[Snyk] Fix for 5 vulnerabilities#30

Open

snyk-bot wants to merge 1 commit intomasterfrom

snyk-fix-dbd881abe26ea56319a1e0747eb2a1a2

snyk-bot commented Apr 30, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	741/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.4	Command Injection npm:shell-quote:20160621	Yes	Proof of Concept
	629/1000 Why? Has a fix available, CVSS 8.3	Improper minification of non-boolean comparisons npm:uglify-js:20150824	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: browserify

The new version differs by 42 commits.

e19f256 12.0.0
c881c07 update devdeps
c77bf33 update glob and shell-quote
c35f73e update builtins deps
da949a1 update deps for streams3
e3fbe7d update module-deps & fix symlink bug (also uses streams3)
df43933 remove unused deps
dca78a6 update browser-pack & fix charset bug (also uses streams3)
46aba9f use latest node in travis
76b60a9 remove node 0.8 from travis
f5a82d8 Merge pull request #1362 from mnichols/master
185be39 Merge pull request #1393 from emilbayes/patch-1
d48ec61 Merge pull request #1396 from stevemao/patch-3
d847221 travis: test on node4 not "4.0.0"
a212016 Links to the wrong querystring module
b7cf5be 11.2.0
bb2a99d Merge pull request #1361 from substack/fix-bare
e781d9d Merge pull request #1377 from demohi/patch-2
05d7861 update package.json version
85e4b9d 11.1.0
c1c6b72 browserify adds the '.' in case you forget it
97a122e Update travis Node.js version & remove io.js
1b73d9b bump buffer to 3.4.3 to fix maximum call stack exceeded errors
cf32d77 Exclude "process" and "buffer" when "bundleExternal === false"

See the full diff

Package name: gulp-less

The new version differs by 11 commits.

9d9e96f chore: update deps, publish v5
ea13d8a Merge pull request #313 from MisterLuffy/master
7ce4b9b feat: support less v4
1a9d694 Merge pull request #314 from stamminator/master
b1a3e18 Update .travis.yml
ecacdf7 Fix links after moving repo
403b696 4.0.1
0678856 Upgrade less version to 3.7.1
6114989 Update README.md (#292)
7d9df97 4.0.0
cde149b Update accord to support less@3.0.0 - closes #269

See the full diff

Package name: gulp-uglify

The new version differs by 126 commits.

76b5b3a fix(package): update files array
5d4c4c6 chore(all): refactor unit tests
f2b779b feat(composer): implement new API for composing deps
dbbba30 fix(minify): log warnings to gulplog
4cc8751 feat(uglify): add support for UglifyJS3
ad73ab8 chore(pkg): update dependencies, run lint
4656fe5 2.1.2
ba83a45 fix(package): move eslint dependencies to dev
3d0f155 2.1.1
c722ab9 fix(errors): restore file and line info
da3e18f chore(prettier): setup prettier
ec8ba54 fix(tests): UglifyJS errors use "message" property
6c336ec v2.1.0
35c33f1 chore(uglifyjs): loosen uglify-js pin
74b6eff 2.0.1
832b427 chore(package): update uglify-js to version 2.7.5
1bf0f72 docs(README): link to Why Use Pump?
ccdc482 docs(pump): fix typo
5ddafd2 chore(package): update uglify-js to version 2.7.4
d5801ca chore(greenkeeper): ignore "gulp-sourcemaps" dependency
129df84 chore(package.json): update repository field
533ee01 fix(package): update uglify-js to version 2.7.3
1f2c508 docs(why-use-pump): fix plugin name
2829956 docs(README): fix typo

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	629/1000 Why? Has a fix available, CVSS 8.3	Improper minification of non-boolean comparisons npm:uglify-js:20150824	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Remote Code Execution (RCE)
🦉 Regular Expression Denial of Service (ReDoS)


          fix: package.json & .snyk to reduce vulnerabilities

f4a2e97

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-SHELLQUOTE-1766506
- https://snyk.io/vuln/SNYK-JS-UGLIFYJS-1727251
- https://snyk.io/vuln/npm:shell-quote:20160621
- https://snyk.io/vuln/npm:uglify-js:20150824
- https://snyk.io/vuln/npm:uglify-js:20151024


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/npm:uglify-js:20150824

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet