From 0ed682113622d1ae05a1216321017ed6a259984c Mon Sep 17 00:00:00 2001 
From: snyk-bot Date: Sat, 20 Aug 2022 01:19:14 +0000 Subject: [PATCH] fix: package.json & .snyk to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-ANSIHTML-1296849 - https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908 - https://snyk.io/vuln/SNYK-JS-ASYNC-2441827 - https://snyk.io/vuln/SNYK-JS-EJS-1049328 - https://snyk.io/vuln/SNYK-JS-EJS-2803307 - https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905 - https://snyk.io/vuln/SNYK-JS-GOT-2932019 - https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118 - https://snyk.io/vuln/SNYK-JS-NODEFETCH-674311 - https://snyk.io/vuln/SNYK-JS-NODEFORGE-2330875 - https://snyk.io/vuln/SNYK-JS-NODEFORGE-2331908 - https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430337 - https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430339 - https://snyk.io/vuln/SNYK-JS-NODEFORGE-2430341 - https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677 - https://snyk.io/vuln/SNYK-JS-NODESASS-1059081 - https://snyk.io/vuln/SNYK-JS-NODESASS-535497 - https://snyk.io/vuln/SNYK-JS-NODESASS-542662 - https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067 - https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640 - https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-536840 - https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-570062 - https://snyk.io/vuln/SNYK-JS-SHELLJS-2332187 - https://snyk.io/vuln/SNYK-JS-SOCKJS-575261 - https://snyk.io/vuln/SNYK-JS-SSRI-1246392 - https://snyk.io/vuln/SNYK-JS-STYLELINT-1585622 - https://snyk.io/vuln/SNYK-JS-STYLELINT-460283 - https://snyk.io/vuln/SNYK-JS-TAR-1536528 - https://snyk.io/vuln/SNYK-JS-TAR-1536531 - https://snyk.io/vuln/SNYK-JS-TAR-1536758 - https://snyk.io/vuln/SNYK-JS-TAR-1579147 - https://snyk.io/vuln/SNYK-JS-TAR-1579152 - https://snyk.io/vuln/SNYK-JS-TAR-1579155 - https://snyk.io/vuln/SNYK-JS-TRIMNEWLINES-1298042 - https://snyk.io/vuln/SNYK-JS-UGLIFYJS-1727251 - https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381 The following vulnerabilities are fixed with a Snyk patch: - https://snyk.io/vuln/SNYK-JS-LODASH-567746 - 
https://snyk.io/vuln/npm:minimatch:20160620 --- .snyk | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++ package.json | 40 +++++++++++--------- 2 files changed, 123 insertions(+), 18 deletions(-) create mode 100644 .snyk
diff --git a/.snyk b/.snyk
new file mode 100644
index 0000000000..a54dc50864
--- /dev/null
+++ b/.snyk
@@ -0,0 +1,101 @@ +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities. +version: v1.25.0 +ignore: {} +# patches apply the minimum changes required to fix a vulnerability +patch: + SNYK-JS-LODASH-567746: + - '@babel/register > lodash': + patched: '2022-08-20T01:19:07.765Z' + - babel-plugin-transform-react-jsx-img-import > lodash: + patched: '2022-08-20T01:19:07.765Z' + - eslint > lodash: + patched: '2022-08-20T01:19:07.765Z' + - html-webpack-plugin > lodash: + patched: '2022-08-20T01:19:07.765Z' + - stylelint > lodash: + patched: '2022-08-20T01:19:07.765Z' + - stylelint-scss > lodash: + patched: '2022-08-20T01:19:07.765Z' + - webpack-bundle-analyzer > lodash: + patched: '2022-08-20T01:19:07.765Z' + - '@babel/preset-env > @babel/plugin-transform-block-scoping > lodash': + patched: '2022-08-20T01:19:07.765Z' + - babel-eslint > @babel/traverse > lodash: + patched: '2022-08-20T01:19:07.765Z' + - ava > @babel/core > lodash: + patched: '2022-08-20T01:19:07.765Z' + - babel-plugin-transform-react-jsx-img-import > babel-types > lodash: + patched: '2022-08-20T01:19:07.765Z' + - eslint > inquirer > lodash: + patched: '2022-08-20T01:19:07.765Z' + - eslint > table > lodash: + patched: '2022-08-20T01:19:07.765Z' + - stylelint > table > lodash: + patched: '2022-08-20T01:19:07.765Z' + - htmlhint > async > lodash: + patched: '2022-08-20T01:19:07.765Z' + - htmlhint > jshint > lodash: + patched: '2022-08-20T01:19:07.765Z' + - node-sass > sass-graph > lodash: + patched: '2022-08-20T01:19:07.765Z' + - stylelint > postcss-reporter > lodash: + patched: '2022-08-20T01:19:07.765Z' + - webpack-dev-server > http-proxy-middleware > lodash: + patched: '2022-08-20T01:19:07.765Z' + - '@babel/preset-env > @babel/plugin-transform-modules-umd > @babel/helper-module-transforms > lodash': + patched: '2022-08-20T01:19:07.765Z' + - babel-eslint > @babel/traverse > @babel/generator > lodash: + patched: '2022-08-20T01:19:07.765Z' + - stylelint > postcss-jsx > @babel/core > 
lodash: + patched: '2022-08-20T01:19:07.765Z' + - ava > @babel/core > @babel/traverse > lodash: + patched: '2022-08-20T01:19:07.765Z' + - jsdom > request-promise-native > request-promise-core > lodash: + patched: '2022-08-20T01:19:07.765Z' + - node-sass > gaze > globule > lodash: + patched: '2022-08-20T01:19:07.765Z' + - '@babel/preset-env > @babel/plugin-transform-parameters > @babel/helper-call-delegate > @babel/traverse > lodash': + patched: '2022-08-20T01:19:07.765Z' + - babel-eslint > @babel/traverse > @babel/helper-split-export-declaration > @babel/types > lodash: + patched: '2022-08-20T01:19:07.765Z' + - stylelint > postcss-jsx > @babel/core > @babel/traverse > lodash: + patched: '2022-08-20T01:19:07.765Z' + - ava > @ava/babel-preset-transform-test-files > babel-plugin-espower > @babel/generator > lodash: + patched: '2022-08-20T01:19:07.765Z' + - ava > @babel/core > @babel/helpers > @babel/traverse > lodash: + patched: '2022-08-20T01:19:07.765Z' + - '@babel/preset-env > @babel/plugin-transform-exponentiation-operator > @babel/helper-builder-binary-assignment-operator-visitor > @babel/helper-explode-assignable-expression > @babel/traverse > lodash': + patched: '2022-08-20T01:19:07.765Z' + - stylelint > postcss-jsx > @babel/core > @babel/helpers > @babel/traverse > lodash: + patched: '2022-08-20T01:19:07.765Z' + - ava > @ava/babel-preset-transform-test-files > babel-plugin-espower > @babel/generator > @babel/types > lodash: + patched: '2022-08-20T01:19:07.765Z' + - babel-eslint > @babel/traverse > @babel/helper-function-name > @babel/helper-get-function-arity > @babel/types > lodash: + patched: '2022-08-20T01:19:07.765Z' + - ava > @babel/core > @babel/helpers > @babel/traverse > @babel/generator > lodash: + patched: '2022-08-20T01:19:07.765Z' + - stylelint > postcss-jsx > @babel/core > @babel/helpers > @babel/traverse > @babel/generator > lodash: + patched: '2022-08-20T01:19:07.765Z' + - '@babel/preset-env > @babel/plugin-transform-exponentiation-operator > 
@babel/helper-builder-binary-assignment-operator-visitor > @babel/helper-explode-assignable-expression > @babel/traverse > @babel/generator > lodash': + patched: '2022-08-20T01:19:07.765Z' + - ava > @babel/core > @babel/helpers > @babel/traverse > @babel/helper-split-export-declaration > @babel/types > lodash: + patched: '2022-08-20T01:19:07.765Z' + - stylelint > postcss-jsx > @babel/core > @babel/helpers > @babel/traverse > @babel/helper-split-export-declaration > @babel/types > lodash: + patched: '2022-08-20T01:19:07.765Z' + - '@babel/preset-env > @babel/plugin-transform-exponentiation-operator > @babel/helper-builder-binary-assignment-operator-visitor > @babel/helper-explode-assignable-expression > @babel/traverse > @babel/helper-split-export-declaration > @babel/types > lodash': + patched: '2022-08-20T01:19:07.765Z' + - ava > @ava/babel-preset-stage-4 > @babel/plugin-transform-exponentiation-operator > @babel/helper-builder-binary-assignment-operator-visitor > @babel/helper-explode-assignable-expression > @babel/traverse > @babel/generator > lodash: + patched: '2022-08-20T01:19:07.765Z' + - ava > @ava/babel-preset-stage-4 > @babel/plugin-transform-exponentiation-operator > @babel/helper-builder-binary-assignment-operator-visitor > @babel/helper-explode-assignable-expression > @babel/traverse > @babel/helper-split-export-declaration > @babel/types > lodash: + patched: '2022-08-20T01:19:07.765Z' + - stylelint > postcss-jsx > @babel/core > @babel/helpers > @babel/traverse > @babel/helper-function-name > @babel/helper-get-function-arity > @babel/types > lodash: + patched: '2022-08-20T01:19:07.765Z' + - '@babel/preset-env > @babel/plugin-transform-exponentiation-operator > @babel/helper-builder-binary-assignment-operator-visitor > @babel/helper-explode-assignable-expression > @babel/traverse > @babel/helper-function-name > @babel/helper-get-function-arity > @babel/types > lodash': + patched: '2022-08-20T01:19:07.765Z' + - ava > @ava/babel-preset-stage-4 > 
@babel/plugin-transform-exponentiation-operator > @babel/helper-builder-binary-assignment-operator-visitor > @babel/helper-explode-assignable-expression > @babel/traverse > @babel/helper-function-name > @babel/helper-get-function-arity > @babel/types > lodash: + patched: '2022-08-20T01:19:07.765Z' + - node-sass > lodash: + patched: '2022-08-20T01:19:07.765Z' + 'npm:minimatch:20160620': + - spritesheet.js > glob > minimatch: + patched: '2022-08-20T01:19:07.765Z'
diff --git a/package.json b/package.json
index 09ddb1397f..3d5ce04569 100644
--- a/package.json
+++ b/package.json
@@ -30,7 +30,9 @@
 "stats": "rimraf ./dist && webpack --mode=production --json",
 "spritesheet": "npm run spritesheet:system-action && npm run spritesheet:system-notice",
 "spritesheet:system-action": "spritesheet-js -f json -p src/assets/images/spritesheets/ --padding 8 --divisibleByTwo -n sprite-system-action-spritesheet --powerOfTwo src/assets/images/sprites/action/*",
- "spritesheet:system-notice": "spritesheet-js -f json -p src/assets/images/spritesheets/ --padding 8 --divisibleByTwo -n sprite-system-notice-spritesheet --powerOfTwo src/assets/images/sprites/notice/*"
+ "spritesheet:system-notice": "spritesheet-js -f json -p src/assets/images/spritesheets/ --padding 8 --divisibleByTwo -n sprite-system-notice-spritesheet --powerOfTwo src/assets/images/sprites/notice/*",
+ "prepublish": "npm run snyk-protect",
+ "snyk-protect": "snyk-protect"
 },
 "ava": {
 "files": [
@@ -104,7 +106,8 @@
 "three-to-ammo": "github:infinitelee/three-to-ammo",
 "uuid": "^3.2.1",
 "webrtc-adapter": "^6.0.2",
- "zip-loader": "^1.1.0"
+ "zip-loader": "^1.1.0",
+ "@snyk/protect": "latest"
 },
 "devDependencies": {
 "@babel/core": "^7.3.3",
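Review bot: The `prepublish` entry added to `scripts` makes the patches recorded in `.snyk` depend on install-time script execution, so an install run with `--ignore-scripts` (or `ignore-scripts=true` in an npmrc, a common CI hardening) leaves lodash and minimatch unpatched without any error. `prepublish` is also a deprecated lifecycle name; `"prepare": "npm run snyk-protect"` is the hook npm documents for work that must run on local install. Whichever hook is kept, an explicit `npm run snyk-protect` step in CI would make the patched state independent of lifecycle scripts firing. The `scripts` object starts outside the hunk.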
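Review bot: `"@snyk/protect": "latest"` in `dependencies` is a floating dist-tag, so an install without a lockfile resolves whatever was published most recently, and that code is then executed by the `snyk-protect` script wired into `prepublish` in the `scripts` hunk above. A tool that rewrites files under `node_modules` at install time should be pinned to a reviewed version, e.g. `"@snyk/protect": "<reviewed-version>"` (placeholder; the page shows no version), with the lockfile committed alongside. The `dependencies` object starts outside the hunk.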
@@ -114,14 +117,14 @@
 "@babel/preset-env": "^7.3.1",
 "@babel/preset-react": "^7.0.0",
 "@babel/register": "^7.0.0",
- "ava": "^1.4.1",
+ "ava": "^4.0.0",
 "babel-eslint": "^10.0.1",
 "babel-loader": "^8.0.5",
 "babel-plugin-react-intl": "^3.0.1",
 "babel-plugin-transform-react-jsx-img-import": "^0.1.4",
- "copy-webpack-plugin": "^4.5.1",
+ "copy-webpack-plugin": "^5.1.2",
 "cors": "^2.8.4",
- "css-loader": "^1.0.0",
+ "css-loader": "^2.0.0",
 "dotenv": "^5.0.1",
 "eslint": "^5.16.0",
 "eslint-config-prettier": "^2.9.0",
@@ -130,35 +133,36 @@
 "esm": "^3.2.5",
 "fast-plural-rules": "0.0.3",
 "file-loader": "^1.1.10",
- "html-loader": "^0.5.5",
- "html-webpack-plugin": "^3.1.0",
- "htmlhint": "^0.11.0",
+ "html-loader": "^1.0.0",
+ "html-webpack-plugin": "^4.0.0",
+ "htmlhint": "^0.16.2",
 "jsdom": "^15.1.1",
 "localstorage-memory": "^1.0.3",
 "mini-css-extract-plugin": "^0.8.0",
 "ncp": "^2.0.0",
- "node-fetch": "^2.6.0",
- "node-sass": "^4.13.0",
+ "node-fetch": "^2.6.7",
+ "node-sass": "^7.0.1",
 "ora": "^4.0.2",
 "phoenix-channels": "^1.0.0",
 "prettier": "^1.7.0",
 "raw-loader": "^0.5.1",
 "rimraf": "^2.6.2",
 "sass-loader": "^6.0.7",
- "selfsigned": "^1.10.2",
- "shelljs": "^0.8.1",
+ "selfsigned": "^1.10.13",
+ "shelljs": "^0.8.5",
 "spritesheet-js": "github:mozillareality/spritesheet.js#hubs/master",
 "style-loader": "^0.20.2",
- "stylelint": "^9.10.1",
+ "stylelint": "^14.0.0",
 "stylelint-config-recommended-scss": "^3.2.0",
 "stylelint-scss": "^3.5.3",
 "svg-inline-loader": "^0.8.0",
- "tar": "^5.0.5",
+ "tar": "^5.0.10",
 "url-loader": "^1.0.1",
 "webpack": "^4.32.2",
- "webpack-bundle-analyzer": "^3.3.2",
- "webpack-cli": "^3.2.3",
- "webpack-dev-server": "^3.1.14",
+ "webpack-bundle-analyzer": "^4.0.0",
+ "webpack-cli": "^3.3.5",
+ "webpack-dev-server": "^4.0.0",
 "worker-loader": "^2.0.0"
- }
+ },
+ "snyk": true
 }
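Review bot: Several bumps in the last hunk cross major versions while the packages that plug into them stay where they were: `stylelint` moves to `^14.0.0` beside `stylelint-scss` `^3.5.3` and `stylelint-config-recommended-scss` `^3.2.0`, `node-sass` moves to `^7.0.1` beside `sass-loader` `^6.0.7`, and `webpack-dev-server` moves to `^4.0.0` beside `webpack-cli` `^3.3.5`. As far as I know stylelint 14 no longer bundles SCSS parsing and webpack-dev-server 4 expects webpack-cli 4, so lint and the dev server are likely to fail; that needs confirming by running both before merge. A broken build tends to end in a partial revert that quietly drops some of the listed fixes, so I would move the major upgrades into their own commits and keep the in-range bumps (`node-fetch`, `shelljs`, `selfsigned`, `tar`) here. The `devDependencies` object starts above this hunk.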