
[Snyk] Fix for 5 vulnerabilities #23

Open

one3chens wants to merge 1 commit into master from snyk-fix-90a02826993403669d15e8406a016d3a

Conversation

@one3chens
Member

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| high | 696/1000 (Proof of Concept exploit, has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS), SNYK-JS-ANSIREGEX-1583908 | Yes | Proof of Concept |
| medium | 586/1000 (Proof of Concept exploit, has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS), SNYK-JS-GLOBPARENT-1016905 | Yes | Proof of Concept |
| medium | 646/1000 (Proof of Concept exploit, has a fix available, CVSS 6.5) | Server-side Request Forgery (SSRF), SNYK-JS-REQUEST-3361831 | No | Proof of Concept |
| medium | 646/1000 (Proof of Concept exploit, has a fix available, CVSS 6.5) | Prototype Pollution, SNYK-JS-TOUGHCOOKIE-5672873 | No | Proof of Concept |
| high | 589/1000 (has a fix available, CVSS 7.5) | Prototype Pollution, SNYK-JS-UNSETVALUE-2400660 | Yes | No Known Exploit |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: cheerio. The new version differs by 18 commits.
  • 35c4917 Release 0.21.0
  • 1d2e8a7 Return undefined in .prop if given an invalid element or tag (#880)
  • df55c93 Merge pull request #884 from cheeriojs/readme-cleanup
  • bbceb09 readme updates
  • 010b718 Merge pull request #881 from piamancini/patch-1
  • 4997e70 Added backers and sponsors from OpenCollective
  • 4ccb41b Use jQuery from the jquery module in benchmarks (#871)
  • 54359c9 Document, test, and extend static `$.text` method (#855)
  • c6612f3 Fix typo on calling _.extend (#861)
  • ed60b34 0.21.0
  • 79d4e5e Update versions (#870)
  • e7d18af Use individual lodash functions (#864)
  • e65ad72 Added `.serialize()` support. Fixes #69 (#827)
  • df39f33 Update Readme.md (#857)
  • 7b59afb add extension for JSON require call
  • d0551dc remove gittask badge
  • f500197 Merge pull request #672 from underdogio/dev/checkbox.radio.values.sqwished
  • 046071a Added default value for checkboxes/radios

See the full diff

Package name: hexo-cli. The new version differs by 114 commits.
  • 0335fce Merge pull request #101 from curbengh/3.0.0
  • 3ae4402 chore(deps-dev): bump mocha from 6.2.0 to 6.2.1 (#117)
  • 01a87f7 chore(deps-dev): bump eslint from 6.4.0 to 6.5.1 (#119)
  • 10326e8 Merge pull request #114 from hexojs/dependabot/npm_and_yarn/sinon-7.5.0
  • fd09efb Merge pull request #115 from hexojs/dependabot/npm_and_yarn/acorn-7.1.0
  • 979b89e Merge pull request #116 from hexojs/dependabot/npm_and_yarn/hexo-util-1.3.1
  • 1f25ab8 chore(deps): bump hexo-util from 1.2.0 to 1.3.1
  • 82409a2 chore(deps): bump acorn from 7.0.0 to 7.1.0
  • 968a6a7 chore(deps-dev): bump sinon from 7.4.2 to 7.5.0
  • ae2fb4a Merge pull request #113 from hexojs/dependabot/npm_and_yarn/hexo-log-1.0.0
  • 9cb01b6 Bump hexo-log from 0.2.0 to 1.0.0
  • 5f33447 fix(console): formatting output (#111)
  • da3b091 Bump eslint from 6.3.0 to 6.4.0 (#110)
  • bc68c5c Bump hexo-util from 1.1.0 to 1.2.0 (#109)
  • 8085f61 Bump hexo-util from 1.0.1 to 1.1.0 (#108)
  • 39f7e71 Bump sinon from 7.4.1 to 7.4.2 (#107)
  • 396f5aa Bump hexo-fs from 1.0.2 to 2.0.0 (#106)
  • c183d2b Bump eslint from 6.2.2 to 6.3.0 (#105)
  • 9939cb6 [Security] Bump mixin-deep from 1.3.1 to 1.3.2 (#103)
  • 7394f7f Bump hexo-util from 1.0.0 to 1.0.1 (#104)
  • 1b3c068 Bump eslint from 6.2.1 to 6.2.2 (#102)
  • 673e6b8 release: 3.0.0
  • 43a34b8 fix(doc): Moved travis-ci from .org to .com (#100)
  • 8aef007 Merge pull request #99 from hexojs/dependabot/npm_and_yarn/hexo-renderer-marked-2.0.0

See the full diff

Package name: hexo-fs. The new version differs by 68 commits.
  • 780a5a9 Merge pull request #46 from curbengh/2.0.0
  • b108888 release: 2.0.0
  • 3cde091 Refactor(test): tuple to map (#45)
  • 2d2efcd Merge pull request #44 from segayuu/Refactor-test-1
  • 7d600ad Destructuring path module
  • ba54c11 Refactor test
  • bca03f3 Merge pull request #43 from segayuu/Refactor-useful-chai-as-promised
  • 21da957 Fix test: Useful chai-as-promised
  • afc4e3e Install chai-as-promised
  • 0154d8a Merge pull request #41 from curbengh/badge
  • 8fec0e0 Merge pull request #42 from hexojs/dependabot/npm_and_yarn/escape-string-regexp-tw-2.0.0
  • 9071966 Update escape-string-regexp requirement from ^1.0.5 to ^2.0.0
  • 060fcba docs(readme): fix appveyor badge
  • 726da41 docs(readme): add npm link and fix appveyor link
  • 719038e Merge pull request #37 from hexojs/dependabot/npm_and_yarn/eslint-tw-6.0.1
  • d2100fb Merge pull request #38 from curbengh/nyc
  • 8c83d6e fix: hasOwnProperty syntax
  • 35df948 chore: deprecate npmignore (#40)
  • 6e32aed chore: add node 12 to appveyor (#39)
  • 1716d2a test: replace istanbul with nyc
  • 29643ad eslint fixes
  • 491ae31 Update eslint requirement from ^5.16.0 to ^6.0.1
  • 571e1b9 fix chokidar update by removing support for nodejs 6 (#34)
  • 20cb85a Revert "Update escape-string-regexp requirement from ^1.0.5 to ^2.0.0" ([Snyk] Security upgrade cheerio from 0.20.0 to 0.22.0 one3chens/hexo#33)

See the full diff

Package name: nunjucks. The new version differs by 250 commits.
  • 53d1223 Release v3.2.1
  • 93129bf Replace yargs with commander
  • 17691da Chokidar bump
  • 40dfdf0 Remove dead link
  • cefb1cf Prevent optional dependency Chokidar from loading when not watching
  • 1485a44 Add badges in README.md
  • 2246457 Add Mozilla Code of Conduct file
  • ff5571c Release v3.2.0
  • f997a52 Add NodeResolveLoader
  • 34b0a26 Fix syntax typos in CONTRIBUTING.md
  • 55e0b7a Set dash as joiner element
  • c99154e Update faq.md
  • 1338712 Emit 'load' events on Loader and Environment instances
  • 057e7b3 Add test for line/column info in user-function exception
  • bcf38f3 Emit line and column info for functions
  • fbddcd5 lexer more accurately tracks token line and column information
  • 889ef80 Add nodejs versions 10 and 11 to CI, remove 6 and 9
  • b828158 Fix documentation typo
  • 1370361 v3.1.7
  • 0a65e1f Fixes for replace example
  • 2946fb4 Removed postinstall-build in favor of npm prepare script
  • 9fd5bdb Add link to Plugin syntax highlighting for VSCode
  • 68ba15c Fix bug where exceptions were silently swallowed with synchronous render
  • 7c187ac tests: fix issue running tests on node 10.x

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-side Request Forgery (SSRF)
🦉 Prototype Pollution
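Two of the five advisories in this PR (tough-cookie and unset-value) are Prototype Pollution. As an added example that is not code from this PR, from Snyk, or from either of those packages, the hypothetical deep-property setter below shows the bug class in the shape such libraries commonly take: a dotted path taken from untrusted input is walked with `[]`, so a path segment of `__proto__` lands the final write on `Object.prototype`, and every plain object in the process then inherits the attacker's property. The hardened setter beside it refuses the three keys that reach the prototype chain, only descends through own properties, and creates intermediate objects with a null prototype. The function names, `setPathUnsafe` and `setPathSafe`, and the `__proto__.isAdmin` input are constructed for this example.

```javascript
// Added example; not code from this PR or from unset-value / tough-cookie.

// Naive deep setter: walks a dotted path and assigns the final key.
// "__proto__" is treated like any other key, so "__proto__.isAdmin"
// steps onto Object.prototype and writes isAdmin there.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Keys that reach the prototype chain from any plain object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened deep setter: rejects prototype-reaching keys up front, descends
// only through own properties, and builds intermediates without a prototype
// so that even an inherited property cannot be used as a stepping stone.
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new Error(`refusing to set prototype-reaching key: ${k}`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Runs both setters against constructed attacker input (the kind of path a
// JSON body or query string might supply) and reports what happened to an
// unrelated object. The pollution is removed again so the process stays usable.
function demonstrate() {
  const attackerPath = '__proto__.isAdmin'; // constructed attacker input

  setPathUnsafe({}, attackerPath, true);
  const bystander = {};
  const polluted = bystander.isAdmin === true; // inherited from Object.prototype
  delete Object.prototype.isAdmin;             // clean up after the demonstration

  let rejected = false;
  try {
    setPathSafe({}, attackerPath, true);
  } catch (e) {
    rejected = true;
  }
  const stillClean = ({}).isAdmin === undefined;

  return { polluted, rejected, stillClean };
}

console.log(JSON.stringify(demonstrate()));
```

The `hasOwnProperty` check matters as much as the key blocklist: without it, a path like `a.__proto__` is already rejected, but a setter that descends through inherited properties can still be steered by whatever a parent object happens to inherit. Prototype pollution is also why the ReDoS and SSRF entries in the same PR should not be the only ones read closely: a polluted `Object.prototype` changes the behaviour of every library that reads options from plain objects.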


Development

Successfully merging this pull request may close these issues.

generate error