Skip to content

[Snyk] Fix for 2 vulnerabilities #8

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jugnu-appveen wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 2 vulnerabilities #8

jugnu-appveen wants to merge 1 commit into from

Conversation

@jugnu-appveen
Copy link

@jugnu-appveen jugnu-appveen commented Oct 16, 2023

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 531/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 4.2		 Prototype Pollution
SNYK-JS-IOREDIS-1567196		 No Proof of Concept
high severity 726/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.1		 Prototype Pollution
SNYK-JS-MONGOOSE-5777721		 No Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: ioredis The new version differs by 93 commits.
  • 0587353 chore(release): 4.27.8 [skip ci]
  • 7d73b9d fix: handle malicious keys for hgetall (#1416)
  • 17c7595 chore: fix potential security vulnerabilities [skip ci]
  • a13eddc chore(release): 4.27.7 [skip ci]
  • d7477aa fix(cluster): fix autopipeline with keyPrefix or arg array (#1391)
  • beefcc1 docs(README): fix docs typo (#1385)
  • cae7fc5 chore(release): 4.27.6 [skip ci]
  • 42f1ee1 fix: fixed autopipeline performances. (#1226)
  • 71f2994 chore(release): 4.27.5 [skip ci]
  • f02e383 fix(SENTINEL): actively failover detection under an option (#1363)
  • c87ea2a chore(release): 4.27.4 [skip ci]
  • 62b6a64 perf: Serialize error stack only when needed (#1359)
  • d4a55b5 chore(release): 4.27.3 [skip ci]
  • abd9a82 fix: autopipeling for buffer function (#1231)
  • e0cfea1 chore(release): 4.27.2 [skip ci]
  • aa9c5b1 fix(cluster): avoid ClusterAllFailedError in certain cases
  • aafc349 chore(release): 4.27.1 [skip ci]
  • d65f8b2 fix: clears commandTimeout timer as each respective command gets fulfilled (#1336)
  • 9e140f0 chore(release): 4.27.0 [skip ci]
  • a464151 feat(sentinel): detect failover from +switch-master messages (#1328)
  • 6b821af docs: add CONTRIBUTING note
  • dac428d chore(release): 4.26.0 [skip ci]
  • 2e388db feat(cluster): apply provided connection name to internal connections
  • 81b9be0 fix(cluster): subscriber connection leaks

See the full diff

Package name: mongoose The new version differs by 42 commits.
  • 0f3997a chore: release 5.13.20
  • f1efabf fix: avoid prototype pollution on init
  • 98e0762 chore: release 5.13.19
  • 7e36d21 chore: release 5.13.18
  • 6759c60 undo accidental changes and actually pin @ types/json-schema
  • 4ed4a89 chore: pin version of @ types/json-schema because of install issues on node v4 and v6
  • 9a9536d Merge pull request #13535 from lorand-horvath/patch-12
  • 26424d5 5.x - bump mongodb driver to 3.7.4
  • 4b8b0a9 add versionNumber to 5.x
  • 1bc07ec chore: release 5.13.17
  • 3f827b3 Merge branch '5.x' of github.com:Automattic/mongoose into 5.x
  • eeabe5f chore: run CI tests on ubuntu 20.04 because 18.04 no longer supported
  • 14464d1 Merge pull request #13195 from raj-goguardian/gh-13192
  • 7e888e4 fix(update): handle $and & $or in array filters.
  • 5dd0a4e Merge pull request #13138 from rdeavila94/gh-13136
  • c8191da Update model.indexes.test.js
  • 7364264 Update model.indexes.test.js
  • 77b9d99 Updated the isIndexEqual function to take into account non-text indexes when checking compound indexes that include both text and non-text indexes
  • 9dd82be Merge pull request #13132 from rdeavila94/gh-12654
  • d0e149b Merge pull request #12737 from Automattic/vkarpov15/gh-12654
  • e76c41c chore: release 5.13.16
  • cdab11e chore: remove Node 5 and 7 from CI because GitHub actions is bugging out with them
  • e33a8be fix(types): add missing typedefs for bulkSave() to 5.x
  • 896cd76 Merge pull request #12692 from hasezoey/backportLinkUpdate

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jugnu-appveen @snyk-bot