[Snyk] Fix for 2 vulnerabilities

[ekmixon]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • components/automate-workflow-web/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	718/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.5	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	Yes	Proof of Concept
	763/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.4	Path Traversal SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: karma

The new version differs by 250 commits.

• 42933c9 chore: release v4.2.0
• db1ea57 chore: update contributors
• a1049c6 chore: update eslint packages to latest and fix complaints ([automate-3198] reduce validation chef/automate#3312)
• 70b72a9 fix(logging): Util inspect for logging the config. (diagnostic run command fails to clean up project and token data. chef/automate#3332)
• 1087926 fix typo: (Replace stencil chef-table with angular chef-table chef/automate#3334)
• 182c04d fix(reporter): format stack with 1-based column ([automate-platform-tools] drop dep on core/glibc chef/automate#3325)
• f0c4677 docs(travis): Correct the docs to also show how to do it on Xenial (Bump inspec to 4.18.104/20200407121143 chef/automate#3316)
• 3aea7ec chore(deps): update core-js -> ^3.1.3 (Jamie/3249 animation chef/automate#3321)
• 5e11340 chore: revert back to Mocha 4 (Support the infra server's /version endpoint in the automate-deployed infra server chef/automate#3313)
• 1205bce chore(test): fix flaky test cases ([automate-3275] skip policy creation flag on project create chef/automate#3314)
• 7f40349 Cleanup dependencies (proposal: show more (all?) credentials in automate chef/automate#3309)
• 7828bea chore: update braces and chokidar to latest versions (add deprecation/new command warning for admin-token chef/automate#3307)
• fe9a1dd fix(server): Add error handler for webserver socket. (code tidy, remove redundant code and potential error prone check on ip chef/automate#3300)
• 13ed695 chore: release v4.1.0
• d844a48 chore: update contributors
• ce6825f fix(client): Only create the funky object if message is not a string ([infra-proxy-service] More specific foreign_key_violation error messages. chef/automate#3298)
• 7968db6 fix(client): Enable loading different file types when running in parent mode without iframe (test chef/automate#3289)
• 6556ab4 fix(launcher): Log state transitions in debug (Problem deleting chef server with attached orgs chef/automate#3294)
• 7eb48c5 fix(middleware): log invalid filetype (UI Unknown desktop duration counts chef/automate#3292)
• c7ebf0b chore: release v4.0.1
• c190c4a chore: update contributors
• 375bb5e fix(filelist): correct logger name. (update spelling issue chef/automate#3262)
• c43f584 fix: remove vulnerable dependency combine-lists (teams-service iam v2 force upgrade clean up chef/automate#3273)
• 4ec4f6f fix: remove vulnerable dependency expand-braces (Leaking subscriptions chef/automate#3270)

See the full diff

Package name: karma-webpack

The new version differs by 144 commits.

• 46a5505 Merge branch 'master' into next
• 71fc63a fix(config): ignore entry options (Early work on API docs chef/automate#479)
• 05cfa79 fix(docs): fixed warning inaccuracy (Integration test error checking chef/automate#478)
• 1598fa6 fix(config): force default output.filename (Reporting cleanup chef/automate#477)
• d603679 change(readme): made minor adjustments (Migration node-state index to allow projects to be indexed chef/automate#476)
• 5300200 refactor(*): break up into individual modules (Removing Error search bar type chef/automate#474)
• 8ad09d1 fix(test): handle scenario test rejection (Better tooltip and pop-up chef/automate#473)
• da86766 chore(release): 5.0.0-alpha.6
• 98b3ec9 chore(deps): bump hotfix dependencies (Service Groups health status filter hover style and icon update chef/automate#472)
• ea5dc8e fix(preprocess): auto fix missing webpack framework (Display empty data in Service Groups table rows and sidebar cards following newly unified patterns chef/automate#471)
• b044404 chore(test): refactored hash method into util (Dan/apps view e2e dev chef/automate#470)
• ea3dabe fix(controller): add entropy to default dir (Service groups table columns update chef/automate#469)
• 57b131e chore(test): fix testing on linux (one node view ui: list view chef/automate#468)
• 52ac365 chore(lint): fix linter settings ([A2-798] split partial result update calls for v2 and v2.1 chef/automate#467)
• 6369729 feat(ci): added github workflow for testing (Project filtering for reporting server ListProfiles endpoint. chef/automate#464)
• e8ad372 chore(test): set up integration testing (Client Runs search bar sort types chef/automate#461)
• f7af31f chore(readme): add next tag to install command
• 2cc5495 chore(readme): add info about webpack v5
• a300178 chore(release): 5.0.0-alpha.5
• 2e0ca74 chore(package): update peer dependency to webpack v5
• 2e2ca3f chore(release): 5.0.0-alpha.4
• 4fe1f60 chore(controller): change the webpack watch logic
• 8d7366f chore: fix support for webpack v5
• 3cc35b3 test(plugin): add tests to prevent some regressions (Support customized message on login page chef/automate#419)

See the full diff

Package name: node-sass

The new version differs by 50 commits.

• 7105b0a 5.0.0 (add proto annotations for data lifecycle chef/automate#3015)
• 0648b5a chore: Add Node 15 support (clarify some instructions around adding nodes chef/automate#2983)
• e2391c2 Add a deprecation message to the readme (Infra proxy role list views chef/automate#3011)
• 6a33e53 chore: Don't upload artifacts on PRs
• d763506 chore: Only run coverage on main repo
• d4ebe72 build(deps): update actions/setup-node requirement to v2.1.2
• 2bebe05 build(deps-dev): bump rimraf from 2.7.1 to 3.0.2
• f877689 chore: Don't double build DependaBot PRs
• b48fac4 chore: Add weekly DependaBot updates
• 91c40a0 Remove deprecated process.sass API
• 1f6df86 Replace lodash/assign in favor of the native Object.assign
• 522828a Remove workarounds for old Node.js versions
• 40e0f00 chore: Remove second NPM badge
• ab91bf6 chore: Remove Slack badge
• 6853a80 chore: Cleanup status badges
• fb1109c chore: Bump minimum engine version to v10
• d185440 chore: Add basic Node version support policy
• db25736 chore: Bump node-gyp to 7.1.0
• 2c5b110 chore: Bump cross-spawn to v7.0.3
• 38b9633 chore: Update Istanbul to NYC
• d63b5bf chore: Bump mocha to v8.1.3
• d0d8865 chore: Skip constructor tests on v14.6+
• ee3984d chore: Hoist test ESLint config
• feee448 chore: Remove disabled and recommended rules

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 4be093d 2.2.0
• 2278469 2.2.0-rc.8
• b946eb4 Merge pull request [a1-upgrade] migrate infra server config chef/automate#3988 from malstoun/bug/2664
• 260e413 Merge pull request Updating the policy file term chef/automate#3986 from webpack/bugfix/revert_use_of_buffer_dot_from
• 0ec7de9 Fix regression with watch cli opt, add tests for this case
• 72226db add missing disable line
• 4d30675 build fresh yarn.lock file to remove buffer polyfill
• 91c1f35 fix(node): rollback changes of Buffer.from to new Buffer() and bump down travis to 4.3 min node v
• 0b47602 2.2.0-rc.7
• db6ccbc Merge pull request Updated toggle sort in Notification table. chef/automate#3978 from webpack/bugfix/conditional-reexports
• 82a5b03 Merge pull request Bump rack from 2.0.8 to 2.2.3 in /components/automate-workflow-ctl chef/automate#3977 from malstoun/bug/2664
• fc1a43b Merge pull request CDS download chef/automate#3976 from timse/rely-on-defaults
• a44694a hoist exports declarations too
• 682bde8 Fix lint
• c6d7d90 Add tests
• af8d49e remove defaults values to shave a few bytes
• 9796696 2.2.0-rc.6
• e9bdb05 Merge pull request #3971 from webpack/bugfix/fix_available_vars_in_fmtp
• bd45bdc add test case for global in harmony modules
• bfccb20 fix PR
• 5a3a23f fix(nmf): Fix exports for var injection to include free glob exports or arguments
• 437dce4 2.2.0-rc.5
• 91cb1df Merge pull request Sync swagger files for Automate docs. chef/automate#3970 from webpack/ci/appveyor
• 9fd55e5 Merge pull request Bump automate-compliance-profiles chef/automate#3969 from webpack/bugfix/issue-3964

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Uncontrolled Resource Consumption ('Resource Exhaustion')
🦉 Path Traversal

[secure-code-warrior-for-github]

Micro-Learning Topic: Path traversal (Detected by phrase)

Matched on "Path Traversal"

What is this? (2min video)

Path traversal vulnerabilities occur when inputs that have not been sufficiently validated or sanitised are used to build directory or file paths. If an attacker can influence the path being accessed by the server, they may be able to gain unauthorised access to files or even execute arbitrary code on the server (when coupled with file upload functionality).

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications, including defence against path traversal.
• OWASP Path Traversal - OWASP community page with comprehensive information about path traversal, and links to various OWASP resources to help detect or prevent it.

Micro-Learning Topic: Resource exhaustion (Detected by phrase)

Matched on "Resource Exhaustion"

What is this? (2min video)

Allocating objects or timers with user-controlled sizes or durations can cause resource exhaustion.

Try a challenge in Secure Code Warrior

[sourcery-ai]

We have skipped reviewing this pull request. It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!