[Snyk] Fix for 14 vulnerabilities #130

Bhanditz · 2023-06-25T16:55:40Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- packages/strapi-helper-plugin/package.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-BROWSERSLIST-1090194	Yes	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-COLORSTRING-1082939	Yes	Proof of Concept
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-DECOMPRESS-557358	Yes	Proof of Concept
526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary Code Injection npm:growl:20160721	Yes	No Known Exploit
469/1000 Why? Has a fix available, CVSS 5.1	Denial of Service (DoS) npm:mem:20180117	Yes	No Known Exploit
399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No	No Known Exploit
399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No	No Known Exploit
576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: babel-plugin-istanbul

The new version differs by 4 commits.

ad1177e chore(release): 5.0.1
7a2d891 chore: Update istanbul dependency versions.
9f006e9 chore(release): 5.0.0
a9e1564 feat: upgrade to babel 7 and newest istanbul libraries ([Snyk] Security upgrade strapi-utils from 3.0.0-alpha.9.2 to 3.6.11 #158)

See the full diff

Package name: css-loader

The new version differs by 80 commits.

634ab49 chore(release): 2.0.0
6ade2d0 refactor: remove unused file (Multiple relationships on different models with the same name is not allowed strapi/strapi#860)
e7525c9 test: nested url (Custom primaryKey on MySQL strapi/strapi#859)
7259faa test: css hacks (npm run setup doesn't work in 3.0.0-alpha.12 strapi/strapi#858)
5e6034c feat: allow to filter import at-rules (3.0.0-alpha.11.2 strapi/strapi#857)
5e702e7 feat: allow filtering urls (Fix pre release strapi/strapi#856)
9642aa5 test: css stuff (Database conector MSSQL strapi/strapi#855)
3338656 fix: reduce number of require for url (Add Cloudinary upload provider strapi/strapi#854)
533abbe test: issue 636 (Use npx in package's npm scripts strapi/strapi#853)
08c551c refactor: better warning on invalid url resolution (Fixes #826 strapi/strapi#852)
b0aa159 test: issue Remove trivial decimal implementation and use float type instead #550 strapi/strapi#589 (Fixes #850 strapi/strapi#851)
f599c70 fix: broken unucode characters (The sorting and limit options are not persisted in the ctm strapi/strapi#850)
1e551f3 test: issue 286 (Login loop when create new Content Type, add non-exist field or table, and make relations to another content type using PostgreSQL as database strapi/strapi#849)
419d27b docs: improve readme (Allow default values in ctb strapi/strapi#848)
d94a698 refactor: webpack-default (Lost all data 2 times in content types with unknown reason strapi/strapi#847)
b97d997 feat: schema options
453248f fix: support module resolution in composes (Request params layer validation strapi/strapi#845)
8a6ea10 refactor: postcss plugins (Spread Operator not recognized by babel when building strapi/strapi#844)
fdcf687 fix: url resolving logic (Wrong file URL after upload strapi/strapi#843)
889dc7f feat: allow to disable css modules and disable their by default (Users permissions disappearance strapi/strapi#842)
ee2d253 test: importLoaders option (It should be possible to link an existing file to an entity strapi/strapi#841)
1dad1fb feat: reuse postcss ast from other loaders (i.e `postcss-loader`) (User: Skipping password hash and contain plain password on the database strapi/strapi#840)
fe94ebc test: icss reserved keywords (Support JSON-LD strapi/strapi#839)
9eaba66 refactor: migrate on message api for postcss-icss-plugin (Trigger server restart create/delete language settings manager plugin strapi/strapi#838)

See the full diff

Package name: eslint

The new version differs by 148 commits.

36ced0a 5.0.0
5fd5632 Build: changelog update for 5.0.0
0feedfd New: Added max-lines-per-function rule (fixes Add button to copy permissions from a existing role strapi/strapi#9842) (Bump eslint from 7.24.0 to 7.25.0 strapi/strapi#10188)
daefbdb Upgrade: eslint-scope and espree to 4.0.0 (refs Add Icon Search strapi/strapi#10458) (Create wrong sql with publish_at strapi/strapi#10500)
077358b Docs: no-process-exit: recommend process.exitCode (Add Image into nested components strapi/strapi#10478)
f93d6ff Fix: do not fail on unknown operators from custom parsers (fixes [BUG] Admin panel errors out when proxied from NextJs frontend strapi/strapi#10475) (Add context in model lifecycles strapi/strapi#10476)
05343fd Fix: add parens for yield statement (fixes AWS deployment not working strapi/strapi#10432) (Cannot save UTF-8 emotes in JSON fields, becomes ???? strapi/strapi#10468)
d477c5e Fix: check destructuring for "no-shadow-restricted-names" (fixes Cannot submit an auto-generated but required field on non-draft collection strapi/strapi#10467) (🌐 update ZH translation to match EN strapi/strapi#10470)
7a7580b Update: Add considerPropertyDescriptor option to func-name-matching (Mongo, populate nested field only from collection strapi/strapi#9078)
e0a0418 Fix: crash on optional catch binding (Cannot access to the admin panel after deploy on heroku strapi/strapi#10429)
de4dba9 Docs: styling team members (malicious requests crashed server strapi/strapi#10460)
5e453a3 Docs: display team members in tables. ([CLI] Add interactive options for templates and starters strapi/strapi#10433)
b1895eb Docs: Restore intentional spelling mistake (Admin APIs strapi/strapi#10459)
a9da57d 5.0.0-rc.0
3ac3df6 Build: changelog update for 5.0.0-rc.0
abf400d Update: Add ignoreDestructing option to camelcase rule (fixes Bump @babel/runtime from 7.13.7 to 7.13.10 strapi/strapi#9807) (Move listview settings reducer and add tests strapi/strapi#10373)
e2b394d Upgrade: espree and eslint-scope to rc versions (Load only the needed translations for the admin panel strapi/strapi#10457)
a370da2 Chore: small opt to improve readability (Incorrect graphql aggregate count result for i18n enabled content type strapi/strapi#10241)
640bf07 Update: Fixes multiline no-warning-comments rule. (fixes [I18N] Fix padding in dropdown locale (settings) strapi/strapi#9884) (Update slack to discord strapi/strapi#10381)
831c39a Build: Adding rc release script to package.json (Not able to create a collection type named Versions or Version strapi/strapi#10456)
dc4075e Update: fix false negative in no-use-before-define (fixes Bump @babel/preset-env from 7.13.15 to 7.14.1 strapi/strapi#10227) (Move edit settings reducer and add tests strapi/strapi#10396)
3721841 Docs: Add new experimental syntax policy to README (fixes Content type's attributes marked as private are being exposed strapi/strapi#9804) ([I18N] improve simplified Chinese translation strapi/strapi#10408)
d0aae3c Docs: Create docs landing page (Replace Media does not change photo preview outside of details modal strapi/strapi#10453)
fe8bec3 Fix: fix writing config file when `source` is `prompt` (Unable to create relation between two content types in Postgres DB strapi/strapi#10422)

See the full diff

Package name: html-webpack-plugin

The new version differs by 250 commits.

873d75b chore(release): 5.5.0
ddeb774 chore: update examples
1e42625 feat: Support type=module via scriptLoading option
7d3645b Bump pretty-error to 4.0.0 to fix transitive vuln for ansi-regex CVE-2021-3807
79be779 [chore] changes actions to run on pull_requests
b7e5859 [chore] fixes CI to avoid race conditions
48131d3 chore(release): 5.4.0
16a841a [chore] rebuild examples
3bb7c17 Update index.js
e38ac97 Update index.js
f08bd02 [chore] updates fixtures
d62a10f [chore] upgrades html-minifier-terser@5.0.0 -> 6.0.2
2f5de7a Remove archived plugin
8f8f7c5 chore(release): 5.3.2
053c6e6 chore: update snapshot tests for webpack 5.4.0
9c7fba0 Fix security vulnerabilities
b98fbeb Fix security vulnerabilities
25cdfc7 Added inject-body-webpack-plugin to readme
0e4c1fb Update README to document actual behavior
0a6568d chore(release): 5.3.1
82d0ee8 fix: remove loader-utils from plugin core
6f39192 chore(release): 5.3.0
d654f5b feat: allow to modify the interpolation options in webpack config
41d7a50 feat: drop loader-utils dependency

See the full diff

Package name: image-webpack-loader

The new version differs by 44 commits.

f1a9439 4.6.0
01d18fd https
4b23f5d Merge pull request [Snyk] Fix for 2 vulnerabilities #174 from ersel/resolve-npm-audit-warnings
aba504a resolve npm audit warnings
ce6f669 4.5.0
d0b73ec Merge pull request [Snyk] Fix for 2 vulnerabilities #172 from aaboyd/master
e0de6ed Update imagemin dependencies to latest version
c7b50a6 Merge pull request [Snyk] Security upgrade strapi-generate from 3.0.0-alpha.9.2 to 3.6.11 #169 from markwoon/patch-1
b8d9ea2 Remove unnecessary peer dependency
c3bb33f 4.4.0
e41a33e Merge pull request [Snyk] Security upgrade knex from 0.13.0 to 0.95.0 #165 from maturanomx/master
de849ec Update `imagemin-pngquant` version
0942611 Merge pull request [Snyk] Security upgrade webpack-bundle-analyzer from 2.13.1 to 4.0.0 #163 from amilajack/patch-1
757072f Fix failing CI
9b568be Tests against latest node on CI
8f874ac update some packages
6337d3a 4.3.1
605862b Merge pull request [Snyk] Security upgrade strapi-utils from 3.0.0-alpha.9.2 to 3.6.11 #157 from goto-bus-stop/dev-webpack
2bcd82f Move webpack-cli to devDependencies
a797c9b 4.3.0
f864e8a Merge pull request [Snyk] Security upgrade strapi-utils from 3.0.0-alpha.9.2 to 3.6.11 #156 from Eterion/master
ea8107f Update of imagemin dependencies
e424808 Disable option for webpack@2.x
4dcac71 Added package-lock and rm -rf replaced with rimraf for windows compatibility

See the full diff

Package name: mocha

The new version differs by 233 commits.

d69bf14 Release v4.0.0
171b9f9 pfix "prepublishOnly" potential portability problem
60e39d9 Update link to wiki (GitHub at the leading `--`)
804f9d5 Update link because GitHub ate the leading `--`
3326c23 update CHANGELOG for v4.0.0 [ci skip]
6dd9252 add link to wiki on --compilers deprecation
96318e1 Deprecate --compilers
92beda9 drop bower support
58a4c6a remove unused .npmignore
7af6611 kill Date#toISOString shim
43501a2 reduce noise about slow tests; make a few tests faster, etc.
fa228e9 update --exit / --no-exit integration test for new default behavior
3fdd3ff Switch default from forced exit to no-exit
c5d69e0 add integration tests for --exit/--no-exit
3a7f8dc enhance runMochaJSON() helper by returning the subprocess instance
0690d1a remove unused manual tests which remained in test/misc/
49e01d5 move the "only" specs out of test/misc/only/ and into test/only/
16ffca2 remove shims to avoid decrease in coverage
1f3b39a upgrade diff
e6e3519 upgrade commander
f1efc14 remove special treatment of unsupported node version in travis before-install script
bc50020 upgrade debug
1103f9c upgrade coveralls
f09ebf6 remove readable-stream

See the full diff

Package name: node-sass

The new version differs by 74 commits.

99242d7 7.0.1
77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (Load local commands when necessary with strapi cli strapi/strapi#3224)
c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (Fix filters on timestamp attributes strapi/strapi#3209)
918dcb3 Lint fix
0a21792 Set rejectUnauthorized to true by default (Mongodb relationship strapi/strapi#3149)
e80d4af chore: Drop EOL Node 15 (Ignore strapi/strapi#3122)
d753397 feat: Add Node 17 support (Content request and/or advice: Revision History? strapi/strapi#3195)
dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0
bfa1a3c build(deps): bump actions/setup-node from 2.4.0 to 2.4.1
80d6c00 chore: Windows x86 on GitHub Actions ([Question] Should I put build directories to git repository? strapi/strapi#3041)
566dc27 build(deps-dev): bump fs-extra from 0.30.0 to 10.0.0 (The date time value is decreasing by utc value. strapi/strapi#3102)
7bb5157 build(deps): bump npmlog from 4.1.2 to 5.0.0 (Updating an entry removes it's one to many relation strapi/strapi#3156)
2efb38f build(deps): bump chalk from 1.1.3 to 4.1.2 (OpenID Connect login provider strapi/strapi#3161)
fca5257 build(deps): bump actions/setup-node from 2.3.0 to 2.4.0
6200b21 docs: Double word "support" (All requests return data as if they were get-all requests when in production environment strapi/strapi#3159)
eaf791a build(deps): bump actions/setup-node from 2.1.5 to 2.3.0
16b8d4b build(deps): bump coverallsapp/github-action from 1.1.2 to 1.1.3
c167004 6.0.1
911d4db remove mkdirp dep (Split admin and users. strapi/strapi#3108)
30a52f7 build(deps): bump meow from 3.7.0 to 9.0.0
7e08463 build(deps-dev): bump mocha from 8.4.0 to 9.0.1
cfcbb2c chore: Use default Apline version from docker-node (Added a paragraph about developing with Strapi and Heroku strapi/strapi#3121)
886319b chore: Drop Node 10 support
c908f4f fix: Bump OSX minimum to 10.11

See the full diff

Package name: postcss-cssnext

The new version differs by 11 commits.

03b6017 3.0.0
cf9fb19 Docs: fix chalk update issue
b7d6ffd Merge pull request Improve documentation for sorting filters strapi/strapi#400 from MoOx/postcss6-upgrade
1781dc7 Docs: Fix id of overflow wrap property in index (Redirection problem strapi/strapi#393)
8b99180 Ensure a version of caniuse-db that includes css-image-set (Fix stm add language bug strapi/strapi#380)
db0f0fa Add a warning for custom property sets that are going to be removed + an option to hide the warning
cc7c864 Change: support node4+ up to 8
7bb55c1 chore: add package-lock.json and yarn.lock files
20ae74d Change: upgrade to PostCSS 6
af5f9c1 Change link to custom media queries specification
974e40b Fix PR link

See the full diff

Package name: precss

The new version differs by 10 commits.

9556604 4.0.0
ec41a10 Update dependencies
2c81353 3.1.2
298a55f 3.1.1
c675034 Add list of plugins to readme
a1a0949 3.1.0
8876377 Use PostCSS Preset Env
aaedc9e Update CHANGELOG.md
2fe95ae Use consistent package.json dependencies versioning
bafe9c3 3.0.0

See the full diff

Package name: style-loader

The new version differs by 22 commits.

5d73db7 chore(release): 0.20.0
08ce425 chore(package): update dependencies
28f603f refactor: remove comments from bundle source code
dda8b89 test: rename && update HMR tests
23c3567 fix(options): add `transform` option validation (`{String}`)
e0c4b19 fix(options): support passing a `{Function}` (`options.insertInto`)
ac8430c ci(travis): update `node` v4.3.0...4.8.0
0eb8fe7 feat: support passing a `{Function}` (`options.insertInto`) (Model attribute length's conditions not used strapi/strapi#279)
3a4cb53 fix(index): enable HMR in case `locals` (`css-modules`) are unchanged (Fix life cycle strapi/strapi#298)
9b46128 fix(addStyles): check if `HTMLIFrameElement` exist (Fix get nature strapi/strapi#296)
a7734e6 chore(package): update repository url (Unset public schema on MySQL strapi/strapi#290)
6ca2ecb chore(release): 0.19.1
2bfc93e fix(addStyles): correctly check `singleton` behavior when `{Boolean}` (`options.singleton`) (Edit links on the strapi docs page don't work strapi/strapi#285)
57c457d docs: fixed missing commas in configuration examples (Strapi won't install via yarn due to koa-ssl requiring iojs 1.2.0 strapi/strapi#266)
c9707f1 chore(release): 0.19.0
378e906 feat: add option to enable/disable HMR (`options.hmr`) (Improve button library and fix db connector strapi/strapi#264)
67120f8 feat: support 'before' insertions (`options.insertAt`) (Plugin/content manager strapi/strapi#253)
a2ae3ac docs(README): fix bash code highlight (Improvement/plugin strapi/strapi#262)
ce53bd9 docs(readme): fix typo (Plugin requirement hoc strapi/strapi#260)
57e171f docs: Fixes typo in readme (Fix table values display strapi/strapi#258)
01ceef8 docs(README): fix example (`options.insertInto`) (Plugin/content manager dev strapi/strapi#251)
25e8e89 feat: add support for iframes (`options.insertInto`) (waterline hook migrate in production reset is not right strapi/strapi#248)

See the full diff

Package name: url-loader

The new version differs by 8 commits.

11dce14 docs: Update changelog with nsp advisory
1934507 chore(release): 0.6.0
a1e1fef chore: Fix mime version
d19ee2d chore: update `mime` package to avoid deprecation mime type with `woff` and `woff2` ([Snyk] Security upgrade mongoose from 5.13.8 to 6.0.4 #87)
636ebed feat: add `fallback` option ([Snyk] Fix for 4 vulnerabilities #88)
f3f5fce docs(README): remove confusing `prefix` option (`options.prefix`) ([Snyk] Security upgrade knex from 0.13.0 to 0.16.4 #89)
2de70bb docs(README): fix typo in example ([Snyk] Security upgrade node-sass from 4.14.1 to 6.0.1 #81)
ced5990 feat(index): add options validation (`schema-utils`) ([Snyk] Security upgrade css-loader from 0.28.11 to 1.0.0 #78)

See the full diff

Package name: webpack

The new version differs by 250 commits.

213226e 4.0.0
fde0183 Merge pull request #6081 from webpack/formating/prettier
b6396e7 update stats
f32bd41 fix linting
5238159 run prettier on existing code
518d1e0 replace js-beautify with prettier
4c25bfb 4.0.0-beta.3
dd93716 Merge pull request Error on start with mongo rc.1 strapi/strapi#6296 from shellscape/fix/hmr-before-node-stuff
7a07901 Merge pull request Fix bootstrap use cases strapi/strapi#6563 from webpack/performance/assign-depth
c7eb895 Merge pull request image keeps on crashing in the site strapi/strapi#6452 from webpack/update_acorn
9179980 Merge pull request [fixing #6089] No need to check for platform and replace backslash strapi/strapi#6551 from nveenjain/fix/templatemd
e52f323 optimize performance of assignDepth
6bf5df5 Fixed template.md
90ab23a Merge branch 'master' into fix/hmr-before-node-stuff
b0949cb add integration test for spread operator
39438c7 unittest now also walks the ast
15ab027 Merge pull request added Japanese translations strapi/strapi#6536 from jevan0307/sideEffects-selectors
1611ce1 Merge pull request Update README NPM badge from beta to latest strapi/strapi#6561 from joshunger/patch-1
6e175bc Merge pull request #6549 from webpack/md4_hash
0637531 Add a hyperlink to create a new issue
0e1f9c6 Merge pull request #6554 from webpack/deps/end-of-beta
72477f4 upgrade versions to stable versions
ed30285 Merge pull request Remove platform check strapi/strapi#6546 from webpack/bot/review-permission
40ee8c7 Use MD4 for hashing

See the full diff

Package name: webpack-bundle-analyzer

The new version differs by 250 commits.

ee6c7a9 Merge pull request Features strapi/strapi#389 from webpack-contrib/support-webpack-5
8d1a752 Update version
37ab03e Fix typo
2153401 Add `--watch-ignore` flag to `test-dev` npm script
35b62db Add `private: true` flag to `package.json` files in `test/webpack-versions`
ef36924 Add changelog entry
f819548 Update version
d8f2dd7 Fix lint issues
d32cbdb Add changelog for v4.0.0
3094dbc Update dependencies
b85ba7d Add tests for Webpack 5
c35bda3 Properly parse Webpack 5 entry modules
7bbe89f Properly parse Webpack 5 bundle format (except concatenated entry module)
b34b249 Update package-lock.json
abc298a Remove Node.js 6 and 8 from .travis.yml
a81b7b8 - Support multiple Webpack versions in tests
591adf1 Add more ignores to .npm-upgrade.json
d5698f4 Update dependencies
e4a8974 Merge pull request Feature request: Add parameter to choose the sorting order strapi/strapi#382 from wbobeirne/fix-opener-error
b0f717b Catch uncaught opener errors
e4b2677 v3.9.0
afde5a8 Merge pull request Error using Mysql Database with strapi strapi/strapi#378 from dabbott/fix-missing-child-bundles
0ddc92d Add test for dynamic imports in worker bundles
b39594c Fix missing child bundles throwing an error