Bump ws, webpack-bundle-analyzer and webpack-serve #75
Bumps [ws](https://github.com/websockets/ws) to 6.2.4 and updates ancestor dependencies [ws](https://github.com/websockets/ws), [webpack-bundle-analyzer](https://github.com/webpack/webpack-bundle-analyzer) and [webpack-serve](https://github.com/shellscape/webpack-serve). These dependencies need to be updated together.

Updates `ws` from 6.2.1 to 6.2.4
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@6.2.1...6.2.4)

Updates `webpack-bundle-analyzer` from 2.13.1 to 5.3.0
- [Release notes](https://github.com/webpack/webpack-bundle-analyzer/releases)
- [Changelog](https://github.com/webpack/webpack-bundle-analyzer/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack-bundle-analyzer@v2.13.1...v5.3.0)

Updates `webpack-serve` from 0.3.2 to 4.0.0
- [Release notes](https://github.com/shellscape/webpack-serve/releases)
- [Commits](shellscape/webpack-serve@v0.3.2...v4.0.0)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 6.2.4
  dependency-type: indirect
- dependency-name: webpack-bundle-analyzer
  dependency-version: 5.3.0
  dependency-type: direct:production
- dependency-name: webpack-serve
  dependency-version: 4.0.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
| "version": "3.0.2", | ||
| "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-3.0.2.tgz", | ||
| "integrity": "sha1-mGbfOVECEw449/mWvOtlRDIJwls=" | ||
| }, | ||
| "js-yaml": { | ||
| "node_modules/js-yaml": { |
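Review bot: the key change from `"js-yaml": {` to `"node_modules/js-yaml": {` means this PR rewrites package-lock.json from the lockfileVersion 1 nested layout to the flat `packages` layout of lockfileVersion 2/3, so the diff touches every installed package and not only ws, webpack-bundle-analyzer and webpack-serve. The js-yaml version itself is not in these lines; check whether the resolved version actually changed before treating the finding below as something this bump introduced rather than a pre-existing transitive dependency that the rewrite made visible.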
Medium severity vulnerability may affect your project—review required:
Line 6030 lists a dependency (js-yaml) with a known Medium severity vulnerability.
ℹ️ Why this matters
Affected versions of js-yaml are vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). js-yaml is vulnerable to prototype pollution through its YAML merge key (<<) handling. When parsing untrusted YAML with load, loadAll, safeLoad, or safeLoadAll, a crafted document containing a __proto__ key inside a merged mapping can modify the prototype of the resulting object, leading to integrity violations in the application.
To resolve this comment:
Check if you are using js-yaml on the CLI.
- If you're affected, upgrade this dependency to at least version 3.14.2 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
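The merge-key flaw the comment describes, modelled in plain JavaScript as an added example. This is not js-yaml's source and needs no js-yaml install: the YAML document is constructed, `anchoredMapping()` stands in for what a loader produces for the `&base` mapping (the `__proto__` key stored as an own property), and the two `mergeMappings*` functions show the `<<` merge step with and without a guard on the `__proto__` key. `hasForeignPrototype` is a consumer-side check that works on any parsed document.

```javascript
// Constructed YAML document: "<<: *base" merges an anchored mapping whose only
// key is "__proto__" into the "merged" mapping.
const CRAFTED_YAML = [
  'base: &base',
  '  __proto__:',
  '    isAdmin: true',
  'merged:',
  '  <<: *base',
].join('\n');

// Stand-in for the loader's result for the "&base" mapping: "__proto__" is stored
// as an OWN enumerable key, so Object.keys() returns it and a merge copies it.
function anchoredMapping() {
  const source = {};
  Object.defineProperty(source, '__proto__', {
    value: { isAdmin: true }, enumerable: true, writable: true, configurable: true,
  });
  return source;
}

// Vulnerable merge step: plain assignment on the key "__proto__" runs the
// Object.prototype.__proto__ setter and re-parents `destination`.
function mergeMappingsVulnerable(destination, source) {
  for (const key of Object.keys(source)) destination[key] = source[key];
  return destination;
}

// Hardened merge step: "__proto__" is stored as data, never as the prototype link.
function mergeMappingsSafe(destination, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__') {
      Object.defineProperty(destination, key, {
        value: source[key], enumerable: true, writable: true, configurable: true,
      });
    } else {
      destination[key] = source[key];
    }
  }
  return destination;
}

// Consumer-side check for a parsed document: true if any nested object has a
// prototype other than Object.prototype, Array.prototype or null.
function hasForeignPrototype(value, seen = new Set()) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return false;
  seen.add(value);
  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== Array.prototype && proto !== null) return true;
  return Object.keys(value).some((k) => hasForeignPrototype(value[k], seen));
}

// Builds the document CRAFTED_YAML denotes using the given merge step and reports
// what the "merged" mapping now inherits.
function loadCrafted(merge) {
  const doc = { base: anchoredMapping(), merged: merge({}, anchoredMapping()) };
  return { isAdmin: doc.merged.isAdmin, foreign: hasForeignPrototype(doc) };
}

console.log('vulnerable:', loadCrafted(mergeMappingsVulnerable)); // { isAdmin: true, foreign: true }
console.log('hardened: ', loadCrafted(mergeMappingsSafe));       // { isAdmin: undefined, foreign: false }
```

The vulnerable path does not touch the global `Object.prototype`; it re-parents the `merged` object, which is why `doc.merged.isAdmin` reads `true` even though no such key was ever written to it. That is the integrity problem the comment refers to, and it is reachable through `safeLoad` as well as `load` because the merge step runs after key storage.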
| } | ||
| }, | ||
| "webpack-dev-server": { | ||
| "node_modules/webpack-dev-server": { |
Medium severity vulnerability may affect your project—review required:
Line 10632 lists a dependency (webpack-dev-server) with a known Medium severity vulnerability.
ℹ️ Why this matters
Affected versions of webpack-dev-server are vulnerable to Exposed Dangerous Method or Function. webpack-dev-server serves bundled assets without rejecting cross-origin classic script requests. Because such <script src> requests bypass the same-origin policy, a malicious website visited by a developer running the dev server can load the application bundle cross-origin and, via prototype pollution of the webpack runtime, extract the application source code.
To resolve this comment:
Check if you are using webpack dev server CLI setup.
- If you're affected, upgrade this dependency to at least version 5.2.1 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| } | ||
| }, | ||
| "webpack-dev-server": { | ||
| "node_modules/webpack-dev-server": { |
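Review bot: this is the same lock entry the previous comment flags (both cite line 10632), so a single upgrade of webpack-dev-server to 5.2.1 closes both findings; the visible lines show only the key rename and not the version, so confirm which version the new lock resolves before replying /fp to either.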
Medium severity vulnerability may affect your project—review required:
Line 10632 lists a dependency (webpack-dev-server) with a known Medium severity vulnerability.
ℹ️ Why this matters
Affected versions of webpack-dev-server are vulnerable to Origin Validation Error. webpack-dev-server improperly validates the WebSocket connection Origin header, unconditionally accepting any IP-address-based Origin. A malicious website can perform a cross-site WebSocket hijack against a running dev server and exfiltrate the developer source code carried in Hot Module Reloading (HMR) messages. The insecure origin check is the package default and is reached on every WebSocket connection, so any project running an affected version is vulnerable.
To resolve this comment:
Check if you are using webpack dev server CLI setup and access untrusted web site with non-Chromium based browser.
- If you're affected, upgrade this dependency to at least version 5.2.1 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
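An added example covering the two webpack-dev-server findings above (this Origin-validation one and the cross-origin `<script src>` one before it). It is a request filter for a hypothetical dev server written here for illustration, not webpack-dev-server's code: `originAllowedVulnerable` reproduces the "any IP-address Origin is trusted" pattern the comment describes, `originAllowedHardened` replaces it with an exact allowlist, and `bundleRequestAllowed` rejects cross-site no-cors script loads of the bundle using the browser's Fetch Metadata headers. `ALLOWED_HOSTS`, the simplified IP-literal test and the header samples are assumptions.

```javascript
// Hosts the developer actually uses to reach the dev server (assumption).
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Hostname part of an Origin header value; null for "null" or unparsable origins.
function hostnameOf(origin) {
  try {
    return new URL(origin).hostname;
  } catch {
    return null;
  }
}

// Simplified IP-literal test: dotted IPv4 or a bracketed IPv6 literal.
function isIpLiteral(hostname) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) || /^\[[0-9a-f:.]+\]$/i.test(hostname);
}

// The pattern the finding describes: any IP-address Origin is accepted outright,
// so a page served from an attacker-controlled IP passes the WebSocket origin
// check and can read HMR messages (cross-site WebSocket hijacking).
function originAllowedVulnerable(origin) {
  const host = hostnameOf(origin);
  if (host === null) return false;
  if (isIpLiteral(host)) return true;
  return ALLOWED_HOSTS.has(host);
}

// Hardened: exact allowlist only; an IP literal passes only if it is listed.
function originAllowedHardened(origin) {
  const host = hostnameOf(origin);
  return host !== null && ALLOWED_HOSTS.has(host);
}

// WebSocket upgrade gate: reject when Origin is missing or not allowed.
function upgradeAllowed(headers, originCheck = originAllowedHardened) {
  const origin = headers['origin'];
  return typeof origin === 'string' && originCheck(origin);
}

// HTTP gate for the bundle, addressing the cross-origin <script src> finding.
// A classic script load from another site arrives with Sec-Fetch-Site: cross-site
// (or same-site), Sec-Fetch-Mode: no-cors, Sec-Fetch-Dest: script. Same-origin
// requests and navigations ("none") pass. A browser that sends no Fetch Metadata
// also sends no Origin on a classic script load, so that request cannot be told
// apart here and is allowed; this gate only helps with Fetch-Metadata browsers.
function bundleRequestAllowed(headers) {
  const site = headers['sec-fetch-site'];
  if (site === undefined) return true;
  if (site === 'same-origin' || site === 'none') return true;
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];
  if (mode === 'no-cors' && ['script', 'object', 'embed'].includes(dest)) return false;
  return true;
}
```

The two gates are independent on purpose: the WebSocket one protects the HMR channel, the HTTP one protects the bundle file, and the finding conditions on this page differ for each.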
| } | ||
| }, | ||
| "terser": { | ||
| "node_modules/terser": { |
High severity vulnerability introduced by a package you're using:
Line 9537 lists a dependency (terser) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
terser versions before 4.8.1, and versions >= 5.0.0 before 5.14.2, are vulnerable to Inefficient Regular Expression Complexity.
To resolve this comment:
Upgrade this dependency to at least version 4.8.1 at package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| }, | ||
| "get-func-name": { | ||
| "node_modules/get-func-name": { |
High severity vulnerability introduced by a package you're using:
Line 4802 lists a dependency (get-func-name) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
Affected versions of get-func-name are vulnerable to Uncontrolled Resource Consumption / Inefficient Regular Expression Complexity. The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks.
To resolve this comment:
Upgrade this dependency to at least version 2.0.1 at package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| "resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.13.2.tgz", | ||
| "integrity": "sha512-S/TQAZJO+D3m9xeN1WTI8dLKBBiRgXBlTJvbWjCThHWZj9EvHK70Ff50/tYj2J/fvBY6JtFVwRuazHN2E7M9BA==" | ||
| }, | ||
| "node_modules/@babel/preset-env": { |
Critical severity vulnerability may affect your project—review required:
Line 1046 lists a dependency (@babel/preset-env) with a known Critical severity vulnerability.
ℹ️ Why this matters
Affected versions of @babel/traverse and babel-traverse are vulnerable to Incomplete List of Disallowed Inputs / Incorrect Comparison. Compiling untrusted code with Babel using plugins that invoke the internal path.evaluate() or path.evaluateTruthy() methods (for example @babel/plugin-transform-runtime, @babel/preset-env with useBuiltIns, or any polyfill-provider plugin) allows a maliciously crafted AST to execute arbitrary code on the build machine during compilation.
To resolve this comment:
Check if you use Babel to compile untrusted JavaScript.
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| } | ||
| }, | ||
| "@babel/plugin-transform-runtime": { | ||
| "node_modules/@babel/plugin-transform-runtime": { |
Critical severity vulnerability may affect your project—review required:
Line 933 lists a dependency (@babel/plugin-transform-runtime) with a known Critical severity vulnerability.
ℹ️ Why this matters
Affected versions of @babel/traverse and babel-traverse are vulnerable to Incomplete List of Disallowed Inputs / Incorrect Comparison. Compiling untrusted code with Babel using plugins that invoke the internal path.evaluate() or path.evaluateTruthy() methods (for example @babel/plugin-transform-runtime, @babel/preset-env with useBuiltIns, or any polyfill-provider plugin) allows a maliciously crafted AST to execute arbitrary code on the build machine during compilation.
To resolve this comment:
Check if you use Babel to compile untrusted JavaScript.
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| "@babel/code-frame": "^7.0.0", | ||
| "@babel/parser": "^7.4.0", | ||
| "@babel/types": "^7.4.0" | ||
| } | ||
| }, | ||
| "@babel/traverse": { | ||
| "node_modules/@babel/traverse": { |
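Review bot: the Babel findings on this page all name @babel/traverse as the vulnerable package, and this entry is where the fix lands; @babel/preset-env and @babel/plugin-transform-runtime only pull it in. The dependency lines visible above it (`"@babel/parser": "^7.4.0"`, `"@babel/types": "^7.4.0"`) close the entry before it and say nothing about the traverse version, so after installing from this lock run `npm ls @babel/traverse` and confirm every resolved copy is at least 7.23.2, including nested copies under other packages.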
Critical severity vulnerability may affect your project—review required:
Line 1161 lists a dependency (@babel/traverse) with a known Critical severity vulnerability.
ℹ️ Why this matters
Affected versions of @babel/traverse and babel-traverse are vulnerable to Incomplete List of Disallowed Inputs / Incorrect Comparison. Compiling untrusted code with Babel using plugins that invoke the internal path.evaluate() or path.evaluateTruthy() methods (for example @babel/plugin-transform-runtime, @babel/preset-env with useBuiltIns, or any polyfill-provider plugin) allows a maliciously crafted AST to execute arbitrary code on the build machine during compilation.
To resolve this comment:
Check if you use Babel to compile untrusted JavaScript.
- If you're affected, upgrade this dependency to at least version 7.23.2 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
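A check a reviewer can run locally instead of triaging the eight comments one at a time: an added example script (not Semgrep's and not the project's code) that walks a package-lock.json in either layout shown in the hunks above (the lockfileVersion 1 nested `dependencies` tree on the left, the lockfileVersion 2/3 flat `packages` map on the right) and reports every installed copy, nested ones included, that falls inside the vulnerable ranges quoted in the comments. The js-yaml range is the one the comment gives (fixed at 3.14.2); `SAMPLE_LOCK` is constructed for the example and is not this PR's lock file.

```javascript
// Vulnerable ranges as quoted in the findings on this page. A version is affected
// if it satisfies every comparator of at least one range.
const ADVISORIES = {
  'js-yaml':            [['<3.14.2']],
  'webpack-dev-server': [['<5.2.1']],
  'terser':             [['<4.8.1'], ['>=5.0.0', '<5.14.2']],
  'get-func-name':      [['<2.0.1']],
  '@babel/traverse':    [['<7.23.2']],
};

// Minimal semver: major.minor.patch plus an optional prerelease tag.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(text).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Negative, zero or positive like strcmp. A prerelease sorts before its release;
// ordering between two prereleases of the same version is not needed here.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

function satisfies(version, comparator) {
  const m = /^(<=|>=|<|>|=)?\s*(.+)$/.exec(comparator);
  const cmp = compareVersions(version, parseVersion(m[2]));
  switch (m[1] || '=') {
    case '<': return cmp < 0;
    case '<=': return cmp <= 0;
    case '>': return cmp > 0;
    case '>=': return cmp >= 0;
    default: return cmp === 0;
  }
}

// Unparsable versions (git URLs, "file:" links) are skipped rather than guessed.
function isAffected(name, versionText) {
  const ranges = ADVISORIES[name];
  const version = parseVersion(versionText);
  if (!ranges || !version) return false;
  return ranges.some((range) => range.every((c) => satisfies(version, c)));
}

// Every installed copy as [name, version, path]. lockfileVersion 2/3 keeps a flat
// "packages" map keyed by node_modules path; lockfileVersion 1 nests "dependencies".
function* installedPackages(lock) {
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf('node_modules/');
      if (i === -1 || !entry.version) continue; // root project, workspaces, links
      yield [path.slice(i + 'node_modules/'.length), entry.version, path];
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (entry.version) yield [name, entry.version, path];
      yield* walk(entry.dependencies, `${path}/`);
    }
  }
  yield* walk(lock.dependencies, '');
}

function auditLockfile(lock) {
  const findings = [];
  for (const [name, version, path] of installedPackages(lock)) {
    if (isAffected(name, version)) findings.push({ name, version, path });
  }
  return findings;
}

// Constructed lockfileVersion 3 sample for the example, not the PR's lock file.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/js-yaml': { version: '3.13.1' },
    'node_modules/webpack-dev-server': { version: '5.2.1' },
    'node_modules/terser': { version: '5.10.0' },
    'node_modules/some-plugin/node_modules/terser': { version: '4.8.1' },
    'node_modules/get-func-name': { version: '2.0.0' },
    'node_modules/@babel/traverse': { version: '7.23.2' },
  },
};

// Usage: node audit-lock.js path/to/package-lock.json
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const lock = JSON.parse(require('node:fs').readFileSync(process.argv[2], 'utf8'));
  for (const f of auditLockfile(lock)) console.log(`${f.path}: ${f.name}@${f.version} is in a vulnerable range`);
}
```

Run it against the lock file from this branch and the one from the base branch; a package that is reported on both sides was already present before this bump, and one reported only on the new side was introduced or re-resolved by it. The terser entry shows why the ranges are lists: 4.8.1 is clean while 5.10.0 is not, so "at least 4.8.1" alone is not a sufficient check.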
Bumps ws to 6.2.4 and updates ancestor dependencies ws, webpack-bundle-analyzer and webpack-serve. These dependencies need to be updated together.

Updates `ws` from 6.2.1 to 6.2.4

Release notes
Sourced from ws's releases.

Commits
- 86d3e8a [dist] 6.2.4
- a76e211 [security] Limit retained message parts
- d87f3b6 [dist] 6.2.3
- eeb76d3 [security] Fix crash when the Upgrade header cannot be read (#2231)
- 9bdb580 [dist] 6.2.2
- 78c676d [security] Fix ReDoS vulnerability

Updates `webpack-bundle-analyzer` from 2.13.1 to 5.3.0

Release notes
Sourced from webpack-bundle-analyzer's releases.

Changelog
Sourced from webpack-bundle-analyzer's changelog.
... (truncated)

Commits
- 9ba43c7 chore(release): new release (#714)
- 8a91940 ci: trusted publishers (#713)
- b3f44b0 fix: race condition in writeStats (#711)
- 3710653 refactor: adding typescript jsdocs types (#710)
- 77599a4 refactor: improve prop types and fix mobx (#709)
- 26b83f6 test: refactor infra (#708)
- 2588e54 ci: add codecov and fix test (#705)
- be761ef update eslint and apply eslint-config-webpack (#701)
- 1c23a2a refactor: more ES6 code and code improvements (#700)
- 4af64e3 chore: improve package.json (#695)

Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for webpack-bundle-analyzer since your current version.

Updates `webpack-serve` from 0.3.2 to 4.0.0

Release notes
Sourced from webpack-serve's releases.

Commits
- db1f0ab chore(release): 4.0.0
- 597dd31 chore: update dependencies, test snapshots. credit: @jdavis-software #15
- 287aac5 chore(dev): npm audit fix
- 26ea537 chore(release): 3.2.0
- e29f861 chore: update dependencies
- fe46696 chore: update funding.yml
- d0c47fd chore(release): 3.1.1
- b11a999 chore: update dependencies, npm audit fix
- b60e028 chore: adding funding.yml
- a8bec26 chore(deps): audit fix (#8)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.