From c68a7bca647f9c4dd45ce39787ef850da4e1d8ca Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Fri, 7 Oct 2022 14:09:03 +0000 Subject: [PATCH] fix: package.json & .snyk to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-EJS-1049328 - https://snyk.io/vuln/SNYK-JS-EJS-2803307 - https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749 - https://snyk.io/vuln/SNYK-JS-MONGODB-473855 - https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631 - https://snyk.io/vuln/SNYK-JS-REDIS-1255645 - https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859 - https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-1056752 - https://snyk.io/vuln/SNYK-JS-STRIPTAGS-1312310 - https://snyk.io/vuln/SNYK-JS-WS-1296835 - https://snyk.io/vuln/npm:base64-url:20180512 - https://snyk.io/vuln/npm:debug:20170905 - https://snyk.io/vuln/npm:engine.io-client:20160426 - https://snyk.io/vuln/npm:fresh:20170908 - https://snyk.io/vuln/npm:mime:20170907 - https://snyk.io/vuln/npm:ms:20151024 - https://snyk.io/vuln/npm:ms:20170412 - https://snyk.io/vuln/npm:negotiator:20160616 - https://snyk.io/vuln/npm:qs:20170213 - https://snyk.io/vuln/npm:ws:20160104 - https://snyk.io/vuln/npm:ws:20160624 - https://snyk.io/vuln/npm:ws:20160920 - https://snyk.io/vuln/npm:ws:20171108 The following vulnerabilities are fixed with a Snyk patch: - https://snyk.io/vuln/npm:uglify-js:20151024 --- .snyk | 8 ++++++++ package.json | 32 ++++++++++++++++++-------------- 2 files changed, 26 insertions(+), 14 deletions(-) create mode 100644 .snyk diff --git a/.snyk b/.snyk new file mode 100644 index 00000000..9f964db7 --- /dev/null +++ b/.snyk @@ -0,0 +1,8 @@ +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities. +version: v1.25.0 +ignore: {} +# patches apply the minimum changes required to fix a vulnerability +patch: + 'npm:uglify-js:20151024': + - jade > transformers > uglify-js: + patched: '2022-10-07T14:08:42.092Z' diff --git a/package.json b/package.json index 52126262..c6cf28ce 100644 --- a/package.json +++ b/package.json @@ -4,42 +4,45 @@ "description": "Easily trade currencies in a secure environment, earning profitable returns.", "main": "index.js", "scripts": { - "start": "node index.js" + "start": "node index.js", + "prepublish": "npm run snyk-protect", + "snyk-protect": "snyk-protect" }, "dependencies": { "async": "0.9.0", "authy-node": "1.0.1", "bcryptjs": "~2.3.0", - "body-parser": "1.12.3", + "body-parser": "1.18.2", "bson": "~0.3.1", "clone": "~1.0.2", "cookie-parser": "1.3.4", - "ejs": "2.5.5", - "express": "4.12.3", + "ejs": "3.1.7", + "express": "4.16.0", "express-partials": "0.3.0", - "express-session": "1.11.1", + "express-session": "1.15.6", "irc": "0.3.11", "jade": "^1.11.0", "kapitalize": "0.3.3", "keygrip": "1.0.1", "merge-recursive": "0.0.3", - "mongodb": "~2.0.39", + "mongodb": "~3.1.13", "mongodb-core": "~1.2.7", "mongoose": "^5.5.12", - "object-manage": "^0.8.0", + "object-manage": "^1.1.1", "object-merge": "^2.5.1", - "passport": "0.2.1", + "passport": "0.6.0", "passport-local": "1.0.0", "redis": "0.12.1", "requirejs": "^2.3.2", "sendmail": "^0.2.1", - "serve-favicon": "2.2.0", - "socket.io": "1.3.5", - "socket.io-client": "1.3.5", + "serve-favicon": "2.4.5", + "socket.io": "3.0.0", + "socket.io-client": "2.4.0", "stripe": "^4.14.0", - "striptags": "^2.1.1", + "striptags": "^3.2.0", "uuid": "^3.0.1", - "wildcard-subdomains": "^0.1.0" + "wildcard-subdomains": "^0.1.0", + "@snyk/protect": "latest" }, "repository": { "type": "git", @@ -54,5 +57,6 @@ "url": "https://github.com/bentbot/pilotplus/issues" }, "homepage": "https://pilot.plus/", - "engine": "0.10.33" + "engine": "0.10.33", + "snyk": true }