[Snyk] Upgrade: marked, nuxt, sockjs-client

[Nagraj-Shankar]

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

marked
from 4.0.10 to 4.3.0 | 25 versions ahead of your current version | a year ago
on 2023-03-22
nuxt
from 2.16.0 to 2.18.1 | 10 versions ahead of your current version | 2 months ago
on 2024-06-28
sockjs-client
from 1.6.0 to 1.6.1 | 1 version ahead of your current version | 2 years ago
on 2022-05-28

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	786	Proof of Concept
	Improper Verification of Cryptographic Signature SNYK-JS-BROWSERIFYSIGN-6037026	786	No Known Exploit
	Path Traversal SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555	786	Proof of Concept
	Denial of Service (DoS) SNYK-JS-WS-7266574	786	Proof of Concept
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577916	786	Proof of Concept
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577917	786	Proof of Concept
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577918	786	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	786	Proof of Concept
	Information Exposure SNYK-JS-EVENTSOURCE-2823375	786	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTMLMINIFIER-3091181	786	Proof of Concept
	Prototype Pollution SNYK-JS-JSON5-3182856	786	Proof of Concept
	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	786	Proof of Concept

Release notes

Package name: marked

• 4.3.0 - 2023-03-22
  

  4.3.0 (2023-03-22)

  Bug Fixes

  • always return promise if async (#2728) (042dcc5)
  • fenced code doesn't need a trailing newline (#2756) (3acbb7f)

  Features

  • add preprocess and postprocess hooks (#2730) (9b452bc)
• 4.2.12 - 2023-01-14
  

  4.2.12 (2023-01-14)

  Sorry for all of the quick releases. We were testing out different ways to build the files for releases. v4.2.5 - v4.2.12 have no changes to how marked works. The only addition is the version number in the comment in the build files.

  Bug Fixes

  • revert to build script in ci (d2ab474)
• 4.2.11 - 2023-01-14
  

  4.2.11 (2023-01-14)

  Bug Fixes

  • just build in version (22ac2cf)
• 4.2.10 - 2023-01-14
  

  4.2.10 (2023-01-14)

  Bug Fixes

  • use version (fd759b3)
• 4.2.9 - 2023-01-14
  

  4.2.9 (2023-01-14)

  Bug Fixes

  • fix version (96380c3)
• 4.2.8 - 2023-01-14
  

  4.2.8 (2023-01-14)

  Bug Fixes

  • build in postversion for build file version (60c3b7f)
• 4.2.7 - 2023-01-14
  

  4.2.7 (2023-01-14)

  Bug Fixes

  • fix build file version (94fa76f)
• 4.2.6 - 2023-01-14
  

  4.2.6 (2023-01-14)

  Bug Fixes

  • add version to build files (79b8c0b)
• 4.2.5 - 2022-12-23
  

  4.2.5 (2022-12-23)

  Bug Fixes

  • fix paragraph continuation after block element (#2686) (1bbda68)
  • fix tabs at beginning of list items (#2679) (e692634)
• 4.2.4 - 2022-12-07
  

  4.2.4 (2022-12-07)

  Bug Fixes

  • loose list items are loose (#2672) (df4eb0e)
  • remove quotes at the end of gfm autolink (#2673) (697ac2a)
  • use paragraph token in blockquote in list (#2671) (edc857c)
• 4.2.3 - 2022-11-20
• 4.2.2 - 2022-11-05
• 4.2.1 - 2022-11-02
• 4.2.0 - 2022-10-31
• 4.1.1 - 2022-10-01
• 4.1.0 - 2022-08-30
• 4.0.19 - 2022-08-21
• 4.0.18 - 2022-07-11
• 4.0.17 - 2022-06-13
• 4.0.16 - 2022-05-17
• 4.0.15 - 2022-05-02
• 4.0.14 - 2022-04-11
• 4.0.13 - 2022-04-08
• 4.0.12 - 2022-01-27
• 4.0.11 - 2022-01-26
• 4.0.10 - 2022-01-13

from marked GitHub release notes

Package name: nuxt

• 2.18.1 - 2024-06-28
  

  👉 Changelog

  compare changes

  🩹 Fixes

  • webpack: Depend on earlier version of mkdirp (f67056b9e)

  ❤️ Contributors

  • Daniel Roe (@ danielroe)
• 2.18.0 - 2024-06-27
  

  👉 Changelog

  compare changes

  🚀 Enhancements

  • webpack: Migrate to memfs (#27652)

  🩹 Fixes

  • vue-app: Don't throw if we can't read sessionStorage (#27662)
  • config: Add back md4 monkey-patch for wider ecosystem (#27865)

  🏡 Chore

  • Bump internal versions (9e829b59a)
  • Add non-applicable advisory GHSA-3h5v-q93c-6h6q (5ef7311f0)

  ❤️ Contributors

  • Daniel Roe (@ danielroe)
• 2.17.4 - 2024-06-14
  

  👉 Changelog

  compare changes

  🩹 Fixes

  • types: Bump serve-static types to v1.15.7 (1c44c376d)
  • generator: Use maintained html-minifier-terser (#26914)
  • vue-app: Prevent double page mount (#10874)
  • core: Don't skip loading runtime modules if one is improperly resolved (#10193)
  • vue-app: Prevent error page mounting twice (#27484)

  🏡 Chore

  • Update repository field for @ nuxt/config (c283cc039)
  • Mark GHSA-2p57-rm9w-gvfp as not applicable (4782e3c90)
  • Update repository urls (07668eafb)
  • Mark GHSA-grv7-fg5c-xmjg as not applicable (eeb6207c9)
  • Refresh yarn lockfile (#27612)

  ✅ Tests

  • Properly close page in e2e tests (1700aa131)
  • Wait for navigation in redirect test (e74715606)
  • Don't register promise in external nav (#27468)

  🤖 CI

  • Add label PR workflow (#25580)
  • Make edge releases on commit basis (1eb08d1ba)
  • Remove ref for release workflows (06f91349f)
  • Don't skip tests from branch named dev (2a5d05257)
  • Update test conditions (940fc7dcb)

  ❤️ Contributors

  • Dmitriy (@ Kolobok12309)
  • Ivan Ehreshi (@ IvanEh)
  • Daniel Roe (@ danielroe)
  • Damian Głowala (@ DamianGlowala)
• 2.17.3 - 2024-01-12
• 2.17.2 - 2023-10-24
• 2.17.1 - 2023-07-14
• 2.17.0 - 2023-06-09
• 2.16.3 - 2023-03-17
• 2.16.2 - 2023-03-01
• 2.16.1 - 2023-02-13
• 2.16.0 - 2023-02-03

from nuxt GitHub release notes

Package name: sockjs-client

• 1.6.1 - 2022-05-28
  

  Fixes

  • Update eventsource to 2.0.2 due to CVE-2022-1650. Fixes #590
  • Update minimist to 1.2.6. Fixes #585
• 1.6.0 - 2022-02-27
  

  Fixes

  • Remove agent: false to allow usage of globalAgent. Fixes #421

  dependencies

  • Update url-parse due to CVE-2022-0686, CVE-2022-0639, and CVE-2022-0512. Fixes #576
  • Remove json3 dependency. Fixes #476
  • Update eventsource to 1.1.0
  • Update faye-websocket to 0.11.4
  • Update debug to 3.2.7

  devDependencies

  • Update follow-redirects (devDep) due to CVE-2022-0536 and CVE-2022-0155
  • Update karma (devDep) due to CVE-2022-0437
  • Update cached-path-relative (devDep) due to CVE-2021-23518
  • Update fsevents (devDep) to fix:
    • ini CVE-2020-7788
    • minimist CVE-2020-7598
    • tar CVE-2021-37713, CVE-2021-37701, CVE-2021-32804, CVE-2021-32803
  • Update copy-props (devDep) due to CVE-2020-28503
  • Update eslint, mocha, gulp-replace, karma-browserify, gulp-sourcemaps, and browserify

  Other Changes

  • Remove bower
  • Remove Travis CI
  • Require Node.js 12

from sockjs-client GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[//]: # 'snyk:metadata:{"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"marked","from":"4.0.10","to":"4.3.0"},{"name":"nuxt","from":"2.16.0","to":"2.18.1"},{"name":"sockjs-client","from":"1.6.0","to":"1.6.1"}],"env":"prod","hasFixes":true,"isBreakingChange":false,"isMajorUpgrade":false,"issuesToFix":[{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-BABELTRAVERSE-5962462","issue_id":"SNYK-JS-BABELTRAVERSE-5962462","priority_score":786,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"9.3","score":465},{"type":"scoreVersion","label":"v1","score":1}],"severity":"critical","title":"Incomplete List of Disallowed Inputs"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-BROWSERIFYSIGN-6037026","issue_id":"SNYK-JS-BROWSERIFYSIGN-6037026","priority_score":589,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Improper Verification of Cryptographic Signature"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555","issue_id":"SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555","priority_score":691,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.4","score":370},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Path Traversal"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-WS-7266574","issue_id":"SNYK-JS-WS-7266574","priority_score":696,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Denial of Service (DoS)"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-ELLIPTIC-7577916","issue_id":"SNYK-JS-ELLIPTIC-7577916","priority_score":776,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"9.1","score":455},{"type":"scoreVersion","label":"v1","score":1}],"severity":"critical","title":"Improper Verification of Cryptographic Signature"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-ELLIPTIC-7577917","issue_id":"SNYK-JS-ELLIPTIC-7577917","priority_score":776,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"9.1","score":455},{"type":"scoreVersion","label":"v1","score":1}],"severity":"critical","title":"Improper Verification of Cryptographic Signature"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-ELLIPTIC-7577918","issue_id":"SNYK-JS-ELLIPTIC-7577918","priority_score":776,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"9.1","score":455},{"type":"scoreVersion","label":"v1","score":1}],"severity":"critical","title":"Improper Verification of Cryptographic Signature"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-IP-6240864","issue_id":"SNYK-JS-IP-6240864","priority_score":751,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"8.6","score":430},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Server-side Request Forgery (SSRF)"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-EVENTSOURCE-2823375","issue_id":"SNYK-JS-EVENTSOURCE-2823375","priority_score":646,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.5","score":325},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Information Exposure"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-HTMLMINIFIER-3091181","issue_id":"SNYK-JS-HTMLMINIFIER-3091181","priority_score":586,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.3","score":265},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-JSON5-3182856","issue_id":"SNYK-JS-JSON5-3182856","priority_score":641,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.4","score":320},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Prototype Pollution"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-TAR-6476909","issue_id":"SNYK-JS-TAR-6476909","priority_score":646,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.5","score":325},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Uncontrolled Resource Consumption ('Resource Exhaustion')"}],"prId":"8bca1be1-e36d-4a4d-ba2a-3ad8386f47ff","prPublicId":"8bca1be1-e36d-4a4d-ba2a-3ad8386f47ff","packageManager":"npm","priorityScoreList":[786,589,691,696,776,776,776,751,646,586,641,646],"projectPublicId":"323b2ded-22d3-407f-aebc-4d64e7376adb","projectUrl":"https://app.snyk.io/org/nps2003/project/323b2ded-22d3-407f-aebc-4d64e7376adb?utm_source=github&utm_medium=referral&page=upgrade-pr","prType":"upgrade","templateFieldSources":{"branchName":"default","commitMessage":"default","description":"default","title":"default"},"templateVariants":["priorityScore"],"type":"auto","upgrade":["SNYK-JS-BABELTRAVERSE-5962462","SNYK-JS-BROWSERIFYSIGN-6037026","SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555","SNYK-JS-WS-7266574","SNYK-JS-ELLIPTIC-7577916","SNYK-JS-ELLIPTIC-7577917","SNYK-JS-ELLIPTIC-7577918","SNYK-JS-IP-6240864","SNYK-JS-EVENTSOURCE-2823375","SNYK-JS-HTMLMINIFIER-3091181","SNYK-JS-JSON5-3182856","SNYK-JS-TAR-6476909"],"upgradeInfo":{"versionsDiff":25,"publishedDate":"2023-03-22T05:54:41.043Z"},"vulns":["SNYK-JS-BABELTRAVERSE-5962462","SNYK-JS-BROWSERIFYSIGN-6037026","SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555","SNYK-JS-WS-7266574","SNYK-JS-ELLIPTIC-7577916","SNYK-JS-ELLIPTIC-7577917","SNYK-JS-ELLIPTIC-7577918","SNYK-JS-IP-6240864","SNYK-JS-EVENTSOURCE-2823375","SNYK-JS-HTMLMINIFIER-3091181","SNYK-JS-JSON5-3182856","SNYK-JS-TAR-6476909"]}'