[Snyk] Security upgrade @pulumi/aws from 5.11.0 to 6.56.0 #137

Abuchtela · 2024-10-21T22:40:00Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- infra/staging/package.json
- infra/staging/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	141/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Local, EPSS: 0.01055, Social Trends: No, Days since published: 326, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.35, Score Version: V5	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	159/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.0016, Social Trends: No, Days since published: 489, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.64, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @pulumi/aws

The new version differs by 250 commits.

9d605a9 Upstream v5.71.0 (fix wording for one-time contribution gitcoinco/web#4638)
cd0e3df Upgrade pulumi-terraform-bridge to v3.92.0 (fixed conflicts gitcoinco/web#4628)
33382b7 Update GitHub Actions workflows. (Sort Hackathon Bounties by Highest Value First gitcoinco/web#4615)
190ca4c chore: remove skipped credential config test (Bounties and Grants are mixed in menu with same icons! gitcoinco/web#4611)
39c3e7d Compute schema-minimal.json (newsletter 2019-06-07 gitcoinco/web#4587)
f2b6e3c Allow running gamelift test in parallel (WIP: #4599 PRs in Bounty Explorer gitcoinco/web#4609)
525a130 Update GitHub Actions workflows. (Cannot create bounties without Github API Key gitcoinco/web#4608)
77f656d Upstream v5.70.0 (Add send_weekly_recap to crontab gitcoinco/web#4604)
baee26c Update GitHub Actions workflows. (Fix rating duplication in profile gitcoinco/web#4592)
9a752fd Add pluralized lifecycle_policies to EFS file system data source (Gitcoin Profile Detail Page Does Not Include Coins Other than ETH gitcoinco/web#4590)
d80f7d1 Set explicit version for .NET core SDK requirement (dedupe profiles in directory gitcoinco/web#4591)
13719db Re-generate schema to fix aws.iam.Role description (As a person having their own programming/hacking company, I would like to be able to have my own organization for contribution gitcoinco/web#4589)
0808d68 Disable experimental post-quantum key exchange mechanism `X25519Kyber768Draft00` (sentry: fix undefined error gitcoinco/web#4583)
a795267 Remove explicit dependency on core SDK (Propose work gitcoinco/web#4478)
b62cf93 Upgrade upstream to v5.69.0 (as a funder who posted a bounty that has no action for 3 days, i want an email telling me what to do so i can salvage the bounty. gitcoinco/web#4571)
ca81399 make ci-mgmt (What should we do with issues that are 6 months old? Separate it out from the Open into a different filteR? gitcoinco/web#4531)
93506d9 Fix "the bridge does not accept secrets panic" by upgrade pulumi-terraform-bridge to v3.91.1 (This issue is closed on Github, but we did not detect that it was closed. gitcoinco/web#4526)
5af950d Upstream v5.68.0 ([low prio] Grants - you contribute... 0k? gitcoinco/web#4523)
3379551 Suppress undefined to default diffs on aws.autoscaling.Group (grant: cleanup + wsyiwyg editor gitcoinco/web#4510)
e45ca74 Update gamelift patches to sdkv2 (As a Gitcoin operator, our FTUX flows are a bit leaky and unclear. gitcoinco/web#4511)
36f9cde Upgrade pulumi-terraform-bridge to v3.91.0 (Funder Form - Display Default settings in collapsed accordian gitcoinco/web#4480)
e86c233 Update GitHub Actions workflows. (re-invite user gitcoinco/web#4472)
f4af80f Upstream v5.67.0 (grants that have a lot of contributors are slow gitcoinco/web#4458)
4559bc8 Update GitHub Actions workflows. (fix bad paths to js lib files gitcoinco/web#4464)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

…reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-INFLIGHT-6095116 - https://snyk.io/vuln/SNYK-JS-SEMVER-3247795

socket-security · 2024-10-21T22:40:35Z

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@types/unist@2.0.3	None	`0`	5.23 kB	types
npm/@types/vfile-message@2.0.0	None	`+2`	25.4 kB	types
npm/@types/vfile@3.0.2	None	`0`	7.66 kB	types
npm/@webassemblyjs/ast@1.9.0	None	`0`	180 kB	xtuc
npm/@webassemblyjs/floating-point-hex-parser@1.9.0	None	`0`	6.37 kB	xtuc
npm/@webassemblyjs/helper-api-error@1.9.0	None	`0`	6.1 kB	xtuc
npm/@webassemblyjs/helper-buffer@1.9.0	None	`0`	8.7 kB	xtuc
npm/@webassemblyjs/helper-code-frame@1.9.0	None	`0`	4.28 kB	xtuc
npm/@webassemblyjs/helper-fsm@1.9.0	None	`0`	9.07 kB	xtuc
npm/@webassemblyjs/helper-module-context@1.9.0	None	`0`	29.8 kB	xtuc
npm/@webassemblyjs/helper-wasm-bytecode@1.9.0	None	`0`	24.2 kB	xtuc
npm/@webassemblyjs/helper-wasm-section@1.9.0	None	`0`	19 kB	xtuc
npm/@webassemblyjs/ieee754@1.9.0	None	`0`	5.19 kB	xtuc
npm/@webassemblyjs/leb128@1.9.0	None	`0`	46.1 kB	xtuc
npm/@webassemblyjs/utf8@1.9.0	None	`0`	11.2 kB	xtuc
npm/@webassemblyjs/wasm-edit@1.9.0	None	`0`	29.4 kB	xtuc
npm/@webassemblyjs/wasm-gen@1.9.0	None	`0`	23.9 kB	xtuc
npm/@webassemblyjs/wasm-opt@1.9.0	None	`0`	9.34 kB	xtuc
npm/@webassemblyjs/wasm-parser@1.9.0	None	`0`	122 kB	xtuc
npm/@webassemblyjs/wast-parser@1.9.0	None	`0`	137 kB	xtuc
npm/@webassemblyjs/wast-printer@1.9.0	None	`0`	37.3 kB	xtuc
npm/@xtuc/ieee754@1.2.0	None	`0`	8.57 kB	xtuc
npm/@xtuc/long@4.2.2	None	`0`	190 kB	xtuc
npm/ajv-errors@1.0.1	None	`0`	41.7 kB	esp
npm/anymatch@3.1.2	None	`0`	9.54 kB	paulmillr
npm/aproba@1.2.0	None	`0`	8.18 kB	iarna
npm/arr-union@3.1.0	None	`0`	6.66 kB	jonschlinkert
npm/asn1.js@5.4.1	None	`0`	49.8 kB	indutny
npm/assert@1.5.0	Transitive: environment	`+2`	84.3 kB	goto-bus-stop
npm/async-each@1.0.3	None	`0`	3.95 kB	paulmillr
npm/atob@2.1.2	None	`0`	36.2 kB	coolaj86
npm/bail@1.0.5	None	`0`	4.3 kB	wooorm
npm/binary-extensions@2.2.0	None	`0`	5.36 kB	sindresorhus
npm/bindings@1.5.0	environment, filesystem	`0`	11.2 kB	tootallnate
npm/bluebird@3.7.2	environment, eval, unsafe	`0`	632 kB	esailija
npm/bn.js@5.2.0	None	`0`	100 kB	fanatid
npm/browserify-aes@1.2.0	None	`+2`	42.9 kB	cwmma
npm/browserify-cipher@1.0.1	None	`0`	6.45 kB	cwmma
npm/browserify-des@1.0.2	None	`0`	6.27 kB	cwmma
npm/browserify-rsa@4.1.0	None	`0`	3.68 kB	cwmma
npm/browserify-sign@4.2.1	Transitive: environment	`+4`	180 kB	cwmma
npm/browserify-zlib@0.2.0	None	`0`	192 kB	dignifiedquire
npm/buffer-xor@1.0.3	None	`0`	4.83 kB	dcousens
npm/builtin-status-codes@3.0.0	network	`0`	4.5 kB	bendrucker
npm/cacache@10.0.4	environment, filesystem	`0`	102 kB	zkat
npm/cache-base@1.0.1	None	`0`	16.4 kB	jonschlinkert
npm/ccount@1.1.0	None	`0`	4.5 kB	wooorm
npm/character-entities-html4@1.1.4	None	`0`	9.04 kB	wooorm
npm/character-entities-legacy@1.1.4	None	`0`	6.71 kB	wooorm
npm/character-entities@1.2.4	None	`0`	47.7 kB	wooorm
npm/character-reference-invalid@1.1.4	None	`0`	5.54 kB	wooorm
npm/chokidar@3.5.2	environment, filesystem	`+5`	200 kB	paulmillr
npm/chownr@1.1.4	filesystem	`0`	5.71 kB	isaacs
npm/chrome-trace-event@1.0.3	None	`0`	14.2 kB	samccone
npm/class-utils@0.3.6	None	`0`	19 kB	jonschlinkert
npm/cliui@5.0.0	None	`+3`	28.1 kB	bcoe
npm/collapse-white-space@1.0.6	None	`0`	4.36 kB	wooorm
npm/collection-visit@1.0.0	None	`0`	6.85 kB	jonschlinkert
npm/commander@2.13.0	filesystem, shell	`0`	56.1 kB	abetomo
npm/component-emitter@1.3.0	None	`0`	8 kB	nami-doc
npm/console-browserify@1.2.0	None	`0`	10.3 kB	goto-bus-stop
npm/constants-browserify@1.0.0	None	`0`	7.46 kB	juliangruber
npm/copy-concurrently@1.0.5	filesystem	`+1`	27.3 kB	iarna
npm/copy-descriptor@0.1.1	None	`0`	4.15 kB	jonschlinkert
npm/create-ecdh@4.0.4	None	`+1`	101 kB	cwmma
npm/crypto-browserify@3.12.0	None	`0`	53.5 kB	cwmma
npm/cyclist@1.0.1	None	`0`	4.46 kB	mafintosh
npm/decode-uri-component@0.2.0	None	`0`	5.71 kB	samverschueren
npm/des.js@1.0.1	None	`+1`	40.2 kB	indutny
npm/detect-file@1.0.0	filesystem	`0`	8.63 kB	doowb
npm/diffie-hellman@5.0.3	None	`0`	17.3 kB	cwmma
npm/dom-serializer@0.2.2	None	`+2`	74 kB	feedic
npm/domain-browser@1.2.0	None	`0`	16.8 kB	bevryme
npm/duplexify@3.7.1	None	`+1`	23.4 kB	mafintosh
npm/elliptic@6.5.4	None	`0`	118 kB	indutny
npm/enhanced-resolve@4.5.0	None	`+1`	134 kB	sokra
npm/errno@0.1.8	None	`0`	18.1 kB	ralphtheninja
npm/events@3.3.0	None	`0`	82.8 kB	goto-bus-stop
npm/expand-tilde@2.0.2	None	`0`	6.59 kB	doowb
npm/extend@3.0.2	None	`0`	23.5 kB	ljharb
npm/figgy-pudding@3.5.2	None	`0`	18.4 kB	isaacs
npm/file-uri-to-path@1.0.0	None	`0`	8.07 kB	tootallnate
npm/findup-sync@3.0.0	filesystem	`0`	6.77 kB	phated
npm/flush-write-stream@1.1.1	None	`0`	6.5 kB	mafintosh
npm/for-in@1.0.2	None	`0`	6.28 kB	jonschlinkert
npm/from2@2.3.0	None	`0`	9.35 kB	mafintosh
npm/fs-write-stream-atomic@1.0.10	None	`0`	18.7 kB	iarna
npm/fsevents@2.3.2	None	`0`	156 kB	pipobscure
npm/get-caller-file@2.0.5	None	`0`	4.72 kB	stefanpenner
npm/get-value@2.0.6	None	`0`	3.71 kB	jonschlinkert
npm/has-value@1.0.0	None	`0`	7.62 kB	jonschlinkert
npm/has-values@1.0.0	None	`+1`	21.4 kB	jonschlinkert
npm/hash-base@3.1.0	None	`0`	6.08 kB	fanatid
npm/hash.js@1.1.7	None	`0`	41.7 kB	indutny
npm/hmac-drbg@1.0.1	None	`0`	25 kB	indutny
npm/homedir-polyfill@1.0.3	environment, filesystem	`0`	8.05 kB	doowb
npm/https-browserify@1.0.0	network	`0`	2.79 kB	feross
npm/ieee754@1.2.1	None	`0`	6.8 kB	feross
npm/iferr@0.1.5	None	`0`	5.43 kB	nadav
npm/import-local@2.0.0	None	`+1`	7.02 kB	sindresorhus
npm/infer-owner@1.0.4	filesystem	`0`	4.29 kB	isaacs
npm/interpret@1.4.0	None	`0`	14.9 kB	phated
npm/is-alphabetical@1.0.4	None	`0`	5.01 kB	wooorm
npm/is-alphanumeric@1.0.0	None	`0`	2.67 kB	arthurvr
npm/is-alphanumerical@1.0.4	None	`0`	5.11 kB	wooorm
npm/is-binary-path@2.1.0	None	`0`	3.08 kB	sindresorhus
npm/is-buffer@2.0.5	None	`0`	4.59 kB	feross
npm/is-decimal@1.0.4	None	`0`	4.68 kB	wooorm
npm/is-hexadecimal@1.0.4	None	`0`	4.99 kB	wooorm
npm/is-whitespace-character@1.0.4	None	`0`	5.31 kB	wooorm
npm/is-word-character@1.0.4	None	`0`	5.07 kB	wooorm
npm/is-wsl@1.1.0	environment, filesystem	`0`	2.88 kB	sindresorhus
npm/loader-runner@2.4.0	filesystem	`0`	16.3 kB	sokra
npm/longest-streak@2.0.4	None	`0`	5.16 kB	wooorm
npm/map-visit@1.0.0	None	`0`	8.47 kB	jonschlinkert
npm/markdown-escapes@1.0.4	None	`0`	5.19 kB	wooorm
npm/markdown-table@1.1.3	None	`0`	12 kB	wooorm
npm/md5.js@1.3.5	None	`0`	7.67 kB	cwmma
npm/mdast-util-compact@1.0.4	None	`0`	7.51 kB	wooorm
npm/memory-fs@0.4.1	None	`0`	13.4 kB	sokra
npm/miller-rabin@4.0.1	None	`0`	6.84 kB	indutny
npm/minimalistic-crypto-utils@1.0.1	None	`0`	4.76 kB	indutny
npm/mississippi@2.0.0	None	`0`	16.1 kB	bret
npm/mixin-deep@1.3.2	None	`0`	7.22 kB	doowb
npm/move-concurrently@1.0.1	filesystem	`0`	7.95 kB	iarna
npm/nan@2.14.2	None	`0`	418 kB	kkoopa
npm/neo-async@2.6.2	None	`0`	298 kB	suguru03
npm/nice-try@1.0.5	None	`0`	3.75 kB	electerious
npm/node-libs-browser@2.2.1	network, unsafe	`+1`	33.8 kB	sokra
npm/object-copy@0.1.0	None	`0`	5.47 kB	jonschlinkert
npm/object-visit@1.0.1	None	`0`	6.7 kB	jonschlinkert
npm/os-browserify@0.3.0	None	`0`	2.74 kB	coderpuppy
npm/pako@1.0.11	None	`0`	788 kB	vitaly
npm/parallel-transform@1.2.0	None	`0`	5.54 kB	mafintosh
npm/parse-passwd@1.0.0	None	`0`	5.96 kB	doowb
npm/pascalcase@0.1.1	None	`0`	4.46 kB	jonschlinkert
npm/path-browserify@0.0.1	None	`0`	27 kB	goto-bus-stop
npm/path-key@2.0.1	None	`0`	3.02 kB	sindresorhus
npm/pbkdf2@3.1.2	None	`0`	13.8 kB	cwmma
npm/promise-inflight@1.0.1	None	`0`	3.04 kB	iarna
npm/prr@1.0.1	None	`0`	10.1 kB	rvagg
npm/public-encrypt@4.0.3	None	`+1`	34.2 kB	cwmma
npm/pump@2.0.1	filesystem	`0`	7.38 kB	mafintosh
npm/pumpify@1.5.1	None	`0`	10.2 kB	mafintosh
npm/querystring-es3@0.2.1	None	`0`	16.1 kB	spaintrain
npm/randomfill@1.0.4	None	`0`	6.84 kB	cwmma

🚮 Removed packages: npm/@pulumi/aws@5.11.0, npm/@pulumi/awsx@0.40.0, npm/@pulumi/pulumi@3.38.0, npm/@types/node@14.18.26, npm/readable-stream@2.3.7, npm/redent@2.0.0, npm/regenerate-unicode-properties@8.2.0, npm/regenerate@1.4.2, npm/regenerator-runtime@0.13.7, npm/regenerator-transform@0.14.5, npm/regex-not@1.0.2, npm/regexpp@1.1.0, npm/regexpu-core@4.7.1, npm/regjsgen@0.5.2, npm/regjsparser@0.6.9, npm/remark-parse@6.0.3, npm/remark-stringify@6.0.4, npm/remark@10.0.1, npm/repeat-element@1.1.4, npm/require-uncached@1.0.3, npm/resolve-from@1.0.1, npm/resolve@1.20.0, npm/restore-cursor@2.0.0, npm/ret@0.1.15, npm/rimraf@2.7.1, npm/run-async@2.4.1, npm/rx-lite-aggregates@4.0.8, npm/rx-lite@4.0.8, npm/safe-buffer@5.1.2, npm/safe-regex@1.1.0, npm/safer-buffer@2.1.2, npm/schema-utils@2.7.1, npm/shebang-command@1.2.0, npm/shebang-regex@1.0.0, npm/siema@1.5.1, npm/signal-exit@3.0.3, npm/slash@2.0.0, npm/slice-ansi@1.0.0, npm/snapdragon-node@2.1.1, npm/snapdragon-util@3.0.1, npm/snapdragon@0.8.2, npm/source-map-resolve@0.5.3, npm/specificity@0.4.1, npm/split-string@3.1.0, npm/string_decoder@1.1.1, npm/strip-ansi@4.0.0, npm/strip-indent@2.0.0, npm/strip-json-comments@2.0.1, npm/style-loader@0.21.0, npm/style-search@0.1.0, npm/stylelint@9.10.1, npm/sugarss@2.0.0, npm/supports-color@5.5.0, npm/svg-tags@1.0.0, npm/table@4.0.2, npm/text-table@0.2.0, npm/through@2.3.8, npm/tmp@0.0.33, npm/to-fast-properties@2.0.0, npm/to-regex-range@2.1.1, npm/trim-newlines@2.0.0, npm/trim-right@1.0.1, npm/type-check@0.3.2, npm/typedarray@0.0.6, npm/unicode-canonical-property-names-ecmascript@1.0.4, npm/unicode-match-property-ecmascript@1.0.4, npm/unicode-match-property-value-ecmascript@1.2.0, npm/unicode-property-aliases-ecmascript@1.1.0, npm/unified@7.1.0, npm/uniq@1.0.1, npm/unist-util-find-all-after@1.0.5, npm/unist-util-is@3.0.0, npm/uri-js@4.4.1, npm/use@3.1.1, npm/util-deprecate@1.0.2, npm/which@1.3.1, npm/word-wrap@1.2.3, npm/write@0.2.1, npm/yallist@2.1.2, npm/yargs-parser@10.1.0

View full report↗︎

fix: infra/staging/package.json & infra/staging/package-lock.json to …

99bec76

…reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-INFLIGHT-6095116 - https://snyk.io/vuln/SNYK-JS-SEMVER-3247795

Abuchtela merged commit ba16cd1 into master Oct 30, 2024
7 of 9 checks passed

Abuchtela had a problem deploying to review October 30, 2024 13:20 — with GitHub Actions Failure

Abuchtela deleted the snyk-fix-e64e865cc70b9cec497d428538332dff branch October 30, 2024 13:20

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Snyk] Security upgrade @pulumi/aws from 5.11.0 to 6.56.0 #137

[Snyk] Security upgrade @pulumi/aws from 5.11.0 to 6.56.0 #137

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

[Snyk] Security upgrade @pulumi/aws from 5.11.0 to 6.56.0 #137

[Snyk] Security upgrade @pulumi/aws from 5.11.0 to 6.56.0 #137

Uh oh!

Conversation

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

Uh oh!

Uh oh!

Uh oh!

Uh oh!