[Snyk] Security upgrade node-pre-gyp from 0.6.39 to 0.17.0 by takeratta · Pull Request #4 · takeratta/nodegit

takeratta · Feb 3, 2024

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	No	No Known Exploit
584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	No	No Known Exploit
631/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.2	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	No	Proof of Concept
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	No	Proof of Concept
624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	No	No Known Exploit
624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	No	No Known Exploit
410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	No	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	No	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	No	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	No	No Known Exploit
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	No	Proof of Concept
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: node-pre-gyp

The new version differs by 136 commits.

de39503 bump to v0.17.0
39eb005 update deps
dda7bdb skip less
834bbe0 latest releases
9611242 alt solution to Transfer callback stats are being converted wrong nodegit/nodegit#432 in order to fix windows/appveyor builds
3d3b4ee remove broken or partially broken badges
99b6f50 attempt to fix webkit tests per https://benlimmer.com/2019/01/14/travis-ci-xvfb/
6ff06c8 travis-ci.com link
27e150d latest node versions
a78e473 remove tests related to python that shift depending on the node-gyp version
ac2a149 Merge pull request Issues on scientific linux 6.6 nodegit/nodegit#521 from murgatroid99/version_0.16_update
8e7c199 Merge pull request Lots of complaints of missing build/Debug/nodegit nodegit/nodegit#520 from murgatroid99/abi_crosswalk_update_15
00c594c Bump to 0.16.0 and update changelog
e8e0908 Update ABI crosswalk with new Node versions including 15.x
6ca1a1c Bumping to 0.15.0
d5dfc55 Merge pull request Fix gitter badge for npm nodegit/nodegit#492 from mjziolko/mkdirp-vuln-fix
c3ed2ff Merge branch 'master' into mkdirp-vuln-fix
73d6c8a Merge pull request Improve coverage nodegit/nodegit#502 from clehene/patch-1
e0579c5 Update to the latest version of Needle (2.5.0)
3a3a0ed Merge pull request Bug with oid implicit cast inside C++ nodegit/nodegit#501 from murgatroid99/abi_crosswalk_update_14
b8fe01f Update abi_crosswalk with new runtime versions
2c6a519 update crosswalk
e8891b5 tUpdate mkdirp to 0.5.3 which removes the vulnerable dep on minimist: https://npmjs.com/advisories/1179
ef634f9 Merge pull request Remove unneeded connect call from push example nodegit/nodegit#483 from murgatroid99/abi_crosswalk_update_13

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Security upgrade node-pre-gyp from 0.6.39 to 0.17.0#4

[Snyk] Security upgrade node-pre-gyp from 0.6.39 to 0.17.0#4
takeratta wants to merge 1 commit intomastertakeratta/nodegit:masterfrom
snyk-fix-8cbb40b6de050c924d4633a8e4bdaa36takeratta/nodegit:snyk-fix-8cbb40b6de050c924d4633a8e4bdaa36Copy head branch name to clipboard

takeratta commented Feb 3, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Search code, repositories, users, issues, pull requests...

Conversation

takeratta commented Feb 3, 2024

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants