[Snyk] Fix for 4 vulnerabilities #54

Open
wants to merge 1 commit into base: master

Commit 24b24ed: fix: package.json & yarn.lock to reduce vulnerabilities
Mend Bolt for GitHub / WhiteSource Security Check failed Nov 28, 2023 in 6m 45s

Security Report

You have successfully remediated 15 vulnerabilities, but introduced 9 new vulnerabilities in this branch.

❌ New vulnerabilities:

CVE | Severity | CVSS Score | Vulnerable Library | Suggested Fix | Issue

CVE-2023-36665 | Critical | 9.8 | protobufjs-6.11.3.tgz | Upgrade to version: protobufjs - 6.11.4, 7.2.4 | None
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency hierarchy: firebase-admin-10.3.0.tgz (root library) -> firestore-4.15.1.tgz -> google-gax-2.30.5.tgz -> ❌ protobufjs-6.11.3.tgz (vulnerable library)

CVE-2023-26136 | Critical | 9.8 | tough-cookie-2.5.0.tgz | Upgrade to version: tough-cookie - 4.1.3 | None
  Path to dependency file: /email-verifier/package.json
  Path to vulnerable library: /email-verifier/package.json, /package.json
  Dependency hierarchy: request-2.88.2.tgz (root library) -> ❌ tough-cookie-2.5.0.tgz (vulnerable library)

CVE-2022-2421 | Critical | 9.8 | socket.io-parser-3.4.1.tgz | Upgrade to version: socket.io-parser - 3.3.3, 3.4.2, 4.0.5, 4.2.1; org.webjars.npm:socket.io-parser:4.0.5, 4.2.1 | None
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json, /logger/package.json, /engages-email-sender/package.json
  Dependency hierarchy: cote-1.0.0.tgz (root library) -> socket.io-2.3.0.tgz -> ❌ socket.io-parser-3.4.1.tgz (vulnerable library)

CVE-2023-32695 | High | 7.5 | socket.io-parser-3.4.1.tgz | Upgrade to version: socket.io-parser - 3.4.3, 4.2.3 | None
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json, /logger/package.json, /engages-email-sender/package.json
  Dependency hierarchy: cote-1.0.0.tgz (root library) -> socket.io-2.3.0.tgz -> ❌ socket.io-parser-3.4.1.tgz (vulnerable library)

CVE-2022-25883 | High | 7.5 | semver-6.3.0.tgz | Upgrade to version: semver - 5.7.2, 6.3.1, 7.5.2; org.webjars.npm:semver:7.5.2 | None
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency hierarchy: pubsub-1.5.0.tgz (root library) -> google-gax-1.14.2.tgz -> ❌ semver-6.3.0.tgz (vulnerable library)

CVE-2022-25883 | High | 7.5 | semver-5.7.1.tgz | Upgrade to version: semver - 5.7.2, 6.3.1, 7.5.2; org.webjars.npm:semver:7.5.2 | None
  Path to dependency file: /logger/package.json
  Path to vulnerable library: /logger/package.json, /email-verifier/package.json, /package.json, /engages-email-sender/package.json
  Dependency hierarchy: mongoose-5.7.10.tgz (root library) -> mongodb-3.3.3.tgz -> require_optional-1.0.1.tgz -> ❌ semver-5.7.1.tgz (vulnerable library)

CVE-2022-24999 | High | 7.5 | qs-6.9.4.tgz | Upgrade to version: qs - 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3 | None
  Path to dependency file: /engages-email-sender/package.json
  Path to vulnerable library: /engages-email-sender/package.json
  Dependency hierarchy: telnyx-1.7.2.tgz (root library) -> ❌ qs-6.9.4.tgz (vulnerable library)

CVE-2022-24999 | High | 7.5 | qs-6.7.0.tgz | Upgrade to version: qs - 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3 | None
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json, /engages-email-sender/package.json, /email-verifier/package.json, /logger/package.json
  Dependency hierarchy: body-parser-1.19.0.tgz (root library) -> ❌ qs-6.7.0.tgz (vulnerable library)

CVE-2022-24999 | High | 7.5 | qs-6.5.2.tgz | Upgrade to version: qs - 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3 | None
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json, /email-verifier/package.json
  Dependency hierarchy: request-2.88.2.tgz (root library) -> ❌ qs-6.5.2.tgz (vulnerable library)

✔️ Remediated vulnerabilities:

CVE | Vulnerable Library
CVE-2020-7720 | node-forge-0.7.4.tgz
CVE-2022-24773 | node-forge-0.7.4.tgz
CVE-2022-24772 | node-forge-0.7.4.tgz
CVE-2021-23369 | handlebars-4.7.3.tgz
CVE-2021-33502 | normalize-url-3.3.0.tgz
CVE-2022-0122 | node-forge-0.7.4.tgz
CVE-2021-44906 | minimist-0.0.10.tgz
CVE-2022-24771 | node-forge-0.7.4.tgz
CVE-2022-23539 | jsonwebtoken-8.1.0.tgz
WS-2022-0008 | node-forge-0.7.4.tgz
CVE-2020-7598 | minimist-0.0.10.tgz
CVE-2020-7765 | util-0.2.41.tgz
CVE-2021-23383 | handlebars-4.7.3.tgz
CVE-2022-23541 | jsonwebtoken-8.1.0.tgz
CVE-2022-23540 | jsonwebtoken-8.1.0.tgz

Base branch total remaining vulnerabilities: 128
Base branch commit: null

Total libraries scanned: 807

Scan token: a530500a4885484cbe56077b8cdacb3e