fix(deps): [Snyk] Fix for 9 vulnerabilities#545
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-JSPDF-14873131
- https://snyk.io/vuln/SNYK-JS-REACTROUTER-14908286
- https://snyk.io/vuln/SNYK-JS-MARKDOWNIT-6483324
- https://snyk.io/vuln/SNYK-JS-AXIOS-6032459
- https://snyk.io/vuln/SNYK-JS-AXIOS-12613773
- https://snyk.io/vuln/SNYK-JS-MAMMOTH-13554470
- https://snyk.io/vuln/SNYK-JS-AXIOS-9292519
- https://snyk.io/vuln/SNYK-JS-AXIOS-6124857
- https://snyk.io/vuln/SNYK-JS-AXIOS-9403194
✅ Deploy Preview for ap-template-playground ready!
To edit notification comments on pull requests, go to your Netlify project configuration.
This PR is stale because it has been open 15 days with no activity. Remove stale label or comment or this will be closed in 10 days.
Pull request overview
This is an automated Snyk security fix PR that updates npm dependencies to address 9 reported vulnerabilities ranging from critical to medium severity. The PR claims to fix vulnerabilities in axios, react-router, markdown-it, jspdf, and mammoth packages through dependency upgrades. However, the actual code changes only update Accord Project core dependencies and react-router-dom.
Changes:
- Updated 5 Accord Project dependencies (@accordproject/concerto-core, markdown-common, markdown-template, markdown-transform, template-engine) to newer minor/patch versions
- Updated react-router-dom from 6.24.1 to 6.30.2 to address Open Redirect vulnerability
package.json
Outdated
| "@accordproject/concerto-core": "^3.15.0", | ||
| "@accordproject/markdown-common": "^0.16.23", | ||
| "@accordproject/markdown-template": "^0.16.23", | ||
| "@accordproject/markdown-transform": "^0.16.21", | ||
| "@accordproject/template-engine": "^2.6.5", |
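Review bot: none of the five @accordproject bumps in this hunk names a package that appears in the PR description (jspdf, react-router, markdown-it, axios, mammoth), and every one of them is a caret range such as "@accordproject/concerto-core": "^3.15.0", so the version actually installed is whatever package-lock.json resolves, which this diff does not show. Suggest stating in the PR which of the nine listed advisories each bump is meant to close through its transitive dependencies, and confirming the resolved versions in package-lock.json; without that, this hunk reads as a routine version update rather than a security fix.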
The PR description claims to fix vulnerabilities in html2pdf.js (upgrading 0.12.1 to 0.13.0), jspdf, mammoth, and markdown-it. However, the package.json diff only shows updates to @accordproject dependencies and react-router-dom. The html2pdf.js version remains at 0.14.0 (not 0.12.1 as mentioned), and jspdf/mammoth are not direct dependencies. This discrepancy suggests either the PR description is incorrect, the changes are incomplete, or these vulnerabilities are being fixed through transitive dependency updates in package-lock.json. Please verify that all mentioned vulnerabilities are actually being addressed by these changes.
package.json
Outdated
| @@ -49,7 +49,7 @@ | |||
| "react-icons": "^5.5.0", | |||
| "react-markdown": "^9.0.1", | |||
| "react-resizable-panels": "^3.0.3", | |||
| "react-router-dom": "^6.24.1", | |||
| "react-router-dom": "^6.30.2", | |||
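Review bot: the bump from "react-router-dom": "^6.24.1" to "^6.30.2" is the one line in this diff that maps directly to a listed advisory (SNYK-JS-REACTROUTER-14908286), but that advisory is filed against react-router, which react-router-dom pulls in transitively; with a caret range the patched react-router only lands if package-lock.json is regenerated to resolve it, so the lock-file change should be reviewed together with this line rather than assumed from it. Suggest noting the resolved react-router version in the PR description so the fix is verifiable from the review page.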
This PR must include Developer Certificate of Origin (DCO) sign-off on all commits as required by the project. According to the Accord Project commit conventions, every commit must be signed using 'git commit --signoff'. Additionally, the commit message should follow the format 'type(scope): description' (e.g., 'chore(deps): fix for 9 vulnerabilities'). Since this is an automated Snyk PR, please ensure it adheres to these project requirements before merging.
Signed-off-by: mttrbrts <code@rbrts.uk>
Signed-off-by: mttrbrts <code@rbrts.uk>
* fix: package.json & package-lock.json to reduce vulnerabilities

  The following vulnerabilities are fixed with an upgrade:
  - https://snyk.io/vuln/SNYK-JS-JSPDF-14873131
  - https://snyk.io/vuln/SNYK-JS-REACTROUTER-14908286
  - https://snyk.io/vuln/SNYK-JS-MARKDOWNIT-6483324
  - https://snyk.io/vuln/SNYK-JS-AXIOS-6032459
  - https://snyk.io/vuln/SNYK-JS-AXIOS-12613773
  - https://snyk.io/vuln/SNYK-JS-MAMMOTH-13554470
  - https://snyk.io/vuln/SNYK-JS-AXIOS-9292519
  - https://snyk.io/vuln/SNYK-JS-AXIOS-6124857
  - https://snyk.io/vuln/SNYK-JS-AXIOS-9403194

* Implement feature X to enhance user experience and fix bug Y in module Z

  Signed-off-by: mttrbrts <code@rbrts.uk>

* chore(deps): bump ap versions

  Signed-off-by: mttrbrts <code@rbrts.uk>

---------

Signed-off-by: mttrbrts <code@rbrts.uk>
Co-authored-by: snyk-bot <snyk-bot@snyk.io>
* fix: package.json & package-lock.json to reduce vulnerabilities

  The following vulnerabilities are fixed with an upgrade:
  - https://snyk.io/vuln/SNYK-JS-JSPDF-14873131
  - https://snyk.io/vuln/SNYK-JS-REACTROUTER-14908286
  - https://snyk.io/vuln/SNYK-JS-MARKDOWNIT-6483324
  - https://snyk.io/vuln/SNYK-JS-AXIOS-6032459
  - https://snyk.io/vuln/SNYK-JS-AXIOS-12613773
  - https://snyk.io/vuln/SNYK-JS-MAMMOTH-13554470
  - https://snyk.io/vuln/SNYK-JS-AXIOS-9292519
  - https://snyk.io/vuln/SNYK-JS-AXIOS-6124857
  - https://snyk.io/vuln/SNYK-JS-AXIOS-9403194

* Implement feature X to enhance user experience and fix bug Y in module Z

  Signed-off-by: mttrbrts <code@rbrts.uk>

* chore(deps): bump ap versions

  Signed-off-by: mttrbrts <code@rbrts.uk>

---------

Signed-off-by: mttrbrts <code@rbrts.uk>
Co-authored-by: snyk-bot <snyk-bot@snyk.io>
Signed-off-by: hemantch01 <hemantchaudhary905@gmail.com>
Snyk has created this PR to fix 9 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
- package.json
- package-lock.json

Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-JSPDF-14873131
- SNYK-JS-REACTROUTER-14908286
- SNYK-JS-MARKDOWNIT-6483324
- SNYK-JS-AXIOS-6032459
- SNYK-JS-AXIOS-12613773
- SNYK-JS-MAMMOTH-13554470
- SNYK-JS-AXIOS-9292519
- SNYK-JS-AXIOS-6124857
- SNYK-JS-AXIOS-9403194
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Allocation of Resources Without Limits or Throttling
🦉 Cross-site Request Forgery (CSRF)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn