[Snyk] Upgrade: , , uuid, , , axios, mysql2, sequelize, sequelize-cli #160

WontonSam · 2024-09-19T03:20:01Z

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Name	Versions	Released on

@google-cloud/pubsub
from 2.19.4 to 4.7.0 | 41 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 23 days ago
on 2024-08-26
@google-cloud/scheduler
from 3.3.1 to 4.3.0 | 5 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 4 months ago
on 2024-05-21
uuid
from 8.3.2 to 10.0.0 | 4 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 3 months ago
on 2024-06-09
@google-cloud/spanner
from 5.18.0 to 7.14.0 | 40 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | a month ago
on 2024-08-14
@google-cloud/trace-agent
from 5.1.6 to 8.0.0 | 5 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 7 months ago
on 2024-02-07
axios
from 0.26.1 to 1.7.5 | 47 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | a month ago
on 2024-08-23
mysql2
from 1.7.0 to 3.11.0 | 66 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 2 months ago
on 2024-07-27
sequelize
from 5.22.5 to 6.37.3 | 105 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 5 months ago
on 2024-04-13
sequelize-cli
from 5.5.1 to 6.6.2 | 14 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | a year ago
on 2023-11-03

Issues fixed by the recommended upgrade:

Issue	Score	Exploit Maturity
Prototype Pollution SNYK-JS-PROTOBUFJS-2441248	731	Proof of Concept
Prototype Pollution SNYK-JS-PROTOBUFJS-5756498	731	Proof of Concept
Prototype Pollution SNYK-JS-PROTOBUFJS-5756498	731	Proof of Concept
SQL Injection SNYK-JS-SEQUELIZE-2932027	731	Proof of Concept
SQL Injection SNYK-JS-SEQUELIZE-2959225	731	No Known Exploit
Improper Filtering of Special Elements SNYK-JS-SEQUELIZE-3324088	731	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	731	Proof of Concept
Cross-site Request Forgery (CSRF) SNYK-JS-AXIOS-6032459	731	Proof of Concept
Prototype Pollution SNYK-JS-MYSQL2-6861580	731	Proof of Concept
Information Exposure SNYK-JS-SEQUELIZE-3324089	731	No Known Exploit
Access of Resource Using Incompatible Type ('Type Confusion') SNYK-JS-SEQUELIZE-3324090	731	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-6124857	731	Proof of Concept
Uncontrolled Resource Consumption SNYK-JS-GRPCGRPCJS-7242922	731	No Known Exploit
Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	731	Proof of Concept
Prototype Poisoning SNYK-JS-MYSQL2-6591084	731	Proof of Concept
Remote Code Execution (RCE) SNYK-JS-MYSQL2-6591085	731	Proof of Concept
Improper Input Validation SNYK-JS-MYSQL2-6591300	731	Proof of Concept
Arbitrary Code Injection SNYK-JS-MYSQL2-6670046	731	Proof of Concept

Release notes

Package name: @google-cloud/pubsub

4.7.0 - 2024-08-26
4.7.0 (2024-08-24)

Features
- Add support for OTel context propagation and harmonized spans (#1833) (4b5c90d)
4.6.0 - 2024-08-23
4.6.0 (2024-07-12)

Features
- Add max messages batching for Cloud Storage subscriptions (#1956) (90546f6)
- Add use_topic_schema for Cloud Storage Subscriptions (#1948) (120fa1b)
Bug Fixes
- docs samples: Update missing argv in sample metadata for push subscription (#1946) (34b8c03)
4.5.0 - 2024-06-11
4.5.0 (2024-06-11)

Features
- Add service_account_email for export subscriptions (#1927) (c532854)
4.5.0-otel-beta.2 - 2024-08-08
4.4.1 - 2024-05-30
4.4.1 (2024-05-30)

Bug Fixes
- An existing message UpdateVehicleLocationRequest is removed (5451d15)
- An existing method SearchFuzzedVehicles is removed from service VehicleService (5451d15)
- An existing method UpdateVehicleLocation is removed from service VehicleService (5451d15)
- deps: Update dependency protobufjs to ~7.3.0 (#1921) (c5afd34)
- Pull in new gax for protobufjs vuln fix (#1925) (8024c6d)
4.4.0 - 2024-05-06
4.4.0 (2024-05-03)

Features
- Add several fields to manage state of database encryption update (#1904) (aba9aee)
Bug Fixes
- deps: Update dependency @ types/long to v5 (#1901) (d13d395)
4.3.3 - 2024-03-06
4.3.3 (2024-03-03)

Bug Fixes
- Add client library version to headers (#1891) (6b59195)
4.3.3-otel-beta.1 - 2024-04-04
4.3.2 - 2024-02-13
4.3.2 (2024-02-13)

Bug Fixes
- Update minimum google-gax versions for auth fixes (#1888) (08acade)
4.3.1 - 2024-02-08
4.3.1 (2024-02-08)

Bug Fixes
- Add option to disable emulator auth handling (temp fix) (#1861) (761cdc8)
4.3.0 - 2024-02-05
4.3.0 (2024-02-05)

Features
- Trusted Private Cloud support, use the universeDomain parameter (#1878) (d89fd1d)
Bug Fixes
- Updated google-gax required for TPC (#1882) (1445856)
4.2.0 - 2024-02-01
4.2.0 (2024-02-01)

Features
- Add enforce_in_transit fields and optional annotations (#1873) (09fc424)
- Add schema revision samples (#1870) (044e149)
Bug Fixes
- deps: Update dependency @ opentelemetry/semantic-conventions to ~1.20.0 (#1871) (2ee0dba)
- deps: Update dependency @ opentelemetry/semantic-conventions to ~1.21.0 (#1876) (0fe61a9)
4.1.1 - 2024-01-09
4.1.0 - 2023-12-14
4.0.7 - 2023-11-09
4.0.6 - 2023-09-15
4.0.5 - 2023-09-07
4.0.4 - 2023-09-06
4.0.3 - 2023-09-05
4.0.2 - 2023-08-24
4.0.1 - 2023-08-14
4.0.0 - 2023-08-03
3.7.5 - 2023-09-20
3.7.3 - 2023-07-26
3.7.2 - 2023-07-24
3.7.1 - 2023-06-08
3.7.0 - 2023-05-26
3.6.0 - 2023-05-12
3.5.2 - 2023-04-28
3.5.1 - 2023-04-25
3.5.0 - 2023-04-17
3.4.1 - 2023-03-08
3.4.0 - 2023-03-06
3.3.0 - 2023-01-23
3.2.1 - 2022-11-04
3.2.0 - 2022-09-22
3.1.1 - 2022-09-07
3.1.0 - 2022-07-15
3.0.3 - 2022-07-13
3.0.1 - 2022-05-30
3.0.0 - 2022-05-26
2.19.4 - 2022-05-05

from @google-cloud/pubsub GitHub release notes

Package name: @google-cloud/scheduler

4.3.0 - 2024-05-21
4.2.0 - 2024-04-02
4.1.0 - 2024-02-13
4.0.1 - 2023-09-06
4.0.0 - 2023-08-07
3.3.1 - 2023-04-14

from @google-cloud/scheduler GitHub release notes

Package name: uuid

10.0.0 - 2024-06-09
chore: typo in CHANGELOG
9.0.1 - 2023-09-12
chore(release): 9.0.1
9.0.0 - 2022-09-05
chore(release): 9.0.0
9.0.0-beta.0 - 2022-08-05
8.3.2 - 2020-12-08
chore(release): 8.3.2

from uuid GitHub release notes

Package name: @google-cloud/spanner

7.14.0 - 2024-08-14
7.14.0 (2024-08-14)

Features
- spanner: Add resource reference annotation to backup schedules (#2093) (df539e6)
Bug Fixes
- deps: Update dependency google-gax to v4.3.9 (#2094) (487efc0)
7.13.0 - 2024-08-09
7.13.0 (2024-08-09)

Features
- spanner: Add support for Cloud Spanner Incremental Backups (#2085) (33b9645)
Bug Fixes
- Unhandled exception error catch (#2091) (e277752)
7.12.0 - 2024-08-02
7.12.0 (2024-08-02)

Features
- Grpc keep alive settings (#2086) (7712c35)
7.11.0 - 2024-07-29
7.11.0 (2024-07-29)

Features
- Add support for blind writes (#2065) (62fc0a4)
- spanner: Add samples for instance partitions (#2083) (b91e284)
7.10.0 - 2024-07-19
7.10.0 (2024-07-19)

Features
- Add field lock_hint in spanner.proto (47520e9)
- Add field order_by in spanner.proto (47520e9)
- Add QueryCancellationAction message in executor protos (47520e9)
- Add support for change streams transaction exclusion option for Batch Write (#2070) (2a9e443)
- spanner: Add support for Cloud Spanner Scheduled Backups (#2045) (47520e9)
- Update Nodejs generator to send API versions in headers for GAPICs (47520e9)
Bug Fixes
- Callback in getDatabaseDialect (#2078) (7e4a8e9)
- deps: Update dependency google-gax to v4.3.8 (#2077) (e927880)
7.9.1 - 2024-06-26
7.9.1 (2024-06-26)

Bug Fixes
- Retry with timeout (#2071) (a943257)
7.9.0 - 2024-06-24
7.9.0 (2024-06-21)

Features
- spanner: Add support for batchWrite (#2054) (06aab6e)
Bug Fixes
- deps: Update dependency google-gax to v4.3.4 (#2051) (80abf06)
- deps: Update dependency google-gax to v4.3.5 (#2055) (702c9b0)
- deps: Update dependency google-gax to v4.3.6 (#2057) (74ebf1e)
- deps: Update dependency google-gax to v4.3.7 (#2068) (28fec6c)
7.8.0 - 2024-05-27
7.8.0 (2024-05-24)

Features
- Add RESOURCE_EXHAUSTED to the list of retryable error codes (#2032) (a4623c5)
- Add support for multi region encryption config (81fa610)
- Add support for Proto columns (#1991) (ae59c7f)
- spanner: Add support for change streams transaction exclusion option (#2049) (d95cab5)
Bug Fixes
- deps: Update dependency google-gax to v4.3.3 (#2038) (d86c1b0)
- Drop table statement (#2036) (f31d7b2)
7.7.0 - 2024-04-22
7.7.0 (2024-04-17)

Features
- OptimisticLock option for getTransaction method (#2028) (dacf869)
- spanner: Adding EXPECTED_FULFILLMENT_PERIOD to the indicate instance creation times (with FULFILLMENT_PERIOD_NORMAL or FULFILLMENT_PERIOD_EXTENDED ENUM) with the extended instance creation time triggered by On-Demand Capacity Feature (#2024) (5292e03)
Bug Fixes
- deps: Update dependency google-gax to v4.3.2 (#2026) (0ee9831)
7.6.0 - 2024-03-26
7.6.0 (2024-03-26)

Features
- Add instance partition support to spanner instance proto (#2001) (4381047)
- Managed Autoscaler (#2015) (547ca1b)
- spanner: Add a sample for max commit delays (#1993) (91c7204)
- spanner: Add support for float32 (#2020) (99e2c1d)
7.5.0 - 2024-03-04
7.4.0 - 2024-02-23
7.3.0 - 2024-02-08
7.2.0 - 2024-01-11
7.1.0 - 2023-11-16
7.0.0 - 2023-08-30
6.16.0 - 2023-08-07
6.15.0 - 2023-08-04
6.14.0 - 2023-07-22
6.13.0 - 2023-07-21
6.12.0 - 2023-06-22
6.11.0 - 2023-06-07
6.10.1 - 2023-05-30
6.10.0 - 2023-05-19
6.9.0 - 2023-04-26
6.8.0 - 2023-04-06
6.7.2 - 2023-02-17
6.7.1 - 2023-01-31
6.7.0 - 2023-01-18
6.6.0 - 2022-12-16
6.5.0 - 2022-12-05
6.4.0 - 2022-10-31
6.3.0 - 2022-10-17
6.2.0 - 2022-09-21
6.1.4 - 2022-09-07
6.1.3 - 2022-07-18
6.1.2 - 2022-07-07
6.1.1 - 2022-07-07
6.1.0 - 2022-07-05
6.0.0 - 2022-06-20
5.18.0 - 2022-04-03

from @google-cloud/spanner GitHub release notes

Package name: @google-cloud/trace-agent

8.0.0 - 2024-02-07
8.0.0 (2024-02-07)

⚠ BREAKING CHANGES
- upgrade to Node 14 (#1517)
Features
- Support restify v9-v11 (#1489) (746f30c)
Bug Fixes
- Assert oldMethod existence, and pin typescript version (#1549) (66a39fa)
- deps: Update dependency require-in-the-middle to v6 (#1483) (ddd4bbb)
- deps: Update dependency require-in-the-middle to v7 (#1494) (58e7821)
- Skip flaky test (#1495) (bb03060), closes #1334
Miscellaneous Chores
- Upgrade to Node 14 (#1517) (8b6c967)
7.1.2 - 2022-09-26
7.1.2 (2022-09-08)

Bug Fixes
- deps: Update dependency uuid to v9 (#1475) (d77f2e1)
7.1.1 - 2022-08-29
7.1.1 (2022-08-29)

Bug Fixes
- pg: Return patched promise instead of original (#1470) (e79407e)
- redis: Apply instrumentation only for Redis <4.0 (b75f5d8)
- remove pip install statements (#1546) (#1468) (fbcc88c)
- Remove unused type arg (#1467) (ed422ed)
7.1.0 - 2022-08-10
7.1.0 (2022-08-10)

Features
- mysql: update MySQL wrapper to propagate fields. (#1412) (1b92362)
7.0.0 - 2022-08-10
7.0.0 (2022-08-10)

⚠ BREAKING CHANGES
- update library to use Node 12 (#1442)
- drop support for node.js 8.x (#1239)
- When initialized with clsMechanism: 'none', calling Tracer#createChildSpan will potentially result in a warning, as these spans are considered to be uncorrelated. To ensure that warnings do not occur, disable any plugins that patch modules that create outgoing RPCs (gRPC, HTTP client and database calls). (Use of the custom span API Tracer#createChildSpan is not recommended in this configuration -- use RootSpan#createChildSpan instead.)
- This change modifies/removes APIs that assume a particular format for trace context headers; in other words, any place where the user would deal with a stringified trace context, they would now deal with a TraceContext object instead. This affects three APIs: getResponseTraceContext (input/output has changed from string to TraceContext), createRootSpan (input RootSpanOptions now accepts a TraceContext instead of a string in the traceContext field), and Span#getTraceContext (output has changed from string to TraceContext).
- contextHeaderBehavior and ignoreContextHeader now act independently of one another. The former controls how a sampling decision is made based on incoming context header, and the latter controls whether trace context is propagated to the current request.
- upgrade engines field to >=8.10.0 (#1011)
- TraceAgent has been renamed to Tracer. In plugins, Patch has been renamed Monkeypatch, and Patch is now Monkeypatch|Intercept (this is a rename of Instrumentation). There are no user-visible JS changes.
- The change in distributed trace context propagation across gRPC is not backwards-compatible. In other words, distributed tracing will not work between two Node instances communicating using gRPC with v2 and v3 of the Trace Agent, respectively.
- This commit drops support for Node 4 and 9.
Features
- add config.disableUntracedModulesWarn (#1070) (f688e33)
- add contextHeaderBehavior option (#900) (199cb42)
- add getProjectId and getCurrentRootSpan (#782) (f7ae770)
- add ignoreMethods option (#920) (67ddb8f)
- add options to set the cls mechanism to async-hooks or async-listener (#741) (f34aac5)
- add rootSpan.createChildSpan and change none CLS semantics (#731) (d0009ff)
- add rootSpanNameOverride option (#826) (a03e7b2)
- add singular cls option (#748) (000643f)
- allow "disabling" cls, and relax requirements for creating root spans (#728) (5d000e9)
- allow timestamps to be passed to endSpan (#747) (319642a)
- allow users to specify a trace policy impl (#1027) (b37aa3d)
- downgrade soft/hard span limit logs to warn level (#1269) (3f55458)
- emit an error log on potential memory leak scenario (#870) (0072e5f)
- expand version range for pg to 7.x (#701) (c8c5bfc)
- hapi 17 tracing support (#710) (028032f)
- implement (de)serialization of binary trace context (#812) (f96c827)
- move ts target to es2018 from es2016 (#1280) (b33df71)
- rename TraceAgent/TraceApi to Tracer (#815) (dde86d3)
- support @ hapi/hapi (#1108) (d545e93)
- support child spans with tail latencies (#913) (d1de959)
- support context propagation in bluebird (#872) (29bb15c)
- support knex 0.16 (#940) (0b404a1)
- support mongodb-core@3 (#760) (d227b6d)
- support restify 8 (#1250) (f52fa4d)
- support restify@7 (#917) (4b74f5a)
- support tracing for untranspiled async/await in Node 8+ (#775) (30d0529)
- support user-specified context header propagation (#1029) (28ecb16)
- use small HTTP dependency (#858) (210dc3f)
- use source-map-support wrapCallSite to apply source maps to call stacks (#1015) (c558455)
- use well-known format for propagating trace context thru grpc (#814) (63b13ca)
Bug Fixes
- add build/src/cls in output files (#736) (49a900a)
- add log level to logger prefix (#875) (c19850d)
- add support for pg 7 changes (#702) (f070636)
- adjust async_hooks cls behavior (#734) (79ab435)
- allow non-objects for plugins to disable automatic tracing (#720) (068260c)
- allow sampling rate to be less than 1 (#896) (5220f9b)
- always assign a trace ID to each request (#1033) (6b427ab)
- apache license URL (#468) (#1232) (ac7e886)
- avoid memory leaks due to undisposed promise resources (#885) (8454389)
- build: migrate to using main branch (#1373) (f065f97)
- class-ify cls implementations (#708) (132db9b)
- copy credentials in internal config (#1052) (8930df3)
- delete cache as it is not working anyways (#864) (13f617a)
- deps: TypeScript 3.7.0 causes breaking change in typings (#1163) (6448c94)
- deps: update dependency @ google-cloud/common to ^0.23.0 (#834) (ee350a2)
- deps: update dependency @ google-cloud/common to ^0.26.0 (#892) (8c6a614)
- deps: update dependency @ google-cloud/common to ^0.27.0 (#925) (10bb78b)
- deps: update dependency @ google-cloud/common to ^0.28.0 (#941) (96863e7)
- deps: update dependency @ google-cloud/common to ^0.29.0 (#947) (bc98aa3)
- deps: update dependency @ google-cloud/common to ^0.30.0 (#961) (...

Snyk has created this PR to upgrade: - @google-cloud/pubsub from 2.19.4 to 4.7.0. See this package in npm: https://www.npmjs.com/package/@google-cloud/pubsub - @google-cloud/scheduler from 3.3.1 to 4.3.0. See this package in npm: https://www.npmjs.com/package/@google-cloud/scheduler - uuid from 8.3.2 to 10.0.0. See this package in npm: https://www.npmjs.com/package/uuid - @google-cloud/spanner from 5.18.0 to 7.14.0. See this package in npm: https://www.npmjs.com/package/@google-cloud/spanner - @google-cloud/trace-agent from 5.1.6 to 8.0.0. See this package in npm: https://www.npmjs.com/package/@google-cloud/trace-agent - axios from 0.26.1 to 1.7.5. See this package in npm: https://www.npmjs.com/package/axios - mysql2 from 1.7.0 to 3.11.0. See this package in npm: https://www.npmjs.com/package/mysql2 - sequelize from 5.22.5 to 6.37.3. See this package in npm: https://www.npmjs.com/package/sequelize - sequelize-cli from 5.5.1 to 6.6.2. See this package in npm: https://www.npmjs.com/package/sequelize-cli See this project in Snyk: https://app.snyk.io/org/cachiman-inc/project/99d13bc1-28f2-4e5a-8d33-855fc070bac6?utm_source=github&utm_medium=referral&page=upgrade-pr

google-cla · 2024-09-19T03:20:06Z

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[Snyk] Upgrade: , , uuid, , , axios, mysql2, sequelize, sequelize-cli #160

Are you sure you want to change the base?

[Snyk] Upgrade: , , uuid, , , axios, mysql2, sequelize, sequelize-cli #160

Conversation

WontonSam commented Sep 19, 2024

Snyk has created this PR to upgrade multiple dependencies.

Issues fixed by the recommended upgrade:

4.7.0 (2024-08-24)

Features

4.6.0 (2024-07-12)

Features

Bug Fixes

4.5.0 (2024-06-11)

Features

4.4.1 (2024-05-30)

Bug Fixes

4.4.0 (2024-05-03)

Features

Bug Fixes

4.3.3 (2024-03-03)

Bug Fixes

4.3.2 (2024-02-13)

Bug Fixes

4.3.1 (2024-02-08)

Bug Fixes

4.3.0 (2024-02-05)

Features

Bug Fixes

4.2.0 (2024-02-01)

Features

Bug Fixes

7.14.0 (2024-08-14)

Features

Bug Fixes

7.13.0 (2024-08-09)

Features

Bug Fixes

7.12.0 (2024-08-02)

Features

7.11.0 (2024-07-29)

Features

7.10.0 (2024-07-19)

Features

Bug Fixes

7.9.1 (2024-06-26)

Bug Fixes

7.9.0 (2024-06-21)

Features

Bug Fixes

7.8.0 (2024-05-24)

Features

Bug Fixes

7.7.0 (2024-04-17)

Features

Bug Fixes

7.6.0 (2024-03-26)

Features

8.0.0 (2024-02-07)

⚠ BREAKING CHANGES

Features

Bug Fixes

Miscellaneous Chores

7.1.2 (2022-09-08)

Bug Fixes

7.1.1 (2022-08-29)

Bug Fixes

7.1.0 (2022-08-10)

Features

7.0.0 (2022-08-10)

⚠ BREAKING CHANGES

Features

Bug Fixes

google-cla bot commented Sep 19, 2024