
[Snyk] Upgrade parse-server from 4.5.0 to 4.10.13 #2

Open · wants to merge 1 commit into base: master

Conversation

snyk-bot

Snyk has created this PR to upgrade parse-server from 4.5.0 to 4.10.13.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 16 versions ahead of your current version.
  • The recommended version was released a month ago, on 2022-06-30.

The recommended version fixes:

| Issue | Snyk ID | Priority Score (*) | Why? | Exploit Maturity |
|---|---|---|---|---|
| Information Exposure | SNYK-JS-PARSESERVER-2938529 | 624/1000 | Has a fix available, CVSS 8.2 | No Known Exploit |
| Denial of Service (DoS) | SNYK-JS-PARSESERVER-2932143 | 624/1000 | Has a fix available, CVSS 8.2 | No Known Exploit |
| Authentication Bypass | SNYK-JS-PARSESERVER-2806358 | 624/1000 | Has a fix available, CVSS 8.2 | No Known Exploit |
| Improper Authentication | SNYK-JS-PARSESERVER-1727337 | 624/1000 | Has a fix available, CVSS 8.2 | No Known Exploit |
| Regular Expression Denial of Service (ReDoS) | SNYK-JS-REDIS-1255645 | 624/1000 | Has a fix available, CVSS 8.2 | No Known Exploit |
| Authentication Bypass | SNYK-JS-PARSESERVER-2932021 | 624/1000 | Has a fix available, CVSS 8.2 | No Known Exploit |
| Prototype Pollution | SNYK-JS-PARSESERVER-2422282 | 624/1000 | Has a fix available, CVSS 8.2 | No Known Exploit |
| Denial of Service (DoS) | SNYK-JS-PARSESERVER-1582380 | 624/1000 | Has a fix available, CVSS 8.2 | No Known Exploit |
| Improper Verification of Cryptographic Signature | SNYK-JS-NODEFORGE-2430339 | 624/1000 | Has a fix available, CVSS 8.2 | No Known Exploit |
| Command Injection | SNYK-JS-LODASH-1040724 | 624/1000 | Has a fix available, CVSS 8.2 | Proof of Concept |
| Regular Expression Denial of Service (ReDoS) | SNYK-JS-AXIOS-1579269 | 624/1000 | Has a fix available, CVSS 8.2 | Proof of Concept |
| Prototype Pollution | SNYK-JS-AWSSDK-1059424 | 624/1000 | Has a fix available, CVSS 8.2 | Proof of Concept |
| Information Exposure | SNYK-JS-PARSESERVER-1567777 | 624/1000 | Has a fix available, CVSS 8.2 | No Known Exploit |
| Improper Verification of Cryptographic Signature | SNYK-JS-NODEFORGE-2430341 | 624/1000 | Has a fix available, CVSS 8.2 | No Known Exploit |
| Improper Verification of Cryptographic Signature | SNYK-JS-NODEFORGE-2430337 | 624/1000 | Has a fix available, CVSS 8.2 | No Known Exploit |
| Prototype Pollution | SNYK-JS-NODEFORGE-2331908 | 624/1000 | Has a fix available, CVSS 8.2 | No Known Exploit |
| Open Redirect | SNYK-JS-NODEFORGE-2330875 | 624/1000 | Has a fix available, CVSS 8.2 | Proof of Concept |
| Regular Expression Denial of Service (ReDoS) | SNYK-JS-LODASH-1018905 | 624/1000 | Has a fix available, CVSS 8.2 | Proof of Concept |
| Information Exposure | SNYK-JS-FOLLOWREDIRECTS-2332181 | 624/1000 | Has a fix available, CVSS 8.2 | Proof of Concept |
| Information Exposure | SNYK-JS-FOLLOWREDIRECTS-2332181 | 624/1000 | Has a fix available, CVSS 8.2 | Proof of Concept |
| Server-Side Request Forgery (SSRF) | SNYK-JS-AXIOS-1038255 | 624/1000 | Has a fix available, CVSS 8.2 | Proof of Concept |
| Information Exposure | SNYK-JS-FOLLOWREDIRECTS-2396346 | 624/1000 | Has a fix available, CVSS 8.2 | No Known Exploit |
| Information Exposure | SNYK-JS-FOLLOWREDIRECTS-2396346 | 624/1000 | Has a fix available, CVSS 8.2 | No Known Exploit |

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: parse-server
  • 4.10.13 - 2022-06-30

    4.10.13 (2022-06-30)

    Bug Fixes

    • protected fields exposed via LiveQuery; this removes protected fields from the client response; this may be a breaking change if your app is currently expecting to receive these protected fields (GHSA-crrq-vr9j-fxxh) (#8074) (054f3e6)
  • 4.10.12 - 2022-06-17

    4.10.12 (2022-06-17)

    Bug Fixes

    • invalid file request not properly handled; this fixes a security vulnerability in which an invalid file request can crash the server (GHSA-xw6g-jjvf-wwf9) (#8059) (5f42322)
  • 4.10.11 - 2022-06-17
  • 4.10.10 - 2022-05-01
  • 4.10.9 - 2022-03-28
  • 4.10.8 - 2022-03-24
  • 4.10.7 - 2022-03-11
  • 4.10.6 - 2022-02-12
  • 4.10.5 - 2022-02-12
  • 4.10.4 - 2021-09-30
  • 4.10.3 - 2021-09-02
  • 4.10.2 - 2021-08-23
  • 4.10.1 - 2021-08-23
  • 4.10.0 - 2021-08-20
  • 4.5.2 - 2021-08-18
  • 4.5.1 - 2021-08-18
  • 4.5.0 - 2020-12-15
from parse-server GitHub release notes
Commit messages
Package name: parse-server
  • 4748e9b chore(release): 4.10.13 [skip ci]
  • 054f3e6 fix: protected fields exposed via LiveQuery; this removes protected fields from the client response; this may be a breaking change if your app is currently expecting to receive these protected fields ([GHSA-crrq-vr9j-fxxh](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh)) (#8074)
  • 6286d2e chore(release): 4.10.12 [skip ci]
  • 5f42322 fix: invalid file request not properly handled; this fixes a security vulnerability in which an invalid file request can crash the server ([GHSA-xw6g-jjvf-wwf9](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-xw6g-jjvf-wwf9)) (#8059)
  • ad680bd chore(release): 4.10.11 [skip ci]
  • 145838d fix: certificate in Apple Game Center auth adapter not validated; this fixes a security vulnerability in which authentication could be bypassed using a fake certificate; if you are using the Apple Game Center auth adapter it is your responsibility to keep its root certificate up-to-date and we advise you to read the security advisory ([GHSA-rh9j-f5f8-rvgc](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-rh9j-f5f8-rvgc))
  • 8580a52 fix CI timeout
  • 53afafa Update gcenter.js
  • c411c48 Create game_center.pem
  • 07786c1 fix adapter
  • b00b041 chore(release): 4.10.10 [skip ci]
  • 1930a64 fix: authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter (GHSA-qf8x-vqjv-92gr) (#7963)
  • cd354b7 chore(release): 4.10.9 [skip ci]
  • 3d80ee5 fix: security upgrade @parse/push-adapter from 3.4.1 to 4.1.2 (#7897)
  • bf88869 chore(release): 4.10.8 [skip ci]
  • d347613 fix: sensitive keyword detection may produce false positives (#7883)
  • 02f88f4 docs: add details to changelog (#7842)
  • 7c84477 chore(release): 4.10.7 [skip ci]
  • 886bfd7 fix: security vulnerability that allows remote code execution (ghsa p6h4 93qp jhcm) (#7841)
  • 318c203 ci: fix changelog file path (#7835)
  • 6f25ea9 ci: add manual docker release workflow (#7809)
  • cd41626 chore(release): 4.10.6 [skip ci]
  • 350ecde fix: update graphql dependencies to work with Parse Dashboard (#7658)
  • b465f7b chore(release): 4.10.5 [skip ci]

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
