[Snyk] Fix for 1 vulnerabilities #54

Open
wants to merge 1 commit into
base: master
@ekmixon ekmixon commented Feb 11, 2024

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
⚠️ Warning
Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
| --- | --- | --- | --- | --- |
| high severity | 823/1000 (Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.6) | Server-side Request Forgery (SSRF), SNYK-JS-IP-6240864 | Yes | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: nightwatch The new version differs by 250 commits.
  • efb9468 2.0.1
  • d4df3f3 updated readme
  • 5459c74 2.0.0
  • 9b1a125 2.0.0-dev.23
  • a44f536 updated cucumber to RC2 and fixed a small issue
  • 202e2f0 2.0.0-dev.22
  • 17b0ff3 fixed assertion name in examples
  • 95bdc25 2.0.0-dev.21
  • 0de9e5f updated example tests and output formatting
  • 73f9c96 2.0.0-dev.20
  • 6238933 2.0.0-dev.19
  • 8cb5b7f 2.0.0-rc.0
  • 6e57d49 updated api docs
  • f873e78 added high-level tests for expect() (#3013)
  • a328977 Refactoring tests for new element commands (#3012)
  • 4025048 Update CONTRIBUTING.md
  • 55ac7bf updated api docs for some assertions
  • 5296838 Merge branch 'main' of github.com:nightwatchjs/nightwatch
  • 80fb01a added several new assertions
  • f0baa6b 2.0.0-dev.19
  • cfdea8c Merge branch 'gravityvi-features/get-child-element-commands'
  • bb3ac87 Fix #2955 - an issue caused by missing the browserName capability
  • 9e1fe15 Added textEquals assertion (#2972)
  • 0e8b0b9 test case added for #2539 (#2979)

See the full diff

Package name: webpack-dev-server The new version differs by 250 commits.
  • 5aad1e7 chore(release): 4.8.0
  • 28ad7ed chore(deps): bump graceful-fs from 4.2.9 to 4.2.10 (#4368)
  • 7920364 feat: export initialized socket client (#4304)
  • 4e7800e chore: update webpack (#4367)
  • fbda2a8 chore(deps-dev): bump body-parser from 1.19.2 to 1.20.0 (#4366)
  • 67c080b chore(deps-dev): bump puppeteer from 13.5.1 to 13.5.2 (#4361)
  • 56ec411 chore(deps): bump html-entities from 2.3.2 to 2.3.3 (#4358)
  • ca8a53a chore: update deps and fix audit (#4356)
  • 501f6aa chore(deps-dev): bump @babel/runtime
  • 7d2b4f0 chore(deps-dev): bump @babel/core
  • 95e26fe test: add cases for `webSocketURL` with `server` option (#4346)
  • 84b4774 chore: migrate script for examples on `setupMiddlewares` option (#4347)
  • a7ccab1 chore: replace deprecated String.prototype.substr() (#4343)
  • 1bf2614 chore(deps-dev): bump lint-staged from 12.3.6 to 12.3.7 (#4344)
  • 188497a chore(deps-dev): bump prettier from 2.5.1 to 2.6.0 (#4339)
  • 7560a37 chore(deps-dev): bump lint-staged from 12.3.5 to 12.3.6 (#4341)
  • dc2d6f7 chore(deps): bump http-proxy-middleware from 2.0.3 to 2.0.4 (#4333)
  • 552e4ab chore(deps-dev): bump @babel/runtime
  • af3de07 chore(deps-dev): bump @babel/core
  • a80fa1f chore(deps): bump @types/ws
  • 457e1e5 chore(deps-dev): bump eslint from 8.10.0 to 8.11.0 (#4334)
  • b48ff7f chore(deps-dev): bump puppeteer from 13.5.0 to 13.5.1 (#4330)
  • 3ce15d4 chore(deps-dev): bump puppeteer from 13.4.1 to 13.5.0 (#4329)
  • a892235 chore(deps-dev): bump lint-staged from 12.3.4 to 12.3.5 (#4328)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.


The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-IP-6240864

Micro-Learning Topic: Server-side request forgery (Detected by phrase)

Matched on "Server-side Request Forgery"

Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL; when this request reaches the server, the server-side code executes the exploit URL, causing the attacker to be able to read data from services that shouldn't be exposed.


@sourcery-ai sourcery-ai bot left a comment

PR Type: Enhancement

PR Summary: This pull request addresses a critical security vulnerability by updating vulnerable npm dependencies as identified by Snyk. Specifically, it upgrades the versions of 'nightwatch' and 'webpack-dev-server' to mitigate a high severity Server-side Request Forgery (SSRF) vulnerability. The PR was automatically generated by Snyk and indicates a proactive approach to maintaining security and dependency health.

Decision: Comment

📝 Type: 'Enhancement' - not supported yet.
  • Sourcery currently only approves 'Typo fix' PRs.
✅ Issue addressed: this change correctly addresses the issue or implements the desired feature.
No details provided.
✅ Small diff: the diff is small enough to approve with confidence.
No details provided.

General suggestions:

  • Ensure thorough testing of the application with the updated dependencies to confirm that there are no breaking changes or new issues introduced.
  • Manually update the package-lock.json file as indicated by the warning in the PR description to ensure consistency and completeness of the dependency upgrade.
  • Review the detailed commit history and differences for the upgraded packages provided in the PR description to understand the scope of changes and potential impacts on the project.
