[Snyk] Security upgrade firebase-admin from 8.9.2 to 11.1.0 #55

Open
wants to merge 1 commit into
base: master
from

fix: package.json & yarn.lock to reduce vulnerabilities

edd7e8d

Mend Bolt for GitHub / WhiteSource Security Check failed Dec 6, 2023 in 6m 26s

Security Report

You have successfully remediated 12 vulnerabilities, but introduced 11 new vulnerabilities in this branch.

❌ New vulnerabilities:

| CVE | Severity | CVSS Score | Vulnerable Library | Suggested Fix | Issue |
| --- | --- | --- | --- | --- | --- |
| CVE-2023-26136 | Critical | 9.8 | tough-cookie-2.5.0.tgz | Upgrade to version: tough-cookie - 4.1.3 | None |
| CVE-2022-2421 | Critical | 9.8 | socket.io-parser-3.4.1.tgz | Upgrade to version: socket.io-parser - 3.3.3,3.4.2,4.0.5,4.2.1;org.webjars.npm:socket.io-parser:4.0.5,4.2.1 | None |
| CVE-2021-44906 | Critical | 9.8 | minimist-1.2.0.tgz | Upgrade to version: minimist - 0.2.4,1.2.6 | None |
| CVE-2023-32695 | High | 7.5 | socket.io-parser-3.4.1.tgz | Upgrade to version: socket.io-parser - 3.4.3,4.2.3 | None |
| CVE-2023-26115 | High | 7.5 | word-wrap-1.2.3.tgz | Upgrade to version: word-wrap - 1.2.4 | None |
| CVE-2022-25883 | High | 7.5 | semver-6.3.0.tgz | Upgrade to version: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2 | None |
| CVE-2022-25883 | High | 7.5 | semver-5.7.1.tgz | Upgrade to version: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2 | None |
| CVE-2022-24999 | High | 7.5 | qs-6.9.4.tgz | Upgrade to version: qs - 6.2.4,6.3.3,6.4.1,6.5.3,6.6.1,6.7.3,6.8.3,6.9.7,6.10.3 | None |
| CVE-2022-24999 | High | 7.5 | qs-6.7.0.tgz | Upgrade to version: qs - 6.2.4,6.3.3,6.4.1,6.5.3,6.6.1,6.7.3,6.8.3,6.9.7,6.10.3 | None |
| CVE-2022-24999 | High | 7.5 | qs-6.5.2.tgz | Upgrade to version: qs - 6.2.4,6.3.3,6.4.1,6.5.3,6.6.1,6.7.3,6.8.3,6.9.7,6.10.3 | None |
| CVE-2020-7598 | Medium | 5.6 | minimist-1.2.0.tgz | Upgrade to version: minimist - 0.2.1,1.2.3 | None |

Dependency details for each new vulnerability:

CVE-2023-26136 (tough-cookie-2.5.0.tgz)
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/email-verifier/package.json
Dependency Hierarchy:
-> request-2.88.2.tgz (Root Library)
   -> ❌ tough-cookie-2.5.0.tgz (Vulnerable Library)

CVE-2022-2421 (socket.io-parser-3.4.1.tgz)
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/logger/package.json,/engages-email-sender/package.json
Dependency Hierarchy:
-> cote-1.0.0.tgz (Root Library)
   -> socket.io-2.3.0.tgz
     -> ❌ socket.io-parser-3.4.1.tgz (Vulnerable Library)

CVE-2021-44906 (minimist-1.2.0.tgz)
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
-> firebase-admin-11.11.1.tgz (Root Library)
   -> firestore-6.8.0.tgz
     -> google-gax-3.6.1.tgz
       -> protobufjs-cli-1.1.1.tgz
         -> ❌ minimist-1.2.0.tgz (Vulnerable Library)

CVE-2023-32695 (socket.io-parser-3.4.1.tgz)
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/logger/package.json,/engages-email-sender/package.json
Dependency Hierarchy:
-> cote-1.0.0.tgz (Root Library)
   -> socket.io-2.3.0.tgz
     -> ❌ socket.io-parser-3.4.1.tgz (Vulnerable Library)

CVE-2023-26115 (word-wrap-1.2.3.tgz)
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
-> firebase-admin-11.11.1.tgz (Root Library)
   -> firestore-6.8.0.tgz
     -> google-gax-3.6.1.tgz
       -> protobufjs-cli-1.1.1.tgz
         -> escodegen-1.14.3.tgz
           -> optionator-0.8.3.tgz
             -> ❌ word-wrap-1.2.3.tgz (Vulnerable Library)

CVE-2022-25883 (semver-6.3.0.tgz)
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
-> pubsub-1.5.0.tgz (Root Library)
   -> google-gax-1.14.2.tgz
     -> ❌ semver-6.3.0.tgz (Vulnerable Library)

CVE-2022-25883 (semver-5.7.1.tgz)
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/logger/package.json,/engages-email-sender/package.json,/email-verifier/package.json
Dependency Hierarchy:
-> mongoose-5.7.10.tgz (Root Library)
   -> mongodb-3.3.3.tgz
     -> require_optional-1.0.1.tgz
       -> ❌ semver-5.7.1.tgz (Vulnerable Library)

CVE-2022-24999 (qs-6.9.4.tgz)
Path to dependency file: /engages-email-sender/package.json
Path to vulnerable library: /engages-email-sender/package.json
Dependency Hierarchy:
-> telnyx-1.7.2.tgz (Root Library)
   -> ❌ qs-6.9.4.tgz (Vulnerable Library)

CVE-2022-24999 (qs-6.7.0.tgz)
Path to dependency file: /logger/package.json
Path to vulnerable library: /logger/package.json,/engages-email-sender/package.json,/package.json,/email-verifier/package.json
Dependency Hierarchy:
-> body-parser-1.19.0.tgz (Root Library)
   -> ❌ qs-6.7.0.tgz (Vulnerable Library)

CVE-2022-24999 (qs-6.5.2.tgz)
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/email-verifier/package.json
Dependency Hierarchy:
-> request-2.88.2.tgz (Root Library)
   -> ❌ qs-6.5.2.tgz (Vulnerable Library)

CVE-2020-7598 (minimist-1.2.0.tgz)
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
-> firebase-admin-11.11.1.tgz (Root Library)
   -> firestore-6.8.0.tgz
     -> google-gax-3.6.1.tgz
       -> protobufjs-cli-1.1.1.tgz
         -> ❌ minimist-1.2.0.tgz (Vulnerable Library)

✔️ Remediated vulnerabilities:

| CVE | Vulnerable Library |
| --- | --- |
| CVE-2020-7720 | node-forge-0.7.4.tgz |
| CVE-2022-24773 | node-forge-0.7.4.tgz |
| CVE-2022-24772 | node-forge-0.7.4.tgz |
| CVE-2023-6460 | firestore-3.5.1.tgz |
| CVE-2021-33502 | normalize-url-3.3.0.tgz |
| CVE-2022-0122 | node-forge-0.7.4.tgz |
| CVE-2022-24771 | node-forge-0.7.4.tgz |
| CVE-2022-23539 | jsonwebtoken-8.1.0.tgz |
| WS-2022-0008 | node-forge-0.7.4.tgz |
| CVE-2020-7765 | util-0.2.41.tgz |
| CVE-2022-23541 | jsonwebtoken-8.1.0.tgz |
| CVE-2022-23540 | jsonwebtoken-8.1.0.tgz |

Base branch total remaining vulnerabilities: 130
Base branch commit: null

Total libraries scanned: 854

Scan token: 76acc7f5cb3d44dfbeebcca4c99c9ee1