
Fixes for vulnerabilities in yaml, minimist and got dependencies #468

Open
mluk-sastrify opened this issue Apr 27, 2023 · 1 comment
Labels
dependencies Pull requests that update a dependency file

Comments

@mluk-sastrify

Describe the bug
The SNYK vulnerability scan picked up some packages with exploits.

To Reproduce
Run vulnerability scan for the dependencies

Expected behavior
Dependency packages are bumped to versions with fixes:
yaml@2.2.2
minimist@0.2.4, @1.2.6
got@11.8.5, @12.1.0

Additional context
SNYK vulnerabilities scan:
[screenshot of the Snyk scan results; image not preserved]

@javierbrea javierbrea added the dependencies Pull requests that update a dependency file label May 3, 2023
@monolithed

# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install @mocks-server/main@3.2.0, which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        @mocks-server/core  >=3.3.0
        Depends on vulnerable versions of update-notifier
        node_modules/@mocks-server/core
          @mocks-server/main  >=3.3.0
          Depends on vulnerable versions of @mocks-server/core
          Depends on vulnerable versions of @mocks-server/plugin-admin-api
          Depends on vulnerable versions of @mocks-server/plugin-inquirer-cli
          Depends on vulnerable versions of @mocks-server/plugin-openapi
          Depends on vulnerable versions of @mocks-server/plugin-proxy
          node_modules/@mocks-server/main
          @mocks-server/plugin-admin-api  >=3.2.0
          Depends on vulnerable versions of @mocks-server/core
          node_modules/@mocks-server/plugin-admin-api
          @mocks-server/plugin-inquirer-cli  >=3.2.0
          Depends on vulnerable versions of @mocks-server/core
          node_modules/@mocks-server/plugin-inquirer-cli
          @mocks-server/plugin-openapi  *
          Depends on vulnerable versions of @mocks-server/core
          node_modules/@mocks-server/plugin-openapi
          @mocks-server/plugin-proxy  >=3.0.0
          Depends on vulnerable versions of @mocks-server/core
          node_modules/@mocks-server/plugin-proxy

10 moderate severity vulnerabilities

No branches or pull requests

3 participants