[Snyk] Security upgrade socket.io from 2.5.0 to 3.0.5 #68

Open. Wants to merge 47 commits into base: master.

fix: package.json to reduce vulnerabilities

4250b97
Mend Bolt for GitHub / WhiteSource Security Check failed Dec 6, 2023 in 3m 13s

Security Report

15 new vulnerabilities were introduced in this branch.

❌ New vulnerabilities:

| CVE | Severity | CVSS Score | Vulnerable Library | Suggested Fix | Issue |
|---|---|---|---|---|---|
| CVE-2023-26136 | Critical | 9.8 | tough-cookie-2.5.0.tgz | Upgrade to version: tough-cookie - 4.1.3 | None |
| CVE-2023-26136 | Critical | 9.8 | tough-cookie-2.4.3.tgz | Upgrade to version: tough-cookie - 4.1.3 | None |
| CVE-2023-26136 | Critical | 9.8 | tough-cookie-2.3.4.tgz | Upgrade to version: tough-cookie - 4.1.3 | None |
| CVE-2022-2564 | Critical | 9.8 | mongoose-5.11.7.tgz | Upgrade to version: mongoose - 6.4.6 | None |
| CVE-2021-23438 | Critical | 9.8 | mpath-0.8.1.tgz | Upgrade to version: mpath - 0.8.4 | None |
| CVE-2023-32695 | High | 7.5 | socket.io-parser-4.0.5.tgz | Upgrade to version: socket.io-parser - 3.4.3, 4.2.3 | None |
| CVE-2022-31129 | High | 7.5 | moment-2.29.1.tgz | Upgrade to version: moment - 2.29.4 | None |
| CVE-2022-24785 | High | 7.5 | moment-2.29.1.tgz | Upgrade to version: moment - 2.29.2 | None |
| CVE-2022-21676 | High | 7.5 | engine.io-4.0.6.tgz | Upgrade to version: engine.io - 4.1.2; 5.2.1; 6.1.1 | None |
| CVE-2021-32050 | High | 7.5 | mongodb-3.6.3.tgz | Upgrade to version: mongodb - 3.6.10, 4.17.0, 5.8.0 | None |
| CVE-2022-41940 | Medium | 6.5 | engine.io-4.0.6.tgz | Upgrade to version: engine.io - 3.6.1, 6.2.1 | None |
| CVE-2020-11023 | Medium | 6.1 | jquery-1.12.4.tgz | Upgrade to version: jquery - 3.5.0; jquery-rails - 4.4.0 | None |
| CVE-2020-11022 | Medium | 6.1 | jquery-1.12.4.tgz | Upgrade to version: jQuery - 3.5.0 | None |
| CVE-2019-11358 | Medium | 6.1 | jquery-1.12.4.tgz | Upgrade to version: jquery - 3.4.0 | None |
| CVE-2015-9251 | Medium | 6.1 | jquery-1.12.4.tgz | Upgrade to version: jQuery - 3.0.0 | None |

Dependency details for each finding (path to dependency file; path to vulnerable library; dependency hierarchy, with ❌ marking the vulnerable library):

- CVE-2023-26136 / tough-cookie-2.5.0.tgz: /package.json; /node_modules/tough-cookie/package.json; email-templates-2.4.1.tgz (Root Library) -> juice-2.0.0.tgz -> cheerio-0.20.0.tgz -> jsdom-7.2.2.tgz -> ❌ tough-cookie-2.5.0.tgz
- CVE-2023-26136 / tough-cookie-2.4.3.tgz: /package.json; /node_modules/request/node_modules/tough-cookie/package.json; request-2.88.0.tgz (Root Library) -> ❌ tough-cookie-2.4.3.tgz
- CVE-2023-26136 / tough-cookie-2.3.4.tgz: /package.json; /node_modules/node-gcm/node_modules/tough-cookie/package.json; node-gcm-1.0.0.tgz (Root Library) -> request-2.85.0.tgz -> ❌ tough-cookie-2.3.4.tgz
- CVE-2022-2564 / mongoose-5.11.7.tgz: /package.json; /node_modules/mongoose/package.json; ❌ mongoose-5.11.7.tgz
- CVE-2021-23438 / mpath-0.8.1.tgz: /package.json; /node_modules/mpath/package.json; mongoose-5.11.7.tgz (Root Library) -> ❌ mpath-0.8.1.tgz
- CVE-2023-32695 / socket.io-parser-4.0.5.tgz: /package.json; /node_modules/socket.io-parser/package.json; socket.io-3.0.5.tgz (Root Library) -> ❌ socket.io-parser-4.0.5.tgz
- CVE-2022-31129 / moment-2.29.1.tgz: /package.json; /node_modules/moment/package.json; ❌ moment-2.29.1.tgz
- CVE-2022-24785 / moment-2.29.1.tgz: /package.json; /node_modules/moment/package.json; ❌ moment-2.29.1.tgz
- CVE-2022-21676 / engine.io-4.0.6.tgz: /package.json; /node_modules/engine.io/package.json; socket.io-3.0.5.tgz (Root Library) -> ❌ engine.io-4.0.6.tgz
- CVE-2021-32050 / mongodb-3.6.3.tgz: /package.json; /node_modules/mongoose/node_modules/mongodb/package.json; mongoose-5.11.7.tgz (Root Library) -> ❌ mongodb-3.6.3.tgz
- CVE-2022-41940 / engine.io-4.0.6.tgz: /package.json; /node_modules/engine.io/package.json; socket.io-3.0.5.tgz (Root Library) -> ❌ engine.io-4.0.6.tgz
- CVE-2020-11023 / jquery-1.12.4.tgz: /public/js-plugin/bootstrap-select/package.json; /public/js-plugin/bootstrap-select/node_modules/jquery/package.json; ❌ jquery-1.12.4.tgz
- CVE-2020-11022 / jquery-1.12.4.tgz: /public/js-plugin/bootstrap-select/package.json; /public/js-plugin/bootstrap-select/node_modules/jquery/package.json; ❌ jquery-1.12.4.tgz
- CVE-2019-11358 / jquery-1.12.4.tgz: /public/js-plugin/bootstrap-select/package.json; /public/js-plugin/bootstrap-select/node_modules/jquery/package.json; ❌ jquery-1.12.4.tgz
- CVE-2015-9251 / jquery-1.12.4.tgz: /public/js-plugin/bootstrap-select/package.json; /public/js-plugin/bootstrap-select/node_modules/jquery/package.json; ❌ jquery-1.12.4.tgz

Base branch total remaining vulnerabilities: 74
Base branch commit: 0d78dbf70eb12573bf33b16a0619d9b9faf6b61e

Total libraries scanned: 554

Scan token: 8fe1597fc9d24dedaf41c02d32b5b14a