[Snyk] Fix for 1 vulnerabilities

[dotam99]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: copy-webpack-plugin

The new version differs by 4 commits.

• 46af20a chore(release): 7.0.0
• 5d5635f refactor: code (Fix default GPG key type github/docs#567)
• c6f68a5 refactor: code
• 4cea28b refactor: next

See the full diff

Package name: linkinator

The new version differs by 108 commits.

• 2cab633 feat: create new release with notes (Missed slash in "if" and minor formatting github/docs#508)
• a376199 fix!: stream CSV results (repo sync github/docs#507)
• 18d808c chore(deps): update dependency @ types/update-notifier to v6 (repo sync github/docs#503)
• 0ee27e0 chore(deps): update dependency got to 11.8.5 [security] (Update testing-webhooks.md github/docs#505)
• 5ef0e1e build!: drop support for nodejs 12.x (docs: add tnir as a contributor github/docs#506)
• eeebebd build(deps-dev): bump semantic-release from 19.0.2 to 19.0.3 (Multiple deploy keys github/docs#501)
• da166dd build(deps): bump semver-regex from 3.1.3 to 3.1.4 (Multiple Unique Deployment Keys on One Server. github/docs#500)
• 4c63eb8 build(deps): bump npm from 8.3.1 to 8.12.0 (Fix and extend push webhook documentation. github/docs#499)
• 5ca5a46 feat: allow --skip to be defined multiple times (https://github.com/github/docs/pull/398#issue-501049475 github/docs#399)
• 9c2b5d8 chore(deps): update dependency sinon to v14 (Update defining-the-mergeability-of-pull-requests.md github/docs#398)
• d334dc6 fix(deps): upgrade node-glob to v8 (.Update keyboard-shortcuts.md github/docs#397)
• ba3b9a8 fix(deps): upgrade to htmlparser2 v8.0.1 (Translation of the last line into Portuguese github/docs#396)
• 48af50e fix(deps): update dependency gaxios to v5 (Repairing .allcontributorsrc github/docs#391)
• 78ae8b5 chore(deps): update github/codeql-action action to v2 (Update autolinked-references-and-urls.md github/docs#393)
• 0b31851 chore(deps): update dependency mocha to v10 (Update identifying-and-authorizing-users-for-github-apps.md github/docs#394)
• e586584 build(deps): bump minimist from 1.2.5 to 1.2.6 (docs: Add Chinese translation github/docs#387)
• 1cc3a88 docs: Update latest major version specified in SECURITY.md (repo sync github/docs#380)
• 833fd33 chore(deps): update actions/checkout action to v3 (#385)
• 1835248 chore(deps): update actions/setup-node action to v3 (#383)
• 4a16353 build(deps): bump simple-get from 3.1.0 to 3.1.1 (repo sync github/docs#379)
• 65dfb90 chore(deps): update dependency simple-get to 3.1.1 [security] (Neftali github/docs#378)
• 96d3ddf chore(deps): update dependency nanoid to 3.1.31 [security] (repo sync github/docs#377)
• ad1e73e build(deps): bump node-fetch from 2.6.1 to 2.6.7 (API Libraries Design update github/docs#376)
• 9b287c3 chore(deps): update dependency sinon to v13 (repo sync github/docs#375)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[guardrails]

⚠️ We detected 98 security issues in this pull request:

Mode: paranoid | Total findings: 98 | Considered vulnerability: 98

Insecure File Management (11)

Severity	Details	Docs
High	Title: Path Traversal from user input docs/middleware/contextualizers/rest.js Line 14 in 23e4613 '/developers/apps'	📚
High	Title: Path Traversal from user input docs/lib/rewrite-local-links.js Line 40 in 23e4613 newHref = path.join('/', languageCode, href)	📚
High	Title: Path Traversal from user input docs/lib/rewrite-local-links.js Line 47 in 23e4613 newHref = path.join('/', languageCode, href)	📚
High	Title: Path Traversal from user input docs/middleware/early-access-breadcrumbs.js Line 63 in 23e4613 const mapTopicOrArticlePath = path.posix.join(categoryPath, pathParts[2])	📚
High	Title: Path Traversal from user input docs/middleware/early-access-breadcrumbs.js Line 50 in 23e4613 const categoryPath = removeFPTFromPath(path.posix.join('/', 'en', req.context.currentVersion, 'early-access', pathParts[0], pathParts[1]))	📚
High	Title: Path Traversal from user input docs/middleware/breadcrumbs.js Line 35 in 23e4613 title: product.title	📚
High	Title: Path Traversal from user input docs/middleware/breadcrumbs.js Line 49 in 23e4613 const categoryPath = removeFPTFromPath(path.posix.join('/', req.context.currentLanguage, req.context.currentVersion, productPath, pathParts[1]))	📚
High	Title: Path Traversal from user input docs/middleware/breadcrumbs.js Line 21 in 23e4613 const productPath = path.posix.join('/', req.context.currentProduct)	📚
High	Title: Path Traversal from user input docs/middleware/breadcrumbs.js Line 34 in 23e4613 href: removeFPTFromPath(path.posix.join('/', req.context.currentLanguage, req.context.currentVersion, productPath)),	📚
High	Title: Path Traversal from user input docs/middleware/archived-enterprise-versions-assets.js Line 22 in 23e4613 const proxyPath = path.join('/', requestedVersion, assetPath)	📚
High	Title: Path Traversal from user input docs/lib/get-link-data.js Line 37 in 23e4613 const href = removeFPTFromPath(path.join('/', context.currentLanguage, version, linkPath))	📚

More info on how to fix Insecure File Management in JavaScript.

---

Vulnerable Libraries (32)

Severity	Details
Informational	pkg:npm/compression@1.7.4@1.7.4 (t) upgrade to: 3.1.0
Critical	pkg:npm/browser-date-formatter@3.0.3@3.0.3 (t) upgrade to: 1.2.6, 1.0.7
High	pkg:npm/walk-sync@1.1.4@1.1.4 (t) upgrade to: 3.0.5
Critical	pkg:npm/mini-css-extract-plugin@1.4.1@1.4.1 (t) upgrade to: 2.0.4, 3.2.1, 1.2.6, 2.2.2, 2.0.3, 1.4.2
High	pkg:npm/node-fetch@2.6.1@2.6.1 (t) upgrade to: 3.1.1,2.6.7
Informational	pkg:npm/algoliasearch@3.35.1@3.35.1 (t) upgrade to: 3.1.0
Medium	pkg:npm/webpack-cli@4.6.0@4.6.0 (t) upgrade to: 1.0.7
Critical	pkg:npm/copy-webpack-plugin@7.0.0@7.0.0 (t) upgrade to: 2.2.2, 1.2.6
Critical	pkg:npm/style-loader@1.2.1@1.2.1 (t) upgrade to: 2.0.3, 1.4.2, 2.0.4, 3.2.1, 2.2.2, 1.2.6
Critical	pkg:npm/babel-loader@8.1.0@8.1.0 (t) upgrade to: 1.4.2, 2.0.4, 3.2.1, 2.0.3, 2.2.2, 1.2.6
High	pkg:npm/got@9.6.0@9.6.0 (t) upgrade to: 10.2.7, 4.1.1
High	pkg:npm/remark-parse@7.0.2@7.0.2 (t) upgrade to: 0.0.3
High	pkg:npm/rimraf@3.0.0@3.0.0 (t) upgrade to: 3.0.5
High	pkg:npm/hast-util-select@4.0.2@4.0.2 (t) upgrade to: 2.0.1
Informational	pkg:npm/rehype-highlight@3.1.0@3.1.0 (t) upgrade to: 10.4.1
High	pkg:npm/rss-parser@3.12.0@3.12.0 (t) - no patch available
High	pkg:npm/cheerio@1.0.0-rc.3@1.0.0-rc.3 (t) upgrade to: 4.17.21, 2.0.1
Informational	pkg:npm/morgan@1.9.1@1.9.1 (t) upgrade to: 3.1.0
High	pkg:npm/sass@1.32.8@1.32.8 (t) upgrade to: 5.1.2, 6.0.1
High	pkg:npm/express@4.17.1@4.17.1 (t) upgrade to: 4.17.3,6.10.3,6.9.7,6.8.3,6.7.3,6.6.1,6.5.3,6.4.1,6.3.3,6.2.4
Critical	pkg:npm/sass-loader@9.0.2@9.0.2 (t) upgrade to: 2.0.4, 3.2.1, 2.2.2, 1.2.6, 2.0.3, 1.4.2
High	pkg:npm/lodash@4.17.20@4.17.20 (t) upgrade to: 4.17.21,4.17.21
Medium	pkg:npm/webpack@5.30.0@5.30.0 (t) upgrade to: 4.16.5, 4.8.1, 5.14.2
Critical	pkg:npm/linkinator@4.0.0@4.0.0 (t) upgrade to: 1.2.6
Critical	pkg:npm/css-loader@5.0.0@5.0.0 (t) upgrade to: 1.2.6, 2.2.2, 2.0.3, 1.4.2, 2.0.4, 3.2.1, 3.1.31
High	pkg:npm/throng@5.0.0@5.0.0 (t) upgrade to: 4.17.21
Critical	pkg:npm/resolve-url-loader@4.0.0@4.0.0 (t) upgrade to: 1.2.6, 2.0.3, 1.4.2, 2.0.4, 3.2.1, 2.2.2
High	pkg:npm/babel-preset-env@1.7.0@1.7.0 (t) upgrade to: 4.17.21, 3.1.0
High	pkg:npm/remark-rehype@5.0.0@5.0.0 (t) upgrade to: 0.0.3
High	pkg:npm/@babel/plugin-transform-runtime@7.11.0@7.11.0 (t) upgrade to: 4.17.21, 1.0.7
Medium	pkg:npm/liquidjs@9.22.1@9.22.1 (t) upgrade to: 10.0.0
N/A	pkg:npm/flat@5.0.0@5.0.0 (t) upgrade to: 5.0.1

More info on how to fix Vulnerable Libraries in JavaScript.

---

Insecure Use of Regular Expressions (1)

Severity	Details	Docs
Medium	Title: Tainted input passed to Regular Expression docs/middleware/find-page.js Line 8 in 23e4613 const englishPath = req.path.replace(new RegExp(`^/${req.language}`), '/en')	📚

More info on how to fix Insecure Use of Regular Expressions in JavaScript.

---

Insecure Processing of Data (6)

Severity	Details	Docs
High	Title: Insecure Deserialization (js-yaml) docs/tests/unit/actions-workflows.js Line 11 in 23e4613 const data = yaml.load(fs.readFileSync(fullpath, 'utf8'), { fullpath })	📚
High	Title: Insecure Deserialization (js-yaml) docs/tests/helpers/crowdin-config.js Line 7 in 23e4613 return yaml.load(fs.readFileSync(filename, 'utf8'), { filename })	📚
Medium	Title: Tainted input passed to Express response docs/middleware/dev-toc.js Line 8 in 23e4613 return res.send(await liquid.parseAndRender(layouts['dev-toc'], req.context))	📚
Medium	Title: Tainted input passed to Express response docs/middleware/loaderio-verification.js Line 5 in 23e4613 return res.send(req.path.replace(/\//g, ''))	📚
Medium	Title: Tainted input passed to Express response docs/middleware/enterprise-server-releases.js Line 12 in 23e4613 return res.send(await liquid.parseAndRender(layouts['enterprise-server-releases'], req.context))	📚
Medium	Title: Tainted input passed to Express response docs/middleware/render-page.js Line 144 in 23e4613 res.send(addCsrf(req, output))	📚

More info on how to fix Insecure Processing of Data in JavaScript.

---

Insecure Use of Language/Framework API (42)

Severity	Details	Docs
Medium	Title: User Controlled Method Invocation docs/script/graphql/utils/remove-hidden-schema-members.rb Line 99 in 23e4613 schema.send(:own_orphan_types).clear	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/tests/content/lint-files.js Line 203 in 23e4613 const changedFilesRelPaths = execSync('git diff --name-only origin/main | egrep "^translations/.*/.+.(yml|md)$"', { maxBuffer: 1024 * 1024 * 100 }).toString().split('\n')	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/update-crowdin-issue.js Line 26 in 23e4613 const fixable = execSync(`cat ${fixableErrorsLog} | egrep "^translations/.*/(.+.md|.+.yml)$" | sed -e 's/^/- [ ] /' | uniq`).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/update-crowdin-issue.js Line 29 in 23e4613 const filesToAdd = execSync(`cat ${parsingErrorsLog} ${renderingErrorsLog} | egrep "^translations/.*/(.+.md|.+.yml)$" | sed -e 's/^/- [ ] /' | uniq`).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/update-crowdin-issue.js Line 32 in 23e4613 const allErrors = execSync('cat ~/docs-*').toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/reset-translated-file.js Line 56 in 23e4613 execSync(`git checkout main -- ${relativePath}`, { stdio: 'pipe' })	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/rest/update-files.js Line 48 in 23e4613 const githubBranch = execSync('git rev-parse --abbrev-ref HEAD', { cwd: githubRepoDir }).toString().trim()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/rest/update-files.js Line 53 in 23e4613 execSync('git pull', { cwd: githubRepoDir })	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/rest/update-files.js Line 62 in 23e4613 execSync(`${path.join(githubRepoDir, 'bin/openapi')} bundle -o ${tempDocsDir} --include_unpublished`, { stdio: 'inherit' })	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/rest/update-files.js Line 69 in 23e4613 execSync(`find ${tempDocsDir} -type f -name "*deref.json" -exec mv '{}' ${dereferencedPath} ';'`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/reconcile-filenames-with-ids.js Line 62 in 23e4613 const gitStatusOfFile = execSync(`git status --porcelain ${oldContentPath}`).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/reconcile-filenames-with-ids.js Line 66 in 23e4613 execSync(`mv ${oldContentPath} ${newContentPath}`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/reconcile-filenames-with-ids.js Line 68 in 23e4613 execSync(`git mv ${oldContentPath} ${newContentPath}`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/reset-known-broken-translation-files.js Line 44 in 23e4613 await exec(`script/reset-translated-file.js --prefer-main ${file}`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/prevent-pushes-to-main.js Line 13 in 23e4613 const currentBranch = execSync('git symbolic-ref --short HEAD', { encoding: 'utf8' }).trim()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/prevent-translation-commits.js Line 20 in 23e4613 const filenames = execSync('git diff --cached --name-only').toString().trim().split('\n')	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/purge-fastly-by-url.js Line 74 in 23e4613 const result = execSync(`${purgeCommand} ${localizedUrl}`).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/purge-fastly-by-url.js Line 78 in 23e4613 const secondResult = execSync(`${purgeCommand} ${localizedUrl}`).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/lint-translation-files.js Line 16 in 23e4613 execSync(`TEST_TRANSLATION=true npx jest content/lint-files > ${parsingErrorsLog}`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/lint-translation-files.js Line 19 in 23e4613 execSync(`script/test-render-translation.js > ${renderErrorsLog}`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/lint-translation-files.js Line 22 in 23e4613 execSync(`cat ${parsingErrorsLog} ${renderErrorsLog} | egrep "^translations/.*/(.+.md|.+.yml)$" | uniq | xargs -L1 script/reset-translated-file.js --prefer-main`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/move-category-to-product.js Line 51 in 23e4613 execSync(`mkdir ${productDir}`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/move-category-to-product.js Line 56 in 23e4613 execSync(`git mv ${oldCategoryDir} ${productDir}`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/helpers/find-unused-assets.js Line 89 in 23e4613 const grepResults = execSync(grepCmd).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/fix-translation-errors.js Line 50 in 23e4613 const changedFilesRelPaths = execSync(cmd).toString().split('\n')	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/get-new-dotcom-path.js Line 39 in 23e4613 const newPath = execSync(`find ${newDotcomDir} -name ${filename}`).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/graphql/update-files.js Line 29 in 23e4613 execSync('gem which graphql')	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/graphql/update-files.js Line 123 in 23e4613 execSync('npx prettier -w "**/*.{yml,yaml}"')	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/graphql/update-files.js Line 205 in 23e4613 const remoteClean = execSync(`${removeHiddenMembersScript} ${tempSchemaFilePath}`).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/enterprise-server-deprecations/archive-version.js Line 110 in 23e4613 execSync('npm run build', { stdio: 'inherit' })	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/early-access/clone-for-build.js Line 36 in 23e4613 currentBranch = execSync('git branch --show-current').toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/early-access/clone-for-build.js Line 74 in 23e4613 let branchExists = execSync(`git ls-remote --heads ${earlyAccessFullRepo} ${earlyAccessBranch}`).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/early-access/clone-for-build.js Line 82 in 23e4613 branchExists = execSync(`git ls-remote --heads ${earlyAccessFullRepo} ${earlyAccessBranch}`).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/early-access/clone-for-build.js Line 100 in 23e4613 cwd: earlyAccessCloningParentDir	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/anonymize-branch.js Line 27 in 23e4613 exec(`git reset $(git merge-base ${base} HEAD)`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/anonymize-branch.js Line 28 in 23e4613 exec('git add -A')	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/anonymize-branch.js Line 29 in 23e4613 exec(`git commit -m "${message}"`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/lib/liquid-tags/octicon.js Line 34 in 23e4613 while ((optionsMatch = OptionsSyntax.exec(match.groups.options))) {	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/.github/actions-scripts/openapi-schema-branch.js Line 31 in 23e4613 const changedFiles = execSync('git diff --name-only HEAD').toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/test-render-translation.js Line 36 in 23e4613 const changedFilesRelPaths = execSync('git diff --name-only origin/main | egrep "^translations/.*/.+.md$"', { maxBuffer: 1024 * 1024 * 100 })	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/content-migrations/remove-unused-assets.js Line 137 in 23e4613 const grepResults = execSync(grepCmd).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/lib/liquid-tags/link.js Line 61 in 23e4613 const match = liquidVariableSyntax.exec(this.param)	📚

More info on how to fix Insecure Use of Language/Framework API in Ruby and JavaScript.

---

Insecure Access Control (6)

Severity	Details	Docs
Medium	Title: Tainted input passed to an open redirect (express) docs/middleware/redirects/external.js Line 6 in 23e4613 return res.redirect(301, externalSites[req.path])	📚
Medium	Title: Tainted input passed to an open redirect (express) docs/middleware/redirects/handle-redirects.js Line 50 in 23e4613 return res.redirect(301, redirect)	📚
Medium	Title: Tainted input passed to an open redirect (express) docs/middleware/contextualizers/enterprise-release-notes.js Line 94 in 23e4613 return res.redirect(`https://enterprise.github.com/releases/${requestedVersion}.0/notes`)	📚
Medium	Title: Tainted input passed to an open redirect (express) docs/middleware/archived-enterprise-versions.js Line 24 in 23e4613 return res.redirect(301, req.baseUrl + req.path.replace(/^\/en/, ''))	📚
Medium	Title: Tainted input passed to an open redirect (express) docs/middleware/archived-enterprise-versions.js Line 33 in 23e4613 return res.redirect(301, redirect)	📚
Medium	Title: Tainted input passed to an open redirect (express) docs/middleware/redirects/language-code-redirects.js Line 15 in 23e4613 return res.redirect(301, req.path.replace(redirectPattern, `/${language.code}`))	📚

More info on how to fix Insecure Access Control in JavaScript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.