Skip to content

[Snyk] Fix for 3 vulnerabilities #162

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 3 vulnerabilities #162

wants to merge 1 commit into from

Conversation

@Omrisnyk
Copy link
Owner

@Omrisnyk Omrisnyk commented May 22, 2024

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • large-file/package.json
    • large-file/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity Reachability
high severity 169/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00045, Social Trends: No, Days since published: 9, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.81, Score Version: V5		 Uncontrolled resource consumption
SNYK-JS-BRACES-6838727		 Yes Proof of Concept No Path Found
critical severity 283/1000
Why? Confidentiality impact: High, Integrity impact: High, Availability impact: None, Scope: Changed, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Adjacent, EPSS: 0.01055, Social Trends: No, Days since published: 0, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Critical, Package Popularity Score: 99, Impact: 9.6, Likelihood: 2.94, Score Version: V5		 Authentication Bypass
SNYK-JS-HAWK-6969142		 Yes Proof of Concept No Path Found
high severity 124/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00045, Social Trends: No, Days since published: 9, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.06, Score Version: V5		 Inefficient Regular Expression Complexity
SNYK-JS-MICROMATCH-6838728		 Yes No Known Exploit No Path Found

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: @cypress/browserify-preprocessor
  • 3.0.2 - 2021-11-04

    3.0.2 (2021-11-04)

    Miscellaneous

    • deps: update dependency glob-parent to version 5.1.2 🌟 (#84) (61dae70)
  • 3.0.1 - 2020-07-14

    3.0.1 (2020-07-14)

    Bug Fixes

    • Handle function transforms when typescript is set (#57) (fb2f417), closes #56
  • 3.0.0 - 2020-05-21

    3.0.0 (2020-05-21)

    Breaking Changes

    • This plugin now requires Node.js 8+

    Bug Fixes

    • Validate type of typescript option and its existence as a path (3fb7b2c)
    • Improve error when attempting to preprocess a TypeScript file but the typescript option is not set (36d77a8)
  • 2.2.4 - 2020-05-11

    2.2.4 (2020-05-11)

    Bug Fixes

    • generate sourcemaps on .ts and .tsx files (#51) (d64122c)
  • 2.2.3 - 2020-05-08

    2.2.3 (2020-05-08)

    Bug Fixes

    • Only enable TypeScript jsx compiling for .js, .jsx, and .tsx files (#45) (00e9be9)
  • 2.2.2 - 2020-04-23

    2.2.2 (2020-04-23)

    Bug Fixes

    • Fix TypeScript iterator support. (#43) (f549896)
  • 2.2.1 - 2020-04-04

    2.2.1 (2020-04-04)

    Bug Fixes

    • Fix lib files not being published (#40) (24117d0)
  • 2.2.0 - 2020-04-03

    2.2.0 (2020-04-03)

    Features

    • Add out-of-the-tbox typescript support (#38) (344a057)
  • 2.1.4 - 2020-02-11

    2.1.4 (2020-02-11)

    Bug Fixes

  • 2.1.3 - 2020-02-05

    2.1.3 (2020-02-05)

    Bug Fixes

  • 2.1.2 - 2020-02-05
  • 2.1.1 - 2019-06-07
from @cypress/browserify-preprocessor GitHub release notes
Package name: add-asset-html-webpack-plugin from add-asset-html-webpack-plugin GitHub release notes
Package name: braces from braces GitHub release notes
Package name: chokidar
  • 3.0.0 - 2019-04-30
  • 2.1.8 - 2019-08-21
  • 2.1.6 - 2019-05-15
  • 2.1.5 - 2019-03-22
  • 2.1.4 - 2019-03-22
  • 2.1.3 - 2019-03-22
  • 2.1.2 - 2019-02-18
  • 2.1.1 - 2019-02-11
  • 2.1.0 - 2019-02-05
  • 2.0.4 - 2018-06-18
  • 2.0.3 - 2018-03-23
  • 2.0.2 - 2018-02-14
  • 2.0.1 - 2018-02-08
  • 2.0.0 - 2017-12-29
from chokidar GitHub release notes
Package name: expect
  • 25.0.0 - 2019-08-22
  • 24.9.0 - 2019-08-16

    Features

    • [expect] Highlight substring differences when matcher fails, part 1 (#8448)
    • [expect] Highlight substring differences when matcher fails, part 2 (#8528)
    • [expect] Improve report when mock-spy matcher fails, part 1 (#8640)
    • [expect] Improve report when mock-spy matcher fails, part 2 (#8649)
    • [expect] Improve report when mock-spy matcher fails, part 3 (#8697)
    • [expect] Improve report when mock-spy matcher fails, part 4 (#8710)
    • [expect] Throw matcher error when received cannot be jasmine spy (#8747)
    • [expect] Improve report when negative CalledWith assertion fails (#8755)
    • [expect] Improve report when positive CalledWith assertion fails (#8771)
    • [expect] Display equal values for ReturnedWith similar to CalledWith (#8791)
    • [expect, jest-snapshot] Change color from green for some args in matcher hints (#8812)
    • [jest-snapshot] Highlight substring differences when matcher fails, part 3 (#8569)
    • [jest-core] Improve report when snapshots are obsolete (#8448)
    • [jest-cli] Improve chai support (with detailed output, to match jest exceptions) (#8454)
    • [*] Manage the global timeout with --testTimeout command line argument. (#8456)
    • [pretty-format] Render custom displayName of memoized components (#8546)
    • [jest-validate] Allow maxWorkers as part of the jest.config.js (#8565)
    • [jest-runtime] Allow passing configuration objects to transformers (#7288)
    • [@ jest/core, @ jest/test-sequencer] Support async sort in custom testSequencer (#8642)
    • [jest-runtime, @ jest/fake-timers] Add jest.advanceTimersToNextTimer (#8713)
    • [@ jest-transform] Extract transforming require logic within jest-core into @ jest-transform (#8756)
    • [jest-matcher-utils] Add color options to matcherHint (#8795)
    • [jest-circus/jest-jasmine2] Give clearer output for Node assert errors (#8792)
    • [jest-runner] Export all types in the type signature of jest-runner (#8825)

    Fixes

    • [jest-cli] Detect side-effect only imports when running --onlyChanged or --changedSince (#8670)
    • [jest-cli] Allow --maxWorkers to work with % input again (#8565)
    • [babel-plugin-jest-hoist] Expand list of whitelisted globals in global mocks (#8429)
    • [jest-core] Make watch plugin initialization errors look nice (#8422)
    • [jest-snapshot] Prevent inline snapshots from drifting when inline snapshots are updated (#8492)
    • [jest-haste-map] Don't throw on missing mapper in Node crawler (#8558)
    • [jest-core] Fix incorrect passWithNoTests warning (#8595)
    • [jest-snapshots] Fix test retries that contain snapshots (#8629)
    • [jest-mock] Fix incorrect assignments when restoring mocks in instances where they originally didn't exist (#8631)
    • [expect] Fix stack overflow when matching objects with circular references (#8687)
    • [jest-haste-map] Workaround a node >=12.5.0 bug that causes the process not to exit after tests have completed and cancerous memory growth (#8787)

    Chore & Maintenance

    • [docs] Replace FlowType with TypeScript in CONTRIBUTING.MD code conventions
    • [jest-leak-detector] remove code repeat (#8438)
    • [docs] Add example to jest.requireActual (#8482)
    • [docs] Add example to jest.mock for mocking ES6 modules with the factory parameter (#8550)
    • [docs] Add information about using jest.doMock with ES6 imports (#8573)
    • [docs] Fix variable name in custom-matcher-api code example (#8582)
    • [docs] Fix example used in custom environment docs (#8617)
    • [docs] Updated react tutorial to refer to new package of react-testing-library (@ testing-library/react) (#8753)
    • [docs] Updated imports of react-testing-library to @ testing-library/react in website (#8757)
    • [jest-core] Add getVersion (moved from jest-cli) (#8706)
    • [docs] Fix MockFunctions example that was using toContain instead of toContainEqual (#8765)
    • [*] Make sure copyright header comment includes license (#8783)
    • [*] Check copyright and license as one joined substring (#8815)
    • [docs] Fix WatchPlugins jestHooks.shouldRunTestSuite example that receives an object (#8784)
    • [*] Enforce LF line endings (#8809)
    • [pretty-format] Delete obsolete link and simplify structure in README (#8824)
    • [docs] Fix broken transform link on webpack page (#9155)

    Performance

    • [jest-watcher] Minor optimization for JestHook (#8746)
    • [@ jest/reporters] Prevent runaway CPU useage with --notify on macOS (#8830)
  • 24.8.0 - 2019-05-05

    Features

    • [jest-circus] Bind to Circus events via an optional event handler on any custom env (#8344)
    • [expect] Improve report when matcher fails, part 15 (#8281)
    • [jest-cli] Update --forceExit and "did not exit for one second" message colors (#8329)
    • [expect] Improve report when matcher fails, part 16 (#8306)
    • [jest-runner] Pass docblock pragmas to TestEnvironment constructor (#8320)
    • [docs] Add DynamoDB guide (#8319)
    • [expect] Improve report when matcher fails, part 17 (#8349)
    • [expect] Improve report when matcher fails, part 18 (#8356)
    • [expect] Improve report when matcher fails, part 19 (#8367)

    Fixes

    • [jest-each] Fix bug with placeholder values (#8289)
    • [jest-snapshot] Inline snapshots: do not indent empty lines (#8277)
    • [@ jest/runtime, @ jest/transform] Allow custom transforms for JSON dependencies (#8278)
    • [jest-core] Make detectOpenHandles imply runInBand (#8283)
    • [jest-haste-map] Fix the mapper option which was incorrectly ignored (#8299)
    • [jest-jasmine2] Fix describe return value warning being shown if the describe function throws (#8335)
    • [jest-environment-jsdom] Re-declare global prototype of JSDOMEnvironment (#8352)
    • [jest-snapshot] Handle arrays when merging snapshots (#7089)
    • [expect] Extract names of async and generator functions (#8362)
    • [jest-runtime] Fix virtual mocks not being unmockable after previously being mocked (#8396)
    • [jest-transform] Replace special characters in transform cache filenames to support Windows (#8353)
    • [jest-config] Allow exactly one project (#7498)

    Chore & Maintenance

    • [expect] Fix label and add opposite assertion for toEqual tests (#8288)
    • [docs] Mention Jest MongoDB Preset (#8318)
    • [@ jest/reporters] Migrate away from istanbul-api (#8294)
    • [*] Delete obsolete emails tag from header comment in test files (#8377)
    • [expect] optimize compare nodes (#8368)
    • [docs] Fix typo in MockFunctionAPI.md (#8406)
    • [LICENSE] Follow copyright header guidelines and delete For Jest software (#8428)

    Performance

    • [jest-runtime] Fix module registry memory leak (#8282)
    • [jest-resolve] optimize resolve module path (#8388)
    • [jest-resolve] cache current directory (#8412)
    • [jest-get-type] Simplify checking for primitive (#8416)
  • 24.7.1 - 2019-04-04

    Fixes

    • [@ jest/config] Normalize testSequencer to its absolute path (#8267)
    • [@ jest/console] Print to stderr when calling console.error, console.warn or console.assert using the jest-runtime CLI (#8261)
  • 24.7.0 - 2019-04-03

    Features

    • [@ jest/core, @ jest/test-sequencer] Move testSequencer to individual package @ jest/test-sequencer (#8223)
    • [@ jest/core, jest-cli, jest-config] Add option testSequencer allow user use custom sequencer. (#8223)

    Fixes

    • [expect] Add negative equality tests for iterables (#8260)
    • [jest-haste-map] Resolve fs watcher EMFILE error (#8258)

    Chore & Maintenance

    • [expect] Remove repetition of matcherName and options in matchers (#8224)

    Performance

  • 24.6.0 - 2019-04-01

    Features

    • [expect]: Improve report when matcher fails, part 13 (#8077)
    • [@ jest/core] Filter API pre-filter setup hook (#8142)
    • [jest-snapshot] Improve report when matcher fails, part 14 (#8132)
    • [@ jest/reporter] Display todo and skip test descriptions when verbose is true (#8038)
    • [jest-runner] Support default exports for test environments (#8163)
    • [pretty-format] Support React.Suspense (#8180)
    • [jest-snapshot] Indent inline snapshots (#8198)
    • [jest-config] Support colors in displayName configuration (#8025)

    Fixes

    • [jest-circus] Fix test retries with beforeAll/beforeEach failures (#8227)
    • [expect] Fix circular references in iterable equality (#8160)
    • [jest-changed-files] Change method of obtaining git root (#8052)
    • [jest-each] Fix test function type (#8145)
    • [jest-fake-timers] getTimerCount not taking immediates and ticks into account (#8139)
    • [jest-runtime] Allow json file as manual mock (#8159)
    • [pretty-format] Print BigInt as a readable number instead of {} (#8138)
    • [jest-core] Fix ability to transform dependencies required from globalSetup script (#8143)
    • [@ jest/reporters] Fix Cannot read property converageData of null (#8168)
    • [jest-worker] JEST_WORKER_ID starts at 1 (#8205)
    • [jest-config] Use default cwd even if config contains a cwd property (#7923)
    • [jest-resolve-dependencies]: Remove internal peer dependencies (#8215)
    • [jest-resolve]: Remove internal peer dependencies (#8215)
    • [jest-snapshot]: Remove internal peer dependencies (#8215)
    • [jest-resolve] Fix requireActual with moduleNameMapper (#8210)
    • [jest-haste-map] Fix haste map duplicate detection in watch mode (#8237)

    Chore & Maintenance

    • [*] Remove flow from code base (#8061)
    • [*] Use property initializer syntax in Jest codebase (#8117)
    • [*] Move @ types/node to the root package.json (#8129)
    • [*] Add documentation and tests related to auto-mocking (#8099)
    • [*] Add jest-watch-typeahead as a devDependency (#6449)
    • [*] upgrade TS to 3.4.0-dev* for incremental builds (#8149)
    • [docs] Improve description of optional arguments in ExpectAPI.md (#8126)

    Performance

    • [jest-haste-map] Optimize haste map data structure for serialization/deserialization (#8171)
    • [jest-haste-map] Avoid persisting haste map or processing files when not changed (#8153)
    • [jest-core] Improve performance of SearchSource.findMatchingTests by 15% (#8184)
    • [jest-resolve] Optimize internal cache lookup performance (#8183)
    • [jest-core] Dramatically improve watch mode performance (#8201)
    • [jest-transform] Cache regular expression instead of creating anew for every file in ScriptTransformer (#8235)
    • [jest-core] Fix memory leak of source map info and minor performance improvements (#8234)
    • [jest-console] Fix memory leak by releasing console output reference when printed to stdout (#8233)
    • [jest-runtime] Use Map instead of Object for module registry (#8232)
  • 24.5.0 - 2019-03-12

    Features

    • [jest-haste-map] Expose throwOnModuleCollision via config.haste (#8113)

    Chore & Maintenance

    • [expect] Export Matchers interface from expect (#8093)
  • 24.4.0 - 2019-03-11

    Features

    • [jest-resolve] Now supports PnP environment without plugins (#8094)

    Fixes

    • [expect] Compare DOM nodes even if there are multiple Node classes (#8064)
    • [jest-worker] worker.getStdout() can return null (#8083)
    • [jest-worker] Re-attach stdout and stderr from new processes/threads created after retries (#8087)
    • [jest-reporters/jest-runner] Serialize changedFiles passed to workers (#8090)

    Chore & Maintenance

    • [*] Make sure to include d.ts files in the tarball when building (#8086)
  • 24.3.1 - 2019-03-07

    v24.3.1

  • 24.3.0 - 2019-03-07

    We skipped 24.2.0 because a draft was accidentally published. Please use 24.3.0 or a newer version instead.

    Features

    • [expect]: Improve report when matcher fails, part 10 (#7960)
    • [expect]: Improve report when matcher fails, part 11 (#8008)
    • [expect]: Improve report when matcher fails, part 12 (#8033)
    • [expect]: Improve report when matcher fails, part 7 (#7866)
    • [expect]: Improve report when matcher fails, part 8 (#7876)
    • [expect]: Improve report when matcher fails, part 9 (#7940)
    • [jest-circus/jest-jasmine2] Warn if describe returns a value (#7852)
    • [jest-config] Print error information on preset normalization error (#7935)
    • [jest-get-type] Add isPrimitive function (#7708)
    • [jest-haste-map] Add skipPackageJson option (#7778)
    • [jest-util] Add isPromise (#7852)
    • [pretty-format] Support React.memo (#7891)

    Fixes

    • [expect] Fix toStrictEqual not considering arrays with objects having undefined values correctly (#7938)
    • [expect] Fix custom async matcher stack trace (#7652)
    • [expect] Fix non-object received value in toHaveProperty (#7986, #8067)
    • [expect] Fix non-symmetric equal for Number (#7948)
    • [expect] Remove duck typing and obsolete browser support code when comparing DOM nodes and use DOM-Level-3 API instead (#7995)
    • [jest-changed-files] Fix getChangedFilesFromRoots to not return parts of the commit messages as if they were files, when the commit messages contained multiple paragraphs (#7961)
    • [jest-changed-files] Fix pattern for HG changed files (#8066)
    • [jest-changed-files] Improve default file selection for Mercurial repos (#7880)
    • [jest-circus] Fix bug with test.only (#7888)
    • [jest-circus]: Throw explicit error when errors happen after test is considered complete (#8005)
    • [jest-cli] Fix prototype pollution vulnerability in dependency (#7904)
    • [jest-cli] Refactor -o and --coverage combined (#7611)
    • [jest-environment-node] Add missing globals: TextEncoder and TextDecoder (#8022)
    • [jest-haste-map] Enforce uniqueness in names (mocks and haste ids) (#8002)
    • [jest-jasmine2]: Throw explicit error when errors happen after test is considered complete (#8005)
    • [jest-mock] Adds a type check to prototype to allow mocks of objects with a primitive prototype property. (#8040)
    • [jest-transform] Normalize config and remove unnecessary checks, convert TestUtils.js to TypeScript (#7801)
    • [jest-util]Make sure to not fail if unable to assign toStringTag to the process object, which is read only in Node 12 (#8050)
    • [jest-validate] Fix validating async functions (#7894)
    • [jest-worker] Fix jest-worker when using pre-allocated jobs (#7934)
    • [static] Remove console log '-' on the front page (#7977)

    Chore & Maintenance

    • [*]: Setup building, linting and testing of TypeScript (#7808, #7855, #7951)
    • [@ jest/console]: Extract custom console implementations from jest-util into a new separate package (#8030)
    • [@ jest/core] Create new package, which is jest-cli minus yargs and prompts (

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

glob-parent unsafe TypeScript handling assumes all transforms are specified as arrays Node6 does not support syntax of trailing comma

3 participants

@Omrisnyk @snyk-bot