Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Security upgrade npm from 5.6.0 to 7.21.0 #86

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

Omrisnyk
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • openshift/message-board/message-board-web/package.json
    • openshift/message-board/message-board-web/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity Reachability
high severity 165/1000
Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00318, Social Trends: No, Days since published: 1404, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.79, Likelihood: 1.68, Score Version: V5
Prototype Pollution
SNYK-JS-AJV-584908
No No Known Exploit No Path Found
high severity 159/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00348, Social Trends: No, Days since published: 981, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.65, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
No Proof of Concept No Path Found
high severity 97/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Changed, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00083, Social Trends: No, Days since published: 745, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 6.65, Likelihood: 1.45, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-HAWK-2808852
No No Known Exploit No Path Found
medium severity 63/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00324, Social Trends: No, Days since published: 1154, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.65, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-HOSTEDGITINFO-1088355
Yes Proof of Concept No Path Found
high severity 149/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00384, Social Trends: No, Days since published: 918, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 7.84, Likelihood: 1.9, Score Version: V5
Prototype Pollution
SNYK-JS-JSONSCHEMA-1920922
No No Known Exploit No Path Found
medium severity 45/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00146, Social Trends: No, Days since published: 580, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.89, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-MINIMATCH-3050818
Yes No Known Exploit No Path Found
high severity 160/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00877, Social Trends: No, Days since published: 533, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.66, Score Version: V5
Prototype Poisoning
SNYK-JS-QS-3153490
No Proof of Concept No Path Found
high severity 169/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00091, Social Trends: No, Days since published: 335, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.81, Score Version: V5
Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795
Yes Proof of Concept No Path Found
medium severity 45/1000
Why? Confidentiality impact: Low, Integrity impact: None, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00205, Social Trends: No, Days since published: 2132, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.9, Score Version: V5
Insecure Randomness
npm:cryptiles:20180710
No No Known Exploit No Path Found
high severity 107/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.0039, Social Trends: No, Days since published: 2128, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 1.9, Score Version: V5
Prototype Pollution
npm:extend:20180424
No No Known Exploit No Path Found
medium severity 141/1000
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01021, Social Trends: No, Days since published: 2287, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.5, Score Version: V5
Prototype Pollution
npm:hoek:20180212
No Proof of Concept No Path Found
high severity 159/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.0017, Social Trends: No, Days since published: 2233, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.64, Score Version: V5
Regular Expression Denial of Service (ReDoS)
npm:sshpk:20180409
No Proof of Concept No Path Found
medium severity 45/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00115, Social Trends: No, Days since published: 2286, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.89, Score Version: V5
Regular Expression Denial of Service (ReDoS)
npm:ssri:20180214
No No Known Exploit No Path Found
medium severity 202/1000
Why? Confidentiality impact: Low, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Functional, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Physical, EPSS: 0.00211, Social Trends: No, Days since published: 2199, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 7.03, Likelihood: 2.87, Score Version: V5
Uninitialized Memory Exposure
npm:stringstream:20180511
No Mature No Path Found

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: npm
  • 7.21.0 - 2021-08-19

    v7.21.0 (2021-08-19)

    FEATURES

    BUG FIXES

    DEPENDENCIES

    • df57f0d53 @ npmcli/run-script@1.8.6
    • 8183976cf normalize-package-data@3.0.3:
      • fix: account for "licence" as spelling variant
    • f07772401 init-package-json@2.0.4
    • 991a3bd39 read-package-json@4.0.0
    • e9e5ee560 @ npmcli/arborist@2.8.2:
      • fix: treat top-level global packages as "top" nodes
      • fix: load global symlinks implicitly as file: deps
      • fix(reify): debug crash when extracting into symlink
      • fix: node_modules must be a directory
      • fix: make Node.children() a case-insensitive Map
      • fix(reify): verify existing deps in nm are dirs
    • b6f40b5f8 tar@6.1.10:
      • fix: prune dirCache properly for unicode, windows
      • fix: reserve paths properly for unicode, windows
      • fix: prevent path escape using drive-relative paths
      • fix: drop dirCache for symlink on all platforms
    • 218cacadc is-core-module@2.6.0
    • 7ac621cd1 smart-buffer@4.2.0
    • 94f92de13 make-fetch-happen@9.0.5
    • 71cdfd898 spdx-license-ids@3.0.10:
      • update license list to v3.14
  • 7.20.6 - 2021-08-12

    v7.20.6 (2021-08-12)

    DEPENDENCIES

    • 5bebf280f tar@6.1.8
      • fix: reserve paths case-insensitively
    • 5d89de44d tar@6.1.7:
      • fix: normalize paths on Windows systems
    • a1bdbea97 #3569 remove byte-size (@ wraithgar)
    • 61782fa85 @ npmcli/map-workspaces@1.0.4:
      • fix: better error message for duplicate workspace names
    • b88f770fa @ npmcli/arborist@2.8.1:
      • [#3632] Fix "cannot read property path of null" error in 'npm dedupe'
      • fix(shrinkwrap): always set name on the root node

    DOCUMENTATION

  • 7.20.5 - 2021-08-05

    v7.20.5 (2021-08-05)

    DEPENDENCIES

    • 44377738e graceful-fs@4.2.8
      • fix: start retrying immediately, stop after 60 seconds
  • 7.20.4 - 2021-08-05

    v7.20.4 (2021-08-05)

    BUG FIXES

    DEPENDENCIES

    • 15fae4941 tar@6.1.6:
      • fix: properly handle top-level files when using strip
      • Avoid an unlikely but theoretically possible redos
      • WriteEntry backpressure
      • fix(unpack): always resume parsing after an entry error
      • fix(unpack): fix hang on large file on open() fail
      • fix: properly prefix hard links
    • 745326de0 libnpmexec@2.0.1:
      • Clear progress bar which overlays confirm prompt
    • e82bcd4e8 graceful-fs@4.2.7:
      • fix: start retrying immediately, stop after 10 attempts
  • 7.20.3 - 2021-07-29

    v7.20.3 (2021-07-29)

    BUG FIXES

    DEPENDENCIES

    • 97cb5ec31 @ npmcli/arborist@2.8.0:
      • Refactor ideal tree building to handle more complicated
        peerDependencies use cases.
      • Do not modify ideal tree while checking if a peerSet can be placed.
    • 7db1a0a26 chore(deps): mime-types@1.49.0 mime-db@1.49.0
  • 7.20.2 - 2021-07-27

    v7.20.2 (2021-07-27)

    DEPENDENCIES

    • f5aab1f88 tar@6.1.1
      • fix: strip absolute paths more comprehensively
    • ce8fb0f69 tar@6.1.2
      • fix: Remove paths from dirCache when no longer dirs
    • ced85087a gauge@3.0.1
      • add missing dependency to package.json
  • 7.20.1 - 2021-07-22

    BUG FIXES

    DOCUMENTATION

    DEPENDENCIES

  • 7.20.0 - 2021-07-15

    v7.20.0 (2021-07-15)

    FEATURES

    BUG FIXES

    DOCUMENTATION

    DEPENDENCIES

    • 691816f3d @ npmcli/arborist@2.7.1
      • fixes running prepare scripts for workspaces on reify
      • ensure pacote always compares correct integrity values
    • b9597e944 make-fetch-happen@9.0.4
      • fix: retry socket timeout failures
      • fix: clean up invalid indexes and content after cacache read errors
    • f573e7c56 minipass-fetch@1.3.4
      • fix: correctly handle error events that happen after response events
    • 2d5797ea0 pacote@11.3.5
      • fix: show more actionable messages for git pathspec errors
      • fix: include all dep types when building for prepare
      • fix: do not set mtime when unpacking
  • 7.19.1 - 2021-07-01
  • 7.19.0 - 2021-06-24
  • 7.18.1 - 2021-06-17
  • 7.18.0 - 2021-06-17
  • 7.17.0 - 2021-06-10
  • 7.16.0 - 2021-06-03
  • 7.15.1 - 2021-05-31
  • 7.15.0 - 2021-05-27
  • 7.14.0 - 2021-05-20
  • 7.13.0 - 2021-05-13
  • 7.12.1 - 2021-05-10
  • 7.12.0 - 2021-05-06
  • 7.11.2 - 2021-04-29
  • 7.11.1 - 2021-04-23
  • 7.11.0 - 2021-04-23
  • 7.10.0 - 2021-04-15
  • 7.9.0 - 2021-04-08
  • 7.8.0 - 2021-04-01
  • 7.7.6 - 2021-03-29
  • 7.7.5 - 2021-03-25
  • 7.7.4 - 2021-03-24
  • 7.7.3 - 2021-03-24
  • 7.7.2 - 2021-03-24
  • 7.7.1 - 2021-03-24
  • 7.7.0 - 2021-03-23
  • 7.6.3 - 2021-03-11
  • 7.6.2 - 2021-03-09
  • 7.6.1 - 2021-03-04
  • 7.6.0 - 2021-02-25
  • 7.5.6 - 2021-02-22
  • 7.5.5 - 2021-02-22
  • 7.5.4 - 2021-02-12
  • 7.5.3 - 2021-02-08
  • 7.5.2 - 2021-02-02
  • 7.5.1 - 2021-02-01
  • 7.5.0 - 2021-01-28
  • 7.4.3 - 2021-01-21
  • 7.4.2 - 2021-01-15
  • 7.4.1 - 2021-01-14
  • 7.4.0 - 2021-01-07
  • 7.3.0 - 2020-12-18
  • 7.2.0 - 2020-12-15
  • 7.1.2 - 2020-12-11
  • 7.1.1 - 2020-12-09
  • 7.1.0 - 2020-12-04
  • 7.0.15 - 2020-11-27
  • 7.0.14 - 2020-11-23
  • 7.0.13 - 2020-11-20
  • 7.0.12 - 2020-11-17
  • 7.0.11 - 2020-11-13
  • 7.0.10 - 2020-11-10
  • 7.0.9 - 2020-11-06
  • 7.0.8 - 2020-11-03
  • 7.0.7 - 2020-10-30
  • 7.0.6 - 2020-10-27
  • 7.0.5 - 2020-10-23
  • 7.0.4 - 2020-10-23
  • 7.0.3 - 2020-10-20
  • 7.0.2 - 2020-10-16
  • 7.0.1 - 2020-10-15
  • 7.0.0 - 2020-10-13
  • 7.0.0-rc.4 - 2020-10-09
  • 7.0.0-rc.3 - 2020-10-06
  • 7.0.0-rc.2 - 2020-10-02
  • 7.0.0-rc.1 - 2020-10-02
  • 7.0.0-rc.0 - 2020-10-01
  • 7.0.0-beta.13 - 2020-09-29
  • 7.0.0-beta.12 - 2020-09-22
  • 7.0.0-beta.11 - 2020-09-16
  • 7.0.0-beta.10 - 2020-09-08
  • 7.0.0-beta.9 - 2020-09-04
  • 7.0.0-beta.8 - 2020-09-01
  • 7.0.0-beta.7 - 2020-08-25
  • 7.0.0-beta.6 - 2020-08-21
  • 7.0.0-beta.5 - 2020-08-18
  • 7.0.0-beta.4 - 2020-08-11
  • 7.0.0-beta.3 - 2020-08-10
  • 7.0.0-beta.2 - 2020-08-07
  • 7.0.0-beta.1 - 2020-08-05
  • 7.0.0-beta.0 - 2020-08-04
  • 6.14.18 - 2022-12-21
  • 6.14.17 - 2022-04-28
  • 6.14.16 - 2022-01-19
  • 6.14.15 - 2021-08-24
  • 6.14.14 - 2021-07-27

    6.14.14 (2021-07-27)

    DEPENDENCIES

  • 6.14.13 - 2021-04-12
  • 6.14.12 - 2021-03-25
  • 6.14.11 - 2021-01-08
  • 6.14.10 - 2020-12-18
  • 6.14.9 - 2020-11-20
  • 6.14.8 - 2020-08-17
  • 6.14.7 - 2020-07-21
  • 6.14.6 - 2020-07-07
  • 6.14.5 - 2020-05-04
  • 6.14.4 - 2020-03-25
  • 6.14.3 - 2020-03-19
  • 6.14.2 - 2020-03-03
  • 6.14.1 - 2020-02-27
  • 6.14.0 - 2020-02-25
  • 6.13.7 - 2020-01-28
  • 6.13.6 - 2020-01-09
  • 6.13.5 - 2020-01-09
  • 6.13.4 - 2019-12-11
  • 6.13.3 - 2019-12-10
  • 6.13.2 - 2019-12-03
  • 6.13.1 - 2019-11-18
  • 6.13.0 - 2019-11-05
  • 6.12.1 - 2019-10-29
  • 6.12.0 - 2019-10-08
  • 6.12.0-next.0 - 2019-09-26
  • 6.11.3 - 2019-09-03
  • 6.11.2 - 2019-08-22
  • 6.11.1 - 2019-08-21
  • 6.11.0 - 2019-08-20
  • 6.10.3 - 2019-08-06
  • 6.10.2 - 2019-07-23
  • 6.10.2-next.3 - 2019-07-22
  • 6.10.2-next.2 - 2019-07-21
  • 6.10.2-next.1 - 2019-07-17
  • 6.10.2-next.0 - 2019-07-16
  • 6.10.1 - 2019-07-11
  • 6.10.1-next.2 - 2019-07-10
  • 6.10.1-next.1 - 2019-07-03
  • 6.10.1-next.0 - 2019-07-03
  • 6.10.0 - 2019-07-03
  • 6.10.0-next.0 - 2019-07-01
  • 6.9.2 - 2019-06-27
  • 6.9.1-next.0 - 2019-03-20
  • 6.9.0 - 2019-03-06
  • 6.9.0-next.0 - 2019-02-21
  • 6.8.0 - 2019-02-13
  • 6.8.0-next.2 - 2019-02-07
  • 6.8.0-next.1 - 2019-02-06
  • 6.8.0-next.0 - 2019-01-31
  • 6.7.0 - 2019-01-23
  • 6.6.0 - 2019-01-17
  • 6.6.0-next.1 - 2019-01-10
  • 6.6.0-next.0 - 2018-12-12
  • 6.5.0 - 2018-12-10
  • 6.5.0-next.0 - 2018-11-28
  • 6.4.1 - 2018-08-29
  • 6.4.1-next.0 - 2018-08-23
  • 6.4.0 - 2018-08-15
  • 6.4.0-next.0 - 2018-08-09
  • 6.3.0 - 2018-08-02
  • 6.3.0-next.0 - 2018-07-25
  • 6.2.0 - 2018-07-14
  • 6.2.0-next.1 - 2018-07-05
  • 6.2.0-next.0 - 2018-06-29
  • 6.1.0 - 2018-05-24
  • 6.1.0-next.0 - 2018-05-17
  • 6.0.1 - 2018-05-10
  • 6.0.1-next.0 - 2018-05-04
  • 6.0.0 - 2018-04-24
  • 6.0.0-next.2 - 2018-04-21
  • 6.0.0-next.1 - 2018-04-13
  • 6.0.0-next.0 - 2018-03-23
  • 5.10.0 - 2018-05-11
  • 5.10.0-next.1 - 2018-05-07
  • 5.10.0-next.0 - 2018-04-13
  • 5.9.0-next.0 - 2018-03-23
  • 5.8.0 - 2018-03-23
  • 5.8.0-next.0 - 2018-03-13
  • 5.7.1 - 2018-02-22
  • 5.7.0 - 2018-02-21
  • 5.6.0 - 2017-11-28
from npm GitHub release notes
Commit messages
Package name: npm The new version differs by 250 commits.
  • 30a9844 7.21.0
  • 0b2cd9d update AUTHORS
  • 06461ec docs: changelog for v7.21.0
  • 771a1cb chore(tests): fix snapshots
  • 71cdfd8 spdx-license-ids@3.0.10
  • 94f92de make-fetch-happen@9.0.5
  • 7ac621c smart-buffer@4.2.0
  • 218caca is-core-module@2.6.0
  • ff6626a fix(docs): update npm-publish access flag info
  • b6f40b5 tar@6.1.10
  • e9e5ee5 @ npmcli/arborist@2.8.2
  • 991a3bd read-package-json@4.0.0
  • f077724 init-package-json@2.0.4
  • 68a19bb fix(error-message): look for er.path not er.file
  • ff34d6c feat(cache): initial implementation of ls and rm
  • 8183976 normalize-package-data@3.0.3
  • df57f0d @ npmcli/run-script@1.8.6
  • 487731c fix(logging): sanitize logged argv
  • 7a58264 chore(ci): check that docs are up to date in ci
  • 22f3bbb chore(docs): add more 'autogenerated' comments
  • 4314490 fix(docs): revert auto-generated portion of docs
  • 32e88c9 fix(did-you-mean): switch levenshtein libraries
  • 59b9851 7.20.6
  • 2591e67 update AUTHORS

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Insecure Randomness

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants