
[Snyk] Fix for 17 vulnerabilities #93

Open · wants to merge 1 commit into master

Conversation

ekmixon
Owner

@ekmixon ekmixon commented Nov 29, 2023

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • src/pybind/mgr/dashboard/frontend/package.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Why? | Issue | Snyk ID | Breaking Change | Exploit Maturity |
|---|---|---|---|---|---|---|
| high | 696/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-ANSIREGEX-1583908 | Yes | Proof of Concept |
| high | 676/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.1 | Cross-site Request Forgery (CSRF) | SNYK-JS-AXIOS-6032459 | No | Proof of Concept |
| medium | 586/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-GLOBPARENT-1016905 | Yes | Proof of Concept |
| critical | 669/1000 | Has a fix available, CVSS 9.1 | Authentication Bypass | SNYK-JS-HTTPAUTH-471683 | No | No Known Exploit |
| medium | 586/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-HTTPCACHESEMANTICS-3248783 | Yes | Proof of Concept |
| medium | 539/1000 | Has a fix available, CVSS 6.5 | Information Exposure | SNYK-JS-NODEFETCH-2342118 | Yes | No Known Exploit |
| medium | 520/1000 | Has a fix available, CVSS 5.9 | Denial of Service | SNYK-JS-NODEFETCH-674311 | Yes | No Known Exploit |
| medium | 586/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.3 | Open Redirect | SNYK-JS-NODEFORGE-2330875 | Yes | Proof of Concept |
| medium | 529/1000 | Has a fix available, CVSS 6.3 | Prototype Pollution | SNYK-JS-NODEFORGE-2331908 | Yes | No Known Exploit |
| medium | 494/1000 | Has a fix available, CVSS 5.6 | Improper Verification of Cryptographic Signature | SNYK-JS-NODEFORGE-2430337 | Yes | No Known Exploit |
| high | 579/1000 | Has a fix available, CVSS 7.3 | Improper Verification of Cryptographic Signature | SNYK-JS-NODEFORGE-2430339 | Yes | No Known Exploit |
| medium | 494/1000 | Has a fix available, CVSS 5.6 | Improper Verification of Cryptographic Signature | SNYK-JS-NODEFORGE-2430341 | Yes | No Known Exploit |
| medium | 479/1000 | Has a fix available, CVSS 5.3 | Improper Input Validation | SNYK-JS-POSTCSS-5926692 | Yes | No Known Exploit |
| medium | 646/1000 | Proof of Concept exploit, Has a fix available, CVSS 6.5 | Server-side Request Forgery (SSRF) | SNYK-JS-REQUEST-3361831 | Yes | Proof of Concept |
| high | 696/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-SEMVER-3247795 | Yes | Proof of Concept |
| medium | 646/1000 | Proof of Concept exploit, Has a fix available, CVSS 6.5 | Prototype Pollution | SNYK-JS-TOUGHCOOKIE-5672873 | Yes | Proof of Concept |
| high | 589/1000 | Has a fix available, CVSS 7.5 | Prototype Pollution | SNYK-JS-UNSETVALUE-2400660 | Yes | No Known Exploit |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: @compodoc/compodoc The new version differs by 215 commits.
  • ffe8abb 1.1.14
  • 3cd09ba 1.1.14
  • 9bb5772 1.1.14
  • c65504e fix(app): correct supports ArrayType and tuples
  • 0e02e05 fix(app): correct supports ArrayType
  • d6d9955 fix(app): tuple types
  • 162ea28 fix(app): union type and literaltypenode
  • 4a6ad03 fix(app): union type and literaltypenode
  • 47fe06d fix(app): rawDescription for JSDoc and visitEnumTypeAliasFunctionDeclarationDescription
  • a888f25 fix(app): rawDescription for JSDoc and visitEnumTypeAliasFunctionDeclarationDescription
  • 0bb000d fix(app): rawDescription for JSDoc and visitInputAndHostBinding
  • f698d96 feat(github): new ISSUE_TEMPLATE
  • 809432e feat(github): new ISSUE_TEMPLATE
  • 95073c3 Update issue templates
  • f4ac68c feat(github): new ISSUE_TEMPLATE
  • 9713982 feat(github): new ISSUE_TEMPLATE
  • c2a69c9 feat(github): new ISSUE_TEMPLATE
  • d8722c2 feat(github): new ISSUE_TEMPLATE
  • 125641b fix(app): rawDescription for JSDoc and variables
  • c1282d2 fix(app): support for Type Reference and template literal
  • 9c180f5 fix(app): drop usage of ts-simple-ast for ts-morph
  • 7bb9a40 fix(app): drop usage of ts-simple-ast for ts-morph
  • ee0d9c3 fix(app): support for Type Reference / WIP
  • 0c7a052 fix(theme): dark mode support

See the full diff

Package name: jest The new version differs by 250 commits.

See the full diff

Package name: jest-silent-reporter The new version differs by 1 commit.

See the full diff

Package name: stylelint-config-sass-guidelines The new version differs by 28 commits.

See the full diff

Package name: stylelint-declaration-use-variable The new version differs by 13 commits.

See the full diff

Package name: swagger-ui The new version differs by 200 commits.
  • 4b2c585 Merge pull request #7586 from swagger-api/dependabot/npm_and_yarn/open-8.4.0
  • 34fd921 chore(deps-dev): bump open from 8.2.1 to 8.4.0
  • 32b3b97 chore(release): return release scripts back to original
  • e7e977c ci: enable dependabot after v4 effort
  • c0ef8d9 chore(deps): fix security vulnerabilities
  • ab6bb57 chore(deps): bump DOMPurify to latest version v2.3.3
  • 286ac5f chore(release): cut the v4.0.0-rc.4 release
  • ea66060 chore(deps-dev): update husky to 7.0.2 version
  • aa12144 chore(deps): fix all security vulnerabilities
  • be3b54c chore(nvm): use recommended version of Node.js@16.8.x
  • 93bd1c9 chore(deps): update swagger-client to 3.17.0 version
  • e364073 fix(root-inject): handle errors in functional components properly
  • 46b4e5c fix(highlight-code): handle mousewheel events properly
  • c31cb30 feat: allow using functional components with hooks
  • c6058f8 chore(release): cut the v4.0.0-rc.3 release
  • 5a5a27e fix(param-body): fix loosing focus in Try It when typing (#7548)
  • 8553943 refactor(highlight-code): add UNSAFE prefix for lifecycle methods
  • e2b33a8 chore(release): cut the v4.0.0-rc.2 release
  • efff3a6 build(webpack): remove duplicates from the build
  • b90c6b5 chore(deps): remove unused stream library
  • 346af3d chore(release): cut the v4.0.0-rc.1 release
  • 640aa3a chore(deps-dev): fix all fixable security issues in dev deps
  • ece5945 fix(security): fix security issue in prismjs dep
  • d6c2604 chore(deps): bump url-parse from 1.5.1 to 1.5.3

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Cross-site Request Forgery (CSRF)
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by regular expressions, which cause the system to hang or work very slowly when an attacker sends a well-crafted input (exponentially related to input size). Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in a direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Weak input validation (Detected by phrase)

Matched on "Improper Input Validation"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior


Micro-Learning Topic: Authentication bypass (Detected by phrase)

Matched on "Authentication Bypass"

What is this? (2min video)

Improper authentication happens when mechanisms intended to identify the user are flawed (easily tamperable or insufficient). This would allow an attacker to bypass access controls or to easily impersonate a user.

Try a challenge in Secure Code Warrior


Micro-Learning Topic: Cross-site request forgery (Detected by phrase)

Matched on "Cross-site Request Forgery"

What is this? (2min video)

Session-related but not session-based, this attack is based on the ability of an attacker to force an action on a user’s browser (commonly in the form of a POST request) to perform an unauthorized action on behalf of the user. This can often occur without the user even noticing it… or only noticing when it is too late. The root cause is that browsers automatically send session cookies with all requests to a given domain, regardless of where the source of the request came from, and the application server cannot differentiate between a request that came from pages it served or a request that came from an unrelated page.

Try a challenge in Secure Code Warrior


Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Information disclosure (Detected by phrase)

Matched on "Information Exposure"

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Open redirect (Detected by phrase)

Matched on "Open Redirect"

What is this? (2min video)

This vulnerability refers to the ability of an attacker to arbitrarily perform a redirection (external) or forward (internal) against the system. It arises due to insufficient validation or sanitisation of inputs used to perform a redirect or forward and may result in privilege escalation (in the case of a forward) or may be used to launch phishing attacks against users (in the case of redirects).

Try a challenge in Secure Code Warrior


Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Server-side request forgery (Detected by phrase)

Matched on "Server-side Request Forgery"

What is this? (2min video)

Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL; when this request reaches the server, the server-side code executes the exploit URL, causing the attacker to be able to read data from services that shouldn't be exposed.

Try a challenge in Secure Code Warrior
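The prototype pollution mechanism described in the micro-learning blurb above, as an added example that is not part of the Snyk PR or of any package it lists: a naive recursive merge (`unsafeMerge`, a hypothetical name) lets a JSON body carrying a `__proto__` key write into `Object.prototype`, while the hardened `safeMerge` refuses prototype-reaching keys; `pollutes` is a check that reports whether an unrelated, freshly created object picked up the injected property.

```javascript
// Added example; the function names and the JSON body are constructed here.

// Vulnerable: copies every own key of `src` into `dst`, including "__proto__".
// `dst["__proto__"]` resolves to Object.prototype, so the recursion writes there.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (value !== null && typeof value === 'object') {
      if (typeof dst[key] !== 'object' || dst[key] === null) dst[key] = {};
      unsafeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Keys through which a merge can reach a prototype (constructor.prototype included).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: skip prototype-reaching keys and only recurse into own, plain-object
// properties of `dst`, so an inherited property is never used as a merge target.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || typeof dst[key] !== 'object' || dst[key] === null) dst[key] = {};
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Constructed hostile request body. JSON.parse yields an *own* property literally
// named "__proto__" (an object literal would instead set the prototype).
const HOSTILE_JSON = '{"__proto__": {"isAdmin": true}, "theme": "dark"}';

// Merges the hostile body into a fresh object and reports whether an unrelated
// object now inherits `isAdmin`. Cleans Object.prototype up afterwards.
function pollutes(mergeFn) {
  const had = Object.prototype.hasOwnProperty.call(Object.prototype, 'isAdmin');
  mergeFn({}, JSON.parse(HOSTILE_JSON));
  const leaked = ({}).isAdmin === true;
  if (!had) delete Object.prototype.isAdmin;
  return leaked;
}
```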
