New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Security upgrade serverless from 1.80.0 to 2.43.1 #61

Open

twilio-product-security wants to merge 1 commit into master from snyk-fix-080fa407eea478147353bfb20ab67059

twilio-product-security commented Nov 25, 2023

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	Yes	Proof of Concept
	490/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-RAMDA-1582370	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Command Injection SNYK-JS-SIMPLEGIT-2421199	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') SNYK-JS-SIMPLEGIT-2434306	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-SIMPLEGIT-3112221	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-SIMPLEGIT-3177391	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: serverless

The new version differs by 250 commits.

a1fcaa6 chore: Release 2.43.1
79a1f1a chore: Bump dependencies
9b2a111 fix(Telemetry): Ensure to pass proper config for local fallback
ee66585 fix(Variables): Ensure proper resolution in case of errors
2984adb refactor(CLI Onboarding): Use "Starter" not "Empty" for templates
716b312 refactor: Use `download` from `@ serverless/utils`
c265905 refactor(Telemetry): Improve AWS stack error codes (#9510)
bbff029 fix(AWS Local Invocation): Fix invalid result handling
06c28e2 chore: Release v2.43.0
abe42f2 chore: Bump dependencies
db16df2 refactor: Do not recognize YAML Exception as user error
aa8f7be refactor: Do not rely on serverless.yamlParser
bab39c6 test: Convert to async/await
6adaa9f refactor: Ensure codes for user errors
18a9b2b fix(AWS Deploy): Fix stack errors processing
29f0e9c fix: Dont depend on default execution role when custom role provided
dee54ed feat(CLI Onboarding): Present default project name if possible
225c5ac chore: Release v2.42.0
afa3581 chore: Upgrade `@ serverless/utils` to v5
71e1cf4 chore: Bump dependencies
8d0ff07 feat(Telemetry): Report awsUserResourceTypes
f1a288c feat(CLI Onboarding): Support `template` and `template-url` options
a6f4dc3 refactor: Improve granularity of stack deployment error codes
a46abe3 refactor: Ensure to propagate as is stack monitoring error

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn


          fix: package.json & package-lock.json to reduce vulnerabilities

054db18

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-GOT-2932019
- https://snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783
- https://snyk.io/vuln/SNYK-JS-RAMDA-1582370
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199
- https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306
- https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221
- https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
- https://snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet