[Snyk] Fix for 25 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Cross-site Scripting (XSS) SNYK-JS-DOMPURIFY-1016634	No	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-DOMPURIFY-1035544	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-DOMPURIFY-2863266	No	No Known Exploit
	671/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-JQUERY-174006	Yes	Proof of Concept
	701/1000 Why? Mature exploit, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	Yes	Mature
	711/1000 Why? Mature exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-JQUERY-567880	Yes	Mature
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Cross-site Scripting (XSS) SNYK-JS-JQUERYUI-1767167	No	Proof of Concept
	633/1000 Why? Currently trending on Twitter, Has a fix available, CVSS 7.1	Cross-site Scripting (XSS) SNYK-JS-JQUERYUI-1767175	No	No Known Exploit
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Cross-site Scripting (XSS) SNYK-JS-JQUERYUI-1767767	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) SNYK-JS-JQUERYUI-2946728	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-1070800	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	No	Proof of Concept
	444/1000 Why? Has a fix available, CVSS 4.6	Cross-site Scripting (XSS) SNYK-JS-NEXTCLOUDDIALOGS-1245465	Yes	No Known Exploit
	519/1000 Why? Has a fix available, CVSS 6.1	Cross-site Scripting (XSS) SNYK-JS-SELECT2-456562	Yes	No Known Exploit
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) npm:jquery:20150627	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @nextcloud/axios

The new version differs by 34 commits.

• 24c2a12 1.5.0
• b6b8003 Update changelog
• 17a67a8 Merge pull request Show error message if config file is not readable nextcloud/server#185 from nextcloud/dependabot/npm_and_yarn/axios-0.21.0
• c5444bc Merge pull request Version on download.nextcloud.com is 9.0.51 nextcloud/server#184 from nextcloud/dependabot/npm_and_yarn/babel-jest-26.6.1
• 446edae Bump axios from 0.20.0 to 0.21.0
• 5c51964 Bump babel-jest from 26.5.2 to 26.6.1
• 01f61ac Merge pull request Recommendations for Configuring Memory Caching nextcloud/server#183 from nextcloud/dependabot/npm_and_yarn/jest-26.6.1
• 0c095da Bump jest from 26.5.3 to 26.6.1
• 0bdf5f6 Merge pull request white screen if webserver has no read access to config.php nextcloud/server#180 from nextcloud/dependabot/npm_and_yarn/jest-26.5.3
• eb0f642 Merge pull request Right Click Custom Context nextcloud/server#182 from nextcloud/dependabot/npm_and_yarn/babel/preset-env-7.12.1
• c5584ba Merge pull request Adjust message "This server has no working Internet connection" nextcloud/server#181 from nextcloud/dependabot/npm_and_yarn/babel/core-7.12.3
• 96e9931 Merge pull request The ability to FTP/FTPS/SFTP Files & Folders DIRECTLY into the Nextcloud Data Store. nextcloud/server#179 from nextcloud/dependabot/npm_and_yarn/babel/preset-typescript-7.12.1
• 078b015 Bump jest from 26.5.2 to 26.5.3
• 9dcd541 Bump @ babel/preset-env from 7.11.5 to 7.12.1
• 5fd9000 Bump @ babel/core from 7.11.6 to 7.12.3
• 6c173f3 Merge pull request [stable9] Branding nextcloud/server#178 from nextcloud/dependabot/npm_and_yarn/babel/cli-7.12.1
• cfee66e Bump @ babel/preset-typescript from 7.10.4 to 7.12.1
• d0a2aaa Bump @ babel/cli from 7.11.6 to 7.12.1
• 6ca1093 Merge pull request v9.0.51 nextcloud/server#177 from nextcloud/dependabot/npm_and_yarn/babel-jest-26.5.2
• b58f984 Bump babel-jest from 26.3.0 to 26.5.2
• e4d2321 Merge pull request replaced ownCloud by Nextcloud in config sample nextcloud/server#176 from nextcloud/dependabot/npm_and_yarn/jest-26.5.2
• 6ee239a Bump jest from 26.4.2 to 26.5.2
• 36eb1fa Merge pull request Port WND nextcloud/server#175 from nextcloud/dependabot/npm_and_yarn/typedoc-0.19.2
• 0a857a1 Bump typedoc from 0.19.1 to 0.19.2

See the full diff

Package name: @nextcloud/dialogs

The new version differs by 213 commits.

• 9e4acef 3.1.2
• b41ec38 Prepare changelog for v3.1.2
• 66922d9 Add releasing info to README
• 7ae200f Merge pull request Tuning of Theming (color) options  nextcloud/server#328 from nextcloud/bump-toastify-js
• e0dc11d Run l10n:extract
• 441785f Define as nullable
• da92227 Bump ToastifyJS to 1.10.0
• 770eed0 Merge pull request Fix config sample text nextcloud/server#319 from nextcloud/dependabot/npm_and_yarn/rollup/plugin-node-resolve-11.2.1
• 5674ac9 Merge pull request Cloud Sync to Backblaze B2 nextcloud/server#288 from nextcloud/dependabot/npm_and_yarn/babel-loader-exclude-node-modules-except-1.1.2
• 47770b4 Merge pull request [stable9] Use paramterized parameter for \OC\SystemTag\SystemTagManager nextcloud/server#298 from nextcloud/dependabot/npm_and_yarn/rollup/plugin-babel-5.3.0
• 621eb38 Merge pull request Add "goto" links for files in non-default file lists nextcloud/server#312 from nextcloud/dependabot/npm_and_yarn/typescript-4.0.7
• 00ed6ac Merge pull request Added occ install option for database-port nextcloud/server#323 from nextcloud/dependabot/npm_and_yarn/rollup/plugin-commonjs-18.0.0
• e05efd7 Merge pull request max upload size can't be saved nextcloud/server#322 from nextcloud/dependabot/npm_and_yarn/rollup-plugin-typescript2-0.30.0
• 1c6653c Merge pull request Fix docker image naming issue for CI nextcloud/server#324 from nextcloud/dependabot/npm_and_yarn/babel/preset-env-7.13.12
• 89a0692 Merge pull request [stable9] Fix docker image naming issue for CI nextcloud/server#325 from nextcloud/dependabot/npm_and_yarn/babel/cli-7.13.14
• 58ff492 Merge pull request Use the search bar to search for files by tag nextcloud/server#326 from nextcloud/dependabot/npm_and_yarn/babel/core-7.13.14
• 2b3f05c Bump @ babel/core from 7.12.13 to 7.13.14
• 1a2b4ba Bump @ babel/cli from 7.12.13 to 7.13.14
• 2db64ff Bump @ babel/preset-env from 7.13.9 to 7.13.12
• 8a10a57 Bump @ rollup/plugin-commonjs from 17.0.0 to 18.0.0
• a9cb557 Bump rollup-plugin-typescript2 from 0.29.0 to 0.30.0
• ec96fd3 Bump @ rollup/plugin-node-resolve from 11.0.1 to 11.2.1
• 244b42d Merge pull request Public links for calendar nextcloud/server#318 from nextcloud/dependabot/npm_and_yarn/rollup-2.42.0
• aa11a0e Bump rollup from 2.38.5 to 2.42.0

See the full diff

Package name: @nextcloud/moment

The new version differs by 250 commits.

• 6564877 Merge pull request [Stable10] AppFramework do not get default response nextcloud/server#508 from nextcloud/release/v1.2.1
• 2d24e14 1.2.1
• 026411e Update changelog for 1.2.1
• 26fd5b2 Merge pull request Fix more mailmap entries nextcloud/server#506 from nextcloud/dependencies
• 4b39169 Merge pull request Update emails and license headers with latest changes nextcloud/server#507 from nextcloud/revert-505-dependabot/npm_and_yarn/moment-2.29.2
• ca8976b Revert "Bump moment from 2.29.1 to 2.29.2"
• b21f798 Merge pull request Fix the license script nextcloud/server#505 from nextcloud/dependabot/npm_and_yarn/moment-2.29.2
• 75e5317 update and widen dependencies
• 0d51ced Bump moment from 2.29.1 to 2.29.2
• 97bb906 1.2.0
• f48e2dd v1.2.0 changelog
• ae15d2f Dep update
• 4f77cd5 Migrate lock file
• d1d20cb Merge pull request [stable10] move closing div to the right place nextcloud/server#495 from nextcloud/test/french-seconds-ago
• 7db0b2d Test alleged translation bug with 'seconds ago' and French
• fdefa7f Merge pull request Colorize checkboxes depending on theming color nextcloud/server#415 from nextcloud/dependabot/npm_and_yarn/webpack-node-externals-3.0.0
• 0aca8cd Merge pull request move closing div to the right place nextcloud/server#477 from nextcloud/dependabot/npm_and_yarn/types/node-gettext-3.0.3
• 50721e2 Merge pull request files don't update since a while nextcloud/server#423 from nextcloud/dependabot/npm_and_yarn/handlebars-4.7.7
• 2c09db4 Merge pull request User import/export migration ability nextcloud/server#424 from nextcloud/dependabot/npm_and_yarn/lodash-4.17.21
• c3b9ee6 Merge pull request Make configurable length of shared link token nextcloud/server#419 from nextcloud/dependabot/npm_and_yarn/mocha-8.4.0
• b00ff99 Merge pull request [3rdparty] Remove assetic nextcloud/server#430 from nextcloud/dependabot/npm_and_yarn/ts-loader-9.2.1
• 9df24ba Merge pull request AppFramework default response for OCS is xml nextcloud/server#480 from nextcloud/dependabot/npm_and_yarn/mochapack-2.1.4
• 99093bd Merge pull request [master] Port Same-Site Cookies to master nextcloud/server#476 from nextcloud/dependabot/npm_and_yarn/jsdom-19.0.0
• b419347 Merge pull request SQLite: Both PDO and vendor specific driver needed according to installation wizard and running instance nextcloud/server#481 from nextcloud/dependabot/npm_and_yarn/tar-4.4.19

See the full diff

Package name: @nextcloud/vue

The new version differs by 162 commits.

• 06f5ad8 2.8.0
• 6171d6a Merge pull request API getRemoteThumbnailByServer nextcloud/server#1490 from nextcloud/fix/rich-content-multiline
• 6ee899e Fix multiLine prop
• 1283661 Merge pull request Return 404 on v2.php when the app is disabled nextcloud/server#1489 from nextcloud/fix/avatar-cleanup
• 988eb3e Cleanup avatar fetching methods
• 141a716 Merge pull request [Upstream] fix birthday calendar component nextcloud/server#1457 from nextcloud/poc-cache-hasavatar
• 8c7576c Merge pull request Reduce server requirements by redirecting webdav-transfer directly to object storage nextcloud/server#1486 from nextcloud/dependabot/npm_and_yarn/babel/core-7.12.3
• b2640ac Merge pull request Move integration tests to single execution containers in .drone.yml nextcloud/server#1487 from nextcloud/dependabot/npm_and_yarn/vue2-datepicker-3.6.3
• 8c87d6d Bump vue2-datepicker from 3.6.2 to 3.6.3
• b6009b9 Bump @ babel/core from 7.12.1 to 7.12.3
• 93dd0f7 Merge pull request Hide collaborative tag input when empty nextcloud/server#1469 from nextcloud/translations_l10n-messages-pot--master_gl
• 734fc0b Merge pull request Autocomplete for occ app commands nextcloud/server#1476 from nextcloud/translations_l10n-messages-pot--master_de_DE
• becc663 Merge pull request Fix the font in the select2 placeholders nextcloud/server#1473 from nextcloud/translations_l10n-messages-pot--master_it
• 76ec8fc Merge pull request Invitations not sent when added meetings from Android and Gnome nextcloud/server#1482 from nextcloud/translations_l10n-messages-pot--master_pl
• 20e6377 Merge pull request [stable10] add audio and video icons nextcloud/server#1484 from nextcloud/translations_l10n-messages-pot--master_cs_CZ
• 4b83bc2 Merge pull request deleted files, fix mimetype detection nextcloud/server#1346 from nextcloud/tests/noid/color-snapshot
• 1ea8340 Merge pull request Add Developer Certificate of Origin (DCO) nextcloud/server#1481 from nextcloud/fix/tribute-popup
• 39e925d Translate /l10n/messages.pot in cs_CZ
• 508833d Merge pull request Hide the tags input field when it's empty nextcloud/server#1478 from nextcloud/dependabot/npm_and_yarn/babel/core-7.12.1
• 161a470 Merge pull request fix sidebar tab headers margin nextcloud/server#1477 from nextcloud/dependabot/npm_and_yarn/stylelint-webpack-plugin-2.1.1
• ea34a86 Translate /l10n/messages.pot in pl
• 7613d44 Use browser storage for storaing hasAvatar state
• 97bcf17 Fix autocomplete popup size and shadow
• 4c91063 Merge pull request [stable10] redirect to default app after solving the 2FA challenge nextcloud/server#1479 from nextcloud/dependabot/npm_and_yarn/babel/preset-env-7.12.1

See the full diff

Package name: dompurify

The new version differs by 89 commits.

• e7086f7 chore: prepared 2.2.3 release
• 0c2edea fix: addressed an mXSS problem caused by nested headlines
• 2c0017c see Rename file logging from "ownCloud" to "file" nextcloud/server#490
• feeeaa9 docs: Changed granlem's URL
• 042dac1 docs: added a fellow sponsor to the README
• 89fee39 Fix [stable10] Use proper branding nextcloud/server#489
• 66de7be Merge branch 'main' of git@github.com:cure53/DOMPurify.git into main
• 185abbb Merge pull request [master] Use proper branding nextcloud/server#488 from jochenberger/patch-2
• 9dd85f4 Fix multi-license declaration
• 77d1281 Merge branch 'main' of git@github.com:cure53/DOMPurify.git into main
• 4aacbcd Merge pull request Use proper documentation links nextcloud/server#483 from yejiel/patch-1
• 25b269f Update license Header to match current Version
• b84f6ba fix: oh dear, reverted the code removal
• 4c8a84c chore: experimentally removed some possibly redundant mXSS check
• 7923e10 chore: Preparing 2.2.2 release
• 7719c5b test: Added test cases for reported bypasses
• e43de71 fix: squished another variation of the mXSS
• 0771f47 chore: Preparing 2.2.1 release
• ee33fae fix: Fixed a mXSS bypass reported in PostgreSQL: faulty database connection upon completing installation wizard nextcloud/server#482
• e95b0de see AppFramework default response for OCS is xml nextcloud/server#480
• 83b7acb See Implement brute force protection nextcloud/server#479
• 0e31dce chore: preparing 2.2.0 release
• 307c7d0 test: added tests to cover new RETURN_DOM_IMPORT default being true
• 5aab0bb fix: fixed a typo in the config option logic for DOM_RETURN_IMPORT

See the full diff

Package name: handlebars

The new version differs by 8 commits.

• a9a8e40 v4.7.7
• e66aed5 Update release notes
• 7d4d170 disable IE in Saucelabs tests
• eb860c0 fix weird error in integration tests
• b6d3de7 fix: check prototype property access in strict-mode (Read-only mode (for backups) nextcloud/server#1736)
• f058970 fix: escape property names in compat mode (Read-only mode (for backups) nextcloud/server#1736)
• 77825f8 refator: In spec tests, use expectTemplate over equals and shouldThrow (Add app name to the call nextcloud/server#1683)
• 3789a30 chore: start testing on Node.js 12 and 13

See the full diff

Package name: jquery-ui

The new version differs by 160 commits.

• d6c028c 1.13.2
• 8cc5bae Checkboxradio: Don't re-evaluate text labels as HTML
• b53e7be All: Remove deprecated .click() usage in demos/tests
• bb00536 Build: Update AUTHORS.txt
• 9d1fc97 Datepicker: Capitalize some Indonesian words
• 1f467ba Selectmenu: Remove a call to the deprecated .focus() method
• ac1866f Build: Update AUTHORS.txt
• 395aa7d Datepicker: Add missing localization for prevText and nextText
• 218c6af Datepicker: Remove symbols in localization
• 3126e12 Datepicker: Remove symbols in localization
• e853971 Build(deps): Bump actions/checkout from 2 to 3
• d55645c Build(deps): Bump actions/cache from 2 to 3
• a4060a2 Build(deps): Bump actions/setup-node from 1 to 3
• d66fdd5 Build: Add dependabot.yml config (GitHub Actions)
• 50d35e6 Build: Update Grunt to resolve CVE-2022-1537
• e21a254 Build: Include all the files published to the CDN in npm/Bower packages
• 54074fc Build: Updating the main version to 1.13.2-pre.
• d2779bd Build: Update some npm dependencies
• 0c5becc Widget: Optimize attachment of the _untrackClassesElement listener
• 4a7cec3 Build: Add Felix to .mailmap, update AUTHORS.txt
• 933ce5d Autocomplete: Rewrite with a delay instead of appending the live region
• e90096e Build: Add extra Github action job for PR required checks configuration
• e0a78d4 Build: Switch from Travis to GitHub actions
• ed637b0 Widget: Make contextless widget construction work

See the full diff

Package name: lodash

The new version differs by 1 commits.

• c6e281b Bump to v4.17.21

See the full diff

Package name: marked

The new version differs by 250 commits.

• ae01170 chore(release): 4.0.10 [skip ci]
• fceda57 🗜️ build [skip ci]
• 8f80657 fix(security): fix redos vulnerabilities
• c4a3ccd Merge pull request from GHSA-rrrm-qjm4-v8hf
• d7212a6 chore(deps-dev): Bump jasmine from 4.0.0 to 4.0.1 (CRC error with zip files downloaded from web UI nextcloud/server#2352)
• 5a84db5 chore(deps-dev): Bump rollup from 2.62.0 to 2.63.0 (Make it possible to disable sticky favourites at the top of the list nextcloud/server#2350)
• 2bc67a5 chore(deps-dev): Bump markdown-it from 12.3.0 to 12.3.2 (do not remember session tokens by default nextcloud/server#2351)
• 98996b8 chore(deps-dev): Bump @ babel/preset-env from 7.16.5 to 7.16.7 (copy remember-me value when renewing a session token nextcloud/server#2353)
• ebc2c95 chore(deps-dev): Bump highlight.js from 11.3.1 to 11.4.0 (Add an "email me" notification for logins nextcloud/server#2354)
• e5171a9 chore(release): 4.0.9 [skip ci]
• 41990a5 🗜️ build [skip ci]
• a9696e2 fix: retain line breaks in tokens properly (use public share fileclient when available nextcloud/server#2341)
• 6aacd13 chore(deps-dev): Bump jasmine from 3.10.0 to 4.0.0 ([Minor] Fix link to external storage settings on error notification nextcloud/server#2343)
• 55e5df9 chore(deps-dev): Bump @ babel/core from 7.16.5 to 7.16.7 (Link to GitHub issue tracker is broken on Nextcloud support page nextcloud/server#2344)
• 4f4cab4 chore(deps-dev): Bump eslint-plugin-import from 2.25.3 to 2.25.4 (Calendar invites: Sender is server instance, not user email address nextcloud/server#2345)
• 97ea9f2 chore(deps-dev): Bump eslint from 8.5.0 to 8.6.0 (Gallery button stays on position even if sidebar is not longer opened nextcloud/server#2346)
• 4c3b853 chore(deps-dev): Bump rollup-plugin-license from 2.6.0 to 2.6.1 (Recent file list layout adjustment nextcloud/server#2347)
• 9396896 chore(deps-dev): Bump rollup from 2.61.1 to 2.62.0 (Accept calendar invitation directly in the invitation email  nextcloud/server#2338)
• 103a56c chore(deps-dev): Bump @ babel/preset-env from 7.16.4 to 7.16.5 (Move file dialog is broken nextcloud/server#2333)
• be771c9 chore(deps-dev): Bump eslint from 8.4.1 to 8.5.0 (Move files expose complete folder structure on public links nextcloud/server#2334)
• 67d5a65 chore(deps-dev): Bump @ babel/core from 7.16.0 to 7.16.5 (Bring back grouping for activities nextcloud/server#2335)
• 991493a chore(deps-dev): Bump eslint-plugin-promise from 5.2.0 to 6.0.0 (bring back permissions for mail shares nextcloud/server#2336)
• 59375fb chore(release): 4.0.8 [skip ci]
• 4734c82 🗜️ build [skip ci]

See the full diff

Package name: select2

The new version differs by 250 commits.

• a389a6d Merge pull request Integrity check false alert on fresh installation nextcloud/server#5578 from select2/develop
• eeefa1e Merge pull request Cannot delete User which is deleted in LDAP nextcloud/server#5577 from select2/release/4.0.8
• 5005c56 Update changelog for 4.0.8
• 8b55e47 Recompile dist for 4.0.8
• 6fbe132 Bump versions for 4.0.8 release
• bbd320d Convert source and tests to unix newlines
• 1b5a962 Revert change to focusing behaviour in 4.0.6 (URL rewrite to lose index.php with Apache & fastcgi ? nextcloud/server#5576)
• d926025 Fix infinite scroll when the scrollbar is not visible (allow to disable upload to lookup server, by default it is enabled nextcloud/server#5575)
• 8a5aeab Remove deprecated jQuery shorthand (No login image and logo on NC accessed using web nextcloud/server#5564)
• 9c4f0c8 Fix typos (It takes forever to upload in web UI nextcloud/server#5574)
• bd7ac9d Results respect disabled state of `<option>` (Sharing password input for visitors is wrongly styled nextcloud/server#5560)
• b5f136f Add `computedstyle` option for calculating the width (Overview of all shared files nextcloud/server#5559)
• f9decd6 Fix tag creation being broken in 4.0.7 (After deleting an (image) file, the preview files remain forever nextcloud/server#5558)
• 9491e1a Test against jQuery 3.4.1 (Upgrade fails from NC11-12 nextcloud/server#5531)
• d66e55d removed select2-selection__placeholder from _multiple.scss (Don't create activities for email and password change before login nextcloud/server#5508)
• 5d2fdd7 Update grunt-contrib-qunit to latest version (/dev/urandom warning seems unnecessary  nextcloud/server#5530)
• 70ca392 Update dev dependencies (Optimize performance / Load CSS and JS in parallel on firefox nextcloud/server#5529)
• 36b226d Improve French Translation ([stable12] Don't create activities for email and password change before login nextcloud/server#5521)
• d53958a Clean up docs (Plural missing on CalDAV Activity when creating multiple Calendar events nextcloud/server#5528)
• 0a612f9 Automatically deploy to NPM (Reverse Proxy, PHP cache, custom logo, CSS bug (does http instead of https) nextcloud/server#5527)
• 04fce55 Merge pull request [stable12] Use realpath to obtain the webroot nextcloud/server#5507 from select2/develop
• f8193c6 Merge pull request Use realpath to obtain the webroot nextcloud/server#5506 from select2/release/4.0.7
• 5285eef Recompile dist for 4.0.7
• 20ffd12 Bump versions for 4.0.7 release

See the full diff

Package name: underscore

The new version differs by 76 commits.

• bf5a0ed Merge branch 'template-variable-parameter'
• 7e3d404 Update annotated sources and minified bundles for 1.12.1
• 5343fbc Add version 1.12.1 to the documentation
• 44df929 Bump the version to 1.12.1
• 7e89b79 Un-document the fix for Rebrand to "Nextcloud" and add 100% coverage nextcloud/server#2911 for the time being
• 4c73526 Fix Rebrand to "Nextcloud" and add 100% coverage nextcloud/server#2911
• ef646cc Reflect real issue of Rebrand to "Nextcloud" and add 100% coverage nextcloud/server#2911 in test from Add 100% coverage for response.php nextcloud/server#2912
• a6159ff Fix indentation in the test from Add 100% coverage for response.php nextcloud/server#2912
• 798eafa Update the link to the preview release (bugfix)
• 07cc415 Convert all RawGit links to Statically
• db7fb6a Add temporary note about preview release to index.html
• 548fa01 Merge pull request Update bundled CA Certificates nextcloud/server#2913 from ognjenjevremovic/test/time-tampering-tests
• 3a5c878 test: Assertion comment updates; `_.throttle` and `_.debounce`.
• 4d5d198 test: 💍 Time tampering tests for _.throttle and _.deobounce
• a4cc7c0 Add a test to confirm we are not vulnerable to CVE-2021-23337 (Rebrand to "Nextcloud" and add 100% coverage nextcloud/server#2911)
• 745e9b7 Merge pull request Point 3rdparty to master nextcloud/server#2896 from anderlaw/master
• af2f919 Correct "Non-numerical values in list will be ignored"
• c9b4b63 Put back test/vendor/qunit.* static files to fix live website tests
• 311b04e Merge pull request Adds user controller tests nextcloud/server#2892 from kritollm/master
• 6568211 Make a comment render more nicely
• 0b93f06 Fixed a few more details
• 913bcf2 Resolved changes requested.
• 769a494 throttle cleanup
• 03f9781 Reimplementing timer optimization Deprecate OCSRespone nextcloud/server#1269

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-Side Request Forgery (SSRF)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Cross-site Scripting (XSS)
🦉 More lessons are available in Snyk Learn