reset karmaNavigating in unload handler (#3591)
  • 603bbc0 feat(cli): error out on unexpected options or parameters (#3589)
  • 7a3bd55 feat: remove support for running dart code in the browser (#3592)
  • 1b9e1de fix(deps): bump socket-io to v3 (#3586)
  • 3fed0bc fix(cve): update yargs to 16.1.1 to fix cve-2020-7774 in y18n (#3578)
  • f819fa8 fix(cve): update ua-parser-js to 0.7.23 to fix CVE-2020-7793 (#3584)
  • 05dc288 fix(context): do not error when karma is navigating (#3565)
  • e5086fc docs: clarify `browser_complete` vs `run_complete`
  • ead31cd chore(release): 5.2.3 [skip ci]

See the full diff

Package name: karma-sauce-launcher The new version differs by 46 commits.
  • 004d61d chore: release v1.2.0
  • f783f63 chore: update contributors
  • a21fbd9 chore(deps): update dev dependencies
  • 79c70c2 feat(config): expose commandTimeout, idleTimeout, maxDuration options
  • f607303 Merge branch 'master' of https://github.com/JamieMason/karma-sauce-launcher into JamieMason-master
  • 0362ad5 docs(readme): fix SauceLabs doc links
  • 0ac67d4 feat(config): allow SE traffic to be sent via Sauce Connect's Relay
  • 0219065 docs(readme): add hint to platform configurator
  • bae326f feat(config): pass parentTunnel to selenium
  • bae758a feat(config): add proxy option
  • e792677 feat(deps): upgrade sauce connect
  • 79b688c chore(travis): update build config
  • 1af7432 chore: release v1.1.0
  • 9939f1d chore: update contributors
  • de8fbcc chore: update dependencies
  • 747a19f feat: update deps and add new saucelabs config
  • 3fe1c75 feat(launcher): expose commandTimeout, idleTimeout, maxDuration options
  • 2e8ff42 chore: release v1.0.0
  • d2d331c chore: update contributors
  • 3a4467b version bump to 1.0
  • 18480ef chore: release v0.3.1
  • 7ba0aad chore: update contributors
  • c1e39f4 Merge pull request [Snyk] Security upgrade gulp from 3.9.0 to 4.0.0 #87 from petejohanson/master
  • 9a5a147 fix(reporter): Add adapters property for 0.13 compat.

See the full diff

Package name: phantomjs The new version differs by 131 commits.
  • 017ec0c backport 2.1+ installer fixes back to phantomjs 1.9.8 installer
  • 0719f5d Merge pull request #512 from Medium/nick-global
  • 2b843b5 bump version #
  • f57d473 Merge pull request #511 from Medium/nick-global
  • 2da9622 Use github releases to serve download files
  • 18bed40 Merge pull request #510 from Medium/nick-global
  • ee20e6d try to link to the global phantomjs npm install if we can
  • 00c6258 Merge pull request #498 from Medium/nick-release
  • ceeff49 bump version #
  • 628ed57 Merge pull request #497 from bleggett/remove-adm-zip
  • b3c688d Rename var
  • b29be1d Remove local edit.
  • 77460b6 Replace adm_zip install dependency with extract-zip due to licensing issues with the former.
  • 9668e8c Merge pull request #489 from Medium/nick-release
  • a35c29a bump version #
  • a9099d6 Merge pull request #488 from jgibson/master
  • 8475d0a Merge pull request #479 from pra85/patch-1
  • e3de1dc Fixes #477 by passing CA options directly.
  • 3132404 Merge pull request #485 from Medium/nick-logs
  • 2ade873 tweak some logs
  • 8404465 Merge pull request #484 from SamMorrowDrums/master
  • d57f903 Replaces octal literal with parseInt. Fixes #483
  • d7f1d21 Fix typo in Readme
  • 2b64427 Merge pull request #476 from connesc/master

See the full diff

Package name: sauce-connect-launcher The new version differs by 54 commits.

See the full diff

With a Snyk patch:
Severity Priority Score (*) Issue Exploit Maturity
medium severity 529/1000
Why? Has a fix available, CVSS 6.3		 Prototype Pollution
npm:hoek:20180212		 No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
npm:minimatch:20160620		 No Known Exploit
medium severity 469/1000
Why? Has a fix available, CVSS 5.1		 Remote Memory Exposure
npm:request:20160119		 No Known Exploit
medium severity 576/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.1		 Uninitialized Memory Exposure
npm:tunnel-agent:20170305		 Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

@snyk-bot
fix: nh_graphs/dev/coffee/package.json & nh_graphs/dev/coffee/.snyk t…
0ecca78 
…o reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ADMZIP-1065796
- https://snyk.io/vuln/SNYK-JS-BL-608877
- https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-INI-1048974
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-LODASH-590103
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/SNYK-JS-MERGE-1040469
- https://snyk.io/vuln/SNYK-JS-MERGE-1042987
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-1019388
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-NODENOTIFIER-1035794
- https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-1056752
- https://snyk.io/vuln/SNYK-JS-TRIMNEWLINES-1298042
- https://snyk.io/vuln/SNYK-JS-WS-1296835
- https://snyk.io/vuln/npm:adm-zip:20180415
- https://snyk.io/vuln/npm:braces:20180219
- https://snyk.io/vuln/npm:concat-stream:20160901
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:engine.io-client:20160426
- https://snyk.io/vuln/npm:hawk:20160119
- https://snyk.io/vuln/npm:hoek:20180212
- https://snyk.io/vuln/npm:http-signature:20150122
- https://snyk.io/vuln/npm:lodash:20180130
- https://snyk.io/vuln/npm:minimatch:20160620
- https://snyk.io/vuln/npm:ms:20151024
- https://snyk.io/vuln/npm:npmconf:20180512
- https://snyk.io/vuln/npm:qs:20170213
- https://snyk.io/vuln/npm:request:20160119
- https://snyk.io/vuln/npm:semver:20150403
- https://snyk.io/vuln/npm:tunnel-agent:20170305
- https://snyk.io/vuln/npm:ws:20160104
- https://snyk.io/vuln/npm:ws:20160624
- https://snyk.io/vuln/npm:ws:20160920
- https://snyk.io/vuln/npm:ws:20171108


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/npm:hoek:20180212
- https://snyk.io/vuln/npm:minimatch:20160620
- https://snyk.io/vuln/npm:request:20160119
- https://snyk.io/vuln/npm:tunnel-agent:20170305
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Jun 13, 2021

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@snyk-bot