[Snyk] Fix for 9 vulnerabilities

[kaled336]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Cross-site Request Forgery (CSRF) SNYK-JS-AXIOS-6032459	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASHSET-1320032	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-PROTOBUFJS-2441248	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @11ty/eleventy

The new version differs by 250 commits.

• 05c6263 v2.0.0
• 5c2a5bf Update dev-dependencies
• 7ed1fef Merge pull request covid banner GoogleChrome/web.dev#2781 from danburzo/mdlib-set
• 97243b6 v2.0.0-beta.3
• 55e0a62 v2.0.0-canary.35
• 23b80d9 Merge pull request Capture audit report for the Desktop Simulation GoogleChrome/web.dev#2783 from mrmartineau/fix/serverless-var
• 9f13b8e Fixes serverlessFilePath is not defined (2.0.0-beta.2) add missing localStorage import GoogleChrome/web.dev#2782
• b466258 Make markdown library .set() method optional
• bde84b4 v2.0.0-beta.2
• 6f877de v2.0.0-canary.34
• 153ea8f One more update to the dev server dep
• c5ce8df A few notes about beta/canary
• 6fedb86 Update dev server dependency
• 2decde9 Fixes content: TODO GoogleChrome/web.dev#2755
• 786105e Fixes Ignore paths that were triggering percy. GoogleChrome/web.dev#2773
• 99140d8 Adds `runMode` to `eleventy` global data. Fixes content: charset guide [2020 May 29] GoogleChrome/web.dev#2770
• 4504820 Update license date
• 2cb8ba2 debug log ignores for glob search
• 3810ccf Fixes Add custom frontmatter linter GoogleChrome/web.dev#2758 by normalizing references for `.canary` to `.alpha`.
• a79788c v2.0.0-beta.1
• 06434e6 v2.0.0-canary.33
• e35db93 Use new Edge CDN version
• 571b305 v2.0.0-canary.32
• e215445 Update deps

See the full diff

Package name: firebase-tools

The new version differs by 250 commits.

• 1838068 11.1.0
• cb6fd64 typescript src/api and remove extra methods (content: Update encoding and conversiondestination definition GoogleChrome/web.dev#4630)
• 20d51a1 replace tweetsodium with libsodium-wrappers (Promote json extension instead of webmanifest for manifest GoogleChrome/web.dev#4561)
• da5860b fix GH actions + sudo (INTL: Serve EN content when user has set English as the highest priority language  GoogleChrome/web.dev#4642)
• 8ed6b40 CF3v2 support for Build type (fix(meta): replace lt/gt sign with single l/r pointing angle quotation mark GoogleChrome/web.dev#4564)
• fe2816f typescript the entry point in bin/ (Updated encoding and conversiondestination definition GoogleChrome/web.dev#4631)
• bf90102 remove api.request. finally. (Using Javascript window.open, I am not able to open the new window in chrome Mac.  GoogleChrome/web.dev#4629)
• 24fc632 use apiv2 in auth (Remove unnecessary interpolation escape GoogleChrome/web.dev#4574)
• 78c01b9 Fix error when frameworkawareness is on and there is no hosting config in firebase.json… (content: TODO GoogleChrome/web.dev#4624)
• 3d0a1db Adds v2 RTDB triggers to function deploy (Next and previous footer links for Courses GoogleChrome/web.dev#4582)
• 30d1a1a update src folder files to ts (#4620)
• a11aa5b typescript a bunch of random files that need it (Minor updates to PWA IA & code cleanup GoogleChrome/web.dev#4622)
• b82913c migrate src commands folder to typescript (Play games app money real GoogleChrome/web.dev#4618)
• 04a861a ts apispec and update its generator (content: Debugging layout shfits [2021-03-05] GoogleChrome/web.dev#4619)
• e384a54 chore: bump google-cloud/pubsub from 2.19.4 to 3.0.1 (Integration tests are slow because they optimize images and do a full site build. GoogleChrome/web.dev#4612)
• f78f654 Remove references to usageMode from auth emulator (Updated link to canonical source GoogleChrome/web.dev#4607)
• 81ec803 typescript the profile report (Migrate and update "Generic Sensor API" article from WebFu GoogleChrome/web.dev#4603)
• b623a48 properly download and write db rules (Track user state in Courses GoogleChrome/web.dev#4601)
• 3c2a507 rewrite a few more files into typescript (Improve body banner and list styles GoogleChrome/web.dev#4602)
• 8ca960b bump minimum version of 16 to make sure dns method is present (Add an instruction to set up a reporting endpoint to COOP/COEP article GoogleChrome/web.dev#4587)
• 8b7f649 [firebase-release] Removed change log and reset repo after 11.0.1 release
• cd727f8 11.0.1
• 08e3d29 Fixes issue where --local flag would cause extensions commands to error out (Search for Courses GoogleChrome/web.dev#4584)
• 5d2f23f Improve Node.js version warning for standalone. Fix firebase loading fix GoogleChrome/web.dev#2791. (Side nav for Courses GoogleChrome/web.dev#4583)

See the full diff

Package name: lighthouse

The new version differs by 46 commits.

• ff52c9d v9.5.0 (#13733)
• f0a30a3 report: fix timespan/snapshot sticky header (#13732)
• f7ca582 deps(snyk): update snyk snapshot (#13731)
• 3628cea misc: support --chrome-flags in run devtools script (#13625)
• 13eb37f core(user-flow): audit flow from artifacts json (#13715)
• 5488cbe core(full-page-screenshot): leave emulated width unchanged (#13643)
• 57c7fea core(lighthouse-logger): convert to ES modules (#13720)
• 44cf433 clients: convert devtools and lightrider entries to ES modules (#13722)
• 138541a tests(devtools): add yarn install timeout (#13717)
• a281215 deps(snyk): update snyk snapshot (#13712)
• d684e76 core(script-treemap-data): correct value for size (#13716)
• cded21a core(fr): separate audit phase for flows (#13623)
• ceb03cb tests: add more cases for oopif smoke test (#13705)
• a1de8e9 tests(smoke): enable more devtools smoke tests (#13624)
• 2cef5c9 deps(lodash): replace `lodash` per-method packages with full `lodash` (#13695)
• 0d88dd5 tests(smoke): add _excludes and _runner (#13707)
• 5c558fb core(inspector-issues): update sameSiteCookie to cookie (#13708)
• 74bf436 core(fr): use frame url in gather context (#13699)
• 9addbda core(fr): add `logLevel` to config context (#13681)
• f02c6b3 tests(devtools): update Lighthouse sniffer for smokes (#13693)
• 1b4748a tests(devtools): navigation web test (#13673)
• e3fdffc v9.4.0 (#13672)
• 09cf541 deps(sentry): move from raven to @ sentry/node (content is out-dated and has broken links GoogleChrome/web.dev#9325)
• 0d9f0b9 core(a11y): change link in category description to web.dev (#13638)

See the full diff

Package name: rollup-plugin-postcss

The new version differs by 29 commits.

• 118253e fix: update to cssnano 5 (About - Headings' font sizes and weights don't match the design GoogleChrome/web.dev#357)
• a03c7bf build(deps): bump ini from 1.3.5 to 1.3.7 (Homepage: narrow vertical spacing between the hero image and the why section at <1024 GoogleChrome/web.dev#344)
• ceee1bc feat: upgrade postcss to 8.x
• 375412c change postcss to 8.x (set title text to Home GoogleChrome/web.dev#343)
• 6480f02 chore: upgrade dependencies (Top nav should be height 64px (not 48px) - per design GoogleChrome/web.dev#342)
• 700eb14 chore: update postcss version to 8 (reliable/http-cache: minor tweaks and fixes GoogleChrome/web.dev#325)
• 661c9ca chore: Fix typo in comment (Images in figure element is resized too small GoogleChrome/web.dev#318)
• 3de028d fix: make sourceMaps relative to the CSS output file (Profile: entering new url doesn't stash it as saved url. GoogleChrome/web.dev#274)
• a7299a4 fix(types): `options` is actually optional (Flip order of cache strategy images to reflect text GoogleChrome/web.dev#311)
• 2946eae fix: extract css in same order as imports (Google sign in buttons should not have purple hover GoogleChrome/web.dev#295)
• c38f356 fix: Typing of namedExports option
• a13a987 Fix typing of namedExports
• 7ce6415 build(deps): bump lodash from 4.17.15 to 4.17.19 (Link to "Edit on GitHub" GoogleChrome/web.dev#294)
• 304538d fix: Add types file to package.json files (measure: only hide login button on sign in. GoogleChrome/web.dev#297)
• cbab326 build(deps): bump elliptic from 6.5.2 to 6.5.3 (Add in a measure section and fix broken links GoogleChrome/web.dev#300)
• f7f3fdb fix: allow module config while using autoModules (Accessibility: Measure Page GoogleChrome/web.dev#281) (Homepage | CTA's have ellipsis in smaller mobile screens GoogleChrome/web.dev#292)
• 9489eca build: tweak release action
• a5fd035 fix: replace const keyword with var keyword in output (Accessibility: Audit results page GoogleChrome/web.dev#283)
• b17c15d fix: revert "feat: allow multiple entry files and outputs (Discoverable content QA: 'How to measure search engine optimization with LH' Guide GoogleChrome/web.dev#264)" (Profile: coming back from sign in doesnt hide top banner GoogleChrome/web.dev#272)
• 3ea986c feat: allow multiple entry files and outputs (Discoverable content QA: 'How to measure search engine optimization with LH' Guide GoogleChrome/web.dev#264)
• b27c3eb docs: add v3 usage (Refactor table GoogleChrome/web.dev#268)
• 91aa1e5 BREAKING CHANGE: upgrade rollup to v2 (Discoverable content QA: Guide page (write descriptive titles...) GoogleChrome/web.dev#266)
• 0e71f75 fix: extract relative path (Update index.md GoogleChrome/web.dev#262)
• df71f37 fix: AssetInfo modules used for chunk

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Cross-site Request Forgery (CSRF)
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn