New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Security upgrade lerna from 3.22.1 to 5.1.8 #136

Open

Manny27nyc wants to merge 1 commit into master from snyk-fix-d1a6d76cbaa0d7fe18979295f397e644

Owner

Manny27nyc commented Nov 28, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASHSET-1320032	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Authorization Bypass Through User-Controlled Key SNYK-JS-PARSEPATH-2936439	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: lerna

The new version differs by 250 commits.

c567a29 chore(release): v5.1.8
f954404 fix: update git-url-parse to v12 ([REF] show no value for zero amount transactions bitpay/bitcore#3231)
f74c08c docs: fix typo
e4acb28 chore: fix formatting after publish
0e47379 chore(release): v5.1.7
ead461e fix(run): add double quotes around script target containing colon (BWS persistent config bitpay/bitcore#3218)
041f581 chore: add some version e2e coverage for --conventional-prerelease and --conventional-graduate (Error "pathspec '4.0' did not match any file(s) known to git." bitpay/bitcore#3224)
0eb7f7b docs(website): enable search (LET SMILEY GRADUATE POWER POINT bitpay/bitcore#3222)
87278f0 chore: set longer jest timeout for version conventional commits e2e
11c8247 docs: add info about npm automation tokens (increase search input padding to avoid text and search icon overlap on desktop view bitpay/bitcore#2825)
808132f chore: more e2e coverage for conventional-commits ([FIX] ERC20 chain issue 2 bitpay/bitcore#3221)
1129224 docs: add configuration guide
54b693d chore: add initial coverage for version --conventional-commits (Docker Image not available bitpay/bitcore#3213)
73492e2 chore: share normalization logic in jest serializers (Feature/cleanup script bitpay/bitcore#3212)
93d2501 chore: fix typo in getting-started.md ([FIX] Insight - LTC bitpay/bitcore#3206)
7493610 chore: add some initial e2e coverage for version (Insight/hashing assets bitpay/bitcore#3209)
edf59da chore(release): v5.1.6
f80d03c fix: lerna run parallel should maximize concurrency with useNx ([FIX] Point does not lie on the curve error bitpay/bitcore#3205)
a8b4ce4 chore: use ssh-agent 0.5.4 in github actions ([BWS] Doge and LTC chain tests bitpay/bitcore#3204)
f7bc7a5 chore: tweak fixture insantiation
f1c765b chore: add contributors
fe4be62 chore: refactor e2e test implementation (Auto load modules for configured chains bitpay/bitcore#3203)
18b1b54 chore: e2e test structure (Fix uncaught error in XRP ledeger query bitpay/bitcore#3200)
ef1ff4b chore(release): v5.1.5

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)


          fix: package.json & package-lock.json to reduce vulnerabilities

5f2a17f

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783
- https://snyk.io/vuln/SNYK-JS-LODASHSET-1320032
- https://snyk.io/vuln/SNYK-JS-LODASHTEMPLATE-1088054
- https://snyk.io/vuln/SNYK-JS-PARSEPATH-2936439
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
- https://snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment