Skip to content

[Snyk] Security upgrade jsdom from 16.4.0 to 16.5.0 #12

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Security upgrade jsdom from 16.4.0 to 16.5.0 #12

wants to merge 1 commit into from

Conversation

victornpb
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 718/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.5		 Prototype Pollution
SNYK-JS-TOUGHCOOKIE-5672873		 No Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: jsdom The new version differs by 30 commits.
  • 2d82763 Version 16.5.0
  • 9741311 Fix loading of subresources with Unicode filenames
  • 5e46553 Use domenic's ESLint config as the base
  • 19b35da Fix the URL of about:blank iframes
  • 017568e Support inputType on InputEvent
  • 29f4fdf Upgrade dependencies
  • e2f7639 Refactor create‑event‑accessor.js to remove code duplication
  • ff69a75 Convert JSDOM to use callback functions
  • 19df6bc Update links in contributing guidelines
  • 1e34ff5 Test triage
  • 1d6cb3c XHR: clear response buffer on errors
  • 1e86b2e XHR: mark Content-Length as CORS-safelisted
  • 6a8f012 XHR: avoid a redundant final progress event
  • 021555b Allow mutating disabled <input type=checkbox/radio>
  • a62d9fe Remove ondragexit from GlobalEventHandlers
  • 745fbaf Call mutation observer callbacks with the MutationObserver as this
  • 6c758c9 Implement window.event
  • a88d0bf Clean up navigator.plugins and navigator.mimeTypes
  • 31eb938 Implement queueMicrotask()
  • 2ab99ad Stop replacing / with : in the File constructor
  • ffd4aa3 Reduce log spam when starting WPT server
  • e0de8be Upgrade to-upstream WPTs to Python 3
  • c94ceeb Automatically omit all testdriver tests
  • b3f6056 Update WPT

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

@socket-security
Copy link

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages Version New capabilities Transitives Size Publisher
jsdom 16.4.0...16.5.0 eval +17/-21 6.62 MB domenic

@socket-security
Copy link

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue Package Version Note Source
Dynamic require url-parse 1.5.10
Obfuscated require url-parse 1.5.10
Suspicious strings psl 1.9.0
Uses eval lodash 4.17.21

Next steps

What is dynamic require?

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code.

What is obfuscated require?

Package accesses dynamic properties of require and may be obfuscating code execution.

The package should not access dynamic properties of module. Instead use import or require directly.

What are suspicious strings?

This package contains suspicious text patterns which are commonly associated with bad behavior

The package code should be reviewed before installing

What is eval?

Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Avoid packages that use eval, since this could potentially execute any code.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@victornpb @snyk-bot