[Snyk] Fix for 22 vulnerabilities

[ekmixon]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • src/pybind/mgr/dashboard/frontend/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	786/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-BROWSERSLIST-1090194	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355	Yes	Proof of Concept
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	644/1000 Why? Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SSRI-1246392	Yes	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TMPL-1583443	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-Y18N-1021887	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @compodoc/compodoc

The new version differs by 215 commits.

• ffe8abb 1.1.14
• 3cd09ba 1.1.14
• 9bb5772 1.1.14
• c65504e fix(app): correct supports ArrayType and tuples
• 0e02e05 fix(app): correct supports ArrayType
• d6d9955 fix(app): tuple types
• 162ea28 fix(app): union type and literaltypenode
• 4a6ad03 fix(app): union type and literaltypenode
• 47fe06d fix(app): rawDescription for JSDoc and visitEnumTypeAliasFunctionDeclarationDescription
• a888f25 fix(app): rawDescription for JSDoc and visitEnumTypeAliasFunctionDeclarationDescription
• 0bb000d fix(app): rawDescription for JSDoc and visitInputAndHostBinding
• f698d96 feat(github): new ISSUE_TEMPLATE
• 809432e feat(github): new ISSUE_TEMPLATE
• 95073c3 Update issue templates
• f4ac68c feat(github): new ISSUE_TEMPLATE
• 9713982 feat(github): new ISSUE_TEMPLATE
• c2a69c9 feat(github): new ISSUE_TEMPLATE
• d8722c2 feat(github): new ISSUE_TEMPLATE
• 125641b fix(app): rawDescription for JSDoc and variables
• c1282d2 fix(app): support for Type Reference and template literal
• 9c180f5 fix(app): drop usage of ts-simple-ast for ts-morph
• 7bb9a40 fix(app): drop usage of ts-simple-ast for ts-morph
• ee0d9c3 fix(app): support for Type Reference / WIP
• 0c7a052 fix(theme): dark mode support

See the full diff

Package name: jest

The new version differs by 250 commits.

• be16e47 v27.0.0
• 63102ec chore: update changelog for release
• 564694a docs(blog): Jest 27 blog post (Rgw lifecycle testing ceph/ceph#11131)
• b68d91b feat(pretty-print): add option `printBasicPrototype` (qa: add test of envlibrados for rocksdb ceph/ceph#11441)
• 2226742 chore: minor simplify format results error (doc: Update install-ceph-gateway.rst ceph/ceph#11432)
• 78eb25d chore: remove needless assign (jewel: rbd: mirror: improve resiliency of stress test case ceph/ceph#11433)
• 696c455 chore: update lockfile after publish
• e2eb9ae v27.0.0-next.11
• 3b253f8 Wait for closed resources to actually close before detecting open handles (src/common/ceph_context.h: Help Clang decide for the correct log() reference ceph/ceph#11429)
• 27bee72 fix: run GC before collecting open handles (rgw: obsolete 'radosgw-admin period prepare' command ceph/ceph#11278)
• 50451df feat: use fallback if prettier not found (jewel: rbd: krbd-related CLI patches ceph/ceph#11400)
• 150dbd8 chore: update lockfile after publish
• 6f44529 v27.0.0-next.10
• cbcec7d Upgrade fsevents in jest-haste-map (src/CMakeLists.txt: Moved some more modules to generic build. ceph/ceph#11428)
• 9633a26 feat: support reporters written in ESM (test/store_test: fix errors on the whole test suite run caused by the… ceph/ceph#11427)
• 59f42d8 fix: do not cache modules that throw during evaluation (os/bluestore: sloppy reshard boundaries to avoid spanning blobs ceph/ceph#11263)
• 57e32e9 Detect open handles with done callbacks (osd/PGBackend: fix collection_list shadow return value ceph/ceph#11382)
• a397607 Document and test dontThrow for custom inline snapshot matchers (rgw multisite: feature of bucket sync enable/disable ceph/ceph#10995)
• 4fa3a0b feat: custom haste (msg/Stack.h: delete copy constr and assign op ceph/ceph#11107)
• 2047a36 chore: bump deps (jewel: fs: Failure in snaptest-git-ceph.sh ceph/ceph#11419)
• a4358d6 chore: run prettier on changelog
• bdd6282 Move all default values into `jest-config` (common/config: fix return type of string::find and use string::npos ceph/ceph#9924)
• db643a1 Link to Jest config (os/bluestore: make clone_range copy-on-write ceph/ceph#11106)
• b16082c Fix locale issue build: fix wrong indent caused compile warning ceph/ceph#10014 (jewel: mds: Duplicate damage table entries ceph/ceph#11412)

See the full diff

Package name: jest-silent-reporter

The new version differs by 1 commits.

• f0843f4 Update jest-utils (build(deps): bump url-parse from 1.5.1 to 1.5.10 in /src/pybind/mgr/dashboard/frontend #20)

See the full diff

Package name: stylelint

The new version differs by 219 commits.

• 060310c 14.0.0
• ff4a1ef Prepare CHANGELOG
• 8d2f6e1 Bump postcss (osd: os/FileJournal: Fix journal write fail, align for direct io ceph/ceph#5619)
• f552608 Merge pull request doc:radosgw: correct the command typo to remove a subuser ceph/ceph#5618 from stylelint/dependabot/npm_and_yarn/husky-7.0.4
• 7ed17ad Bump husky from 7.0.2 to 7.0.4
• 4d9f75e Merge pull request rgw: url_decode bucket name and prefix from X-Object-Manifest during GET on Swift DLO. ceph/ceph#5617 from stylelint/dependabot/npm_and_yarn/jest-27.3.1
• bc9dd0b Bump jest from 27.2.5 to 27.3.1
• 82e2507 Merge pull request cmake: add DiffIterate.cc to librbd ceph/ceph#5604 from stylelint/v14
• 16d259f Update CHANGELOG.md
• 70b1149 Fix false positives for dynamic-range keywords in media-feature-name-no-unknown (Fix compile warning unused-result ceph/ceph#5613)
• 8dca498 Show more info in missing customSyntax warning (osd: final prereq patches for newstore ceph/ceph#5611)
• 2eee0a9 Remove v14 CI triggers (cmake: make check ceph/ceph#5610)
• 12f8081 14.0.0-0
• 5dd7ec1 Prepare 14.0.0
• 67313a3 Add support for `extends` in `overrides` config (doc: add the description for min_read_recency_for_promote ceph/ceph#5603)
• b6fd2fc Document no need for postcss-html maintainer (add rados api set_client_priority ceph/ceph#5602)
• bf28025 Recommend using shared configs (rgw: Remove useless code in calc_hmac_sha1() ceph/ceph#5598)
• 07118d6 Update CHANGELOG.md
• 367142a Change `ignoreFiles` to be extendable (Update ceph-selinux rpm spec ceph/ceph#5596)
• 1b4162f Fix conflicts in dependabot
• 87c5fde Bump picocolors from 0.2.1 to 1.0.0 (doc: fix the format of peering.rst ceph/ceph#5601)
• 1f32094 Bump typescript from 4.4.3 to 4.4.4 (Wip sam proxy write ceph/ceph#5599)
• 88b9575 Revise contributors section of README (mon,osd: use GMT time for the object name of hitsets ceph/ceph#5585)
• e38da70 Use problem rather than violation in docs and types (fix bugs of rbd metadata operation ceph/ceph#5592)

See the full diff

Package name: stylelint-declaration-use-variable

The new version differs by 13 commits.

• cf5f8ac Bump version
• ebd5328 Fix the duplicated dev dependency
• 8de355a Add project not maintained note
• 7917cd4 Merge pull request [Snyk] Security upgrade lxml from 4.7.0 to 4.9.1 #52 from sh-waqar/dependabot/npm_and_yarn/minimist-1.2.5
• e459a65 Merge pull request [Snyk] Security upgrade pylint from 2.6.0 to 2.7.0 #51 from sh-waqar/dependabot/npm_and_yarn/yargs-parser-20.2.7
• c0eca30 Merge pull request Configure Mend Bolt for GitHub #39 from thomasparsons/master
• d8f22c1 Bump minimist from 0.0.8 to 1.2.5
• 3d0ae6a Bump yargs-parser from 10.1.0 to 20.2.7
• 2a00511 Merge pull request [Snyk] Security upgrade lxml from 4.7.0 to 4.9.1 #50 from iegik/patch-1
• a9c4df3 Update package.json
• 6ffdfec chore: bump stylelint dependency
• e146c14 fixed spelling mistake
• bfb02cb Bump lodash from 4.17.15 to 4.17.19

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Arbitrary File Overwrite

[secure-code-warrior-for-github]

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior

[guardrails]

⚠️ We detected 8 security issues in this pull request:

Vulnerable Libraries (8)

Severity	Details
N/A	pkg:npm/stylelint@13.13.1 (t) upgrade to: 15.10.1
Critical	pkg:npm/stylelint-declaration-use-variable@1.7.2 (t) upgrade to: > 1.7.2
Critical	pkg:npm/jest-silent-reporter@0.2.1 (t) upgrade to: > 0.2.1
Critical	pkg:npm/@angular/cli@10.1.6 (t) upgrade to: > 10.1.6
Critical	pkg:npm/@compodoc/compodoc@1.1.11 (t) upgrade to: > 1.1.11
Critical	pkg:npm/jest@26.5.2 (t) upgrade to: > 26.5.2
Critical	pkg:npm/@applitools/eyes-cypress@3.22.0 (t) upgrade to: > 3.22.0
Critical	pkg:npm/@angular-devkit/build-angular@0.1002.3 (t) upgrade to: > 0.1002.3

More info on how to fix Vulnerable Libraries in JavaScript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

[secure-code-warrior-for-github]

Micro-Learning Topic: Vulnerable library (Detected by phrase)

Matched on "Vulnerable Libraries"

What is this? (2min video)

Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.

Try a challenge in Secure Code Warrior