[Snyk] Fix for 19 vulnerabilities

[adamlaska]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/migrations/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	Yes	Proof of Concept
	/1000 Why?	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	Proof of Concept
	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-BROWSERSLIST-1090194	Yes	Proof of Concept
	270/1000 Why? CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	/1000 Why?	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	/1000 Why?	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	/1000 Why?	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	/1000 Why?	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	382/1000 Why? Proof of Concept exploit, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	Yes	Proof of Concept
	375/1000 Why? CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	165/1000 Why? CVSS 3.3	Insecure Credential Storage SNYK-JS-WEB3-174533	Yes	No Known Exploit
	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
	/1000 Why?	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @0x/base-contract

The new version differs by 15 commits.

• aad2bd4 Publish
• ae6753a Updated CHANGELOGS & MD docs
• 91344c0 Bump CirciCI to nodejs16 ([Snyk] Fix for 5 vulnerabilities #68)
• ae232fa Bump CI to node16
• b89d468 Cannot run installation against specific package ([Snyk] Fix for 5 vulnerabilities #67)
• e003034 fix: Update deps fix ([pull] development from 0xProject:development #65)
• 14e5370 empty
• 27955e3 chore: Update deps ([Snyk] Security upgrade moment from 2.21.0 to 2.29.4 #64)
• 7e7e6dc fix: Fix subprovider tests
• dbd0dc0 bump ts
• 094c081 Bump subprovider deps
• 3c0bb9e Update @ ethereumjs/common
• 9d28e7d Unpin merkle-patricia-tree
• b543924 Add repository to @ 0x/subproviders
• 3b01e1d Update package.json to include the repository

See the full diff

Package name: @0x/contracts-zero-ex

The new version differs by 250 commits.

• ad2d41f Publish
• 721b984 Updated CHANGELOGS & MD docs
• 72433ea fix: Revert changelog commits from previous failed publish ([Snyk] Security upgrade jest from 24.9.0 to 28.0.0 #710)
• f919e8e Publish
• dbcc7dd Updated CHANGELOGS & MD docs
• 33b7515 Bump package versions for lerna ([Snyk] Security upgrade jest from 24.9.0 to 27.0.0 #709)
• f96b944 Updated CHANGELOGS & MD docs
• 0fbdc1d fix: Revert changelog commits from previous failed publish ([Snyk] Fix for 7 vulnerabilities #708)
• 484d9ca Publish
• e73885c Updated CHANGELOGS & MD docs
• 948b17e Add publishConfig in governance/package.json ([Snyk] Security upgrade jest from 24.9.0 to 25.0.0 #707)
• 2b13dcf Publish
• d2bea4a Updated CHANGELOGS & MD docs
• dc926a0 Update Ethereum FillQuoteTransformer address ([Snyk] Security upgrade lerna from 3.4.3 to 6.5.0 #706)
• 5cc5359 feat: Add Barter support to EthereumBridgeAdapter [LIT-981] ([Snyk] Security upgrade nyc from 11.9.0 to 12.0.0 #703)
• 57ca2c0 Correct final audit document ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #702)
• b0d2dee Publish
• 1422ad7 Updated CHANGELOGS & MD docs
• 9d216f9 fix: add version in changelog for utils ([Snyk] Security upgrade nyc from 11.9.0 to 12.0.0 #700)
• ff74738 chore: add forge to publish action ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #699)
• fe4fe48 chore: update dependencies ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #698)
• 356e74a Integration test for migrating 0x stake ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #697)
• 70590e3 Actual script for governance deployment ([Snyk] Security upgrade nyc from 11.9.0 to 12.0.0 #696)
• 4e0b671 Integration test catastrophic mode in staking v3 ([Snyk] Security upgrade nyc from 11.9.0 to 12.0.0 #691)

See the full diff

Package name: @0x/subproviders

The new version differs by 53 commits.

• c33f74a Publish
• d0fe875 Updated CHANGELOGS & MD docs
• 06d1d34 Merge pull request [Snyk] Security upgrade @0x/utils from 5.6.4 to 7.0.0 #93 from 0xProject/david/subproviders-8
• 8d21ec1 chore: update subproviders version to 8.0.0
• 1e26144 Merge pull request [Snyk] Security upgrade @0x/base-contract from 6.5.0 to 7.0.0 #91 from 0xProject/david/subproviders-clean
• bf9aaea chore: clean unused code from @ 0x/subproviders
• 8c79268 Publish
• d6e3f73 Updated CHANGELOGS & MD docs
• 8df4471 Merge pull request [Snyk] Security upgrade @0x/utils from 5.6.4 to 7.0.0 #86 from 0xProject/feat/parse-imports-single-quotes
• 6f68b71 add ability to parse single quote imports
• 2ca3096 Merge pull request [Snyk] Security upgrade @0x/utils from 5.6.4 to 7.0.0 #85 from 0xProject/dependabot/npm_and_yarn/json5-1.0.2
• 2d90e21 Bump json5 from 1.0.1 to 1.0.2
• 913ee4b Merge pull request [Snyk] Fix for 2 vulnerabilities #84 from 0xProject/dependabot/npm_and_yarn/decode-uri-component-0.2.2
• 03c2f93 Bump decode-uri-component from 0.2.0 to 0.2.2
• 2b6d538 Merge pull request [Snyk] Security upgrade @0x/utils from 5.6.4 to 7.0.0 #76 from 0xProject/dependabot/npm_and_yarn/change-case-4.1.2
• 1650f30 Changed functions names
• 540286e Merge pull request [Snyk] Security upgrade @0x/utils from 5.6.4 to 7.0.0 #79 from 0xProject/dependabot/npm_and_yarn/depcheck-1.4.3
• 7696d3b Bump change-case from 3.1.0 to 4.1.2
• 1ee8ccf Bump depcheck from 0.6.11 to 1.4.3
• 5eb26b0 Merge pull request [Snyk] Fix for 2 vulnerabilities #77 from 0xProject/dependabot/npm_and_yarn/sinon-15.0.0
• b444777 Merge pull request [Snyk] Security upgrade @0x/utils from 5.6.4 to 7.0.0 #73 from 0xProject/dependabot/github_actions/actions/setup-python-4
• 4cd16d3 Merge pull request [Snyk] Fix for 2 vulnerabilities #75 from 0xProject/dependabot/npm_and_yarn/loader-utils-1.4.2
• f91bf18 Bump actions/setup-python from 2 to 4
• cb2f8d5 Merge pull request [Snyk] Security upgrade @0x/base-contract from 6.5.0 to 7.0.0 #74 from 0xProject/dependabot/github_actions/actions/setup-node-3

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.