[Snyk] Fix for 4 vulnerabilities #11

snyk-bot · 2021-10-19T19:09:09Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
389/1000 Why? Has a fix available, CVSS 3.5	Improper Input Validation SNYK-JS-ACTIONSCORE-1015402	No	No Known Exploit
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: eslint

The new version differs by 250 commits.

145aec1 7.16.0
83518a5 Build: changelog update for 7.16.0
a62ad6f Update: fix false negative of no-extra-parens with NewExpression (#13930)
f85b4c7 Fix: require-atomic-updates false positive across await (fixes #11954) (#13915)
301d0c0 Fix: no-constant-condition false positives with unary expressions (#13927)
555c128 Fix: false positive with await and ** in no-extra-parens (fixes #12739) (#13923)
d93c935 Docs: update JSON Schema links (#13936)
8d0c93a Upgrade: table@6.0.4 (#13920)
9247683 Docs: Remove for deleted npm run profile script (#13931)
ab240d4 Fix: prefer-exponentiation-operator invalid autofix with await (#13924)
dc76911 Chore: Add .pre-commit-hooks.yaml file (#13628)
2124e1b Docs: Fix wrong rule name (#13913)
06b5809 Sponsors: Sync README with website
26fc12f Docs: Update README team and sponsors
902a032 7.15.0
6356778 Build: changelog update for 7.15.0
5c11aab Upgrade: @ eslint/esintrc and espree for bug fixes (refs #13878) (#13908)
0eb7957 Upgrade: file-entry-cache@6.0.0 (#13877)
683ad00 New: no-unsafe-optional-chaining rule (fixes #13431) (#13859)
cbc57fb Fix: one-var autofixing for export (fixes #13834) (#13891)
110cf96 Docs: Fix a broken link in working-with-rules.md (#13875)
0cb81a9 7.14.0
fb3a594 Build: changelog update for 7.14.0
5f09073 Update: fix 'skip' options in no-irregular-whitespace (fixes #13852) (#13853)

See the full diff

Package name: eslint-plugin-github

The new version differs by 42 commits.

6d821c9 3.2.1
a5674d5 Merge pull request Manage your Location History - Google Search Help jpoehnelt/secrets-sync-action#77 from github/update-packages
531e57e remove eslint-plugin-jest that is not used
7a33644 update dependencies and set >= as the version operator
8a40ad7 3.2.0
dc2f3e8 Merge pull request Action takes a very long time to execute with no status when an user has access to hundreds of repositories jpoehnelt/secrets-sync-action#76 from github/feat-follow-symlinks-in-dependency-graph
754038c feat: follow symlinks in dependency graph
40f8d9a 3.1.3
781fd4d Merge pull request Documentation README.md should include version info jpoehnelt/secrets-sync-action#74 from github/fix-ts-ext
0bf51c1 Update github-lint.js
b3b4e53 3.1.2
dd60ecb Merge pull request BotsConfiguration.BotsConfigurationBuilder (Oracle Android SDK 22.02 API) jpoehnelt/secrets-sync-action#73 from github/support-eslint-6-1
6d044b3 style: fix lint errors
e1880f8 fix: add support for Eslint 6 in stylish-fixes
9f6171d eslint-plugin-github 3.1.1
c4c5aee eslint-plugin-github 3.1.0
d60f23e Merge pull request Setting your commit Email dreamlivehaven@gmail.com jpoehnelt/secrets-sync-action#71 from github/flow-to-typescript
fac30d5 Add flow-to-typescript transitioning rule
91ea0fe Merge pull request Value jpoehnelt/secrets-sync-action#72 from github/fix-build
7aa2cea Update node versions
17bf3c9 Stay on eslint@5
2482a48 Check in package-lock file
bcea7f3 Trigger CI
0a462d1 eslint-plugin-github 3.1.0-beta.4

See the full diff

Package name: jest

The new version differs by 250 commits.

343532a v26.0.0
075854a chore: update changelog for release
68b65af v26.0.0-alpha.2
d30a586 fix: disallow hook definitions in tests (#9957)
3375ac3 chore: remove unused prettier uninstall step from CI
0a63d40 fix: absolute path moduleNameMapper + jest.mock issue (#8727)
03dbb2f chore: fix watch mode test with utimes (#9967)
68d12d5 chore: skip broken test on windows (#9966)
e8e8146 align circus with jasmine's top-to-bottom execution order (#9965)
968a301 Fix invalid re-run of tests in watch mode (#7347)
5d1be03 chore: fix windows CI (#9964)
2bac04f v26.0.0-alpha.1
c665f22 feat: add `createMockFromModule` to replace `genMockFromModule` (#9962)
8147af1 chore: improve error on module not found (#9963)
71631f6 feat: add new 'modern' implementation of Fake Timers (#7776)
d7f3427 chore: rename LolexFakeTimers to ModernFakeTimers (#9960)
2c7682c Update index.js (#9095)
5a16415 docs: Updated Testing Frameworks guide with React; make it generic (#9106)
4216b86 updated docs regarding testSequencer (#9174)
2e8f8d5 fix: handle `null` being passed to `createTransformer` (#9955)
7a3c997 jest-circus: throw if a test / hook is defined asynchronously (#8096)
42f920c chore: update ts-eslint (#9953)
3078172 Updated config docs with default transform value (#8583)
b6052e0 Update jest-phabricator documentation (#8662)

See the full diff

Package name: jest-circus

The new version differs by 22 commits.

ff9269b chore: bump most dated deps (#8850)
7594141 chore: upgrade to eslint@6 (#8855)
b33ce0d chore: upgrade to micromatch v4 (#8852)
d6ff72a chore: add node 12 to CI (#8411)
7e9b4ea chore: upgrade jsdom (#8851)
4bb7a2d Use `weak-napi` instead of `weak` in `jest-leak-detector`
ce47c6c Get rid of Node 6 support (#8455)
bc5c3c7 jest-snapshot: Remove only the added newlines in multiline snapshots (#8859)
d523fa8 bug.md: highlights placeholder should be removed (#8836)
08f109c expect: Display expectedDiff more carefully in toBeCloseTo (#8389)
b09de2d chore: bump node-notifier for node v6 support
557a39f fix(linter): Fix linting failure introduced in #8847 😓 (#8849)
012472b fix(docs): Update broken links in docs. (#8847)
ee2bea1 chore: sort member in imports (#8846)
9ba4594 add Chinese Jest work with AngularJS tutorial (#8828)
0e5b363 chore: reduce reliance on esModuleInterop (#8842)
d69f8d3 getTimerCount will not include cancelled immediates (#8764)
b4bd77b Fix grammar: "your jest's config"->"your Jest..." (#8843)
54b3dcf Fix grammar: "a known issues"->"a known issue" (#8844)
e76c7da docs: update matchMedia methods (#8835)
23b9860 chore: roll new version of docs
3cdbd55 Release 24.9.0

See the full diff

Package name: ts-jest

The new version differs by 210 commits.

ad58c9b chore(release): 25.3.0
949e3e1 chore: update package-lock.json
b8ebf36 docs: add Troubleshoting section (#1463)
8b5325e chore(transformer): only do type checking for js/jsx/ts/tsx file (#1464)
58b05b1 chore: replace travis-ci.org with travis-ci.com (#1469)
79e8fdf build(deps-dev): bump jest from 25.2.3 to 25.2.4 (#1468)
dddce1c build(deps-dev): bump @ jest/transform from 25.2.3 to 25.2.4 (#1467)
d811bae build(deps-dev): bump lint-staged from 10.0.9 to 10.0.10 (#1466)
ecc8312 build(deps-dev): bump @ types/react from 16.9.26 to 16.9.27 (#1462)
c10ad4a chore(compiler): improve performance for language service (#1461)
455ee5b build(deps-dev): bump @ jest/transform from 25.2.1 to 25.2.3 (#1459)
1641cfb build(deps-dev): bump jest from 25.2.2 to 25.2.3 (#1460)
3010ec8 build(deps-dev): bump @ jest/types from 25.2.1 to 25.2.3 (#1458)
26a81f0 build(deps-dev): bump @ types/react from 16.9.25 to 16.9.26 (#1457)
99c552d build(deps-dev): bump jest from 25.2.1 to 25.2.2 (#1455)
5214f1b build(deps): bump yargs-parser from 18.1.1 to 18.1.2 (#1456)
79478ae build(deps-dev): bump tslint-plugin-prettier from 2.2.0 to 2.3.0 (#1454)
107e062 fix: always do type check for all files provided to ts-jest transformer (#1450)
1e34075 build(deps-dev): bump @ jest/types from 25.2.0 to 25.2.1 (#1452)
ba5a6c4 build(deps-dev): bump @ jest/transform from 25.2.0 to 25.2.1 (#1451)
e857f5b build(deps-dev): bump jest from 25.2.0 to 25.2.1 (#1453)
4981da8 Merge pull request #1447 f 8000 rom kulshekhar/dependabot/npm_and_yarn/jest/types-25.2.0
ea8240a Merge pull request #1448 from kulshekhar/dependabot/npm_and_yarn/jest/transform-25.2.0
e50db11 build(deps-dev): bump @ jest/types from 25.1.0 to 25.2.0

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-ACTIONSCORE-1015402 - https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908 - https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381 The following vulnerabilities are fixed with a Snyk patch: - https://snyk.io/vuln/SNYK-JS-LODASH-567746

pr-triage bot added the PR: unreviewed label Oct 19, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Snyk] Fix for 4 vulnerabilities #11

[Snyk] Fix for 4 vulnerabilities #11

Uh oh!

Uh oh!

Uh oh!

[Snyk] Fix for 4 vulnerabilities #11

Are you sure you want to change the base?

[Snyk] Fix for 4 vulnerabilities #11

Uh oh!

Conversation

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

With a Snyk patch:

Uh oh!

Uh oh!