[Snyk] Fix for 4 vulnerabilities #73

twilio-product-security · 2022-01-31T14:46:35Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	Yes	Proof of Concept
429/1000 Why? Has a fix available, CVSS 4.3	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	Yes	No Known Exploit
490/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-RAMDA-1582370	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @twilio/cli-core

The new version differs by 184 commits.

ad437be chore(release): set `package.json` to 5.31.0 [skip ci]
3eb6bf3 oaiFeat: Updated api definitions
06e2cb1 feat: Added the github actions to send the slack notifications (#164)
ac25774 Resolve sec vulnerability (#166)
188120a chore: [Snyk] Security upgrade @ oclif/plugin-help from 2.2.3 to 3.2.0 (#165)
26e4594 chore(release): set `package.json` to 5.30.0 [skip ci]
c297f19 oaiFeat: Updated api definitions
7749030 fix:Added the following changes: (#161)
27bd508 chore: Added changes to use scripts instead of community Github actions (#155)
5367ba5 Fixing the protected branch issue (#158)
d454b81 fix: fix naming (#157)
8e5a785 chore(release): set `package.json` to 5.29.0 [skip ci]
906518f fix: Updated api definitions
c49a4c8 Fixed the semantic github issue (#156)
c098538 Corrected the homebrew inputs for the workflow (#154)
002dd1f feat: Enable GitHub actions. (#150)
5c579b9 Release 5.28.3
6ec8fe8 [Librarian] Regenerated @ 9a313923ef0eae61a7da7210b7d5de59e65a697c
cf3f4a0 Release 5.28.2
8beaa37 [Librarian] Regenerated @ fdad267944635962308083659322c23f28226702
56e9cd8 Removed sonar-code scan step
9c0b6eb Created workflow file with dispatch event.
6248e64 Release 5.28.1
a47b66a [Librarian] Regenerated @ 480d240ca25b1c4186b4f9485e0f0debf1e14978

See the full diff

Package name: eslint-config-oclif

The new version differs by 50 commits.

b41e879 chore(release): 3.1.1 [skip ci]
188f803 fix: allow release from main branch
d58f559 Update to latest standards (#85)
ec95e5d chore: sync dependabot.yml (#81)
849b2b7 build!: require node 12+ (#82)
8ae10c6 Remove Codecov
a850bb2 chore(deps): bump eslint-plugin-unicorn from 28.0.2 to 30.0.0 ([Snyk] Fix for 1 vulnerabilities #67)
799269e chore(deps): bump eslint-config-xo-space from 0.25.0 to 0.27.0 ([Snyk] Security upgrade twilio-run from 2.9.0 to 3.3.0 #63)
2f65616 chore(deps): bump eslint-plugin-mocha from 8.0.0 to 8.1.0 ([Snyk] Fix for 1 vulnerabilities #64)
93097f3 chore(deps-dev): bump eslint from 7.21.0 to 7.23.0 ([Snyk] Fix for 1 vulnerabilities #66)
af3acef chore(deps-dev): bump eslint from 7.17.0 to 7.21.0 ([Snyk] Fix for 1 vulnerabilities #61)
3fe82a9 chore(deps): bump eslint-plugin-unicorn from 25.0.1 to 28.0.2 ([Snyk] Fix for 1 vulnerabilities #62)
130c798 chore(deps-dev): bump eslint from 7.15.0 to 7.17.0 ([Snyk] Fix for 2 vulnerabilities #57)
4f130cc chore(deps): bump eslint-plugin-unicorn from 21.0.0 to 25.0.1 ([Snyk] Fix for 1 vulnerabilities #56)
ccf8472 chore: sync dependabot.yml ([Snyk] Security upgrade @twilio/cli-core from 4.6.0 to 5.0.0 #53)
8202c27 chore(deps-dev): bump eslint from 7.6.0 to 7.15.0 ([Snyk] Security upgrade nyc from 13.3.0 to 15.0.0 #52)
ad29e51 chore: sync dependabot.yml ([Snyk] Security upgrade @twilio/cli-core from 4.6.0 to 5.15.1 #43)
4c2f489 chore(deps): bump eslint-plugin-mocha from 7.0.1 to 8.0.0 (serverless:promote has conflicting command line options #40)
6c49e07 chore(deps-dev): bump eslint from 7.5.0 to 7.6.0 (chore(deps): upgrade twilio-run to 2.8.0 #39)
1df696d chore: sync dependabot.yml (Allow ngrok configuration to be passed in #38)
d93e12d chore(deps-dev): bump eslint from 7.4.0 to 7.5.0 (NGrok required dependency installer issue #37)
eb010e3 chore(deps): bump eslint-plugin-unicorn from 20.1.0 to 21.0.0 (Add support for -l flag within twilio serverless:init #36)
412a5f7 chore(deps): bump lodash from 4.17.15 to 4.17.19 (Production env adds "undefined" suffix #35)
a613406 chore(deps-dev): bump eslint from 7.3.1 to 7.4.0 (fix: imports getRegionAndEdge everywhere it is used #34)

See the full diff

Package name: nyc

The new version differs by 127 commits.

bebf4d6 chore(release): 15.0.0
2931730 chore: Update to final releases of dependencies (#1245)
d44ff19 chore: Update node-preload and use process-on-spawn (#1243)
5258e9f feat: Filenames relative to project cwd in coverage reports (#1212)
6039f29 chore: Unpin test-exclude, update to latest pre-releases (#1240)
f3c9e6c chore: Temporarily pin test-exclude (#1239)
28ed746 chore: Lazy load modules that are rarely/never needed in test processes. (#1232)
7307626 chore: Remove cp-file module (#1230)
dfd629d fix: Better error handling for main execution, reporting (#1229)
549c953 chore: Update dependencies, pin find-cache-dir (#1228)
a1dee03 chore: Update yargs (#1224)
8078a79 chore: Fix 404 in README.md. (#1220)
7a02cb7 chore: Add enterprise language (#1217)
ea94c7f chore: Remove unused functions (#1218)
53c66b9 docs: `npm home nyc` goes to github master branch README (#1201)
cf5e5d3 chore: Update dependencies
8411a26 fix: Correct handling of source-maps for pre-instrumented files (#1216)
f890360 docs: Fix URL to default excludes in README.md (#1214)
3726bbb chore: Update to async version of istanbul-lib-source-maps (#1199)
0efc6d1 chore: Tweak arguments for async coverage data readers (#1198)
cc77e13 chore: Add `use strict` to all except fixtures (#1197)
bcbe1df chore: Update dependencies (#1196)
2735ee2 chore: 100% coverage (#1195)
fd40d49 feat: Use @ istanbuljs/schema for yargs setup (#1194)

See the full diff

Package name: twilio-run

The new version differs by 250 commits.

1695a1d chore(release): publish %s
989307d feat: add support for request headers & cookies (#373)
d2321f3 test(runtime-handler): add assets redirect integration test
0d5aab9 fix(twilio-run): fall back to /assets/index.html for root path
54bfeda fix(runtime-handler): fall back to assets/index.html for root path
68232df Update clone command (#364)
ae05049 fix(twilio-run): support exact dependency ranges in templates (#370)
b5d6771 chore(serverless-runtime-types): release 2.1.2
3007a45 chore(serverless-runtime-types): add bundle to gitignore
7a24b87 feat(serverless-runtime-types): provide bundled type files (#369)
15501ea chore: update dependencies (#359)
5f3d4d8 chore: release pre-release version
cd28c72 chore(release): publish %s
67a8fd8 fix(twilio-run): limit json output in deploy command
5a24ed8 feat(twilio-run): add environment sid support
7702dca feat(serverless-api): add support for env SIDs in deploy
86de2ae fix(create-twilio-function): adds rootDir to generated tsconfig.json (#362)
75067a9 feat(twilio-run): updates env list command to use writeJsonOutput function
9476496 test(twilio-run): updates snapshot with help output for output-format
691513b feat(twilio-run): adds json output to twilio-run promote
0342f53 feat(twilio-run): adds json output to twilio-run list
d49d7e0 feat(twilio-run): adds json output to twilio-run list-templates
9ae1478 feat(twilio-run): adds json output to twilio-run deploy
da33cfb fix(twilio-run): expose env set and import commands (#341)