[Snyk] Security upgrade npm from 5.6.0 to 7.21.0 #87

Omrisnyk · 2024-05-22T11:07:11Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- openshift/message-board/message-board-web/package.json
- openshift/message-board/message-board-web/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity	Reachability
159/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00348, Social Trends: No, Days since published: 982, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.65, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept	No Path Found
140/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00183, Social Trends: No, Days since published: 1575, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.48, Score Version: V5	Prototype Pollution SNYK-JS-DOTPROP-543489	No	Proof of Concept	No Path Found
63/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00324, Social Trends: No, Days since published: 1155, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.65, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355	No	Proof of Concept	No Path Found
151/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01218, Social Trends: No, Days since published: 1258, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.67, Score Version: V5	Prototype Pollution SNYK-JS-INI-1048974	No	Proof of Concept	No Path Found
45/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00146, Social Trends: No, Days since published: 582, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.89, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	No	No Known Exploit	No Path Found
58/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01248, Social Trends: No, Days since published: 792, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Low, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.45, Score Version: V5	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept	No Path Found
137/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00105, Social Trends: No, Days since published: 1533, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.42, Score Version: V5	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept	No Path Found
169/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00091, Social Trends: No, Days since published: 336, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.81, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	No	Proof of Concept	No Path Found
192/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.30429, Social Trends: No, Days since published: 1288, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 3.4, Score Version: V5	Prototype Pollution SNYK-JS-Y18N-1021887	No	Proof of Concept	No Path Found
149/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00311, Social Trends: No, Days since published: 2219, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.65, Score Version: V5	Prototype Pollution npm:deep-extend:20180409	No	Proof of Concept	No Path Found

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: npm

7.21.0 - 2021-08-19
v7.21.0 (2021-08-19)

FEATURES
- ff34d6cd6 #3592 feat(cache): initial implementation of ls and rm (@ fritzy)
BUG FIXES
- 32e88c943 #3640 fix(did-you-mean): switch levenshtein libraries (@ wraithgar)
- 487731cd5 #3658 fix(logging): sanitize logged argv (@ wraithgar)
- 68a19bb02 #3661 fix(error-message): look for er.path not er.file (@ wraithgar)
DEPENDENCIES
- df57f0d53 @ npmcli/[email protected]
- 8183976cf [email protected]:
  - fix: account for "licence" as spelling variant
- f07772401 [email protected]
- 991a3bd39 [email protected]
- e9e5ee560 @ npmcli/[email protected]:
  - fix: treat top-level global packages as "top" nodes
  - fix: load global symlinks implicitly as file: deps
  - fix(reify): debug crash when extracting into symlink
  - fix: node_modules must be a directory
  - fix: make Node.children() a case-insensitive Map
  - fix(reify): verify existing deps in nm are dirs
- b6f40b5f8 [email protected]:
  - fix: prune dirCache properly for unicode, windows
  - fix: reserve paths properly for unicode, windows
  - fix: prevent path escape using drive-relative paths
  - fix: drop dirCache for symlink on all platforms
- 218cacadc [email protected]
- 7ac621cd1 [email protected]
- 94f92de13 [email protected]
- 71cdfd898 [email protected]:
  - update license list to v3.14
7.20.6 - 2021-08-12
v7.20.6 (2021-08-12)

DEPENDENCIES
- 5bebf280f [email protected]
  - fix: reserve paths case-insensitively
- 5d89de44d [email protected]:
  - fix: normalize paths on Windows systems
- a1bdbea97 #3569 remove byte-size (@ wraithgar)
- 61782fa85 @ npmcli/[email protected]:
  - fix: better error message for duplicate workspace names
- b88f770fa @ npmcli/[email protected]:
  - [#3632] Fix "cannot read property path of null" error in 'npm dedupe'
  - fix(shrinkwrap): always set name on the root node
DOCUMENTATION
- 001f2c1b7 #3621 fix(docs): do not include certain files (@ AkiJoey)
- d1812f1a6 #3630 fix(docs): update npm-publish access flag info (@ austincho)
- d5a099c7b #3615 fix(readme): add nvm-windows to installers links (@ Yash-Singh1)
7.20.5 - 2021-08-05
v7.20.5 (2021-08-05)

DEPENDENCIES
- 44377738e [email protected]
  - fix: start retrying immediately, stop after 60 seconds
7.20.4 - 2021-08-05
v7.20.4 (2021-08-05)

BUG FIXES
- 6a8086e25 #3463 fix(tests): move more tests to use real npm (@ wraithgar)
DEPENDENCIES
- 15fae4941 [email protected]:
  - fix: properly handle top-level files when using strip
  - Avoid an unlikely but theoretically possible redos
  - WriteEntry backpressure
  - fix(unpack): always resume parsing after an entry error
  - fix(unpack): fix hang on large file on open() fail
  - fix: properly prefix hard links
- 745326de0 [email protected]:
  - Clear progress bar which overlays confirm prompt
- e82bcd4e8 [email protected]:
  - fix: start retrying immediately, stop after 10 attempts
7.20.3 - 2021-07-29
v7.20.3 (2021-07-29)

BUG FIXES
- 66dc5f94d #3588 update eresolve explanations for new arborist data provided
- 99575acab #3591 fix(node_modules): remove duplicated file (@ wraithgar)
DEPENDENCIES
- 97cb5ec31 @ npmcli/[email protected]:
  - Refactor ideal tree building to handle more complicated
    peerDependencies use cases.
  - Do not modify ideal tree while checking if a peerSet can be placed.
- 7db1a0a26 chore(deps): [email protected] [email protected]
7.20.2 - 2021-07-27
v7.20.2 (2021-07-27)

DEPENDENCIES
- f5aab1f88 [email protected]
  - fix: strip absolute paths more comprehensively
- ce8fb0f69 [email protected]
  - fix: Remove paths from dirCache when no longer dirs
- ced85087a [email protected]
  - add missing dependency to package.json
7.20.1 - 2021-07-22
BUG FIXES
- 009ad1e68 #3561 fix(exit-handler): always warn if not called (@ wraithgar)
- eb67054c8 #3563 fix(config): consolidate use of npm.color (@ wraithgar)
DOCUMENTATION
- a014f3d28 #3562 fix(docs): typo in npm cmd docs (@ wraithgar)
- 1fe1c9b74 #3523 fix(docs): updated policy urls (@ DemiraDimitrova)
DEPENDENCIES
- d7f29e8c9 [email protected]:
  - feat: load directories.bin as a bin object
- b1fefa73d [email protected]
  - Drop support for node 6 and 8
- b6e09971a remove ignored files from node_modules ([@ Ruy Adorno](https://github.com/Ruy Adorno))
- cf737c505 [email protected]
7.20.0 - 2021-07-15
v7.20.0 (2021-07-15)

FEATURES
- f17aca5cd #3487 feat: add npm pkg command (@ ruyadorno)
- 98905ae37 #3471 feat(config): introduce location parameter (@ nlf)
BUG FIXES
- 4755b0728 #3498 friendlier errors for ERR_SOCKET_TIMEOUT (@ nlf)
- 3ecf19cdc #3508 fix(config): fix noproxy (@ wraithgar)
- c3bd10e46 #3499 fix(update-notifier): don't force black background (@ wraithgar)
- 89483e888 #3497 fix(usage): better audit/boolean flag usage output (@ wraithgar)
- feeb8e42a #3495 fix(publish): obey --ignore-scripts flag (@ wraithgar)
- 103c8c3ef #3479 chore(exit): log any un-ended timings (@ wraithgar)
- efc4313c2 #3482 chore(refactor): refactor exit handler and tests (@ wraithgar)
- d8eb49b70 #3540 fix(bundle-and-ignore): case sensitivity cleanup (@ wraithgar)
DOCUMENTATION
- 339145f64 #3491 fix(docs): clarify what install type gets .bin (@ wraithgar)
- 74c99755e #3494 fix(docs): add npm update example (@ wraithgar)
- 801a52330 #3542 fix(docs): correct Node.js JavaScript stylings (@ relrelb)
- 791416713 #3546 fix(docs): how to see background script output (@ cinderblock)
DEPENDENCIES
- 691816f3d @ npmcli/[email protected]
  - fixes running prepare scripts for workspaces on reify
  - ensure pacote always compares correct integrity values
- b9597e944 [email protected]
  - fix: retry socket timeout failures
  - fix: clean up invalid indexes and content after cacache read errors
- f573e7c56 [email protected]
  - fix: correctly handle error events that happen after response events
- 2d5797ea0 [email protected]
  - fix: show more actionable messages for git pathspec errors
  - fix: include all dep types when building for prepare
  - fix: do not set mtime when unpacking
7.19.1 - 2021-07-01
7.19.0 - 2021-06-24
7.18.1 - 2021-06-17
7.18.0 - 2021-06-17
7.17.0 - 2021-06-10
7.16.0 - 2021-06-03
7.15.1 - 2021-05-31
7.15.0 - 2021-05-27
7.14.0 - 2021-05-20
7.13.0 - 2021-05-13
7.12.1 - 2021-05-10
7.12.0 - 2021-05-06
7.11.2 - 2021-04-29
7.11.1 - 2021-04-23
7.11.0 - 2021-04-23
7.10.0 - 2021-04-15
7.9.0 - 2021-04-08
7.8.0 - 2021-04-01
7.7.6 - 2021-03-29
7.7.5 - 2021-03-25
7.7.4 - 2021-03-24
7.7.3 - 2021-03-24
7.7.2 - 2021-03-24
7.7.1 - 2021-03-24
7.7.0 - 2021-03-23
7.6.3 - 2021-03-11
7.6.2 - 2021-03-09
7.6.1 - 2021-03-04
7.6.0 - 2021-02-25
7.5.6 - 2021-02-22
7.5.5 - 2021-02-22
7.5.4 - 2021-02-12
7.5.3 - 2021-02-08
7.5.2 - 2021-02-02
7.5.1 - 2021-02-01
7.5.0 - 2021-01-28
7.4.3 - 2021-01-21
7.4.2 - 2021-01-15
7.4.1 - 2021-01-14
7.4.0 - 2021-01-07
7.3.0 - 2020-12-18
7.2.0 - 2020-12-15
7.1.2 - 2020-12-11
7.1.1 - 2020-12-09
7.1.0 - 2020-12-04
7.0.15 - 2020-11-27
7.0.14 - 2020-11-23
7.0.13 - 2020-11-20
7.0.12 - 2020-11-17
7.0.11 - 2020-11-13
7.0.10 - 2020-11-10
7.0.9 - 2020-11-06
7.0.8 - 2020-11-03
7.0.7 - 2020-10-30
7.0.6 - 2020-10-27
7.0.5 - 2020-10-23
7.0.4 - 2020-10-23
7.0.3 - 2020-10-20
7.0.2 - 2020-10-16
7.0.1 - 2020-10-15
7.0.0 - 2020-10-13
7.0.0-rc.4 - 2020-10-09
7.0.0-rc.3 - 2020-10-06
7.0.0-rc.2 - 2020-10-02
7.0.0-rc.1 - 2020-10-02
7.0.0-rc.0 - 2020-10-01
7.0.0-beta.13 - 2020-09-29
7.0.0-beta.12 - 2020-09-22
7.0.0-beta.11 - 2020-09-16
7.0.0-beta.10 - 2020-09-08
7.0.0-beta.9 - 2020-09-04
7.0.0-beta.8 - 2020-09-01
7.0.0-beta.7 - 2020-08-25
7.0.0-beta.6 - 2020-08-21
7.0.0-beta.5 - 2020-08-18
7.0.0-beta.4 - 2020-08-11
7.0.0-beta.3 - 2020-08-10
7.0.0-beta.2 - 2020-08-07
7.0.0-beta.1 - 2020-08-05
7.0.0-beta.0 - 2020-08-04
6.14.18 - 2022-12-21
6.14.17 - 2022-04-28
6.14.16 - 2022-01-19
6.14.15 - 2021-08-24
6.14.14 - 2021-07-27
6.14.14 (2021-07-27)

DEPENDENCIES
- 4627c0670 [email protected]
6.14.13 - 2021-04-12
6.14.12 - 2021-03-25
6.14.11 - 2021-01-08
6.14.10 - 2020-12-18
6.14.9 - 2020-11-20
6.14.8 - 2020-08-17
6.14.7 - 2020-07-21
6.14.6 - 2020-07-07
6.14.5 - 2020-05-04
6.14.4 - 2020-03-25
6.14.3 - 2020-03-19
6.14.2 - 2020-03-03
6.14.1 - 2020-02-27
6.14.0 - 2020-02-25
6.13.7 - 2020-01-28
6.13.6 - 2020-01-09
6.13.5 - 2020-01-09
6.13.4 - 2019-12-11
6.13.3 - 2019-12-10
6.13.2 - 2019-12-03
6.13.1 - 2019-11-18
6.13.0 - 2019-11-05
6.12.1 - 2019-10-29
6.12.0 - 2019-10-08
6.12.0-next.0 - 2019-09-26
6.11.3 - 2019-09-03
6.11.2 - 2019-08-22
6.11.1 - 2019-08-21
6.11.0 - 2019-08-20
6.10.3 - 2019-08-06
6.10.2 - 2019-07-23
6.10.2-next.3 - 2019-07-22
6.10.2-next.2 - 2019-07-21
6.10.2-next.1 - 2019-07-17
6.10.2-next.0 - 2019-07-16
6.10.1 - 2019-07-11
6.10.1-next.2 - 2019-07-10
6.10.1-next.1 - 2019-07-03
6.10.1-next.0 - 2019-07-03
6.10.0 - 2019-07-03
6.10.0-next.0 - 2019-07-01
6.9.2 - 2019-06-27
6.9.1-next.0 - 2019-03-20
6.9.0 - 2019-03-06
6.9.0-next.0 - 2019-02-21
6.8.0 - 2019-02-13
6.8.0-next.2 - 2019-02-07
6.8.0-next.1 - 2019-02-06
6.8.0-next.0 - 2019-01-31
6.7.0 - 2019-01-23
6.6.0 - 2019-01-17
6.6.0-next.1 - 2019-01-10
6.6.0-next.0 - 2018-12-12
6.5.0 - 2018-12-10
6.5.0-next.0 - 2018-11-28
6.4.1 - 2018-08-29
6.4.1-next.0 - 2018-08-23
6.4.0 - 2018-08-15
6.4.0-next.0 - 2018-08-09
6.3.0 - 2018-08-02
6.3.0-next.0 - 2018-07-25
6.2.0 - 2018-07-14
6.2.0-next.1 - 2018-07-05
6.2.0-next.0 - 2018-06-29
6.1.0 - 2018-05-24
6.1.0-next.0 - 2018-05-17
6.0.1 - 2018-05-10
6.0.1-next.0 - 2018-05-04
6.0.0 - 2018-04-24
6.0.0-next.2 - 2018-04-21
6.0.0-next.1 - 2018-04-13
6.0.0-next.0 - 2018-03-23
5.10.0 - 2018-05-11
5.10.0-next.1 - 2018-05-07
5.10.0-next.0 - 2018-04-13
5.9.0-next.0 - 2018-03-23
5.8.0 - 2018-03-23
5.8.0-next.0 - 2018-03-13
5.7.1 - 2018-02-22
5.7.0 - 2018-02-21
5.6.0 - 2017-11-28

from npm GitHub release notes

Commit messages

Package name: npm

The new version differs by 250 commits.

30a9844 7.21.0
0b2cd9d update AUTHORS
06461ec docs: changelog for v7.21.0
771a1cb chore(tests): fix snapshots
71cdfd8 [email protected]
94f92de [email protected]
7ac621c [email protected]
218caca [email protected]
ff6626a fix(docs): update npm-publish access flag info
b6f40b5 [email protected]
e9e5ee5 @ npmcli/[email protected]
991a3bd [email protected]
f077724 [email protected]
68a19bb fix(error-message): look for er.path not er.file
ff34d6c feat(cache): initial implementation of ls and rm
8183976 [email protected]
df57f0d @ npmcli/[email protected]
487731c fix(logging): sanitize logged argv
7a58264 chore(ci): check that docs are up to date in ci
22f3bbb chore(docs): add more 'autogenerated' comments
4314490 fix(docs): revert auto-generated portion of docs
32e88c9 fix(did-you-mean): switch levenshtein libraries
59b9851 7.20.6
2591e67 update AUTHORS

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution

[Snyk] Security upgrade npm from 5.6.0 to 7.21.0 #87

Are you sure you want to change the base?

[Snyk] Security upgrade npm from 5.6.0 to 7.21.0 #87

Uh oh!

Conversation

Omrisnyk commented May 22, 2024

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

v7.21.0 (2021-08-19)

FEATURES

BUG FIXES

DEPENDENCIES

v7.20.6 (2021-08-12)

DEPENDENCIES

DOCUMENTATION

v7.20.5 (2021-08-05)

DEPENDENCIES

v7.20.4 (2021-08-05)

BUG FIXES

DEPENDENCIES

v7.20.3 (2021-07-29)

BUG FIXES

DEPENDENCIES

v7.20.2 (2021-07-27)

DEPENDENCIES

BUG FIXES

DOCUMENTATION

DEPENDENCIES

v7.20.0 (2021-07-15)

FEATURES

BUG FIXES

DOCUMENTATION

DEPENDENCIES

6.14.14 (2021-07-27)

DEPENDENCIES

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants