FauxFaux/ansible-ghetto-json 30

ansible module for quick edits to JSON files

FauxFaux/apt-pkg-native-rs 7

Rust bindings for libapt-pkg

FauxFaux/argon2min 2

The pure-Rust password hashing library running on Argon2.

FauxFaux/aiowrap 1

Small helpers for using AsyncRead/AsyncWrite

FauxFaux/BBC-QRCode-Generator 1

A Sinatra application that will generate QRCodes for a BBC url with a BBC logo embedded in it.

FauxFaux/afl.rs 0

Fuzzing Rust code with american-fuzzy-lop

issue comment facebook/jest

CONTRIBUTING mentions `yarn link`, which doesn't even exist anymore

As a first time contributor (to many projects), especially ones with workspaces, my worry with not using link is that it would pick up random versions of random modules, and not get you the full "running from HEAD" experience, which I like to avoid.

I also have no particular love for link. In fact, I found two (2) yarn bugs trying to run it against our npm 6 project.

FauxFaux

comment created time in a day

PR closed FauxFaux/apt-pkg-native-rs

Add more accessors for different package details

First commit is a small inconsequential fix, second one adds a simple accessor and the third one adds the meat of the matter.

Thanks for the library!

+278 -4

2 comments

5 changed files

PiMaker

pr closed time in 2 days

pull request comment FauxFaux/apt-pkg-native-rs

Add more accessors for different package details

I've merged and published this as is.

However, this might matter to you: https://github.com/FauxFaux/apt-pkg-native-rs/issues/6

Thanks, either way!

PiMaker

comment created time in 2 days

issue opened FauxFaux/apt-pkg-native-rs

to_c_string leaks

We never attempt to free the result of to_c_string, so all uses of this will leak memory.

Maybe mark these as:

https://github.com/FauxFaux/apt-pkg-native-rs/blob/edc7008762056ac31c6f38fda350e6b5219b825d/src/raw.rs#L4

created time in 2 days

issue opened FauxFaux/apt-pkg-native-rs

Features should be additive

The ye-olde-apt feature should add functionality, but instead it takes it away. This makes it incompatible with the intention of features in cargo. It should probably be an "apt-14-onwards" kind of feature, like the sqlite crate? They can be enabled by default, which would be fine. (Could they not originally? Or did I just not know?)

created time in 2 days

push event FauxFaux/apt-pkg-native-rs

Stefan Reiter

commit sha f28cd3e4997f12b0a6ad9d548a46a243b759d246

use correct raw type in PkgFileIterator

Stefan Reiter

commit sha 10185365236f1bf66eff5b7344f39b70f6a7b688

add priority type accessor to VerView

Stefan Reiter

commit sha 07c92f003b31e43440c1508733234b66cdd5d99a

add package detail accessors

  • short description
  • long description
  • maintainer
  • homepage

Requires constructing a pkgRecords::Parser to read for some reason. AFAICT this parser is bound to the pkgRecords instance and deleted together with it, so it doesn't require an explicit delete/free.

Stefan Reiter

commit sha 7b2d146e8d77b483752f988a5e4137d7a083d578

expose 'sane' interface to external consumers

Stefan Reiter

commit sha edc7008762056ac31c6f38fda350e6b5219b825d

add DepIterator to list dependencies of package versions

Mostly the same boilerplate as the other iterators, but with a special SinglePkgView type introduced to allow direct access to the nested PkgIterator returned from target_pkg.

Stefan Reiter

commit sha e073fe8081cc0bfa44ffd775ac9e5dd26d1af651

bump version to 0.3.2

Chris West (Faux)

commit sha a5b8ede7ece2d783c8c9d0b8d56cfc3a2ff3883b

chore: format

Chris West (Faux)

commit sha 99fba9024ab7c0797ddb468e72c42dd612f28934

fix: missing header(?)

This seems to be required on 20.04.

Chris West (Faux)

commit sha a60323705ff67d59dc565be87cb12ac765828a88

chore: cripple some examples on ye-old-apt

Chris West (Faux)

commit sha a0277868287910924a03ef80b611d0a23f6caf4f

chore: clippy: unused import

push time in 2 days

issue opened facebook/jest

CONTRIBUTING mentions `yarn link`, which doesn't even exist anymore

🐛 Bug Report

CONTRIBUTING.md tells us we can test the project by using yarn link. Unfortunately, yarn has been forced to a random commit of yarn 2, and yarn 2 doesn't even have the yarn link (no-args) syntax:

faux@astoria:~/clone% yarn --version
1.22.10

faux@astoria:~/clone% cd jest
faux@astoria:~/clone/jest% yarn --version
2.3.3-git.20201026.e34bf6c6

faux@astoria:~/clone/jest% yarn link
Unknown Syntax Error: Not enough positional arguments.

$ yarn link [-A,--all] [-p,--private] [-r,--relative] <destination>

(Also, top tip to save anyone else an hour of debugging: this yarn version ignores your ~/.npmrc, you must rewrite it for them.)

If you use the yarn 2 syntax instead, you instead get a resolution error about @yarn/test-utils, which does indeed not exist in the registry, and apparently yarn isn't smart enough to link it, either in --all mode or while trying to link just the cli (exactly the same output).

my-app% ~/clone/jest/.yarn/releases/yarn-sources.cjs link ~/clone/jest --all
➤ YN0000: ┌ Resolution step
➤ YN0001: │ Error: No candidate found for @jest/test-utils@npm:^26.0.0
    at ~/clone/jest/.yarn/releases/yarn-sources.cjs:2:335032
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
[...]

Expected behavior

Can someone who understands this yarn setup please update the CONTRIBUTING.md document with how to .. run jest from git?

created time in 2 days

push event FauxFaux/rc

Chris West (Faux)

commit sha 6eb3b349dd59ecda75c8a4ad08b9870c20cef135

chore: rebuild xprintidle.so with a new compiler, again

Chris West (Faux)

commit sha b095d5c430412ed68040e7880ef638bc55f77c20

fix: ugly trailing slash in bin path

push time in 4 days

push event UWCS/choob

snyk-bot

commit sha eb455d3f97bb9b2815811077dcef542e1232d0f4

fix: pom.xml to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
  • https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415

push time in 8 days

create branch UWCS/choob

branch : snyk-fix-e86e455c6f4b544b27579d999c6c28a0

created branch time in 8 days

push event FauxFaux/dmnp

snyk-bot

commit sha c7b78650de239efef0c07200e6720b7477605149

fix: util-java/pom.xml to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
  • https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415

push time in 8 days

create branch FauxFaux/dmnp

branch : snyk-fix-519a8f9932c479ff085b3ea7c9a5aebd

created branch time in 8 days

push event FauxFaux/maven-version-rs

Chris West (Faux)

commit sha b086ce1739d05f5e0e78dafd26b7748503accf37

feat: work around some edge-cases

Chris West (Faux)

commit sha 5495a8617570d9903f6b0894fcfb6d051feaa2bf

chore: totally fail to pin down equality insanity

push time in 10 days

delete branch snyk/try-require

delete branch : fix/npm-7

delete time in 12 days

push event snyk/try-require

Chris West (Faux)

commit sha af45da15f50b4b83ddd8164b26f99273fa8cb680

fix: npm 7 support

This insane (I wrote it) hack of using postinstall to install test dependencies has finally broken. It causes npm 7 to fail to install this package in people depending on us.

Chris West

commit sha a79f6c1dfe4c806b04f1b847d70b79354e1f78a2

Merge pull request #17 from snyk/fix/npm-7

fix: npm 7 support

push time in 12 days

PR merged snyk/try-require

fix: npm 7 support

This insane hack (I wrote it) of using postinstall to install test dependencies has finally broken. It causes npm 7 to fail to install this package in people depending on us.

npm ERR! code 254
npm ERR! path /home/faux/code/snyk/whoop/node_modules/snyk-try-require
npm ERR! command failed
npm ERR! command sh -c npm --prefix test/fixtures/shrink-test-v1 install && npm --prefix test/fixtures/with-policy install
npm ERR! npm ERR! code ENOENT
npm ERR! npm ERR! syscall lstat
npm ERR! npm ERR! path /home/faux/code/snyk/whoop/node_modules/snyk-try-require/test
npm ERR! npm ERR! errno -2
npm ERR! npm ERR! enoent ENOENT: no such file or directory, lstat '/home/faux/code/snyk/whoop/node_modules/snyk-try-require/test'
npm ERR! npm ERR! enoent This is related to npm not being able to find a file.
npm ERR! npm ERR! enoent 
npm ERR! 
npm ERR! npm ERR! A complete log of this run can be found in:

+11 -1

0 comment

2 changed files

FauxFaux

pr closed time in 12 days

issue comment tapjs/node-tap

getValidSourceFile during tap's typescript-compilation

While I don't know how to fix this (yet!), I do know it is caused by the coverage support. tap --no-coverage does not have the same problem.

rgrannell1

comment created time in 13 days

push event FauxFaux/react-native-segmented-control-tab

snyk-bot

commit sha 260874ff1aa1b70188044abc84f74ac1e8c069f5

fix: Example/package.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
  • https://snyk.io/vuln/SNYK-JS-NODEFETCH-674311

push time in 15 days

PR opened snyk/try-require

fix: npm 7 support

This insane hack (I wrote it) of using postinstall to install test dependencies has finally broken. It causes npm 7 to fail to install this package in people depending on us.

npm ERR! code 254
npm ERR! path /home/faux/code/snyk/whoop/node_modules/snyk-try-require
npm ERR! command failed
npm ERR! command sh -c npm --prefix test/fixtures/shrink-test-v1 install && npm --prefix test/fixtures/with-policy install
npm ERR! npm ERR! code ENOENT
npm ERR! npm ERR! syscall lstat
npm ERR! npm ERR! path /home/faux/code/snyk/whoop/node_modules/snyk-try-require/test
npm ERR! npm ERR! errno -2
npm ERR! npm ERR! enoent ENOENT: no such file or directory, lstat '/home/faux/code/snyk/whoop/node_modules/snyk-try-require/test'
npm ERR! npm ERR! enoent This is related to npm not being able to find a file.
npm ERR! npm ERR! enoent 
npm ERR! 
npm ERR! npm ERR! A complete log of this run can be found in:

+11 -1

0 comment

2 changed files

pr created time in 16 days

create branch snyk/try-require

branch : fix/npm-7

created branch time in 16 days

push event UWCS/choob

snyk-bot

commit sha 709b6e1c9855a237d1c38f880b3e16c4eee6a19f

fix: pom.xml to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
  • https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-1016906

push time in 22 days

create branch UWCS/choob

branch : snyk-fix-33805c083e87efdfaa850adada6f18e1

created branch time in 22 days

delete branch snyk/goof

delete branch : snyk-fix-1709aef90466e7444b8a4025a098642a

delete time in 23 days

PR closed snyk/goof

[Snyk] Security upgrade typeorm from 0.2.24 to 0.2.25

Snyk has created this PR to fix one or more vulnerable packages in the npm dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
  • Severity: high
  • Priority score (*): 801/1000 (why? mature exploit, has a fix available, CVSS 8.3)
  • Issue: Prototype Pollution, SNYK-JS-TYPEORM-590152
  • Breaking change: No
  • Exploit maturity: Mature

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

+17 -31

0 comment

2 changed files

snyk-bot

pr closed time in 23 days

delete branch FauxFaux/node-auth0

delete branch : feat/remove-assign-polyfill

delete time in 24 days

create branch FauxFaux/unnest

branch : chore/widers

created branch time in 24 days

push event snyk/snyk-docker-plugin

Chris West (Faux)

commit sha 57544c0dd7dcc361a0dfc2121d9e2f6afa54217a

feat: upgrade node lockfile parser (dropping weird transitive)

Pick up a minor release of `snyk-nodejs-lockfile-parser`, which we have pinned. This version bump brings the removal of source-map-support, which is inappropriate behaviour for a library.

Chris West

commit sha 5c995d28d06d2df3c08d493f8cdc43ea0525d499

Merge pull request #269 from snyk/feat/s-m-s

feat: upgrade node lockfile parser (dropping weird transitive)

push time in 25 days

delete branch snyk/snyk-docker-plugin

delete branch : feat/s-m-s

delete time in 25 days

PR merged snyk/snyk-docker-plugin

feat: upgrade node lockfile parser (dropping weird transitive)

Pick up a minor release of snyk-nodejs-lockfile-parser, which we have pinned. This version bump brings the removal of source-map-support, which is inappropriate behaviour for a library.

+1 -1

1 comment

1 changed file

FauxFaux

pr closed time in 25 days

PR opened snyk/snyk-docker-plugin

feat: upgrade node lockfile parser (dropping weird transitive)

Pick up a minor release of snyk-nodejs-lockfile-parser, which we have pinned. This version bump brings the removal of source-map-support, which is inappropriate behaviour for a library.

+1 -1

0 comment

1 changed file

pr created time in a month

create branch snyk/snyk-docker-plugin

branch : feat/s-m-s

created branch time in a month

fork FauxFaux/passport-heroku-addon

Passport strategy for heroku addons

fork in a month

push event snyk/cocoapods-lockfile-parser

Chris West (Faux)

commit sha 9c9688d63504e4428407983960ca4e3bab8788cc

feat: upgrade dep-graph (dropping weird transitive)

Chris West (Faux)

commit sha e318ddf5a7f04fb4a66f568b54d431f4f13d010e

feat: drop unused dependency on source-map-support

Chris West

commit sha 951e997e676765e8818c993caaa53c3d88e49923

Merge pull request #31 from snyk/feat/s-m-s

feat: drop source-map-support

push time in a month

delete branch snyk/cocoapods-lockfile-parser

delete branch : feat/s-m-s

delete time in a month

PR merged snyk/cocoapods-lockfile-parser

feat: drop source-map-support

What this does

We're not using the source-map-support library, and we shouldn't be. Stop declaring a dependence on it. It's for applications, not libraries.

Also pick up a minor release of @snyk/dep-graph, which we have pinned. This version bump brings the same removal of source-map-support, but their case is even worse; they're initialising the library, which is bad.

+1 -2

0 comment

1 changed file

FauxFaux

pr closed time in a month

push event snyk/nodejs-lockfile-parser

Chris West (Faux)

commit sha 60e5bcdb7d7d2fefc1dab205ddfded8ce2eccf3c

feat: libraries do not register source maps

This forces applications to pick up source-map-support, which is not always wanted, and may be causing them issues.

Chris West

commit sha af8ba81930e950156b539281ecf41c1bc63dacf4

Merge pull request #88 from snyk/feat/s-m-s

feat: libraries do not register source maps

push time in a month

delete branch snyk/nodejs-lockfile-parser

delete branch : feat/s-m-s

delete time in a month

PR merged snyk/nodejs-lockfile-parser

feat: libraries do not register source maps

This forces applications to pick up source-map-support, which is not always wanted, and may be causing them issues.

+2 -4

0 comment

2 changed files

FauxFaux

pr closed time in a month

push event snyk/snyk-cli-interface

Chris West (Faux)

commit sha af6c7dd1d06c4488585ffa5fa28434e1d99783e4

feat: upgrade dep-graph (dropping weird transitive)

Chris West (Faux)

commit sha dc4996cc832c299141a7c7f37c222e6aaa3287a9

feat: pin typescript version to 3.8

Chris West

commit sha 32e7a94f7a2f16da5ac5447f676d1c983ca28625

Merge pull request #41 from snyk/feat/s-m-s

feat: upgrade dep-graph (removing weird transitive)

push time in a month

delete branch snyk/snyk-cli-interface

delete branch : feat/s-m-s

delete time in a month

PR merged snyk/snyk-cli-interface

feat: upgrade dep-graph (removing weird transitive)

Pick up a minor release of @snyk/dep-graph, which we have pinned. This version bump brings the removal of source-map-support, which is inappropriate behaviour for a library.

Also ~pin typescript, so the build doesn't randomly break on upgrades. (They don't do semver.)

+2 -2

0 comment

1 changed file

FauxFaux

pr closed time in a month

push event snyk/snyk-cli-interface

maxjeffos

commit sha e4a8cdec3a035aaed3b8e5d615291f66dfaa658c

fix: remove no longer required type definition

Jeff McLean

commit sha 8bc3247e0b2c902e42b6dd56173a954345f0c487

Merge pull request #40 from snyk/fix/remove-unrequired-type-defn

fix: remove no longer required type definition

Chris West (Faux)

commit sha af6c7dd1d06c4488585ffa5fa28434e1d99783e4

feat: upgrade dep-graph (dropping weird transitive)

Chris West (Faux)

commit sha dc4996cc832c299141a7c7f37c222e6aaa3287a9

feat: pin typescript version to 3.8

push time in a month

PR opened snyk/snyk-cli-interface

feat: upgrade dep-graph (removing weird transitive)

Pick up a minor release of @snyk/dep-graph, which we have pinned. This version bump brings the removal of source-map-support, which is inappropriate behaviour for a library.

Also ~pin typescript, so the build doesn't randomly break on upgrades. (They don't do semver.)

+2 -2

0 comment

1 changed file

pr created time in a month

create branch snyk/snyk-cli-interface

branch : feat/s-m-s

created branch time in a month

push event snyk/cocoapods-lockfile-parser

Chris West (Faux)

commit sha e318ddf5a7f04fb4a66f568b54d431f4f13d010e

feat: drop unused dependency on source-map-support

push time in a month

PR opened snyk/cocoapods-lockfile-parser

feat: upgrade dep-graph (dropping weird transitive)

What this does

Minor release of @snyk/dep-graph, which we have pinned. It removes dependence on a library it didn't need.

+1 -1

0 comment

1 changed file

pr created time in a month

create branch snyk/cocoapods-lockfile-parser

branch : feat/s-m-s

created branch time in a month

issue closed snyk/event-loop-spinner

`reset` is not a good idea for a global instance

This library exports a Singleton, but that instance has a reset method.. which clearly does not make sense (global state), but more importantly can defeat the whole purpose of the utility:

import { eventLoopSpinner } from 'event-loop-spinner';

async function inner(item) {
  // some processing that is too short to actually trigger a "starve"
  eventLoopSpinner.reset();
}

async function cpuIntensiveOperationHandler(hugeArray) {
  for (const item of hugeArray) {
    // this inner function resets the spinner
    await inner(item);
    // this won't actually spin
    if (eventLoopSpinner.isStarving()) {
      await eventLoopSpinner.spin();
    }
  }
}

Conceptually, no one can ever know when it is "safe" to call reset on a global instance.

closed time in a month

darscan

issue comment snyk/event-loop-spinner

`reset` is not a good idea for a global instance

This was fixed in #4.

darscan

comment created time in a month

delete branch snyk/goof

delete branch : snyk-upgrade-7827cf6e3842a1ace32aaa1ae3a2c274

delete time in a month

delete branch snyk/goof

delete branch : snyk-upgrade-2f88d0ec5844e07cebcfebc039d47225

delete time in a month

issue comment snyk/event-loop-spinner

Missing License file

There's a license stated in the package.json: https://github.com/snyk/event-loop-spinner/blob/585fa507971ae1f66798c3947fd479558ffe9abf/package.json#L36

If we were to carefully think this through, it would probably end up as Apache2 like our other open source projects. Do you care?

mcampbellcisco

comment created time in a month

PR closed snyk/goof

[Snyk-dev] Upgrade moment from 2.15.1 to 2.28.0

Snyk has created this PR to upgrade moment from 2.15.1 to 2.28.0.

Merge advice: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 26 versions ahead of your current version.
  • The recommended version was released 21 days ago, on 2020-09-13.

The recommended version fixes:

  • Medium severity: Regular Expression Denial of Service (ReDoS), npm:moment:20161019; priority score (*) 509/1000 (why? has a fix available, CVSS 5.9); exploit maturity: No Known Exploit
  • Low severity: Regular Expression Denial of Service (ReDoS), npm:moment:20170905; priority score (*) 509/1000 (why? has a fix available, CVSS 5.9); exploit maturity: No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes for package moment (from the moment GitHub release notes, https://snyk.io/redirect/github/moment/moment/releases):

  • 2.28.0 - 2020-09-13
  • 2.27.0 - 2020-06-18
  • 2.26.0 - 2020-05-20
  • 2.25.3 - 2020-05-04
  • 2.25.2 - 2020-05-04
  • 2.25.1 - 2020-05-01
  • 2.25.0 - 2020-05-01
  • 2.24.0 - 2019-01-21
  • 2.23.0 - 2018-12-13
  • 2.22.2 - 2018-06-01
  • 2.22.1 - 2018-04-15
  • 2.22.0 - 2018-03-30
  • 2.21.0 - 2018-03-02
  • 2.20.1 - 2017-12-19
  • 2.20.0 - 2017-12-17
  • 2.19.4 - 2017-12-11
  • 2.19.3 - 2017-11-29
  • 2.19.2 - 2017-11-11
  • 2.19.1 - 2017-10-11
  • 2.19.0 - 2017-10-10
  • 2.18.1 - 2017-03-21
  • 2.18.0 - 2017-03-18
  • 2.17.1 - 2016-12-04
  • 2.17.0 - 2016-11-22
  • 2.16.0 - 2016-11-10
  • 2.15.2 - 2016-10-24
  • 2.15.1 - 2016-09-21

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs


+4 -4

0 comment

2 changed files

snyk-bot

pr closed time in a month

PR closed snyk/goof

[Snyk-dev] Upgrade typeorm from 0.2.24 to 0.2.26

Snyk has created this PR to upgrade typeorm from 0.2.24 to 0.2.26.

Merge advice: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 2 versions ahead of your current version.
  • The recommended version was released 22 days ago, on 2020-09-10.

The recommended version fixes:

  • High severity: Prototype Pollution, SNYK-JS-TYPEORM-590152; priority score (*) 801/1000 (why? mature exploit, has a fix available, CVSS 8.3); exploit maturity: Mature

(*) Note that the real score may have changed since the PR was raised.

Release notes for package typeorm (from the typeorm GitHub release notes, https://snyk.io/redirect/github/typeorm/typeorm/releases):

  • 0.2.26 - 2020-09-10: version bump
  • 0.2.25 - 2020-05-19: version bump
  • 0.2.24 - 2020-02-28: missed few changes from master, released 0.2.24

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs


+18 -26

0 comment

2 changed files

snyk-bot

pr closed time in a month

delete branch FauxFaux/DefinitelyTyped

delete branch : feat/needle-timeout

delete time in a month

pull request comment DefinitelyTyped/DefinitelyTyped

feat: [request] new RequestOptions

Haha, just noticed I got the title comically wrong (request, instead of needle).

FauxFaux

comment created time in a month

pull request comment DefinitelyTyped/DefinitelyTyped

feat: [request] new RequestOptions

Ready to merge

FauxFaux

comment created time in a month

PR opened snyk/nodejs-lockfile-parser

feat: libraries do not register source maps

This forces applications to pick up source-map-support, which is not always wanted, and may be causing them issues.

+2 -4

0 comment

2 changed files

pr created time in a month

create branch snyk/nodejs-lockfile-parser

branch : feat/s-m-s

created branch time in a month

PR opened snyk/dep-graph

feat: libraries do not register source maps

This forces applications to pick up source-map-support, which is not always wanted, and may be causing them issues.

+0 -3

0 comment

2 changed files

pr created time in a month

create branch snyk/dep-graph

branch : feat/s-m-s

created branch time in a month

PR opened tomas/needle

chore: README typo

Hee hee hee! It looks like I'm one of those annoying hacktoberfest people, but I'm not.

I'm copy-pasting the docs into the @types/needle package and noticed this typo (🧙).

+1 -1

0 comment

1 changed file

pr created time in a month

PR opened DefinitelyTyped/DefinitelyTyped

feat: [request] new RequestOptions

Add two missing RequestOptions, response_timeout (which is pretty critical as read_timeout doesn't.. time out your requests, ever, even if the server never replies), which seems to have been missed.

localAddress is new in 2.5.

  • [x] Use a meaningful title for the pull request. Include the name of the package modified.
  • [x] Test the change in your own code. (Compile and run.)
  • [x] Add or edit tests to reflect the change. (Run with npm test YOUR_PACKAGE_NAME.)
  • [x] Follow the advice from the readme.
  • [x] Avoid common mistakes.
  • [x] Run npm run lint package-name (or tsc if no tslint.json is present).

Changing an existing definition:

  • [x] Provide a URL to documentation or source code which provides context for the suggested changes:
  • https://github.com/tomas/needle/blob/cb53f295428adacbf048d348d037b15adf003447/README.md#request-options
  • [x] If this PR brings the type definitions up to date with a new version of the JS library, update the version number in the header.

url modification is new in 2.5: https://github.com/tomas/needle/commit/fb07a5d7208570b9abad401f8a6977079a9ef353

+27 -1

0 comment

2 changed files

pr created time in a month

push event FauxFaux/DefinitelyTyped

Chris West (Faux)

commit sha 078ed72f6808c70d003b914a02fb51863685e06c

feat: [request] new RequestOptions

response_timeout, which is pretty critical as read_timeout doesn't.. read time out, seems to have been missed. localAddress is new.

https://github.com/tomas/needle/blob/cb53f295428adacbf048d348d037b15adf003447/README.md#request-options

push time in a month

create branch FauxFaux/DefinitelyTyped

branch : feat/needle-timeout

created branch time in a month

fork FauxFaux/DefinitelyTyped

The repository for high quality TypeScript type definitions.

fork in a month

push event FauxFaux/needle

Chris West

commit sha 02f494bbe6523a8ad901b1b60c25ef6dbc81c7ab

chore: README typo Hee hee hee! It looks like I'm one of those annoying hacktoberfest people, but I'm not. I'm copy-pasting the docs into the `@types/needle` package and noticed this typo (🧙).

push time in a month

fork FauxFaux/needle

Nimble, streamable HTTP client for Node.js. With proxy, iconv, cookie, deflate & multipart support.

https://www.npmjs.com/package/needle

fork in a month

PR opened auth0/node-auth0

feat: drop object.assign polyfill

Changes

No functional changes, but the removal of a long unnecessary prod dependency.

Object.assign has been present since node 4 (2015). The library even uses Object.assign without the polyfill in some places, so is unlikely to work on node 4, even before this commit.

This library now pulls in es-abstract, which pulls in a ridiculous tree of libraries:

│ ├─┬ object.assign@4.1.1
│ │ ├─┬ define-properties@1.1.3
│ │ │ └── object-keys@1.1.1 deduped
│ │ ├─┬ es-abstract@1.18.0-next.0
│ │ │ ├─┬ es-to-primitive@1.2.1
│ │ │ │ ├── is-callable@1.2.2 deduped
│ │ │ │ ├── is-date-object@1.0.2
│ │ │ │ └─┬ is-symbol@1.0.3
│ │ │ │   └── has-symbols@1.0.1 deduped
│ │ │ ├── function-bind@1.1.1
│ │ │ ├─┬ has@1.0.3
│ │ │ │ └── function-bind@1.1.1 deduped
│ │ │ ├── has-symbols@1.0.1 deduped
│ │ │ ├── is-callable@1.2.2
│ │ │ ├── is-negative-zero@2.0.0
│ │ │ ├─┬ is-regex@1.1.1
│ │ │ │ └── has-symbols@1.0.1 deduped
│ │ │ ├── object-inspect@1.8.0
│ │ │ ├── object-keys@1.1.1 deduped
│ │ │ ├── object.assign@4.1.1 deduped
│ │ │ ├─┬ string.prototype.trimend@1.0.1
│ │ │ │ ├── define-properties@1.1.3 deduped
│ │ │ │ └─┬ es-abstract@1.17.6
│ │ │ │   ├── es-to-primitive@1.2.1 deduped
│ │ │ │   ├── function-bind@1.1.1 deduped
│ │ │ │   ├── has@1.0.3 deduped
│ │ │ │   ├── has-symbols@1.0.1 deduped
│ │ │ │   ├── is-callable@1.2.2 deduped
│ │ │ │   ├── is-regex@1.1.1 deduped
│ │ │ │   ├── object-inspect@1.8.0 deduped
│ │ │ │   ├── object-keys@1.1.1 deduped
│ │ │ │   ├── object.assign@4.1.1 deduped
│ │ │ │   ├── string.prototype.trimend@1.0.1 deduped
│ │ │ │   └── string.prototype.trimstart@1.0.1 deduped
│ │ │ └─┬ string.prototype.trimstart@1.0.1
│ │ │   ├── define-properties@1.1.3 deduped
│ │ │   └─┬ es-abstract@1.17.6
│ │ │     ├── es-to-primitive@1.2.1 deduped
│ │ │     ├── function-bind@1.1.1 deduped
│ │ │     ├── has@1.0.3 deduped
│ │ │     ├── has-symbols@1.0.1 deduped
│ │ │     ├── is-callable@1.2.2 deduped
│ │ │     ├── is-regex@1.1.1 deduped
│ │ │     ├── object-inspect@1.8.0 deduped
│ │ │     ├── object-keys@1.1.1 deduped
│ │ │     ├── object.assign@4.1.1 deduped
│ │ │     ├── string.prototype.trimend@1.0.1 deduped
│ │ │     └── string.prototype.trimstart@1.0.1 deduped

References

https://node.green/#ES2015-built-in-extensions-Object-static-methods-Object-assign

https://github.com/auth0/node-auth0/blob/cfa6903dc506bc2aa8e75a8cb5837299cf7f1fbd/src/errors.js#L52

Testing

No new functionality.

Checklist

+44 -49

0 comment

7 changed files

pr created time in a month

create branch FauxFaux/node-auth0

branch : feat/remove-assign-polyfill

created branch time in a month

fork FauxFaux/node-auth0

Node.js client library for the Auth0 platform.

fork in a month

push event FauxFaux/react-native-segmented-control-tab

snyk-bot

commit sha bc7b0579c2ff152546b5d8294dd3f803b13e9c72

fix: Example/package.json & Example/yarn.lock to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-NODEFETCH-674311

push time in a month

PR opened slackapi/node-slack-sdk

feat: upgrade p-queue (no changes)

Summary

p-queue now provides its own types, and @types/p-queue throws a deprecation warning, so remove it. (I only care about the deprecation warning.)

Requirements (place an x in each [ ])

+1 -2

0 comment

1 changed file

pr created time in a month

create branch FauxFaux/node-slack-sdk

branch : feat/bump-pqueue

created branch time in a month

delete branch snyk/nexus-snyk-security-plugin

delete branch : snyk-upgrade-93073658b876573be55971716c04f2ae

delete time in a month

delete branch snyk/snyk-maven-plugin

delete branch : snyk-fix-1b74568d750a57a4fa332f3d82989bee

delete time in a month

delete branch snyk/snyk-maven-plugin

delete branch : snyk-fix-34988e7f158fe179dca6fea548a0a02d

delete time in a month

delete branch snyk/snyk-maven-plugin

delete branch : snyk-fix-4923b23e6c0debcb8f3486fd8dbdb2fd

delete time in a month

delete branch snyk/snyk-maven-plugin

delete branch : snyk-fix-66d84fa7f17143d99c54d1548fe766fa

delete time in a month

delete branch snyk/snyk-maven-plugin

delete branch : snyk-fix-e13defdba8e8c6a2869b031d8d7775b9

delete time in a month

PR closed snyk/snyk-maven-plugin

[Snyk] Security upgrade jaxen:jaxen from 1.1.1 to 1.1.4

Snyk has created this PR to fix one or more vulnerable packages in the maven dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • src/it/single-module/pom.xml

Vulnerabilities that will be fixed

With an upgrade:
Severity | Issue | Upgrade | Breaking Change | Exploit Maturity
medium severity | Denial of Service (DoS), SNYK-JAVA-XERCES-30183 | jaxen:jaxen: 1.1.1 -> 1.1.4 | No | No Known Exploit
medium severity | Denial of Service (DoS), SNYK-JAVA-XERCES-31497 | jaxen:jaxen: 1.1.1 -> 1.1.4 | No | Proof of Concept
high severity | Denial of Service (DoS), SNYK-JAVA-XERCES-31585 | jaxen:jaxen: 1.1.1 -> 1.1.4 | No | No Known Exploit
medium severity | Denial of Service (DoS), SNYK-JAVA-XERCES-32014 | jaxen:jaxen: 1.1.1 -> 1.1.4 | No | No Known Exploit

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

+1 -1

0 comment

1 changed file

snyk-bot

pr closed time in a month

PR closed snyk/snyk-maven-plugin

[Snyk] Security upgrade jaxen:jaxen from 1.1.1 to 1.1.4

Snyk has created this PR to fix one or more vulnerable packages in the maven dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • src/it/multi-module/pom.xml

Vulnerabilities that will be fixed

With an upgrade:
Severity | Issue | Upgrade | Breaking Change | Exploit Maturity
medium severity | Denial of Service (DoS), SNYK-JAVA-XERCES-30183 | jaxen:jaxen: 1.1.1 -> 1.1.4 | No | No Known Exploit
medium severity | Denial of Service (DoS), SNYK-JAVA-XERCES-31497 | jaxen:jaxen: 1.1.1 -> 1.1.4 | No | Proof of Concept
high severity | Denial of Service (DoS), SNYK-JAVA-XERCES-31585 | jaxen:jaxen: 1.1.1 -> 1.1.4 | No | No Known Exploit
medium severity | Denial of Service (DoS), SNYK-JAVA-XERCES-32014 | jaxen:jaxen: 1.1.1 -> 1.1.4 | No | No Known Exploit

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

+1 -1

0 comment

1 changed file

snyk-bot

pr closed time in a month

PR closed snyk/snyk-maven-plugin

[Snyk] Security upgrade jaxen:jaxen from 1.1.1 to 1.1.4

Snyk has created this PR to fix one or more vulnerable packages in the maven dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • src/it/multi-module/pom.xml

Vulnerabilities that will be fixed

With an upgrade:
Severity | Priority Score (*) | Issue | Upgrade | Breaking Change
medium severity | 800/1000 (Why? Recently disclosed, Has a fix available, Medium severity) | LGPL-3.0 license, snyk:lic:maven:xom:xom:LGPL-3.0 | jaxen:jaxen: 1.1.1 -> 1.1.4 | No

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

+1 -1

0 comment

1 changed file

snyk-bot

pr closed time in a month

PR closed snyk/snyk-maven-plugin

[Snyk] Security upgrade jaxen:jaxen from 1.1.1 to 1.1.4

Snyk has created this PR to fix one or more vulnerable packages in the maven dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • src/it/single-module/pom.xml

Vulnerabilities that will be fixed

With an upgrade:
Severity | Priority Score (*) | Issue | Upgrade | Breaking Change
low severity | 650/1000 (Why? Recently disclosed, Has a fix available, Low severity) | LGPL-3.0 license, snyk:lic:maven:xom:xom:LGPL-3.0 | jaxen:jaxen: 1.1.1 -> 1.1.4 | No

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

+1 -1

0 comment

1 changed file

snyk-bot

pr closed time in a month

PR closed snyk/snyk-maven-plugin

[Snyk] Security upgrade jaxen:jaxen from 1.1.1 to 1.1.6

Snyk has created this PR to fix one or more vulnerable packages in the maven dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • src/it/multi-module/pom.xml

Vulnerabilities that will be fixed

With an upgrade:
Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity
high severity | 579/1000 (Why? Has a fix available, CVSS 7.3) | Arbitrary Class Load, SNYK-JAVA-XALAN-31385 | jaxen:jaxen: 1.1.1 -> 1.1.6 | No | No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

+1 -1

0 comment

1 changed file

snyk-bot

pr closed time in a month

PR closed snyk/nexus-snyk-security-plugin

[Snyk-beemo] Upgrade com.squareup.retrofit2:converter-jackson from 2.8.2 to 2.9.0

Snyk has created this PR to upgrade com.squareup.retrofit2:converter-jackson from 2.8.2 to 2.9.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 1 version ahead of your current version.
  • The recommended version was released 4 months ago, on 2020-05-20.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

+1 -1

0 comment

1 changed file

snyk-bot

pr closed time in a month

delete branch snyk/vulncost

delete branch : snyk-upgrade-a8cfa0a57f3ee40d1de5489b2afdc2be

delete time in a month

PR closed snyk/vulncost

[Snyk-beemo] Upgrade snyk from 1.319.1 to 1.378.0

Snyk has created this PR to upgrade snyk from 1.319.1 to 1.378.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 107 versions ahead of your current version.
  • The recommended version was released 22 days ago, on 2020-08-18.

The recommended version fixes:

Severity | Issue | Priority Score (*) | Exploit Maturity
high severity | Remote Memory Exposure, SNYK-JS-BL-608877 | 456/1000 (Why? Recently disclosed, CVSS 7.7) | No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes (package: snyk):

  • 1.378.0 (2020-08-18): Features: Bumping snyk-docker-plugin to 3.17.0 (4a1e32f)
  • 1.377.2 (2020-08-18): Bug Fixes: move custom API endpoint warning message to stderr (77c66ed)
  • 1.377.1 (2020-08-17): Bug Fixes: build: use node 14 for alpine executable (9d1b740)
  • 1.377.0 (2020-08-17): Features: bump cocoapods plugin to update graph & cli interface deps (4c3a141)
  • 1.376.0 (2020-08-17): Features: Allow environment variables to override config values (16fc432)
  • 1.375.0 (2020-08-17): Features: detect build.gradle.kts projects automatically behind --all-projects flag and scan all root level files with implied --all-sub-projects (57d8d02); if both gradle files detected in the same folder, prefer build.gradle if build.gradle.kts also found (6e806fb)
  • 1.374.0 (2020-08-14): Features: show original severity if overridden by a policy (30a8cd7)
  • 1.373.1 (2020-08-12): Bug Fixes: test: json output with all-projects flag (8258ef0)
  • 1.373.0 (2020-08-11): Features: improve iac test json output (140625c)
  • 1.372.0 (2020-08-10): Features: scan gradle projects behind --all-projects (a2bfc89). Default behaviour for gradle projects detected with --all-projects is the same as doing snyk test --all-sub-projects in the root of the gradle project.
  • Earlier releases listed without notes: 1.371.1 (2020-08-10), 1.371.0 (2020-08-10), 1.370.1 (2020-08-08), 1.370.0 (2020-08-07), 1.369.3 (2020-08-04), 1.369.2 (2020-07-30), 1.369.1 (2020-07-29), 1.369.0 (2020-07-28), 1.368.1 (2020-07-28), 1.368.0 (2020-07-28), 1.367.0 (2020-07-27), 1.366.2 (2020-07-24), 1.366.1 (2020-07-24), 1.366.0 (2020-07-23), 1.365.0 (2020-07-23), 1.364.2 (2020-07-22), 1.364.1 (2020-07-22), 1.364.0 (2020-07-21), 1.363.0 (2020-07-20), 1.362.1 (2020-07-16), 1.362.0 (2020-07-15), 1.361.3 (2020-07-09), 1.361.2 (2020-07-09), 1.361.1 (2020-07-09), 1.361.0 (2020-07-09), 1.360.0 (2020-07-03), 1.359.1 (2020-07-02), 1.359.0 (2020-07-01), 1.358.0 (2020-07-01), 1.357.0 (2020-07-01), 1.356.0 (2020-07-01), 1.355.0 (2020-06-30), 1.354.0 (2020-06-30), 1.353.1 (2020-06-30), 1.353.0 (2020-06-30), 1.352.1 (2020-06-29), 1.352.0 (2020-06-29), 1.351.0 (2020-06-29), 1.350.1 (2020-06-29), 1.350.0 (2020-06-29), 1.349.0 (2020-06-25), 1.348.2 (2020-06-24), 1.348.1 (2020-06-23), 1.348.0 (2020-06-23), 1.347.1 (2020-06-22), 1.347.0 (2020-06-22), 1.346.0 (2020-06-19), 1.345.1 (2020-06-18), 1.345.0 (2020-06-18), 1.344.0 (2020-06-18), 1.343.0 (2020-06-18), 1.342.3 (2020-06-18), 1.342.2 (2020-06-16), 1.342.1 (2020-06-16), 1.342.0 (2020-06-16), 1.341.2 (2020-06-16), 1.341.1 (2020-06-15), 1.341.0 (2020-06-15), 1.340.0 (2020-06-15), 1.339.4 (2020-06-15), 1.339.3 (2020-06-14), 1.339.2 (2020-06-12), 1.339.1 (2020-06-11), 1.339.0 (2020-06-10), 1.338.0 (2020-06-10), 1.337.0 (2020-06-09), 1.336.0 (2020-06-04), 1.335.0 (2020-06-03), 1.334.0 (2020-06-01), 1.333.0 (2020-05-31), 1.332.1 (2020-05-29), 1.332.0 (2020-05-28), 1.331.0 (2020-05-28), 1.330.4 (2020-05-28), 1.330.3 (2020-05-28), 1.330.2 (2020-05-27), 1.330.1 (2020-05-27), 1.330.0 (2020-05-27), 1.329.0 (2020-05-26), 1.328.0 (2020-05-26), 1.327.1 (2020-05-26), 1.327.0 (2020-05-24), 1.326.0 (2020-05-24), 1.325.0 (2020-05-24), 1.324.0 (2020-05-22), 1.323.2 (2020-05-21), 1.323.1 (2020-05-20), 1.323.0 (2020-05-19), 1.322.0 (2020-05-19), 1.321.0 (2020-05-14), 1.320.5 (2020-05-14), 1.320.4 (2020-05-14), 1.320.3 (2020-05-13), 1.320.2 (2020-05-11), 1.320.1 (2020-05-11), 1.320.0 (2020-05-11), 1.319.2 (2020-05-07), 1.319.1 (2020-05-06)

Source: snyk GitHub release notes, https://snyk.io/redirect/github/snyk/snyk/releases

Commit messages (package: snyk):

  • b444f70 Merge pull request #1346 from snyk/feat/bump-sdp-3.17.0
  • 4a1e32f feat: Bumping snyk-docker-plugin to 3.17.0
  • e182d1f Merge pull request #1343 from snyk/feat/bump-sdp-3.17.0
  • 9e97c07 Bumping snyk-docker-plugin to 3.17.0
  • 027d194 Merge pull request #1331 from snykerjames/fix/custom-api-endpoint-warning-output
  • 07c3a69 Merge pull request #1342 from snyk/chore/fix-binary-naming
  • 3c9687f chore(build): don't rely on dynamic names from pkg
  • d32c8ab Merge pull request #1337 from snyk/feat/smoke-test
  • 132afe2 test: run alpine test in docker
  • 9d1b740 fix(build): use node 14 for alpine executable
  • a5c9ec4 Merge pull request #1338 from snyk/feat/bump-plugin-update-deps
  • 90acae1 Merge pull request #1332 from snyk/feat/config-env-value-override
  • 4c3a141 feat: bump cocoapods plugin to update graph & cli interface deps
  • fcc157d Merge pull request #1328 from snyk/feat/enable-kotlin-gradle-all-projects
  • 16fc432 feat: Allow environment variables to override config values
  • 2e8c8cd Merge pull request #1307 from snyk/feat/show-original-severity-cli
  • 30a8cd7 feat: show original severity if overridden by a policy
  • 17552b6 Merge pull request #1333 from snyk/chore/node-12
  • 957c64e chore(build): downgrade binary to Node v12
  • fa3e1d9 chore: remove npmignore
  • c49d942 Merge pull request #1327 from snyk/feat/smoke-test
  • 41e8de2 chore(test): add regression test for valid JSON bodies
  • 7dfc027 test: kotlin monorepo --all-projects
  • 6e806fb feat: prefer build.gradle if kotlin also found

Compare: https://snyk.io/redirect/github/snyk/snyk/compare/de65d600aea5a118be77ea91e752243c15a49012...b444f70a49ce6b6081a32ef3436a16dbf4e51acf

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

+1472 -736

0 comment

2 changed files

snyk-bot

pr closed time in a month

PR closed snyk/vulncost

[Snyk] Upgrade: @babel/parser, @babel/traverse, @babel/types

Snyk has created this PR to upgrade multiple dependencies. 👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name | Versions | Released on
@babel/parser | from 7.8.4 to 7.9.4 (7 versions ahead of your current version) | 25 days ago, on 2020-03-24
@babel/traverse | from 7.8.4 to 7.9.0 (2 versions ahead of your current version) | a month ago, on 2020-03-20
@babel/types | from 7.8.3 to 7.9.0 (3 versions ahead of your current version) | a month ago, on 2020-03-20

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

+88 -40

0 comment

2 changed files

snyk-bot

pr closed time in a month

PR closed snyk/java-goof

[Snyk] Security upgrade org.springframework:spring-web from 3.2.6.RELEASE to 4.3.29.RELEASE

Snyk has created this PR to fix one or more vulnerable packages in the maven dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • pom.xml

Vulnerabilities that will be fixed

With an upgrade:
Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity
high severity | 716/1000 (Why? Recently disclosed, Has a fix available, CVSS 8.6) | Improper Input Validation, SNYK-JAVA-ORGSPRINGFRAMEWORK-1009832 | org.springframework:spring-web: 3.2.6.RELEASE -> 4.3.29.RELEASE | Yes | No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

+1 -1

0 comment

1 changed file

snyk-bot

pr closed time in a month

PR closed snyk/java-goof

[Snyk] Security upgrade org.hibernate:hibernate-validator from 4.3.1.Final to 6.0.19.Final

Snyk has created this PR to fix one or more vulnerable packages in the maven dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • todolist-web-common/pom.xml

Vulnerabilities that will be fixed

With an upgrade:
Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity
medium severity | 479/1000 (Why? Has a fix available, CVSS 5.3) | Improper Input Validation, SNYK-JAVA-ORGHIBERNATE-568162 | org.hibernate:hibernate-validator: 4.3.1.Final -> 6.0.19.Final | Yes | No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

+1 -1

0 comment

1 changed file

snyk-bot

pr closed time in a month

PR closed snyk/java-goof

[Snyk] Fix for 1 vulnerabilities

Snyk has created this PR to fix one or more vulnerable packages in the maven dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • pom.xml

Vulnerabilities that will be fixed

With an upgrade:
Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity
high severity | 619/1000 (Why? Has a fix available, CVSS 8.1) | SQL Injection, SNYK-JAVA-ORGHIBERNATE-584563 | org.hibernate:hibernate-core: 4.3.7.Final -> 5.3.18.Final; org.hibernate:hibernate-entitymanager: 4.3.7.Final -> 5.3.18.Final | Yes | No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

+1 -1

0 comment

1 changed file

snyk-bot

pr closed time in a month

PR closed snyk/java-goof

[Snyk] Security upgrade org.apache.struts:struts2-core from 2.3.20 to 2.5

Snyk has created this PR to fix one or more vulnerable packages in the maven dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • pom.xml

Vulnerabilities that will be fixed

With an upgrade:
Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity
high severity | 726/1000 (Why? Recently disclosed, Has a fix available, CVSS 8.8) | Unrestricted Upload of File with Dangerous Type, SNYK-JAVA-ORGAPACHESTRUTS-609765 | org.apache.struts:struts2-core: 2.3.20 -> 2.5 | No | No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

+1 -1

0 comment

1 changed file

snyk-bot

pr closed time in a month

PR closed snyk/java-goof

[Snyk] Security upgrade org.hibernate:hibernate-validator from 4.3.1.Final to 5.1.0.Final

Snyk has created this PR to fix one or more vulnerable packages in the maven dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • todolist-web-common/pom.xml

Vulnerabilities that will be fixed

With an upgrade:
Severity | Priority Score (*) | Issue | Upgrade | Breaking Change
medium severity | 800/1000 (Why? Recently disclosed, Has a fix available, Medium severity) | LGPL-2.1 license, snyk:lic:maven:org.jboss.logging:jboss-logging:LGPL-2.1 | org.hibernate:hibernate-validator: 4.3.1.Final -> 5.1.0.Final | Yes

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

+1 -1

0 comment

1 changed file

snyk-bot

pr closed time in a month

PR closed snyk/java-goof

[Snyk] Security upgrade org.apache.struts:struts2-core from 2.3.20 to 2.5.22

Snyk has created this PR to fix one or more vulnerable packages in the maven dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • pom.xml

Vulnerabilities that will be fixed

With an upgrade:
Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity
high severity | 883/1000 (Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 9.8) | Remote Code Execution (RCE), SNYK-JAVA-ORGAPACHESTRUTS-608097 | org.apache.struts:struts2-core: 2.3.20 -> 2.5.22 | No | Proof of Concept
high severity | 768/1000 (Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5) | Denial of Service (DoS), SNYK-JAVA-ORGAPACHESTRUTS-608098 | org.apache.struts:struts2-core: 2.3.20 -> 2.5.22 | No | Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

+1 -1

0 comment

1 changed file

snyk-bot

pr closed time in a month

PR closed snyk/java-goof

[Snyk-test] Security upgrade org.hibernate:hibernate-validator from 4.3.1.Final to 6.0.18.Final

Snyk has created this PR to fix one or more vulnerable packages in the maven dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • todolist-web-common/pom.xml

Vulnerabilities that will be fixed

With an upgrade:
Severity | Issue | Upgrade | Breaking Change | Exploit Maturity
medium severity | Cross-site Scripting (XSS), SNYK-JAVA-ORGHIBERNATE-569100 | org.hibernate:hibernate-validator: 4.3.1.Final -> 6.0.18.Final | Yes | No Known Exploit

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

+1 -1

0 comment

1 changed file

snyk-bot

pr closed time in a month

PR closed snyk/java-goof

[Snyk-beemo] Upgrade org.hsqldb:hsqldb from 2.3.2 to 2.5.1

Snyk has created this PR to upgrade org.hsqldb:hsqldb from 2.3.2 to 2.5.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 8 versions ahead of your current version.
  • The recommended version was released 22 days ago, on 2020-06-28.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs


+1 -1

0 comment

1 changed file

snyk-bot

pr closed time in a month
