[Snyk] Fix for 26 vulnerabilities #49

snyk-bot · 2022-10-08T23:12:04Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	No	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-JSPDF-1073626	Yes	Proof of Concept
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-JSPDF-568273	Yes	Proof of Concept
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-JSPDF-575256	Yes	Proof of Concept
731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASHES-2434283	No	Proof of Concept
681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHES-2434284	No	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASHES-2434285	No	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASHES-2434289	No	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	No	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-NCONF-2395478	No	Proof of Concept
706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Server-side Request Forgery (SSRF) SNYK-JS-NETMASK-1089716	No	Proof of Concept
726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-PACRESOLVER-1564857	No	Proof of Concept
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-PARSEURL-3023021	No	Proof of Concept
571/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5	Improper Input Validation SNYK-JS-PARSEURL-3024398	No	Proof of Concept
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Validation Bypass SNYK-JS-SANITIZEHTML-1070780	No	Proof of Concept
539/1000 Why? Has a fix available, CVSS 6.5	Access Restriction Bypass SNYK-JS-SANITIZEHTML-1070786	No	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SANITIZEHTML-2957526	No	No Known Exploit
684/1000 Why? Has a fix available, CVSS 9.4	Arbitrary Code Execution SNYK-JS-SANITIZEHTML-585892	No	No Known Exploit
706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Arbitrary Code Injection SNYK-JS-SERIALIZEJAVASCRIPT-570062	No	Proof of Concept
737/1000 Why? Currently trending on Twitter, Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.4	Command Injection SNYK-JS-SNYK-3037342	No	Proof of Concept
737/1000 Why? Currently trending on Twitter, Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.4	Command Injection SNYK-JS-SNYKGOPLUGIN-3037316	No	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-XSS-1584355	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: copy-webpack-plugin

The new version differs by 43 commits.

64e60c2 chore(release): 6.0.0
dd9ce50 test: coverage
29254e3 feat: implement the `directory` option for the `cacheTransform` option
bebafcf refactor: code
e3803ce feat: implement the `noErrorOnMissing` option (#465 remove transwiser reference bitshares/bitshares-ui#475)
8e5bc1b chore(deps): update (Fix #294 Vesting Stats bitshares/bitshares-ui#474)
6b85c86 docs: improve ([Critical] Transfer UI changes username in "To" field, sends to wrong account bitshares/bitshares-ui#473)
3ef3f25 refactor: drop test option in favor transformPath (display BTS-bitCNY same as BTS-BitUSD!!!!!!!!!!!!!!!!!!!!!!!!! bitshares/bitshares-ui#472)
045f629 refactor: code ([.1] Add Label to Box Column in Find Markets bitshares/bitshares-ui#471)
20c9ae5 docs: import documentation for the `from` option (Replace ACCOUNT -> See Open Orders with Expandable Show Open Orders bitshares/bitshares-ui#468)
bfb4f0e docs: improve the description for the `toType` option (typo bitshares/bitshares-ui#467)
c0c9fa7 test: transform && transformPath ([417] update electron version to fix missing extension issue bitshares/bitshares-ui#470)
197b0d8 fix: asset size
c176d7d feat: concurrency option (Fix #460 transfer qty validation issue bitshares/bitshares-ui#466)
e5e410a refactor: code (close transwiser service bitshares/bitshares-ui#465)
0be6470 refactor: remove the `ignore` option in favor globOptions.ignore (Design a new notification system bitshares/bitshares-ui#463)
6b07a63 refactor: code
42194f3 refactor: code (SEND button gray-out/active & unknown name auto-replaced bug bitshares/bitshares-ui#459)
1e2f3a1 test: refactor (Clickjacking vulnerability bitshares/bitshares-ui#458)
a728675 chore: update globby
64b2e1a refactor: remove the global `context` option (Can we add OPEN.MUSEOL-BTS pair to GUI homepage? bitshares/bitshares-ui#453)
f6da280 refactor: rename the `cache` option to `cacheTransform` ([3] Non committee/witness (private) feed producers within UI? bitshares/bitshares-ui#452)
aedd2bd refactor: plugin options (Why on earth is the readme.md in Chinese? bitshares/bitshares-ui#451)
383ff9d refactor: 'from' option ([1][gibbsfromncis] Add operation ID to transaction history bitshares/bitshares-ui#450)

See the full diff

Package name: jspdf

The new version differs by 250 commits.

9b8f1e9 2.3.1
20f271a Docs: improve output documentation ([0] develop.bitshares.org - Collateralized Debt Position - typo in link bitshares/bitshares-ui#3099)
d8bb3b3 fix ReDoS-vulnerable regexp in addImage (Update nodes bitshares/bitshares-ui#3091)
c91995d Fix: Wrong TypeScript type in jsPDF.table (First language update bitshares/bitshares-ui#3086) (Download of activity does not work on testnet bitshares/bitshares-ui#3087)
3592fc2 fix: scope is not defined in getTextDimensions (Not able to create local wallet on Opera bitshares/bitshares-ui#3078)
ef70f92 fix(FileSaver): HTMLAnchorElement is not defined (2473 dashboard portfolio trade asset bug(reformated) bitshares/bitshares-ui#3073)
63f89d4 update package-lock.json (Requirements to be a DEX Gateway like openledger or cryptobridge? bitshares/bitshares-ui#3065)
53ca33b 2.3.0
102f370 Merge pull request Bug with cancelled/expired open orders bitshares/bitshares-ui#3062 from HackbrettXXX/fix-text-encoding-flags
b686db7 fix text encoding flags
edab14a Added typings for internal events API (#2979 update vesting balances to table style bitshares/bitshares-ui#3014)
6579099 Resolve fonts using CSS Level 3 algorithm when using html() ([3] Adapt error messages to new JSON-RPC of bitshares-core 3.2.0 bitshares/bitshares-ui#3040)
75e6ed7 Replace zlib.js and pako with fflate (1908-TBAPI-0KA - Refactored menus bitshares/bitshares-ui#3054)
ec7e835 Merge pull request SHASUM For OSX Latest UI Release? bitshares/bitshares-ui#3047 from HackbrettXXX/fix-instable-encryption-tests
6e9ce29 fix 'jsPDF is not defined" exceptions in fontWeight tests
07a3569 fix instable encryption tests
7403adb Add fonts with different font-weights ([0.75] Unable to view the 5th page of account activities bitshares/bitshares-ui#3036)
451e131 fix textWithLink alignment (Issue 661, 2803 - Account Membership Stats bitshares/bitshares-ui#3026)
c0f6c54 Fix table header alignment ([9]UX Coordination 190705 bitshares/bitshares-ui#3032)
e834724 add a PR template that links to the contribution guidelines (Unable to claim direct debit bitshares/bitshares-ui#3035)
f2c578f 2.2.0
fb76604 fix escaping of font names ([1][react-cat] Market picker select nonexistent trading pair bitshares/bitshares-ui#3018)
a2a4474 replace exported enum types by string unions (Refine Customizable Table selector bitshares/bitshares-ui#3021)
1f23740 Replace Deflater with pako ([3] Promisify SendModal bitshares/bitshares-ui#2944)

See the full diff

Package name: react-tooltip

The new version differs by 8 commits.

5417187 Merge pull request [0.25][svk] Vesting balances display incorrectly when vesting period = 0 bitshares/bitshares-ui#426 from jgerlier/use_sanitize-html-react
3ba4d7a Merge pull request Onion routing support for coming stealth transactions bitshares/bitshares-ui#425 from MtBlue81/fix_state_initialization
4b84caa perf(Use sanitize-html-react instead of sanitize-html to avoid useless server side dependencies): Us
69dea07 fix(index.js): fix state initialization
be89b82 Merge pull request GUI Homepage bitCNY-BTS Trading should reverse to BTS-BitCNY bitshares/bitshares-ui#413 from an4ger/master
6add4b6 Merge remote-tracking branch 'upstream/master'
ab9c109 fix travis issues
4a0da8b fix(index.js): Use correct orientation when mouse enters

See the full diff

Package name: xss

The new version differs by 108 commits.

380a4ba publish: v1.0.10
699acde fix: Update README.md to explain bounty system bitshares/bitshares-ui#239 stripCommentTag DoS attack
9cbe2f1 Create SECURITY.md
bdd1b03 chore: fix nodejs.yml remove node-version 8.x
3be6a07 chore: update devDependencies to latest version
948dfb1 docs: update CI badge
831a6a2 chore: github action nodejs.yml run test-cov instead of test
0ba3cdb chore: remove .travis.yml
cdee88e chore: fix github action nodejs.yml
624aba9 chore: add github action nodejs.yml
901b771 style: reformat all source code by prettier
0b15109 docs: update changelog
3e153f5 fix: typings `onTag` options
82cb63f docs: update changelog
a1d9b44 fix: typings IWhiteList allow any tag name
005098b feat: Add `<strike>` to default whitelist
dcf1486 feat: Add `<audio crossorigin muted>`, `<video crossorigin muted playsinline poster>` to default whitelist
f4c0b29 Merge pull request [1] Hidden Asset Count is Wrong in Balances bitshares/bitshares-ui#220 from daraz999/patch-1
2f5dd55 fix: recover `<summary>` on the default whitelist
d94ac2a publish: v1.0.9
4452638 chore: add package-lock.json to .ignore
cff16d9 chore: build dist
730a0b5 Merge pull request Update membership link to include slash as per issue comments bitshares/bitshares-ui#218 from TomAnthony/fix-whitespace-bypass
6586f49 Merge pull request Clicking on Wallet Setting while looking at Wallet Setting Causes "select wallet to delete" to Disappear bitshares/bitshares-ui#216 from spacegaier/patch-1