[Snyk] Fix for 28 vulnerabilities

[adamlaska]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/instant/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	Yes	Proof of Concept
	679/1000 Why? Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-BROWSERSLIST-1090194	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	429/1000 Why? Has a fix available, CVSS 4.3	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	Yes	No Known Exploit
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MERGE-1040469	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MERGE-1042987	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-URLPARSE-1078283	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-URLPARSE-1533425	Yes	Proof of Concept
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Access Restriction Bypass SNYK-JS-URLPARSE-2401205	Yes	Proof of Concept
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Authorization Bypass SNYK-JS-URLPARSE-2407759	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Improper Input Validation SNYK-JS-URLPARSE-2407770	Yes	Proof of Concept
	631/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.2	Authorization Bypass Through User-Controlled Key SNYK-JS-URLPARSE-2412697	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Improper Input Validation SNYK-JS-URLPARSE-543307	Yes	Proof of Concept
	379/1000 Why? Has a fix available, CVSS 3.3	Insecure Credential Storage SNYK-JS-WEB3-174533	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @0x/asset-swapper

The new version differs by 250 commits.

• 92e681f Publish
• 3f65dd6 Updated CHANGELOGS & MD docs
• 4425c31 chore: update packages ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #553)
• 9058839 WooFi Gas Estimates ([Snyk] Security upgrade nyc from 11.9.0 to 12.0.0 #551)
• 46a7a2e Revert "chore: Remove unused addresses in addresses.json [TKR-519] ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #548)"
• b35dccd Offboard Cream ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #546)
• 08e0c2e chore: Add checks for `addresses.json` [TKR-519] ([Snyk] Fix for 1 vulnerabilities #549)
• 8aa313a chore: Remove unused addresses in addresses.json [TKR-519] ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #548)
• 8e9699c Publish
• 939b708 Updated CHANGELOGS & MD docs
• 1617e3f Fix Polygon and Ganache FillQuoteTransformer addresses ([Snyk] Security upgrade @0x/mesh-rpc-client from 7.0.4-beta-0xv3 to 8.1.0 #547)
• e0d7057 Publish
• 01a6d93 Updated CHANGELOGS & MD docs
• 9b9f0b9 Move woofi tokens to constant.ts and run prettier ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #544)
• 0d0fef8 PR #
• 17adfbe changelogs
• 8059462 empty commit to run workflow
• 0dba5a5 lowercase addresses ([Snyk] Fix for 1 vulnerabilities #542)
• 4dae8de feat: add Foundry support to contracts/zero-ex ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #534)
• 0046bb2 Update WooFi sampler logicand addresses.json w/ new FQT's
• fe935f7 Use @ 0x/fast-abi instead of deprecated fast-abi ([Snyk] Security upgrade @0x/subproviders from 6.6.5 to 7.0.0 #540)
• 1b527ff Clean up Mirror and UST related stuff ([Snyk] Fix for 1 vulnerabilities #539)
• 9f5324d Publish
• 3647392 Updated CHANGELOGS & MD docs

See the full diff

Package name: @0x/subproviders

The new version differs by 15 commits.

• aad2bd4 Publish
• ae6753a Updated CHANGELOGS & MD docs
• 91344c0 Bump CirciCI to nodejs16 ([Snyk] Fix for 5 vulnerabilities #68)
• ae232fa Bump CI to node16
• b89d468 Cannot run installation against specific package ([Snyk] Fix for 5 vulnerabilities #67)
• e003034 fix: Update deps fix ([pull] development from 0xProject:development #65)
• 14e5370 empty
• 27955e3 chore: Update deps ([Snyk] Security upgrade moment from 2.21.0 to 2.29.4 #64)
• 7e7e6dc fix: Fix subprovider tests
• dbd0dc0 bump ts
• 094c081 Bump subprovider deps
• 3c0bb9e Update @ ethereumjs/common
• 9d28e7d Unpin merkle-patricia-tree
• b543924 Add repository to @ 0x/subproviders
• 3b01e1d Update package.json to include the repository

See the full diff

Package name: nyc

The new version differs by 21 commits.

• 4a6b327 chore(release): 13.0.1
• ae5318b chore: Update istanbul dependencies. (Update Lerna & other small changes 0xProject/0x-monorepo#896)
• d0b76e2 fix: Enable es-modules by default. (Update Versions & Changelogs 0xProject/0x-monorepo#889)
• 6b6cd5e fix: add flag to allow control of intrumenter esModules option, default to looser parsing (Refactor 0x.js 0xProject/0x-monorepo#863)
• c325799 docs: reference babel 7 in all places (Fix bugs having to do with block timestamps and order expirationTimes 0xProject/0x-monorepo#881)
• 7483ed9 fix: use uuid/v4 to generate unique identifiers. (New tslint rules 0xProject/0x-monorepo#883)
• 8ab1ae3 chore: update dependencies (Bump npm-run-all from 4.1.2 to 4.1.3 0xProject/0x-monorepo#872)
• 52b69ef fix: Update caching-transform options. (Bump nodemon from 1.17.3 to 1.18.1 0xProject/0x-monorepo#873)
• 624a723 chore: update dependencies (Integrate Heap analytics into the website 0xProject/0x-monorepo#866)
• a5818f5 chore(release): 13.0.0
• f0d98a5 docs: update README.md with babel configuration info (Bump nodemon from 1.17.3 to 1.18.0 0xProject/0x-monorepo#860)
• 893345a feat: allow rows with 100% statement, branch, and function coverage to be skipped in text report (Bump less-loader from 2.2.3 to 4.1.0 0xProject/0x-monorepo#859)
• f09cf02 chore: update dependencies ([SoHoAudit] Externally supplied variable salt is used explicitly as timestamp within MixinExchangeCore.sol#47-55 which may lead to confusion 0xProject/0x-monorepo#855)
• d0f654c fix: source was being instrumented twice, due to upstream fix in ista… ([SoHoAudit] Combined taker fees exceeding MAX_INT will revert execution rather than successfully process MixinMatchOrders.sol#281-284: 0xProject/0x-monorepo#853)
• adb310c chore(release): 12.0.2
• ddc9331 fix: stop bundling istanbul-lib-instrument due to npm issue on Node 6 ([SoHoAudit] Suggested usage of transfer in place of call.value() on line AssetProxyOwner.sol#91 0xProject/0x-monorepo#854)
• b4c325b fix: don't bundle istanbul-lib-instrument due to Node 6 issues
• 9fc20e4 chore(release): 12.0.1
• 3e087d4 chore: upgrade to version of istanbul with optional catch binding ([SoHoAudit] Misleading verbiage within batch processing in batchFillOrders, batchFillOrKillOrders, marketSellOrders, marketSellOrdersNoThrow, marketBuyOrders, marketBuyOrdersNoThrow, and batchCancelOrders 0xProject/0x-monorepo#851)
• eaf3f70 chore(release): 12.0.0
• 19b7d21 chore: upgrade to newest version of istanbul codebase (Add revert reasons and optimization to safeMath 0xProject/0x-monorepo#848)

See the full diff

Package name: rollbar-sourcemap-webpack-plugin

The new version differs by 8 commits.

• 3f3c329 Release v3.0.0
• ae00f46 Add new required args to github_changelog_generator command ([Snyk] Fix for 1 vulnerabilities #265)
• 1fe68c7 Update deps ([Snyk] Security upgrade nyc from 11.9.0 to 15.0.0 #264)
• f663b23 Upgrade http client ([Snyk] Security upgrade nyc from 11.9.0 to 15.0.0 #260)
• 5cc7c2b chore(ci): remove travis.yml ([Snyk] Fix for 1 vulnerabilities #262)
• c7569dd BREAKING CHANGE: drop support for Webpack v3 ([Snyk] Security upgrade nyc from 11.9.0 to 15.0.0 #259)
• 80b1bfe chore(deps): update dependencies ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.3 #253)
• 2fddb37 Bump eslinit, lint-staged, and prettier to latest ([Snyk] Security upgrade nyc from 11.9.0 to 15.0.0 #247)

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 610f368 5.0.0
• 5ce65c1 update examples
• bbe1230 Merge pull request #11628 from webpack/bugfix/real-content-hash
• 75ecff2 5.0.0-rc.6
• bfc35d6 Merge pull request #11603 from MayaWolf/master
• 76e8cbd Merge pull request #11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
• 9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
• 36bcfaa Merge pull request #11621 from webpack/bugfix/11619
• 9130d10 fix called variables with ProvidePlugin
• 3e42105 Merge pull request #11620 from webpack/bugfix/11617
• 4709719 skip connections copied to concatenated module
• 57b493f 5.0.0-rc.5
• 1658e2f Merge pull request #11618 from webpack/bugfix/11615
• a8fb45d fixes crash in SideEffectsFlagPlugin
• 84b196d emit error instead of crashing when unexpected problem occurs
• 5573fed Merge pull request #11601 from Hornwitser/improve-suggested-polyfill-config
• 9b5cce9 Merge pull request #11609 from snitin315/export-types
• 37c495c export type RuleSetUseItem
• 39faf34 export type RuleSetUse
• e5fd246 export type RuleSetConditionAbsolute
• 660baad export RuleSetCondition types
• 13e3ca5 Merge pull request #11602 from webpack/bugfix/shared-runtime-chunk
• 9c0587e Merge pull request #11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
• 502d166 Merge pull request #11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Package name: webpack-dev-server

The new version differs by 250 commits.

• c9271b9 chore(release): 4.0.0
• 18bf369 test: fix stability (#3676)
• cdcabb2 fix: respect protocol from browser for manual setup (#3675)
• 1768d6b fix: initial reloading for lazy compilation (#3662)
• 4f5bab1 docs: improve examples (#3672)
• f2d87fb fix: improve https CLI output (#3673)
• 0277c5e chore: remove redundant console statements (#3671)
• 16fcdbc docs: add `ipc` example (#3667)
• 8915fb8 test: add e2e tests for built in routes (#3669)
• 4d1cbe1 docs: ask `version` information in issue template (#3668)
• b6c1881 chore(deps-dev): bump core-js from 3.16.1 to 3.16.2 (#3666)
• ffa8cc5 chore(deps-dev): bump supertest from 6.1.5 to 6.1.6 (#3665)
• f1fdaa7 chore(release): 4.0.0-rc.1
• c4678bc fix: legacy API (#3660)
• d8bdd03 test: fix stability (#3661)
• 22b1414 refactor: remove `killable` (#3657)
• 75bafbf test: add e2e tests for module federation (#3658)
• 493ccbd chore(deps): update `ws` (#3652)
• ae8c523 test: add e2e test for universal compiler (#3656)
• f94b84f chore(deps): update (#3655)
• 1923132 test: fix cli
• 2adfd01 test: fix todo (#3653)
• 6e2cbde fix: proxy logging and allow to pass options without the `target` option (#3651)
• c9ccc96 fix: respect infastructureLogging.level for client.logging (#3613)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[socket-security]

New and updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
nyc	13.3.0	eval, environment	+19	24.6 MB	coreyfarrell
jest	26.6.3	eval, network	+168	15.9 MB	simenb
@0x/asset-swapper	16.66.4	None	+266	147 MB	tobernguyen
tslint	5.16.0	eval	+7	56.3 MB	palantir
@0x/subproviders	7.0.1	None	+92	36.3 MB	tobernguyen
webpack-dev-server	4.15.1	network, shell, environment	+96	6.09 MB	evilebottnawi
typescript	3.9.10	None	+0	54.1 MB	typescript-bot
rollbar-sourcemap-webpack-plugin	2.4.0...3.3.0	filesystem	+5/-4	346 kB	brandondoran