[Snyk] Upgrade @slack/webhook from 5.0.4 to 7.0.2 #238
Conversation
Snyk has created this PR to upgrade @slack/webhook from 5.0.4 to 7.0.2. See this package in npm: https://www.npmjs.com/package/@slack/webhook See this project in Snyk: https://app.snyk.io/org/mikolaj-roszak/project/89fafb7b-1110-4112-b075-f376a919f601?utm_source=github&utm_medium=referral&page=upgrade-pr
Deploying snyk-1 with
|
| Latest commit: |
41bb7d4
|
| Status: | 🚫 Build failed. |
Micro-Learning Topic: Regular expression denial of service (Detected by phrase)Matched on "Regular Expression Denial of Service"Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability. Try a challenge in Secure Code WarriorMicro-Learning Topic: Weak input validation (Detected by phrase)Matched on "Improper Input Validation"Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Try a challenge in Secure Code WarriorHelpful references
Micro-Learning Topic: Cross-site request forgery (Detected by phrase)Matched on "Cross-site Request Forgery"Session-related but not session-based, this attack is based on the ability of an attacker to force an action on a user’s browser (commonly in the form of a POST request) to perform an unauthorized action on behalf of the user. This can often occur without the user even noticing it… or only noticing when it is too late. The root cause is that browsers automatically send session cookies with all requests to a given domain, regardless of where the source of the request came from, and the application server cannot differentiate between a request that came from pages it served or a request that came from an unrelated page. Try a challenge in Secure Code WarriorHelpful references
Micro-Learning Topic: Denial of service (Detected by phrase)Matched on "Denial of Service"The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service Try a challenge in Secure Code WarriorMicro-Learning Topic: Information disclosure (Detected by phrase)Matched on "Information Exposure"Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Try a challenge in Secure Code WarriorMicro-Learning Topic: Prototype pollution (Detected by phrase)Matched on "Prototype Pollution"By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Try a challenge in Secure Code Warrior |
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to upgrade @slack/webhook from 5.0.4 to 7.0.2.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
Warning: This is a major version upgrade, and may be a breaking change.
The recommended version fixes:
SNYK-JS-AXIOS-1579269
Why? Proof of Concept exploit, CVSS 7.5
SNYK-JS-AXIOS-6032459
Why? Proof of Concept exploit, CVSS 7.5
SNYK-JS-AXIOS-6144788
Why? Proof of Concept exploit, CVSS 7.5
SNYK-JS-FOLLOWREDIRECTS-6141137
Why? Proof of Concept exploit, CVSS 7.5
SNYK-JS-AXIOS-6124857
Why? Proof of Concept exploit, CVSS 7.5
SNYK-JS-FOLLOWREDIRECTS-2332181
Why? Proof of Concept exploit, CVSS 7.5
SNYK-JS-FOLLOWREDIRECTS-6444610
Why? Proof of Concept exploit, CVSS 7.5
SNYK-JS-FOLLOWREDIRECTS-2396346
Why? Proof of Concept exploit, CVSS 7.5
(*) Note that the real score may have changed since the PR was raised.
Release notes
Package name: @slack/webhook
-
7.0.2 - 2024-01-02
-
7.0.1 - 2023-10-30
-
7.0.0 - 2023-10-04
-
6.1.0 - 2022-01-12
-
6.0.0 - 2021-01-12
-
5.0.4 - 2021-01-05
from @slack/webhook GitHub release notesWhat's Changed
This major release bumps dependencies to their latest versions and sets the minimum node version is to v18, the current LTS node.js. While the library should work with older versions of node, we no longer test the library against versions of node older than 18, so we cannot guarantee compatibility.
In addition, calling
disconnect()when already disconnected should no longer throw an exception (fixed #842).Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs