[Snyk] Upgrade util from 0.12.4 to 0.12.5 #3

AkbarTrilaksana · 2022-11-07T04:58:42Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade util from 0.12.4 to 0.12.5.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 1 version ahead of your current version.
The recommended version was released 21 days ago, on 2022-10-16.

The recommended version fixes:

Issue	PriorityScore (*)	Exploit Maturity
Arbitrary File Write SNYK-JS-TAR-1579155	425/1000 Why? CVSS 8.5	No Known Exploit
Arbitrary File Write SNYK-JS-TAR-1579152	425/1000 Why? CVSS 8.5	No Known Exploit
Arbitrary File Write SNYK-JS-TAR-1579147	425/1000 Why? CVSS 8.5	No Known Exploit
Arbitrary File Overwrite SNYK-JS-TAR-1536531	425/1000 Why? CVSS 8.5	No Known Exploit
Arbitrary File Overwrite SNYK-JS-TAR-1536528	425/1000 Why? CVSS 8.5	No Known Exploit
Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	425/1000 Why? CVSS 8.5	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	425/1000 Why? CVSS 8.5	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	425/1000 Why? CVSS 8.5	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	425/1000 Why? CVSS 8.5	No Known Exploit
Prototype Pollution SNYK-JS-MINIMIST-2429795	425/1000 Why? CVSS 8.5	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: util

0.12.5 - 2022-10-16
0.12.5
0.12.4 - 2021-05-28
- Avoid SharedArrayBuffer until required. (@ snyamathi in #59)
  
  This fixes a security warning for SharedArrayBuffer.

from util GitHub release notes

Commit messages

Package name: util

ef98472 0.12.5
e84cfd5 deps: move safe-buffer to devDependencies, fixes Version tags for Bower? web3/web3.js#65
a292d8a Merge pull request add formatter for gasPrice and balance web3/web3.js#71 from CommanderRoot/refactor/rm-deprecated-substr
073daed refactor: replace deprecated String.prototype.substr()
ad9dbe0 Merge pull request Add working tests and fixed return value of from/toWei web3/web3.js#69 from MatrixFrog/patch-1
51d163f Update README.md
46e101e Indicate that util is not automatically included in webpack 5+

Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Snyk has created this PR to upgrade util from 0.12.4 to 0.12.5. See this package in npm: https://www.npmjs.com/package/util See this project in Snyk: https://app.snyk.io/org/akbartrilaksana/project/03eb700b-1598-4ead-a854-f39ab3b7ecca?utm_source=github&utm_medium=referral&page=upgrade-pr

cnp-for-devops · 2022-11-07T04:58:45Z

Authentication to CNP for DevOps failed. Click here to try again: https://portal.cwp.radwarecloud.com/github-plugin.html?installation_id=27555900&setup_action=install

guardrails · 2022-11-07T04:59:23Z

⚠️ We detected 2 security issues in this pull request:

Vulnerable Libraries (2)

Severity	Details
Low	pkg:npm/[email protected]@2.6.7 (t) - no patch available
Medium	pkg:npm/[email protected]@0.10.62 (t) - no patch available

More info on how to fix Vulnerable Libraries in JavaScript.

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

socket-security · 2022-11-07T05:00:46Z

Socket Security Pull Request Report

Dependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again.

📜 Install scripts

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Package	Script field	Location
[email protected] (added)	`postinstall`	`packages/web3-core-requestmanager/package.json` via [email protected], [email protected],`packages/web3-providers-ws/package.json` via [email protected]

Pull request report summary

Issue	Status
Install scripts	⚠️ 1 issue
Native code	✅ 0 issues
Bin script confusion	✅ 0 issues
Bin script shell injection	✅ 0 issues
Unresolved require	✅ 0 issues
Invalid package.json	✅ 0 issues
HTTP dependency	✅ 0 issues
Git dependency	✅ 0 issues
Non-existent author	✅ 0 issues
Potential typo squat	✅ 0 issues
Known Malware	✅ 0 issues
Telemetry	✅ 0 issues
Protestware/Troll package	✅ 0 issues

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] [email protected]

@SocketSecurity ignore [email protected]

Powered by socket.dev

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Upgrade util from 0.12.4 to 0.12.5 #3

[Snyk] Upgrade util from 0.12.4 to 0.12.5 #3

AkbarTrilaksana commented Nov 7, 2022

cnp-for-devops bot commented Nov 7, 2022

guardrails bot commented Nov 7, 2022

socket-security bot commented Nov 7, 2022

[Snyk] Upgrade util from 0.12.4 to 0.12.5 #3

Are you sure you want to change the base?

[Snyk] Upgrade util from 0.12.4 to 0.12.5 #3

Conversation

AkbarTrilaksana commented Nov 7, 2022

Snyk has created this PR to upgrade util from 0.12.4 to 0.12.5.

cnp-for-devops bot commented Nov 7, 2022

guardrails bot commented Nov 7, 2022

socket-security bot commented Nov 7, 2022

Socket Security Pull Request Report