
[Snyk] Fix for 2 vulnerabilities #197

Open
wants to merge 1 commit into
base: master

Conversation

Omrisnyk
Owner

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • large-file/package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity: medium (priority score (*) 44/1000)
Issue: Cross-site Scripting (XSS), SNYK-JS-COOKIE-8163060
Breaking Change: Yes
Exploit Maturity: No Known Exploit
Reachability: No Path Found
Why? Confidentiality impact: None, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 4, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.86, Score Version: V5

Severity: high (priority score (*) 131/1000)
Issue: Improper Verification of Cryptographic Signature, SNYK-JS-ELLIPTIC-8172694
Breaking Change: Yes
Exploit Maturity: No Known Exploit
Reachability: No Path Found
Why? Confidentiality impact: Low, Integrity impact: High, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 0, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 7.03, Likelihood: 1.86, Score Version: V5

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: elliptic (from elliptic GitHub release notes)
Package name: engine.io (from engine.io GitHub release notes)
  • 6.6.2 - 2024-10-09

    This release contains a bump of the cookie dependency.

    See also: GHSA-pxg6-pf52-xh8x

    Dependencies

  • 6.6.1 - 2024-09-21

    Bug Fixes

    • move 'offline' event listener at the top (8a2f5a3)
    • only remove the event listener if it exists (9b3c9ab)
    • do not send a packet on an expired connection (#5134) (8adcfbf)

    Performance Improvements

    • do not reset the heartbeat timer on each packet (7a23dde)

    Dependencies

  • 6.6.0 - 2024-06-21

    Diff: socketio/engine.io-client@6.5.3...6.6.0

  • 6.5.5 - 2024-06-18
  • 6.5.4 - 2023-11-09
  • 6.5.3 - 2023-10-06
  • 6.5.2 - 2023-08-02
  • 6.5.2-alpha.1 - 2023-08-01
  • 6.5.1 - 2023-06-27
  • 6.5.0 - 2023-06-16
  • 6.5.0-alpha.1 - 2023-06-11
  • 6.4.2 - 2023-05-01
  • 6.4.1 - 2023-02-19
  • 6.4.0 - 2023-02-06
  • 6.3.1 - 2023-01-12
  • 6.3.0 - 2023-01-10
  • 6.2.1 - 2022-11-20
  • 6.2.0 - 2022-04-17
  • 6.2.0-alpha.1 - 2022-03-12
  • 6.1.3 - 2022-02-23
  • 6.1.2 - 2022-01-18
  • 6.1.1 - 2022-01-11
  • 6.1.0 - 2021-11-08
  • 6.0.1 - 2021-11-06
  • 6.0.0 - 2021-10-08
  • 5.2.1 - 2022-01-11
  • 5.2.0 - 2021-08-29
  • 5.1.1 - 2021-05-16
  • 5.1.0 - 2021-05-04
  • 5.0.0 - 2021-03-10
  • 4.1.2 - 2022-01-11
  • 4.1.1 - 2021-02-02
  • 4.1.0 - 2021-01-14
  • 4.0.6 - 2021-01-04
  • 4.0.5 - 2020-12-07
  • 4.0.4 - 2020-11-17
  • 4.0.3 - 2020-11-17
  • 4.0.2 - 2020-11-09
  • 4.0.1 - 2020-10-21
  • 4.0.0 - 2020-09-10
  • 4.0.0-alpha.1 - 2020-02-12
  • 4.0.0-alpha.0 - 2020-02-12
  • 3.6.2 - 2024-06-18
  • 3.6.1 - 2022-11-20
  • 3.6.0 - 2022-06-06
  • 3.5.0 - 2020-12-30
  • 3.4.2 - 2020-06-04
  • 3.4.1 - 2020-04-17
  • 3.4.0 - 2019-09-13
  • 3.3.2 - 2018-11-29
  • 3.3.1 - 2018-11-19
  • 3.3.0 - 2018-11-07
  • 3.2.1 - 2018-11-02
  • 3.2.0 - 2018-02-28
  • 3.1.5 - 2018-02-18
  • 3.1.4 - 2017-11-12
  • 3.1.3 - 2017-10-11
  • 3.1.2 - 2017-09-27
  • 3.1.1 - 2017-09-02
  • 3.1.0 - 2017-04-27
Package name: react-middle-truncate (from react-middle-truncate GitHub release notes)
Package name: webpack (from webpack GitHub release notes)
  • 5.0.0 - 2020-10-10

    Announcement and changelog

  • 5.0.0-rc.6 - 2020-10-10

    Bugfixes

    • fix evaluation order of concatenated modules
    • fix parsing of calls for ProvidePlugin
    • fix electron-renderer target
  • 5.0.0-rc.5 - 2020-10-09

    Bugfixes

    • fix crash in getNumberOfMatchingSizeTypes
    • fix crash in SideEffectsFlagPlugin
    • fix crash when using runtimeChunk and Module Federation shared
    • add some missing type exports

    Migration

    • improve Node.js polyfill message
  • 5.0.0-rc.4 - 2020-10-07

    Features

    • optimization.sideEffects will detect simple cases of modules without side effects from the source code now
      • supported: class and function declarations, variable declarations with pure init expression, if, while, for, switch, export, import, function calls with pure flag
    • added a "transitive only" side effects mode which drops the module but keeps dependencies
      • This is useful for mini-css-extract-plugin to allow dropping the extracted JS, while keeping the CSS dependencies

    Bugfixes

    • accessing properties of the prototype from imported modules is now possible. They are no longer incorrectly mangled.

    Dependencies

    • update schema-utils to major 3
    • update acorn to major 8
  • 5.0.0-rc.3 - 2020-09-30

    Bugfixes

    • delete x.y.z now also works in concatenated modules
    • folder and file names containing # are now supported
  • 5.0.0-rc.2 - 2020-09-29

    Features

    • [Stats] do not display loader prefix for modules in bold
    • [Stats] improve grouping by path for modules and assets
    • add optimization.splitChunks.defaultSizeTypes to specify size types considered for sizes when only a number is specified
      • this allows plugins to add default size types

    Bugfixes

    • [Stats] fix some space calculation issues for assets and modules space limit
    • [Stats] fix filtered item count
    • remove error when watch option is used without callback and show a deprecation message instead.
  • 5.0.0-rc.1 - 2020-09-28

    Breaking Changes

    • uses target: "browserslist" as default when a browserslist config has been found, otherwise fallback to target: "web" as usual
      • This could have unexpected changes to the EcmaScript version of the generated code
      • In some cases this might cause builds to fail because browserslist contains web and node versions
      • In most cases we expect this to simplify migration while still allowing to generate better code
        • This partially reverts a breaking change: Instead of changing the generated code from ES5 to ES6, this now changes it from ES5 to an automatic version depending on browserslist when available

    Features

    • add support for target: "browserslist" and more advanced options
    • expose more classes as needed by plugins
    • add Compiler.watching
    • add parser.worker for javascript files to allow to modify which syntax is special for WebWorker support
    • allow output.chunkFilename to be a function via schema
    • allow RegExp for watchOptions.ignored via schema
    • add resolve.preferRelative option, which allows to resolve module requests also as relative requests

    Migration

    • add more hints regarding breaking changes in config
    • improve deprecation layer for Array -> Set to allow accessing the first index
    • allow to use splitChunks name to move modules to a parent chunk

    Bugfixes

    • avoid some errors in dependencies when target module failed
    • when min(Remaining)Size is violated, use only modules that are fine, instead of failing for all modules
    • fix infinite recursion when having a circular symlink and a context containing it
    • warning for importing a disposed module displays the correct module
    • fix too wide hash for javascript chunks that caused unnecessary invalidation of the rendered files
    • fix new URL("relative/file.png", import.meta.url) to resolve relative
    • update webpack-sources to fix crash with source "." is not in SourceMap
    • fix stack overflow in resolving
  • 5.0.0-rc.0 - 2020-09-20

    Full Changelog

    Known Problems

    • delete x.y.z doesn't work with optimization.concatenateModules: true yet.
    • mini-css-extract-plugin is not fully compatible and there are a few problems.
    • html-webpack-plugin doesn't understand the new default automatic publicPath yet. Use output.publicPath: "" instead.
    • target doesn't support individual browser versions yet. Use the general targets for now: target: ["web", "es2020"]
    • The stable webpack-cli shows too verbose output for schema validation problems.
    • new URL with string not starting with ./ or ../ works incorrectly
    • The stats grouping algorithm still needs some fine-tuning
  • 5.0.0-beta.33 - 2020-09-20

    Changes

    • deprecate stats.warningsFilter in favor of ignoreWarnings
      • We need to filter warnings earlier and not only for display, e.g. for correct ignoring in hasWarnings()

    Bugfixes

    • fix missing fileDependencies for managed items
  • 5.0.0-beta.32 - 2020-09-18

    Features

    • sort assets by size
    • update all dependencies to stable versions only
    • output.publicPath is now "auto" by default when supported by target
    • add output.publicPath: "auto" to determine publicPath automatically

    Bugfixes

    • avoid error for managed paths that only contain a node_modules
  • 5.0.0-beta.31 - 2020-09-17
  • 5.0.0-beta.30 - 2020-09-11
  • 5.0.0-beta.29 - 2020-08-28
  • 5.0.0-beta.28 - 2020-08-20
  • 5.0.0-beta.27 - 2020-08-19
  • 5.0.0-beta.26 - 2020-08-14
  • 5.0.0-beta.25 - 2020-08-10
  • 5.0.0-beta.24 - 2020-08-05
  • 5.0.0-beta.23 - 2020-08-02
  • 5.0.0-beta.22 - 2020-07-09
  • 5.0.0-beta.21 - 2020-07-06
  • 5.0.0-beta.20 - 2020-06-29
  • 5.0.0-beta.19 - 2020-06-29
  • 5.0.0-beta.18 - 2020-06-17
  • 5.0.0-beta.17 - 2020-06-03
  • 5.0.0-beta.16 - 2020-05-05
  • 5.0.0-beta.15 - 2020-04-21
  • 5.0.0-beta.14 - 2020-03-02
  • 5.0.0-beta.13 - 2020-01-29
  • 5.0.0-beta.12 - 2020-01-16
  • 5.0.0-beta.11 - 2019-12-24
  • 5.0.0-beta.10 - 2019-12-22
  • 5.0.0-beta.9 - 2019-12-08
  • 5.0.0-beta.8 - 2019-12-08
  • 5.0.0-beta.7 - 2019-11-20
  • 5.0.0-beta.6 - 2019-11-14
  • 5.0.0-beta.5 - 2019-11-13
  • 5.0.0-beta.4 - 2019-11-12
  • 5.0.0-beta.3 - 2019-11-06
  • 5.0.0-beta.2 - 2019-10-31
  • 5.0.0-beta.1 - 2019-10-22
  • 5.0.0-beta.0 - 2019-10-11
  • 5.0.0-alpha.32 - 2019-10-11
  • 5.0.0-alpha.31 - 2019-10-10
  • 5.0.0-alpha.30 - 2019-10-07
  • 5.0.0-alpha.29 - 2019-10-02
  • 5.0.0-alpha.28 - 2019-09-26
  • 5.0.0-alpha.27 - 2019-09-25
  • 5.0.0-alpha.26 - 2019-09-08
  • 5.0.0-alpha.25 - 2019-09-06
  • 5.0.0-alpha.24 - 2019-09-05
  • 5.0.0-alpha.23 - 2019-08-27
  • 5.0.0-alpha.22 - 2019-08-23
  • 5.0.0-alpha.21 - 2019-08-22
  • 5.0.0-alpha.20 - 2019-08-14
  • 5.0.0-alpha.19 - 2019-08-06
  • 5.0.0-alpha.18 - 2019-07-08
  • 5.0.0-alpha.17 - 2019-07-01
  • 5.0.0-alpha.16 - 2019-06-14
  • 5.0.0-alpha.15 - 2019-06-05
  • 5.0.0-alpha.14 - 2019-05-23
  • 5.0.0-alpha.13 - 2019-05-20
  • 5.0.0-alpha.12 - 2019-05-10
  • 5.0.0-alpha.11 - 2019-02-19
  • 5.0.0-alpha.10 - 2019-02-07
  • 5.0.0-alpha.9 - 2019-01-27
  • 5.0.0-alpha.8 - 2019-01-19
  • 5.0.0-alpha.7 - 2019-01-19
  • 5.0.0-alpha.6 - 2019-01-15
  • 5.0.0-alpha.5 - 2019-01-09
  • 5.0.0-alpha.4 - 2019-01-08
  • 5.0.0-alpha.3 - 2018-12-29
  • 5.0.0-alpha.2 - 2018-12-26
  • 5.0.0-alpha.1 - 2018-12-23
  • 5.0.0-alpha.0 - 2018-12-21
  • 4.47.0 - 2023-09-06
  • 4.46.0 - 2021-01-11
  • 4.45.0 - 2021-01-08
  • 4.44.2 - 2020-09-17
  • 4.44.1 - 2020-07-30
  • 4.44.0 - 2020-07-24
  • 4.43.0 - 2020-04-21
  • 4.42.1 - 2020-03-24
  • 4.42.0 - 2020-03-02
  • 4.41.6 - 2020-02-11
  • 4.41.5 - 2019-12-27
  • 4.41.4 - 2019-12-19
  • 4.41.3 - 2019-12-16
  • 4.41.2 - 2019-10-15
  • 4.41.1 - 2019-10-11
  • 4.41.0 - 2019-09-24
  • 4.40.3 - 2019-09-24
  • 4.40.2 - 2019-09-13
  • 4.40.1 - 2019-09-13
  • 4.40.0 - 2019-09-12
  • 4.39.3 - 2019-08-27
  • 4.39.2 - 2019-08-13
  • 4.39.1 - 2019-08-02
  • 4.39.0 - 2019-08-01
  • 4.38.0 - 2019-07-26
  • 4.37.0 - 2019-07-23
  • 4.36.1 - 2019-07-17
  • 4.36.0 - 2019-07-17
  • 4.35.3 - 2019-07-08
  • 4.35.2 - 2019-07-01
  • 4.35.1 - 2019-07-01
  • 4.35.0 - 2019-06-20
  • 4.34.0 - 2019-06-12
  • 4.33.0 - 2019-06-04
  • 4.32.2 - 2019-05-22
  • 4.32.1 - 2019-05-22
  • 4.32.0 - 2019-05-20
  • 4.31.0 - 2019-05-09
  • 4.30.0 - 2019-04-12
  • 4.29.6 - 2019-02-28
  • 4.29.5 - 2019-02-18
  • 4.29.4 - 2019-02-15
  • 4.29.3 - 2019-02-07
  • 4.29.2 - 2019-02-06
  • 4.29.1 - 2019-02-04
  • 4.29.0 - 2019-01-20
  • 4.28.4 - 2019-01-10
  • 4.28.3 - 2018-12-29
  • 4.28.2 - 2018-12-22
  • 4.28.1 - 2018-12-20
  • 4.28.0 - 2018-12-19
  • 4.27.1 - 2018-12-05
  • 4.27.0 - 2018-12-04
  • 4.26.1 - 2018-11-25
  • 4.26.0 - 2018-11-19
  • 4.25.1 - 2018-11-05
  • 4.25.0 - 2018-11-05
  • 4.24.0 - 2018-11-02
  • 4.23.1 - 2018-10-25
  • 4.23.0 - 2018-10-24
  • 4.22.0 - 2018-10-21
  • 4.21.0 - 2018-10-17
  • 4.20.2 - 2018-09-25
  • 4.20.1 - 2018-09-25
  • 4.20.0 - 2018-09-25
  • 4.19.1 - 2018-09-18
  • 4.19.0 - 2018-09-13
  • 4.18.1 - 2018-09-13
  • 4.18.0 - 2018-09-10
  • 4.17.3 - 2018-09-10
  • 4.17.2 - 2018-09-03
  • 4.17.1 - 2018-08-22
  • 4.17.0 - 2018-08-21
  • 4.16.5 - 2018-08-06
  • 4.16.4 - 2018-08-02
  • 4.16.3 - 2018-07-27
  • 4.16.2 - 2018-07-23
  • 4.16.1 - 2018-07-16
  • 4.16.0 - 2018-07-11
  • 4.15.1 - 2018-07-05
  • 4.15.0 - 2018-07-04
  • 4.14.0 - 2018-06-29
  • 4.13.0 - 2018-06-28
  • 4.12.2 - 2018-06-27
  • 4.12.1 - 2018-06-24
  • 4.12.0 - 2018-06-08
  • 4.11.1 - 2018-06-06
  • 4.11.0 - 2018-06-05
  • 4.10.2 - 2018-05-30
  • 4.10.1 - 2018-05-29
  • 4.10.0 - 2018-05-28
  • 4.9.2 - 2018-05-28
  • 4.9.1 - 2018-05-25
  • 4.9.0 - 2018-05-25
  • 4.8.3 - 2018-05-12
  • 4.8.2 - 2018-05-11
  • 4.8.1 - 2018-05-07
  • 4.8.0 - 2018-05-07
  • 4.7.0 - 2018-05-04
Commit messages
Package name: elliptic. The new version differs by 10 commits.

See the full diff

Package name: engine.io. The new version differs by 250 commits.

See the full diff

Package name: react-middle-truncate. The new version differs by 12 commits.

See the full diff

Package name: webpack. The new version differs by 250 commits.
  • 610f368 5.0.0
  • 5ce65c1 update examples
  • bbe1230 Merge pull request #11628 from webpack/bugfix/real-content-hash
  • 75ecff2 5.0.0-rc.6
  • bfc35d6 Merge pull request #11603 from MayaWolf/master
  • 76e8cbd Merge pull request #11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
  • 9fd1be2 chore(deps-dev): bump @types/node from 13.13.23 to 13.13.25
  • 36bcfaa Merge pull request #11621 from webpack/bugfix/11619
  • 9130d10 fix called variables with ProvidePlugin
  • 3e42105 Merge pull request #11620 from webpack/bugfix/11617
  • 4709719 skip connections copied to concatenated module
  • 57b493f 5.0.0-rc.5
  • 1658e2f Merge pull request #11618 from webpack/bugfix/11615
  • a8fb45d fixes crash in SideEffectsFlagPlugin
  • 84b196d emit error instead of crashing when unexpected problem occurs
  • 5573fed Merge pull request #11601 from Hornwitser/improve-suggested-polyfill-config
  • 9b5cce9 Merge pull request #11609 from snitin315/export-types
  • 37c495c export type RuleSetUseItem
  • 39faf34 export type RuleSetUse
  • e5fd246 export type RuleSetConditionAbsolute
  • 660baad export RuleSetCondition types
  • 13e3ca5 Merge pull request #11602 from webpack/bugfix/shared-runtime-chunk
  • 9c0587e Merge pull request #11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
  • 502d166 Merge pull request #11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.