[Snyk] Fix for 26 vulnerabilities
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  - backend/package.json
  - backend/package-lock.json
  - backend/.snyk
Vulnerabilities that will be fixed
With an upgrade:
| Priority Score (*) | Why? | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| 619/1000 | Has a fix available, CVSS 8.1 | Prototype Pollution SNYK-JS-AJV-584908 | No | No Known Exploit |
| 696/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.5 | Prototype Pollution SNYK-JS-ASYNC-2441827 | Yes | Proof of Concept |
| 630/1000 | Has a fix available, CVSS 8.1 | Internal Property Tampering SNYK-JS-BSON-561052 | Yes | No Known Exploit |
| 584/1000 | Has a fix available, CVSS 7.4 | Authorization Bypass SNYK-JS-EXPRESSJWT-575022 | Yes | No Known Exploit |
| 584/1000 | Has a fix available, CVSS 7.4 | Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852 | No | No Known Exploit |
| 589/1000 | Has a fix available, CVSS 7.5 | Denial of Service (DoS) SNYK-JS-MONGODB-473855 | Yes | No Known Exploit |
| 601/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.6 | Prototype Pollution SNYK-JS-MONGOOSE-1086688 | Yes | Proof of Concept |
| 671/1000 | Proof of Concept exploit, Has a fix available, CVSS 7 | Prototype Pollution SNYK-JS-MONGOOSE-2961688 | Yes | Proof of Concept |
| 509/1000 | Has a fix available, CVSS 5.9 | Information Exposure SNYK-JS-MONGOOSE-472486 | No | No Known Exploit |
| 661/1000 | Proof of Concept exploit, Has a fix available, CVSS 6.8 | Arbitrary Code Injection SNYK-JS-MORGAN-72579 | No | Proof of Concept |
| 601/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.6 | Prototype Pollution SNYK-JS-MPATH-1577289 | Yes | Proof of Concept |
| 579/1000 | Has a fix available, CVSS 7.3 | Prototype Pollution SNYK-JS-MPATH-72672 | No | No Known Exploit |
| 686/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution SNYK-JS-MQUERY-1050858 | Yes | Proof of Concept |
| 696/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.5 | Prototype Pollution SNYK-JS-MQUERY-1089718 | Yes | Proof of Concept |
| 454/1000 | Has a fix available, CVSS 4.8 | Session Fixation SNYK-JS-PASSPORT-2840631 | No | No Known Exploit |
| 399/1000 | Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) npm:debug:20170905 | No | No Known Exploit |
| 589/1000 | Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) npm:fresh:20170908 | No | No Known Exploit |
| 399/1000 | Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) npm:mime:20170907 | No | No Known Exploit |
| 399/1000 | Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) npm:ms:20170412 | No | No Known Exploit |
| 589/1000 | Has a fix available, CVSS 7.5 | Prototype Override Protection Bypass npm:qs:20170213 | No | No Known Exploit |
(*) Note that the real score may have changed since the PR was raised.
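Eleven of the 26 issues in this PR are Prototype Pollution (ajv, async, mongoose, mpath and mquery above; lodash, extend and hoek in the patch section), and the qs row is the closely related "Prototype Override Protection Bypass". The example below is added here and is not code from Snyk or from any of the listed packages; it reproduces the generic bug shape those advisories share (a recursive merge and a dotted-path setter that walk attacker-controlled keys such as `__proto__`) next to the usual hardening. The function names, the `FORBIDDEN_KEYS` list and the attacker JSON are constructed for the example.

```javascript
// Added example: prototype pollution via a recursive merge and a dotted-path
// setter, with hardened variants. Node.js built-ins only; all names invented.

const isObject = (v) => v !== null && typeof v === 'object';
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Vulnerable: walks every key of attacker-controlled input, including
// "__proto__", so the recursion descends into Object.prototype itself.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key])) {
      if (!isObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: refuse the keys that can reach a prototype, and only descend into
// properties the target itself owns (never an inherited object).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isObject(source[key])) {
      if (!hasOwn(target, key) || !isObject(target[key])) target[key] = {};
      mergeSafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Dotted-path setter of the kind used for document updates ("a.b.c" = v).
// Unsafe mode accepts "__proto__.isAdmin"; safe mode rejects any reserved
// segment before touching the object.
function setPath(obj, path, value, { safe }) {
  const parts = path.split('.');
  if (safe && parts.some((p) => FORBIDDEN_KEYS.has(p))) {
    throw new Error(`refusing to set path with reserved segment: ${path}`);
  }
  let cur = obj;
  for (const p of parts.slice(0, -1)) {
    if (!isObject(cur[p])) cur[p] = {};
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Constructed attacker input (e.g. a JSON request body). JSON.parse creates an
// *own* "__proto__" data property, which Object.keys() does list.
const ATTACKER_JSON = '{"name":"x","__proto__":{"isAdmin":true}}';

// Runs one merge and reports whether a fresh, unrelated object became "admin".
// Undoes the pollution afterwards so the rest of the process stays usable.
function pollutionAfter(mergeFn) {
  const merged = mergeFn({}, JSON.parse(ATTACKER_JSON));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { polluted, mergedName: merged.name };
}

function pathPollution(safe) {
  try {
    setPath({}, '__proto__.isAdmin', true, { safe });
    const polluted = ({}).isAdmin === true;
    delete Object.prototype.isAdmin;
    return { polluted, rejected: false };
  } catch (e) {
    return { polluted: ({}).isAdmin === true, rejected: true };
  }
}

console.log('mergeUnsafe:   ', pollutionAfter(mergeUnsafe)); // polluted: true
console.log('mergeSafe:     ', pollutionAfter(mergeSafe));   // polluted: false
console.log('setPath unsafe:', pathPollution(false));        // polluted: true
console.log('setPath safe:  ', pathPollution(true));         // rejected: true
```

The `constructor` and `prototype` entries in `FORBIDDEN_KEYS` close the `constructor.prototype` route, which matters for merges that treat function-valued targets as mergeable objects; the `isObject` check here happens to stop that route, but denying the keys outright does not depend on that detail. Building targets with `Object.create(null)`, or freezing `Object.prototype` at startup, are the two other common mitigations.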
Commit messages
Package name: body-parser
The new version differs by 92 commits.
- b2659a7 1.18.2
- 6339bf7 perf: remove argument reassignment
- d5f9a4a deps: [email protected]
- d041563 1.18.1
- 9efa9ab deps: content-type@~1.0.4
- f1ef6cc deps: [email protected]
- e438db5 deps: [email protected]
- 15c3585 deps: [email protected]
- adfa01c 1.18.0
- 0632e2f Include the "type" property on all generated errors
- b8f97cd Include the "body" property on verify errors
- c659e8a tests: add test for err.body on json parse error
- 4e15325 tests: reorganize json error tests
- 5bd7ed5 tests: reorganize json strict option tests
- 3cb380b tests: store server on mocha context instead of variable shadowing
- 29c8cd0 docs: document too many parameters error
- 7b9cb14 Use http-errors to set status code on errors
- 29a27f1 docs: fix typo in jsdoc comment
- 448dc57 Fix JSON strict violation error to match native parse error
- 87df7e6 tests: add leading whitespace strict json test
- 1841248 deps: [email protected]
- e666dbe deps: http-errors@~1.6.2
- c2a110a deps: [email protected]
- a1a2e31 build: [email protected]
Package name: debug
The new version differs by 154 commits.
- 13abeae Release 2.6.9
- f53962e remove ReDoS regexp in %o formatter (#504)
- 52e1f21 Release 2.6.8
- 2482e08 Check for undefined on browser globals (#462)
- 6bb07f7 release 2.6.7
- 15850cb Fix Regular Expression Denial of Service (ReDoS)
- 4a6c85c update "debug" to v1.0.0 (#454)
- b68dbf8 Fix typo (#455)
- 1351d2f Inline extend function in node implementation (#452)
- c211947 update version for component
- 14df14c release 2.6.5
- cae07b7 cleanup browser tests and fix null reference check on window.documentElement.style.WebkitAppearance (#447)
- f311b10 release 2.6.4
- 1f01b70 Fix bug that would occur if process.env.DEBUG is a non-string value. (#444)
- 2f3ebf4 Update CHANGELOG.md
- f5ae332 Update CHANGELOG.md
- 9742c5f chore(): ignore bower.json in npm installations. (#437)
- 27d93a3 update "debug" to v0.7.3
- 9dc30f8 release 2.6.3
- 0fb8ea4 LocalStorage returns undefined for any key not present (#431)
- ce4d93e changelog fix
- 017a9d6 release 2.6.2
- 23bc780 fix DEBUG_MAX_ARRAY_LENGTH
- 065cbfb Add backers and sponsors from Open Collective (#422)
Package name: express
The new version differs by 151 commits.
- f974d22 4.16.0
- 8d4ceb6 docs: add more information to installation
- c0136d8 Add express.json and express.urlencoded to parse bodies
- 86f5df0 deps: [email protected]
- 4196458 deps: [email protected]
- ddeb713 tests: add maxAge option tests for res.sendFile
- 7154014 Add "escape json" setting for res.json and res.jsonp
- 628438d deps: update example dependencies
- a24fd0c Add options to res.download
- 95fb5cc perf: remove dead .charset set in res.jsonp
- 44591fe deps: vary@~1.1.2
- 2df1ad2 Improve error messages when non-function provided as middleware
- 12c3712 Use safe-buffer for improved Buffer API
- fa272ed docs: fix typo in jsdoc comment
- d9d09b8 perf: re-use options object when generating ETags
- 02a9d5f deps: proxy-addr@~2.0.2
- c2f4fb5 deps: [email protected]
- 673d51f deps: [email protected]
- 5cc761c deps: parseurl@~1.3.2
- ad7d96d deps: [email protected]
- e62bb8b deps: etag@~1.8.1
- 70589c3 deps: content-type@~1.0.4
- 9a99c15 deps: accepts@~1.3.4
- 550043c deps: [email protected]
Package name: express-jwt
The new version differs by 13 commits.
- 678f3b0 6.0.0
- 7ecab5f Merge pull request from GHSA-6g6m-m6h5-w9gf
- 304a1c5 Made algorithms mandatory
- e9ed6d2 5.3.3
- 8662579 Make clearer sections in the Readme
- d3e86bf Update README.md
- c5d8419 Add a note about OAuth2 bearer tokens
- 888f0e9 Update Readme and use a consistent JS style for code examples
- 6591014 5.3.2
- f4f4d1d fix license field
- 1789282 fix dependencies vulnerabilities and test against 8, 10 and 12 from now on
- 5766a24 Merge pull request #186 from auth0/jwt_update
- 11f3ac4 Update jsonwebtoken dependency to 8.1.0
Package name: mongoose
The new version differs by 250 commits.
- ca7996b chore: release 5.13.15
- e75732a Merge pull request #12307 from Automattic/vkarpov15/fix-5x-build
- a1144dc test: run node 7 tests with upgraded npm re: #12297
- dfc4ad7 test: try upgrading npm for node v4 tests re: #12297
- b9e985c test: more strict @types/node version
- 4d813fa test: fix @types/node version in tests re: #12297
- 99b4189 Merge pull request #12297 from shubanker/issue/prototype-pollution-5.x-patch
- 5eb11dd made function non async
- 6a19731 fix(schema): disallow setting __proto__ when creating schema with dotted properties
- a2ec28d Merge pull request #11366 from laissonsilveira/5.x
- 05ce577 Fix broken link from findandmodify method deprecation
- d2b846f chore: release 5.13.14
- 69c1f6c docs(models): fix up nModified example for 5.x
- 4cfc4d6 fix(timestamps): avoid setting `createdAt` on documents that already exist but dont have createdAt
- a738440 chore: release 5.13.13
- 4d12a62 Merge pull request #10942 from jneal-afs/fix-query-set-ts-type
- c3463c4 Merge pull request #10916 from iovanom/gh-10902-v5
- ff5ddb5 fix: hardcode base 10 for nodeMajorVersion parseInt() call
- d205c4d make value optional
- c6fd7f7 Fix ts types for query set
- 22e9b3b [gh-10902 v5] Add node major version to utils
- 5468642 [gh-10902 v5] Emit end event in before close
- 271bc60 Merge pull request #10910 from lorand-horvath/patch-2
- b7ebeec Update mongodb driver to 3.7.3
Package name: morgan
The new version differs by 91 commits.
- 572dd93 1.9.1
- e02de38 lint: apply standard 12 style
- e329663 Fix using special characters in format
- eb1968a tests: use strict equality checks
- 310b206 build: use yaml eslint configuration
- 5810937 build: [email protected]
- f60afd5 build: [email protected]
- 5295b0c build: [email protected]
- 178daaf build: [email protected]
- 7b08641 build: [email protected]
- 73cb666 build: [email protected]
- edc95aa build: [email protected]
- ace86c3 build: [email protected]
- 4dd1180 lint: apply standard 11 style
- 60c31e8 build: [email protected]
- 05e382f build: [email protected]
- 1a5be20 build: [email protected]
- cf9565f docs: remove gratipay badge
- b66251d build: [email protected]
- 0113732 build: [email protected]
- 47659a9 deps: depd@~1.1.2
- 695f659 build: support Node.js 9.x
- f4c51e9 build: [email protected]
- 4f15f36 build: [email protected]
Package name: passport
The new version differs by 126 commits.
- c33067b 0.6.0
- 3052bb4 Update changelog.
- 42630cb Merge pull request #900 from jaredhanson/fix-fixation
- 8dd79fe Use utils-merge rather than Object.assign for compatibility.
- 4f6bd5b Change keepSessionData to keepSessionData.
- 46756e5 Silence verbose logging.
- 987b191 Add tests.
- f8a175f Add tests.
- 29a90d6 No need to guard callback existence.
- bfba8a1 Add tests.
- 17111d7 Add option to keep session data on logout.
- a349c2b Add option to keep session data.
- e69834e Add optional options to login and logout.
- 8825a9a Add tests.
- c1991cf Add tests.
- 294f22c Better session detection and exceptions.
- 80cc4e3 Add tests.
- 3001654 Add tests.
- b395106 Clean up tests.
- cfa8259 Add tests.
- ee0bf81 Add tests.
- cc7606c Add tests.
- 71c54f6 Add test.
- 88c1f1b Handle logout without session manager.
Package name: request
The new version differs by 41 commits.
- 6420240 2.88.0
- bd22e21 fix: massive dependency upgrade, fixes all production vulnerabilities
- 925849a Merge pull request #2996 from kwonoj/fix-uuid
- 7b68551 fix(uuid): import versioned uuid
- 5797963 Merge pull request #2994 from dlecocq/oauth-sign-0.9.0
- 628ff5e Update to oauth-sign 0.9.0
- 10987ef Merge pull request #2993 from simov/fix-header-tests
- cd848af These are not going to fail if there is a server listening on those ports
- a92e138 #515, #2894 Strip port suffix from Host header if the protocol is known. (#2904)
- 45ffc4b Improve AWS SigV4 support. (#2791)
- a121270 Merge pull request #2977 from simov/update-cert
- bd16414 Update test certificates
- 536f0e7 2.87.1
- 02fc5b1 Update changelog
- de1ed5a 2.87.0
- a6741d4 Replace hawk dependency with a local implementation (#2943)
- a7f0a36 2.86.1
- 8f2fd4d Update changelog
- 386c7d8 2.86.0
- 76a6e5b Merge pull request #2885 from ChALkeR/patch-1
- db76838 Merge branch 'patch-1' of github.com:ChALkeR/request
- fb7aeb3 Merge pull request #2942 from simov/fix-tests
- e47ce95 Add Node v10 build target explicitly
- 0c5db42 Skip status code 105 on Node > v10
Package name: serve-favicon
The new version differs by 50 commits.
- 68b34f5 2.4.5
- 930b0a0 deps: [email protected]
- 8105b88 deps: etag@~1.8.1
- c050d26 2.4.4
- d36c44e deps: [email protected]
- c33f25e deps: parseurl@~1.3.2
- 878c248 tests: use mocha context for server
- e24fa4b deps: [email protected]
- 998dcb5 build: [email protected]
- a5cff5d build: [email protected]
- c2e05e8 build: support Node.js 8.x
- 52cb604 build: [email protected]
- 44c4c6e build: [email protected]
- 9293f89 2.4.3
- 53a3778 deps: [email protected]
- b5b9412 build: [email protected]
- df97c51 build: [email protected]
- dcf75b3 build: [email protected]
- 11108e1 Use safe-buffer for improved Buffer API
- 08135aa tests: use temp-path for paths
- ca3ce4e build: [email protected]
- b450452 2.4.2
- 0b0bf0a build: [email protected]
- 4e083b7 build: [email protected]
With a Snyk patch:
| Priority Score (*) | Why? | Issue | Exploit Maturity |
|---|---|---|---|
| 731/1000 | Proof of Concept exploit, Has a fix available, CVSS 8.2 | Prototype Pollution SNYK-JS-LODASH-567746 | Proof of Concept |
| 579/1000 | Has a fix available, CVSS 7.3 | Prototype Pollution npm:extend:20180424 | No Known Exploit |
| 636/1000 | Proof of Concept exploit, Has a fix available, CVSS 6.3 | Prototype Pollution npm:hoek:20180212 | Proof of Concept |
| 399/1000 | Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) npm:moment:20170905 | No Known Exploit |
| 646/1000 | Mature exploit, Has a fix available, CVSS 5.2 | Uninitialized Memory Exposure npm:stringstream:20180511 | Mature |
| 479/1000 | Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024 | No Known Exploit |
(*) Note that the real score may have changed since the PR was raised.
Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
- 🧐 View latest project report
- 📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
- 🦉 Regular Expression Denial of Service (ReDoS)
- 🦉 Prototype Pollution
- 🦉 More lessons are available in Snyk Learn