Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 2 vulnerabilities #37

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

fix: package.json & yarn.lock to reduce vulnerabilities

3022e2e
Select commit
Loading
Failed to load commit list.
Open

[Snyk] Fix for 2 vulnerabilities #37

fix: package.json & yarn.lock to reduce vulnerabilities
3022e2e
Select commit
Loading
Failed to load commit list.
Mend Bolt for GitHub / WhiteSource Security Check failed Dec 7, 2024 in 48s

Security Report

You have successfully remediated 6 vulnerabilities, but introduced 12 new vulnerabilities in this branch.

❌ New vulnerabilities:

CVE Severity CVSS Score Vulnerable Library Suggested Fix Issue
CVE-2021-44906

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

-> migrate-1.6.2.tgz (Root Library)

   -> mkdirp-0.5.1.tgz

     -> ❌ minimist-0.0.8.tgz (Vulnerable Library)

Critical 9.8 minimist-0.0.8.tgz Upgrade to version: minimist - 0.2.4,1.2.6 None
CVE-2023-43646

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

-> botbuilder-4.5.3.tgz (Root Library)

   -> botframework-connector-4.5.3.tgz

     -> nock-10.0.6.tgz

       -> chai-4.2.0.tgz

         -> ❌ get-func-name-2.0.0.tgz (Vulnerable Library)

High 8.6 get-func-name-2.0.0.tgz Upgrade to version: get-func-name - 2.0.1,3.0.0 None
WS-2023-0439

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

-> botbuilder-4.5.3.tgz (Root Library)

   -> botframework-connector-4.5.3.tgz

     -> ms-rest-js-1.2.6.tgz

       -> ❌ axios-0.18.1.tgz (Vulnerable Library)

High 7.5 axios-0.18.1.tgz Upgrade to version: axios - 1.6.3,0.20.0 None
CVE-2023-26159

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

-> botbuilder-4.5.3.tgz (Root Library)

   -> botframework-connector-4.5.3.tgz

     -> ms-rest-js-1.2.6.tgz

       -> axios-0.18.1.tgz

         -> ❌ follow-redirects-1.5.10.tgz (Vulnerable Library)

High 7.3 follow-redirects-1.5.10.tgz Upgrade to version: follow-redirects - 1.15.4 None
CVE-2024-28849

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

-> botbuilder-4.5.3.tgz (Root Library)

   -> botframework-connector-4.5.3.tgz

     -> ms-rest-js-1.2.6.tgz

       -> axios-0.18.1.tgz

         -> ❌ follow-redirects-1.5.10.tgz (Vulnerable Library)

Medium 6.5 follow-redirects-1.5.10.tgz Upgrade to version: follow-redirects - 1.15.6 None
CVE-2023-45857

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

-> botbuilder-4.5.3.tgz (Root Library)

   -> botframework-connector-4.5.3.tgz

     -> ms-rest-js-1.2.6.tgz

       -> ❌ axios-0.18.1.tgz (Vulnerable Library)

Medium 6.5 axios-0.18.1.tgz Upgrade to version: axios - 1.6.0 None
CVE-2022-0155

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

-> botbuilder-4.5.3.tgz (Root Library)

   -> botframework-connector-4.5.3.tgz

     -> ms-rest-js-1.2.6.tgz

       -> axios-0.18.1.tgz

         -> ❌ follow-redirects-1.5.10.tgz (Vulnerable Library)

Medium 6.5 follow-redirects-1.5.10.tgz Upgrade to version: follow-redirects - v1.14.7 None
CVE-2020-7751

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

-> botbuilder-4.5.3.tgz (Root Library)

   -> botframework-connector-4.5.3.tgz

     -> nock-10.0.6.tgz

       -> chai-4.2.0.tgz

         -> ❌ pathval-1.1.0.tgz (Vulnerable Library)

Medium 6.0 pathval-1.1.0.tgz Upgrade to version: pathval - 1.1.1 None
CVE-2020-28168

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

-> botbuilder-4.5.3.tgz (Root Library)

   -> botframework-connector-4.5.3.tgz

     -> ms-rest-js-1.2.6.tgz

       -> ❌ axios-0.18.1.tgz (Vulnerable Library)

Medium 5.9 axios-0.18.1.tgz Upgrade to version: axios - 0.21.1 None
CVE-2020-7598

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

-> migrate-1.6.2.tgz (Root Library)

   -> mkdirp-0.5.1.tgz

     -> ❌ minimist-0.0.8.tgz (Vulnerable Library)

Medium 5.6 minimist-0.0.8.tgz Upgrade to version: minimist - 0.2.1,1.2.3 None
CVE-2023-0842

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

-> botbuilder-4.5.3.tgz (Root Library)

   -> botframework-connector-4.5.3.tgz

     -> ms-rest-js-1.2.6.tgz

       -> ❌ xml2js-0.4.22.tgz (Vulnerable Library)

Medium 5.3 xml2js-0.4.22.tgz Upgrade to version: xml2js - 0.5.0 None
CVE-2022-0536

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

-> botbuilder-4.5.3.tgz (Root Library)

   -> botframework-connector-4.5.3.tgz

     -> ms-rest-js-1.2.6.tgz

       -> axios-0.18.1.tgz

         -> ❌ follow-redirects-1.5.10.tgz (Vulnerable Library)

Low 2.6 follow-redirects-1.5.10.tgz Upgrade to version: follow-redirects - 1.14.8 None

✔️ Remediated vulnerabilities:

CVE Vulnerable Library
CVE-2023-3696 mongoose-5.7.5.tgz
CVE-2021-23438 mpath-0.6.0.tgz
CVE-2020-35149 mquery-3.2.2.tgz
CVE-2019-2391 bson-1.1.1.tgz
CVE-2020-7610 bson-1.1.1.tgz
CVE-2022-2564 mongoose-5.7.5.tgz

Base branch total remaining vulnerabilities: 99
Base branch commit: null


Total libraries scanned: 591

Scan token: d3f15e222edf4a5ca8372150243a389d

View more details on Mend Bolt for GitHub