[Snyk] Security upgrade url-parse from 1.5.4 to 1.5.9 by snyk-bot · Pull Request #494 · CognitiveScale/cortex-cli

snyk-bot · 2022-02-22T06:16:29Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	713/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.4	Authorization Bypass SNYK-JS-URLPARSE-2407759	No	Proof of Concept
	718/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.5	Authorization Bypass SNYK-JS-URLPARSE-2407770	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: url-parse

The new version differs by 19 commits.

ad23357 1.5.9
0e3fb54 [fix] Strip all control characters from the beginning of the URL
61864a8 [security] Add credits for CVE-2022-0686
bb0104d 1.5.8
d5c6479 [fix] Handle the case where the port is specified but empty
4f2ae67 [security] Add credits for CVE-2022-0639
8b3f5f2 1.5.7
ef45a13 [fix] Readd the empty userinfo to `url.href` (Ccf 12660 develop rebase #226)
88df234 [doc] Add soft deprecation notice
78e9f2f [security] Fix nits
e6fa434 [security] Add credits for incorrect handling of userinfo vulnerability
4c9fa23 1.5.6
7b0b8a6 Merge pull request Update dependencies and remove deprecation warnings #223 from unshiftio/fix/at-sign-handling-in-userinfo
e4a5807 1.5.5
193b44b [minor] Simplify whitespace regex
319851b [fix] Remove CR, HT, and LF
4e53a8c [doc] Document that the returned hostname might be invalid
9be7ee8 [fix] Correctly handle userinfo containing the at sign
f7774f6 [security] Fix typos in SECURITY.md

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-URLPARSE-2407759 - https://snyk.io/vuln/SNYK-JS-URLPARSE-2407770

fix: package.json & package-lock.json to reduce vulnerabilities

7043c0a

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-URLPARSE-2407759 - https://snyk.io/vuln/SNYK-JS-URLPARSE-2407770

yreddy-CS approved these changes Feb 23, 2022

View reviewed changes

yreddy-CS merged commit 089b89b into develop Feb 23, 2022

jgielstra-cs deleted the snyk-fix-2aa2bb8d5df6400f2db0d2765e7d5246 branch March 14, 2022 19:41

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Security upgrade url-parse from 1.5.4 to 1.5.9#494

[Snyk] Security upgrade url-parse from 1.5.4 to 1.5.9#494
yreddy-CS merged 1 commit intodevelopfrom
snyk-fix-2aa2bb8d5df6400f2db0d2765e7d5246

snyk-bot commented Feb 22, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

snyk-bot commented Feb 22, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants