snyk-bot
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

✨ Snyk has automatically assigned this pull request, set who gets assigned.

As this is a private repository, Snyk-bot does not have access. Therefore, this PR has been created automatically, but appears to have been created by a real user.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| critical severity | 883/1000. Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 9.8 | Prototype Pollution, SNYK-JS-VM2-1585918 | No | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: vm2
The new version differs by 39 commits.
  • 1eabc2a Update Version
  • 6820f56 Merge pull request #367 from XmiliaH/security-fix
  • b4f6e2b Security Fixes
  • 82caa5b Merge pull request #346 from XmiliaH/fix-330
  • 12e721b Fix formatting
  • 4ead241 Merge pull request #313 from XmiliaH/fix-strict-modules
  • 6fee336 Merge pull request #319 from XmiliaH/fix-318
  • cc63160 Merge pull request #347 from XmiliaH/updates
  • 72152d2 Update readme
  • 807e2b2 Bring files up to date
  • 7ecf9c7 Merge pull request #320 from contra/patch-1
  • b5e2bb0 Node 13 is EOL.
  • 42c7b83 Frozen object tries to create property on receiver
  • e95165b Use bound functions instead of anonymous ones
  • a4c5b17 Fix tests
  • a1817b4 Fix tests
  • d470fd9 Release 3.9.3
  • ff894fc Fix dynamic import attack
  • 20fbb73 chore: add newer versions of node to test matrix
  • 8feb2ae Fix uninitialized buffer allocation
  • 3b94321 Add option to run NodeVM modules in strict mode
  • a81e12c Merge pull request #305 from patriksimek/dependabot/npm_and_yarn/lodash-4.17.19
  • d12bdbd Merge pull request #300 from XmiliaH/fix-297
  • 77a7681 Merge pull request #301 from XmiliaH/fix-295

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

👩‍💻 Set who automatically gets assigned

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic
