[Snyk] Fix for 2 vulnerabilities

[ekmixon]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • src/pybind/mgr/dashboard/frontend/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @compodoc/compodoc

The new version differs by 179 commits.

• 3d61871 1.1.13
• 6266425 1.1.13
• 7eb1d65 1.1.13
• 72228fd fix(dark): better dark mode
• f93090b fix(dark): better dark mode
• f846caf feat(tools): move live-server to compodoc fork + update dependencies
• fdfe925 feat(cli): Support --watch with --exportFormat json
• 13546c0 fix(test): duplicates
• a1f2c4b feat(app): add tests for modules informations in json export format
• a1d5a1a fix(cli): remove sleep package | wait 10s if --inspect flag in CONTRIBUTING.md and docs/README.md
• d2ad4fb Merge pull request Wip user quota ceph/ceph#1091 from joshcomley/develop
• 74ed104 Mapping module missing data
• 08a1f59 1.1.12
• 8ef351f 1.1.12
• 0f6e568 1.1.12
• 6801707 feat(tools): update auto-changelog npm script
• df2aba2 fix(app): directive with no option, and inheritance between component and directives
• a6c678c fix(app): directive with no option, and inheritance between component and directives
• 9544ad0 feat(app): update Angular APIs references
• fc77cdb feat(app): bump dev/dependencies + Drop support for Node.js 10
• 0b2ecde feat(app): @ deprecated support
• 3226d01 fix(app): main comment parsing for ```
• 909ae8a feat(app): bump dev/dependencies
• 8190df5 fix(app): setters arguments correctly documented

See the full diff

Package name: jest

The new version differs by 250 commits.

• be16e47 v27.0.0
• 63102ec chore: update changelog for release
• 564694a docs(blog): Jest 27 blog post (Rgw lifecycle testing ceph/ceph#11131)
• b68d91b feat(pretty-print): add option `printBasicPrototype` (qa: add test of envlibrados for rocksdb ceph/ceph#11441)
• 2226742 chore: minor simplify format results error (doc: Update install-ceph-gateway.rst ceph/ceph#11432)
• 78eb25d chore: remove needless assign (jewel: rbd: mirror: improve resiliency of stress test case ceph/ceph#11433)
• 696c455 chore: update lockfile after publish
• e2eb9ae v27.0.0-next.11
• 3b253f8 Wait for closed resources to actually close before detecting open handles (src/common/ceph_context.h: Help Clang decide for the correct log() reference ceph/ceph#11429)
• 27bee72 fix: run GC before collecting open handles (rgw: obsolete 'radosgw-admin period prepare' command ceph/ceph#11278)
• 50451df feat: use fallback if prettier not found (jewel: rbd: krbd-related CLI patches ceph/ceph#11400)
• 150dbd8 chore: update lockfile after publish
• 6f44529 v27.0.0-next.10
• cbcec7d Upgrade fsevents in jest-haste-map (src/CMakeLists.txt: Moved some more modules to generic build. ceph/ceph#11428)
• 9633a26 feat: support reporters written in ESM (test/store_test: fix errors on the whole test suite run caused by the… ceph/ceph#11427)
• 59f42d8 fix: do not cache modules that throw during evaluation (os/bluestore: sloppy reshard boundaries to avoid spanning blobs ceph/ceph#11263)
• 57e32e9 Detect open handles with done callbacks (osd/PGBackend: fix collection_list shadow return value ceph/ceph#11382)
• a397607 Document and test dontThrow for custom inline snapshot matchers (rgw multisite: feature of bucket sync enable/disable ceph/ceph#10995)
• 4fa3a0b feat: custom haste (msg/Stack.h: delete copy constr and assign op ceph/ceph#11107)
• 2047a36 chore: bump deps (jewel: fs: Failure in snaptest-git-ceph.sh ceph/ceph#11419)
• a4358d6 chore: run prettier on changelog
• bdd6282 Move all default values into `jest-config` (common/config: fix return type of string::find and use string::npos ceph/ceph#9924)
• db643a1 Link to Jest config (os/bluestore: make clone_range copy-on-write ceph/ceph#11106)
• b16082c Fix locale issue build: fix wrong indent caused compile warning ceph/ceph#10014 (jewel: mds: Duplicate damage table entries ceph/ceph#11412)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
🦉 Prototype Pollution

[secure-code-warrior-for-github]

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior

[sourcery-ai]

Hey @ekmixon - I've reviewed your changes and they look great!

General suggestions:

• Ensure that the major version upgrade of @angular-devkit/build-angular is thoroughly tested for compatibility with the project's Angular version and other dependencies.
• Consider aligning the versions of @angular/cli, @angular/compiler-cli, and @angular/language-service with the upgraded Angular version to leverage new features and improvements.
• Review the broader impact of the major version upgrades, especially for jest, on the project's testing framework and adjust configurations or tests as necessary.

Here's what I looked at during the review

• 🟡 General issues: 3 issues found
• 🟢 Security: all looks good
• 🟢 Testing: all looks good
• 🟢 Complexity: all looks good
• 🟢 Docstrings: all looks good

Thanks for using Sourcery. We offer it for free for open source projects and would be very grateful if you could help us grow. If you like it, would you consider sharing Sourcery on your favourite social media? ✨

Share Sourcery

• X
• Mastodon
• LinkedIn
• Facebook

---

Help me be more useful! Please click 👍 or 👎 on each comment to tell me if it was helpful.