[Snyk] Fix for 20 vulnerabilities #32

neolivz · 2023-11-28T14:26:36Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-CSSWHAT-3035488	Yes	Proof of Concept
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-DECOMPRESSTAR-559095	No	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	No	Proof of Concept
484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	No	No Known Exploit
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	No	Proof of Concept
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-NTHCHECK-1586032	Yes	Proof of Concept
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	No	Proof of Concept
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: npm-check

The new version differs by 209 commits.

eff52bc 6.0.1
c6e9911 update package-lock, add renovate.json.
3c8798d Latest packages; added basic yarn support; added rc file depcheck api support (#397)
f92f449 Merge pull request #411 from abernier/patch-1
4a261a4 updated `npm-outdated` doc link
f8ce810 5.9.2
edc4a6d Downgrade depcheck to restore older Node.js support
dcb8bbe 5.9.1
c610aa8 Merge pull request #368 from omrilotan/2019-10-29-fix-vuln
ce892a9 Update depcheck
4b633e2 Fix vulnerabilities
f569c7d Merge pull request #326 from mansona/fixing-ci
b713af5 adding later node versions to CI
76cefd6 fixing CI for Node 4
f47c605 Merge pull request #321 from dyun8080/patch-1
24d7b70 fix: npm run lint
bda767d 5.9.0
6d6eb6e Merge pull request #307 from dylang/depcheck-0-6-11
7065511 feat: bump depcheck dependency
72054dd 5.8.0
042c7f6 Merge pull request #294 from zkochan/master
5d5bc0e feat: use pnpm on projects that previously used pnpm
258bc6b 5.7.1
64e5532 Merge pull request #289 from dylang/drop-merge-options

See the full diff

Package name: yeoman-generator

The new version differs by 171 commits.

9e4ccf5 2.0.0
a29e5d9 Bump dependencies
96da393 Bump package-lock.json
4b1b841 Replace gulp with raw Mocha
6effbfe Use raw nsp
183b3a8 Get rid of before/after (toward jest migration)
68d59c1 Add package-lock.json
f8e46b0 Don't die on diffing file deletions (again) (#1028)
edc2bf2 [comments] Change wrong param name in description (#1018)
364606e Switch to `make-dir`
eaf1ade New: option shorthand on installDependencies method (#1015)
e296e52 Bump XO and minor style tweaks
9da7391 Bump dependencies
b010701 More ES2015ifing
cfd2a8e Refactor install methods to handle promises - ref #1006
1be88e6 Remove callback API from Genrator#github.username() in favor of Promise one - ref #1006
00912ce Remove class-extend (isn't necessary with ES6), clean jsdoc
2cab46e Get rid of some dependencies
6553965 More ES2015ification
d535bac Initial ES2015ification
80863b0 1.1.1
af3048f Fix issue with API documentation deploy script
74cb46f Document legacy Generator.extend method properly - rel #996
6d267f0 Use XO