[Snyk] Fix for 12 vulnerabilities

[ekmixon]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • community-modules/angular/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	No	Proof of Concept
	429/1000 Why? Has a fix available, CVSS 4.3	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-USERAGENT-174737	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Prototype Pollution SNYK-JS-XML2JS-5414874	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: karma

The new version differs by 53 commits.

• 1b48637 chore(release): 5.0.0 [skip ci]
• a5dbe89 Update issue templates (IsColumnFuncParams export missing in main.d.ts ag-grid/ag-grid#3460)
• 1074f38 chore(ci): rely on karma-runnre/integration-tests for saucelabs config (How many lines does tooltipField in columnDefs support at most? ag-grid/ag-grid#3462)
• 4d45cf0 chore(ci): remove more old connection security stuffs (No Tab Navigation Inside Custom Cell Editor ag-grid/ag-grid#3459)
• be76fcc chore(ci): use travis UI for sauce config (Custom React cell renderers flick when using ReactNext ag-grid/ag-grid#3458)
• a04a542 chore(ci): remove secure encryption var (ag-Grid: unable to find bean reference frameworkOverrides while initialising BeanStub ag-grid/ag-grid#3457)
• 1eaf35e fix: install semantic-release as a regular dev dependency (Bar Chart Values on All Pivot Grids Wrong ag-grid/ag-grid#3455)
• 0647109 docs: Fix simple typo, overriden -> overridden (Custom popup editor closes when element inside is clicked ag-grid/ag-grid#3453)
• ec1e69a fix(server): replace optimist on yargs lib (Export csv : file name contains '.' makes export flow drop .csv extension ag-grid/ag-grid#3451)
• ffad7fa refactor(launcher): use class syntax (Moving columns callback ag-grid/ag-grid#3437)
• 7166ce2 fix(server): detection new MS Edge Chromium (The change event is not getting triggered in case syncfusion ejs-multiselect control is used in Ag-Grid custom cell editor ag-grid/ag-grid#3440)
• b8b2ed8 fix(ci): echo travis env that gates release after_success (Documentation update - Filter params newRowsAction options ag-grid/ag-grid#3446)
• 33a069f refactor: use native Promise instead of Bluebird (small typo ag-grid/ag-grid#3436)
• 131d154 refactor: drop safe-buffer dependency in favor of native Buffer (Popup Editor closes with Mat-Datepicker/Mat-Select before value Change can be detected ag-grid/ag-grid#3438)
• cb1bcbf fix(server): cleanup import of the removed method (Popup-Editor has a strange behaviour if you try to use the tab-key ag-grid/ag-grid#3439)
• 5c334f5 fix(server): createPreprocessor was removed (Grouping/Ungrouping hidden column unhides column ag-grid/ag-grid#3435)
• d7128d4 refactor(server): remove PromiseContainer class (Horizontal scroll does not with with pinned column ag-grid/ag-grid#3416)
• 057d527 feat(docs): document `DEFAULT_LISTEN_ADDR` constant (filtering by code doesn't work ag-grid/ag-grid#3443)
• a673aa8 ci: drop node 8, adopt node 12 (infinite scroll ag Grid angular mutiple datasource ag-grid/ag-grid#3430)
• 9eb6436 chore(server): Convert PromiseContainer to object and remove (Select all shouldn't trigger onRowSelected event for each row ag-grid/ag-grid#3401)
• 0856234 chore(travis): release on node 10 success (How to access Column API inside Custom Tool Panel ag-grid/ag-grid#3428)
• 708ae13 feat(preprocessor): obey Pattern.isBinary when set (Excel Export for Multiple Grid in single page ag-grid/ag-grid#3422)
• 00d536f chore(test): logLevel debug in proxy test (ServerSide Row Model with pagination does not work  ag-grid/ag-grid#3427)
• da9d8bd chore(docs): delete PULL_REQUEST_TEMPLATE.md

See the full diff

Package name: karma-coverage-istanbul-reporter

The new version differs by 6 commits.

• 5304cd6 chore(release): 3.0.0
• 31b1a40 chore: swap out newer istanbul loader
• f01c19e docs: update readme with newer loader
• 9cd809e build: fix linting
• baba524 build: upgrade dependencies
• 28cbbfb feat: upgrade to latest istanbul api

See the full diff

Package name: protractor

The new version differs by 63 commits.

• 5d8da04 chore(release): version bump to 6.0.0 and update the changelog
• d777738 chore(tests): circleci - chrome 69 requires chromdriver to 2.44 (Delete .idea directory ag-grid/ag-grid#5182)
• 3d50b68 chore(deps): update based on npm audit
• e478ba8 chore(release): bump version to 6.0.1-beta
• 7054827 chore(types): fix types to use not @ types/selenium-webdriver (AG-6677 - Better null/undefined handling for scatter series charts. ag-grid/ag-grid#5127)
• 2e5c2e6 chore(jasmine): prevent random execution order in jasmine 3 (AG-6733 - Fix pivot column agg values ag-grid/ag-grid#5126)
• 8afc4e2 chore(release): release 6.0.0-beta and update the changelog
• 5fd711c chore(webdriver-manager): use webdriver-manager@13.0.0-beta
• 96ae17c deps(jasmine): upgrade jasmine 3.3 (fix peerDependencies ag-grid/ag-grid#5102)
• 68491dd chore(expectedConditions): update generic Function typings (AG-5629 - Delta sorting ag-grid/ag-grid#5101)
• cf43651 chore(debugprint): convert debugprint to TypeScript (Ag grid custom pagination option is missing ag-grid/ag-grid#5074)
• d213aa9 deps(selenium): upgrade to selenium 4 (AG-6666 - Fix charts SonarCloud high priority issues ag-grid/ag-grid#5095)
• 4672265 chore(browser): remove timing issues with restart and fork (this.cellComp is undefined in CellCtrl.createCellRendererParams with AgGridReact ag-grid/ag-grid#5085)
• b4dbcc2 chore(elementexplorer): remove explorer bin file (autoHeight + wrapText in print layout creates a redraw rows loop  ag-grid/ag-grid#5094)
• 7de6d85 docs(api): update examples to use async/await (Ag-Grid will not keep a custom component registered in Cell Renderer, rendered when scrolling the main window ag-grid/ag-grid#5081)
• 1b2036e typings(selenium): try out new version of typings (SSRM Expandable Pivot Column Groups ag-grid/ag-grid#5084)
• befb457 chore(bin): update webdriver-manager require to use the cli (AG-6119 - Fix Integrated Charts proxy override of cursor style unless necessary. ag-grid/ag-grid#5093)
• 509f1b2 deps(latest): upgrade to the gulp and typescript (AG-6674 - Fix sparklines label fontSize type ag-grid/ag-grid#5089)
• 2def202 deps(webdriver-manager): use replacement (Fix errors due to this.cellComp being undefined in refreshCell ag-grid/ag-grid#5088)
• 9d510db chore(test): remove jasmine addMatcher test (AG-4571 reset column ordering when new secondary columns are added ag-grid/ag-grid#5072)
• 6522e40 chore(cleanup): clean up imports and wdpromises (AG-2168 - Improved SSRM example ag-grid/ag-grid#5073)
• 3b8f263 chore(ignoreSynchornization): clean up to use waitForAngularEnabled (Charts API reference, theme reference and API explorer docs pages ag-grid/ag-grid#5071)
• ffa3519 chore(debugger): remove debugger and explore methods (AG-6654 - Charts API Explorer Caching + Visual Improvements ag-grid/ag-grid#5070)
• 0f7a38a chore(test): error tests fixed (AG-2168 - Remove SSRM example ag-grid/ag-grid#5069)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Improper Input Validation
🦉 More lessons are available in Snyk Learn

[secure-code-warrior-for-github]

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Weak input validation (Detected by phrase)

Matched on "Improper Input Validation"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Top Ten 2021 A03: Injection - OWASP Top Ten articles provide basic techniques to protect against these high risk problem areas, and guidance on where to go next.
• OWASP Injection Prevention Cheat Sheet in Java - This article is focused on providing clear, simple, actionable guidance for preventing injection flaws in your Java applications.
• OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications.
• OWASP Injection Prevention Cheat Sheet - This article is focused on providing clear, simple, actionable guidance for preventing injection flaws in your applications.
• OWASP Top Ten Proactive Controls 2018 C5: Validate All Inputs - Detailed article on input validation as a programming technique for ensuring that only properly formatted data may enter a software system component.

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Server-side request forgery (Detected by phrase)

Matched on "Server-side Request Forgery"

What is this? (2min video)

Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL, when this request reaches the server, the server-side code executes the exploit URL causing the attacker to be able to read data from services that shouldn't be exposed.

Try a challenge in Secure Code Warrior