Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 8 vulnerabilities #36

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 8 vulnerabilities #36

wants to merge 1 commit into from

Conversation

snyk-bot
Copy link

@snyk-bot snyk-bot commented Jun 3, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Prototype Pollution
SNYK-JS-ASYNC-2441827		 Yes Proof of Concept
high severity 630/1000
Why? Has a fix available, CVSS 8.1		 Internal Property Tampering
SNYK-JS-BSON-561052		 Yes No Known Exploit
medium severity 526/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 4.1		 Arbitrary Code Injection
SNYK-JS-EJS-1049328		 Yes Proof of Concept
high severity 726/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.1		 Remote Code Execution (RCE)
SNYK-JS-EJS-2803307		 Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JS-ENGINEIO-1056749		 Yes Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JS-ENGINEIO-3136336		 Yes No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JS-MONGODB-473855		 Yes No Known Exploit
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6		 Prototype Pollution
SNYK-JS-MONGOOSE-1086688		 Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: mongodb The new version differs by 250 commits.
  • c6f417e chore(release): 3.1.13
  • 210c71d fix(db_ops): ensure we async resolve errors in createCollection
  • 5ad9fa9 fix(changeStream): properly handle changeStream event mid-close (#1902)
  • e806be4 fix(bulk): honor ignoreUndefined in initializeUnorderedBulkOp
  • 050267d fix(*): restore ability to webpack by removing `makeLazyLoader`
  • 6e896f4 docs: adding aggregation, createIndex, and runCommand examples
  • cb3cd12 chore(release): 3.1.12
  • 508d685 Revert "chore(release): 3.2.0"
  • e7619aa chore(release): 3.2.0
  • d0dc228 chore(travis): include forgotten stage info for sharded builds
  • ffbe90b chore(travis): run sharded tests in travis as well
  • 9bef6e7 feat(core): update to mongodb-core v3.1.11
  • e4bb39e chore(release): 3.1.11
  • 76c0130 chore(core): bump version of mongodb-core
  • a3adb3f fix(bulk): fix error propagation in empty bulk.execute
  • ec0e30e doc(change-streams): correct typo, add missing example
  • 10ea992 chore(package): update lock file
  • fcb3ec1 test(sharded): reduce some sharded errors
  • d4eae97 test(sessions): undo hack for apm events in sessions tests
  • 0eaca21 test(sessions): fixing broken session test
  • 6790a74 test(sharding): fixing old sharding tests
  • 98f0c68 test(sharded): fixing sharded operation test
  • c6a9baa test(sessions): fixing session tests in sharded env
  • 985f0e9 test(drop): fixing drop assertions for sharded tests

See the full diff

Package name: mongoose The new version differs by 250 commits.
  • 5549f26 chore: release 5.12.2
  • 4b1aaac Merge pull request #10050 from SoftwareSing/fix-bulkwrite-with-timestamps-false
  • 3759f34 chore: address CR comments
  • 5ffbb8e fix(query): apply schema-level `select` option from array schematypes
  • 7d19c9f test(query): repro #10029
  • 4b0052e fix(schema): support setting `ref` as an option on an array SchemaType
  • 171c31f test(schema): repro #10029
  • 96f7905 fix(index.d.ts): make query methods return `QueryWithHelpers` so query helpers pass through chaining
  • 04f880f fix(index.d.ts): add back `Aggregate#project()` types that were mistakenly removed in 5.12.0
  • 9a3a7b4 style: fix lint
  • 91f003a Merge pull request #10053 from 418sec/1-npm-mongoose
  • 3ed44ff Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path #1 from zpbrent/patch-2
  • 00e059d fix(index.d.ts): add `upserted` array to `updateOne()`, `updateMany()`, `update()` result
  • 003e477 add missing issue number
  • 0101ab8 fix(bulkwrite): make bulkWrite can work with `timestamps: false`
  • 9559c46 test(bulkwrite): repro #10048
  • 1bb97ba chore: update opencollective sponsors
  • 5888269 docs(mongoose browser): fix broken links to info about `mongoose.Types`
  • 43b0cfa Merge branch 'master' of github.com:Automattic/mongoose
  • 03905c5 fix(index.d.ts): always allow setting `type` in Schema to a SchemaType class or a Schema instance
  • 422620b Merge pull request #10015 from Automattic/gh-9982
  • 7b14258 test(QueryCursor): fix tests from #10015
  • f2651d7 docs(transactions): introduce `session.withTransaction()` before `session.startTransaction()` because `withTransaction()` is the recommended approach
  • 61d313b chore: update opencollective sponsor logo

See the full diff

Package name: socket.io The new version differs by 154 commits.
  • 1af3267 chore(release): 3.0.0
  • 02951c4 chore(release): 3.0.0-rc4
  • 54bf4a4 feat: emit an Error object upon middleware error
  • aa7574f feat: serve msgpack bundle
  • 64056d6 docs(examples): update TypeScript example
  • cacad70 chore(release): 3.0.0-rc3
  • d16c035 refactor: rename ERROR to CONNECT_ERROR
  • 5c73733 feat: add support for catch-all listeners
  • 129c641 feat: make Socket#join() and Socket#leave() synchronous
  • 0d74f29 refactor(typings): export Socket class
  • 7603da7 feat: remove prod dependency to socket.io-client
  • a81b9f3 docs(examples): add example with TypeScript
  • 20ea6bd docs(examples): add example with ES modules
  • 0ce5b4c chore(release): 3.0.0-rc2
  • 8a5db7f refactor: remove duplicate _sockets map
  • 2a05042 refactor: add additional typings
  • 91cd255 fix: close clients with no namespace
  • 58b66f8 refactor: hide internal methods and properties
  • 669592d feat: move binary detection back to the parser
  • 2d2a31e chore: publish the wrapper.mjs file
  • ebb0575 chore(release): 3.0.0-rc1
  • c0d171f test: use the reconnect event of the Manager
  • 9c7a48d test: use the complete export name
  • 4bd5b23 feat: throw upon reserved event names

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Arbitrary Code Injection
🦉 Denial of Service (DoS)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@snyk-bot