[Snyk] Fix for 8 vulnerabilities

[ekmixon]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-JPEGJS-2859218	Yes	Proof of Concept
	644/1000 Why? Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: nightwatch

The new version differs by 250 commits.

• efb9468 2.0.1
• d4df3f3 updated readme
• 5459c74 2.0.0
• 9b1a125 2.0.0-dev.23
• a44f536 updated cucumber to RC2 and fixed a small issue
• 202e2f0 2.0.0-dev.22
• 17b0ff3 fixed assertion name in examples
• 95bdc25 2.0.0-dev.21
• 0de9e5f updated example tests and output formatting
• 73f9c96 2.0.0-dev.20
• 6238933 2.0.0-dev.19
• 8cb5b7f 2.0.0-rc.0
• 6e57d49 updated api docs
• f873e78 added high-level tests for expect() (#3013)
• a328977 Refactoring tests for new element commands (#3012)
• 4025048 Update CONTRIBUTING.md
• 55ac7bf updated api docs for some assertions
• 5296838 Merge branch 'main' of github.com:nightwatchjs/nightwatch
• 80fb01a added several new assertions
• f0baa6b 2.0.0-dev.19
• cfdea8c Merge branch 'gravityvi-features/get-child-element-commands'
• bb3ac87 Fix #2955 - an issue caused by missing the browserName capability
• 9e1fe15 Added textEquals assertion (#2972)
• 0e8b0b9 test case added for #2539 (#2979)

See the full diff

Package name: node-sass

The new version differs by 47 commits.

• 3b556c1 7.0.2
• c716359 Bump sass-graph@^4.0.1 (#3292)
• 24741b3 docs(readme): fix docpad plugin link
• 1523330 feat: Drop Node 12
• 365d357 update https://registry.npm.taobao.org to https://registry.npmmirror.com
• 1456114 build(deps): bump actions/upload-artifact from 2 to 3
• b465b69 chore: bump GitHub Actions to Windows 2019 (#3254)
• e6194b1 build(deps): bump make-fetch-happen from 9.1.0 to 10.0.4
• 4edf594 build(deps): bump node-gyp from 8.4.1 to 9.0.0
• 29e2344 build(deps): bump actions/checkout from 2 to 3
• 85b0d22 build(deps): bump actions/setup-node from 2 to 3
• 3bb51da Use make-fetch-happen instead of request (#3193)
• adc2f8b build(deps): bump true-case-path from 1.0.3 to 2.2.1 (#3000)
• 77d12f0 chore: disable Apline for Node 16/17 builds
• 308d533 ci: use Python 3 for Node 12
• c818907 ci: unpin actions/setup-node to v2
• 99242d7 7.0.1
• 77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (#3224)
• c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (#3209)
• 918dcb3 Lint fix
• 0a21792 Set rejectUnauthorized to true by default (#3149)
• e80d4af chore: Drop EOL Node 15 (#3122)
• d753397 feat: Add Node 17 support (#3195)
• dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0

See the full diff

Package name: tesseract.js

The new version differs by 21 commits.

• 44d322e 3.0.0
• e3c4a6b Updated README for version 3
• f372818 Added automatic detection of simd support (Bug Report: PHP Deserialize - NULL values are incorrectly converted to JSON gchq/CyberChef#641)
• 8b56760 Updated to webpack 5 for compatibility with Node.js 18 (Operation request: Word Cloud Generator gchq/CyberChef#640)
• 13b95f6 Updated to Tesseract.js v.3; added exif-based rotation (Feature request: Hex to ascii gchq/CyberChef#638)
• a9ac00c Removed exif auto-rotation for browser per Bug report: Register not usable for ingredient type "number" gchq/CyberChef#604 (Enigma Rota Wiring Tables - Off by one gchq/CyberChef#634)
• 75ddd63 Revert "Add support for ImageData and fix a hang in buffer handling (Bug report: JSON to CSV not working for me gchq/CyberChef#610)"
• 1136e0a Revert "Ran linter"
• 2e478bd Ran linter
• 6784846 Add support for ImageData and fix a hang in buffer handling (Bug report: JSON to CSV not working for me gchq/CyberChef#610)
• be956cd Replaced child_process with worker_threads per Feature: MIME RFC2047 Decoding gchq/CyberChef#630 (Misc: Won't run on Localhost Chrome Windows 10 gchq/CyberChef#631)
• 61d0e55 Temporarily removed Node 18 since this fails on master.
• 74be03c Updated versions of node used in workflows
• 9442d9c Merge pull request Add Quoted-printable example gchq/CyberChef#629 from naptha/feat/benchmark
• 6aba959 Added benchmark code and assets per Operation request: Optical Character Recognition (OCR) gchq/CyberChef#628
• 58d2894 Ran linter
• a8287a9 Merge pull request Feature: Add swap input values button gchq/CyberChef#621 from SusanDoggie/patch-1
• 66085a7 Merge pull request Added PGP verify operation gchq/CyberChef#585 from andreialecu/fix-cachebadresponse
• 50a53f5 Fix for passing wrong arguments while calling fork function
• 01e8335 Fix caching of bad langData responses
• adcb5b8 Update FUNDING.yml

See the full diff

Package name: webpack-dev-server

The new version differs by 250 commits.

• c9271b9 chore(release): 4.0.0
• 18bf369 test: fix stability (#3676)
• cdcabb2 fix: respect protocol from browser for manual setup (#3675)
• 1768d6b fix: initial reloading for lazy compilation (#3662)
• 4f5bab1 docs: improve examples (#3672)
• f2d87fb fix: improve https CLI output (#3673)
• 0277c5e chore: remove redundant console statements (#3671)
• 16fcdbc docs: add `ipc` example (#3667)
• 8915fb8 test: add e2e tests for built in routes (#3669)
• 4d1cbe1 docs: ask `version` information in issue template (#3668)
• b6c1881 chore(deps-dev): bump core-js from 3.16.1 to 3.16.2 (#3666)
• ffa8cc5 chore(deps-dev): bump supertest from 6.1.5 to 6.1.6 (#3665)
• f1fdaa7 chore(release): 4.0.0-rc.1
• c4678bc fix: legacy API (#3660)
• d8bdd03 test: fix stability (#3661)
• 22b1414 refactor: remove `killable` (#3657)
• 75bafbf test: add e2e tests for module federation (#3658)
• 493ccbd chore(deps): update `ws` (#3652)
• ae8c523 test: add e2e test for universal compiler (#3656)
• f94b84f chore(deps): update (#3655)
• 1923132 test: fix cli
• 2adfd01 test: fix todo (#3653)
• 6e2cbde fix: proxy logging and allow to pass options without the `target` option (#3651)
• c9ccc96 fix: respect infastructureLogging.level for client.logging (#3613)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
🦉 Prototype Pollution

[secure-code-warrior-for-github]

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Information disclosure (Detected by phrase)

Matched on "Information Exposure"

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior