[Snyk] Fix for 16 vulnerabilities #228

baophucct · 2023-11-27T20:49:50Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- packages/app/package.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: airtable

The new version differs by 98 commits.

aead7b0 Fix bug with release scripts and git status
217cd20 airtable.js: add newline to end of package.json
e7d7c07 Fix deploy_part_2_do_deploy master prerelease check
411296f Release Airtable.js v0.9.0
212d99a Remove Promise Polyfill
df8a0e6 Add parse json body to response object
81fc8f3 Preserve error handling behavior for bodyless err
e75f09b Add test to handle errors with empty bodies
0be07ab Preserve behavior from request library
8ef7814 Add test for requests with empty bodies
b4b878f Add additional spelling fix in README.md
ba1881f Fix grammer in README
e87ed66 Minor fixes from review
d75454b Add polyfills for older browser versions
b9e8bef Add docs to README about requirements
939eda0 Ensure airtable.js browser build works
c133215 Replace second use of requests module
dc9c094 Ensure fetch works in node 8
40e89ff Add test of timeout abort
4ff6ac8 Rebuild the test/test_files/airtable.browser.js
fbbdeaa Add back timeout to request
c784122 Replace deprecated request library with node-fetch
5da4872 Add test of retry if hitting rate limit
a2f4967 Add test for custom user agent header if browser

See the full diff

Package name: gulp

The new version differs by 134 commits.

55eb23a Release: 4.0.0
173a532 Docs: Fix the installation instructions
ec54d09 Docs: Improve note about out-of-date docs
03b7c98 Docs: Update recipes to install gulp@next
2eba29e Docs: Remove run-sequence from recipes
76eb4d6 Docs: Add installation instructions & update badges
fbc162f Docs: Remove references to gulp-util
3011cf9 Scaffold: Normalize repository
f27be05 Update: Remove graceful-fs from test suite
361ab63 Upgrade: Update glob-watcher
064d100 Build: Avoid broken node 9
057df59 Release: 4.0.0-alpha.3
c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
89acc5c Docs: Improve ES2015 task exporting examples (fix: add vendor prefix for file tab styling codesandbox/codesandbox-client#1999)
0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (Reset isForkingSandbox on error codesandbox/codesandbox-client#1859)
723cbc4 Docs: Fix syntax in recipe example (Fix(homepage): Second picked sandbox doesn't open in explore codesandbox/codesandbox-client#1715)
d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (Error: "Invalid regular expression... Range out of order in character class" codesandbox/codesandbox-client#1828)
29ece6f Upgrade: Update undertaker
e931cb0 Docs: Fix changelog typos (Update prettier to 16.6.4 codesandbox/codesandbox-client#1696)
477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (Stock vue template has a Babel error codesandbox/codesandbox-client#1659)
d4ed3c7 Docs: Add options.cwd for gulp.src API (Storybook codesandbox/codesandbox-client#1645)
5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
c3dbc10 Docs: Clarify incremental builds example (Search Improvements codesandbox/codesandbox-client#1609)

See the full diff

Package name: gulp-postcss

The new version differs by 15 commits.

9166fdb Release 7.0.1
0af46f5 Merge pull request [Snyk] Security upgrade overmind-devtools from 19.0.1 to 29.0.0 #137 from ohbarye/drop-dependency-on-gulp-util
6f15b51 Drop dependency on gulp-util
3a1d0df Merge pull request [Snyk] Security upgrade rollup-plugin-scss from 0.4.0 to 3.0.0 #126 from gucong3000/coverage
2748681 fix eslint error, add test case
355d90b add coverage report
2cb352f Release 7.0.0
8dd0235 Merge pull request [Snyk] Security upgrade axios from 0.19.2 to 0.21.3 #116 from postcss/postcss60
18e31d8 Use PostCSS 6.0 and drop node 0.12
96f6d24 Merge pull request [Snyk] Security upgrade immer from 3.3.0 to 9.0.6 #113 from gucong3000/eslint
7c5e513 npm install --save-dev mocha@3.3.0 sinon@2.2.0
2b319cb fix broke tests for node 0.12
4201543 add `eslint`
dd03625 Merge pull request [Snyk] Security upgrade rollup-plugin-scss from 0.4.0 to 3.0.0 #112 from jorrit/patch-1
28e20ef Cleanup NPM package

See the full diff

Package name: gulp-rev

The new version differs by 21 commits.

bb3a3fd 8.1.1
e46406b Replace gulp-util with smaller modules ([Snyk] Security upgrade next from 8.1.0 to 10.0.6 #237)
6c9bcac Remove Code Sponsor
fe0c551 8.1.0
47ffbe0 Bump `rev-path`
fc74b5b Try out Code Sponsor
cdf63fa Pass resolved, absolute paths to relPath() ([Snyk] Security upgrade axios from 0.19.2 to 1.6.0 #220) ([Snyk] Security upgrade overmind-devtools from 19.0.1 to 29.0.4 #222)
567c340 Update readme.md ([Snyk] Fix for 6 vulnerabilities #224)
898dffc 8.0.0
d290ff8 Meta tweaks
a89f0df Make tests independent of platform specific path separator ([Snyk] Security upgrade next from 8.1.0 to 13.5.0 #219) ([Snyk] Security upgrade @codesandbox/common from 1.0.8 to 1.0.10 #221)
71a0377 Add a note about non-deterministic streams order ([Snyk] Security upgrade next from 8.1.0 to 10.0.2 #213)
f5ee9ee Meta tweaks
731be70 Move list of maintainers into the readme for visibility
192a075 Meta tweaks
7acdb13 Move tests from Mocha to AVA ([Snyk] Security upgrade next from 8.1.0 to 10.0.6 #212)
82c185c More realistic example ([Snyk] Security upgrade vscode-languageclient from 5.2.1 to 7.0.0 #203)
02fbeba add XO badge
8686e62 [breaking] ES2015ify and require Node.js 4
ed53cef meta tweaks
17d6bb4 docs: change number of approaches ([Snyk] Fix for 4 vulnerabilities #196)

See the full diff

Package name: jest-each

The new version differs by 22 commits.

ff9269b chore: bump most dated deps (#8850)
7594141 chore: upgrade to eslint@6 (#8855)
b33ce0d chore: upgrade to micromatch v4 (#8852)
d6ff72a chore: add node 12 to CI (fix: notification bubble codesandbox/codesandbox-client#8411)
7e9b4ea chore: upgrade jsdom (#8851)
4bb7a2d Use `weak-napi` instead of `weak` in `jest-leak-detector`
ce47c6c Get rid of Node 6 support (feat: add codeium in featured templates codesandbox/codesandbox-client#8455)
bc5c3c7 jest-snapshot: Remove only the added newlines in multiline snapshots (#8859)
d523fa8 bug.md: highlights placeholder should be removed (#8836)
08f109c expect: Display expectedDiff more carefully in toBeCloseTo (fix: show upgrade button only for admins codesandbox/codesandbox-client#8389)
b09de2d chore: bump node-notifier for node v6 support
557a39f fix(linter): Fix linting failure introduced in #8847 😓 (#8849)
012472b fix(docs): Update broken links in docs. (#8847)
ee2bea1 chore: sort member in imports (#8846)
9ba4594 add Chinese Jest work with AngularJS tutorial (#8828)
0e5b363 chore: reduce reliance on esModuleInterop (#8842)
d69f8d3 getTimerCount will not include cancelled immediates (#8764)
b4bd77b Fix grammar: "your jest's config"->"your Jest..." (#8843)
54b3dcf Fix grammar: "a known issues"->"a known issue" (#8844)
e76c7da docs: update matchMedia methods (#8835)
23b9860 chore: roll new version of docs
3cdbd55 Release 24.9.0