[Snyk] Fix for 31 vulnerabilities

[lili2311]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • docs/package.json
  • docs/package-lock.json
  • docs/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-ASYNCVALIDATOR-2311201	No	Proof of Concept
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	No	Proof of Concept
	591/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) SNYK-JS-BRAINTREESANITIZEURL-2339882	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-FILETYPE-2958042	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Certificate Validation SNYK-JS-NODESASS-1059081	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-NTHCHECK-1586032	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-PARSEURL-3023021	Yes	Proof of Concept
	571/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5	Improper Input Validation SNYK-JS-PARSEURL-3024398	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Command Injection SNYK-JS-REACTDEVUTILS-1083268	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SCSSTOKENIZER-2339884	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Remote Code Execution (RCE) SNYK-JS-SHARP-2848109	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-THREE-1064931	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	No	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary Code Injection SNYK-JS-XMLHTTPREQUESTSSL-1082936	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Access Restriction Bypass SNYK-JS-XMLHTTPREQUESTSSL-1255647	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @mdx-js/mdx

The new version differs by 30 commits.

• bf7deab v2.0.0-next.5
• 5c15a00 fix(remark-mdx): move remark-stringify to deps ([Easy] Remove duplicate code for property name of SqlaTable apache/superset#1190)
• f59b174 Make type test run in their own action, closes Bring DB in sync with the models.py apache/superset#1172 ([filtering] define combo of slice/fields unafected by filtering apache/superset#1179)
• 9ac9755 docs(typescript): document how to use mdx 2 with typescript (Query filters cannot be removed from saved slice apache/superset#1181)
• 42077e4 ci(github): update github actions to latest versions (Simplifying the source_registry apache/superset#1180)
• cc95646 ci(github): update github actions and dtslint to latest ( prototype new layout for explore view with fixed chart on right and scrolling controls on left apache/superset#1178)
• 6098d94 Remove deprecated plugin options, fixes Dashboard Autorefresh Settings Persist apache/superset#718 ([sqllab] db migration - setting Database.allow_run_sync=True apache/superset#1174)
• 0da2fcf Specify pre-dist-tag
• e1b45e3 v2.0.0-next.4
• 649dbd8 Implement inline link serialization that doesn't wrap them in angle (Druid metadata cannot be retrieved when the whole dataset has the same timestamp apache/superset#1171)
• d08c5b6 Make testing matrix simpler (Provide ability to import / export the slices / dashboards metadata apache/superset#1173)
• d0059c8 v2.0.0-next.3
• fa091d2 v2.0.0-next.2
• 7829b88 Move publish to its own action
• afd60c2 Break out linting into its own action
• 3ca8e0a Fix linting (caravel filter views returns invalid data apache/superset#1161)
• 577d48f Fix some linting
• db93304 Improve export name extraction for shortcode generation ([SQL Lab] Adding indexes to table metadata apache/superset#1160)
• ea9970a Bump deps, fix core-js version in babel configs
• 166fd9d v2.0.0-next.1
• 569f82f Make preid next to match dist tag
• a3d8f08 types: add types to test utils (cant use from_unixtime apache/superset#1083)
• e2eb4ee types: add typescript typings for remark-mdx, remark-mdx-remove-exports, remark-mdx-remove-imports, @ mdx-js/util ([sql lab] cherry pick ui polish from master apache/superset#1082)
• 65af47c Break three main tests into their own scripts

See the full diff

Package name: antd

The new version differs by 250 commits.

• 870b72a docs: 4.17.0 changelog (#32859)
• 3a5b6b8 chore(deps-dev): bump stylelint-config-standard from 23.0.0 to 24.0.0 (#32866)
• 7e2dc80 chore(.gitignore):add ignore for pnpm (#32860)
• 491cc4f fix: borderLeftRadius error for Input.Search #32808 (#32812)
• 958df3d docs: add demo for Input.Group (#32837)
• ce006bd docs: Version Robin (#32830)
• 3f495bb chore: Upgrade react router v6 (#32821)
• 43569b9 docs: update customize-theme-variable.zh-CN.md
• 7ed7c60 style: fix Tree icon align bug (#32822)
• 01887b4 fix: if breadcrumbRender return false, breadcrumb will hidden (#32738)
• 5f642cb fix: tag animation demo (#32804)
• 852a451 chore(Tag): update tween-one (#32800)
• 90aff3a docs: fix Spin API ts description (#32786)
• 8a3b5d9 fix: Form horizontal broken style when select item is too long (#32778)
• a73f4a3 docs: Fix the link in Table's API doc (#32779)
• ecc54dd fix: codepen demo error using hooks (#32766)
• cf15379 docs: add 4.17.0-alpha.10 changelog (#32775)
• f7380b7 chore(deps-dev): bump eslint-plugin-unicorn from 37.0.1 to 38.0.0 (#32765)
• b1ea2e4 fix: opening animation of the bottom drawer (#32761)
• 10a8578 fix: Spin tip can be react node (#32733)
• fa65cd3 chore(deps-dev): bump @ types/gtag.js from 0.0.7 to 0.0.8 (#32746)
• f88bd4d refactor: Move part mixins less to theme instead (#32763)
• 5360722 chore: update form demo
• ea52572 chore(💄): fix issue template

See the full diff

Package name: gatsby

The new version differs by 250 commits.

• 2c324f6 chore(release): Publish
• 55c7183 feat(contentful): add support for tables in Rich Text (#33870)
• 053180a fix(gatsby): Better TS compilation error (#35594)
• 0cf0bd9 chore(release): Publish next
• 9a91295 fix(gatsby-plugin-image): fix image flickers (#35226)
• f358dc3 chore(release): Publish next
• 966aca8 feat(gatsby): Improvements to GraphQL TypeScript Generation (#35581)
• 8bad9b3 perf(gatsby): Minify page-data (#35578)
• 39e9840 chore(gatsby): Expose `serverDataStatus` field in SSR type declaration file (#35505)
• ebd63b2 feat(gatsby-source-wordpress): use image cdn for non-resizable images in html (svgs/gifs mainly) (#35529)
• 5e51519 fix(gatsby-source-wordpress): update test deps and fix int tests (#35582)
• 128c7bb feat(gatsby-source-wordpress): always include draft slugs (#35573)
• abc6dca feat(gatsby-plugin-image): add check for node.gatsbyImage in the getImage helper (#35507)
• e51c3a3 chore(release): Publish next
• c9d98a4 feat(gatsby): Initial GraphQL Typegen Implementation (#35487)
• 17cbc7c fix(deps): update minor and patch dependencies for gatsby-source-graphql (#35545)
• 10752ed fix(deps): update dependency fs-extra to ^10.1.0 (#34976)
• 0abdcd6 fix(deps): update dependency coffeescript to ^2.7.0 for gatsby-plugin-coffeescript (#35550)
• 7cda002 fix(deps): update dependency eslint-plugin-import to ^2.26.0 (#35551)
• 3e74a9f fix(deps): update dependency eslint-plugin-react-hooks to ^4.5.0 (#35552)
• fb98116 fix(deps): update minor and patch dependencies for gatsby-source-drupal (#35554)
• c09287a chore(deps): update starters and examples (#35565)
• bf854ca fix(deps): update dependency prop-types to ^15.8.1 for gatsby-link (#35291)
• 71eb414 chore(deps): update dependency typescript to ^4.6.4 (#34984)

See the full diff

Package name: gatsby-plugin-manifest

The new version differs by 250 commits.

• f6734b9 chore(release): Publish
• 9a616c0 fix(gatsby): wait for LMDB upserts to finish before emitting ENGINES_READY (#34853) (#34896)
• f5705b9 fix(create-gatsby): Add required deps for theme-ui option (#34885) (#34897)
• 9a579f1 fix(gatsby-core-utils): fix 304 when file does not exists (#34842) (#34888)
• 148d016 fix(gatsby): Remove double enhanced-resolve dep (#34854) (#34889)
• 19b0304 feat(gatsby-core-utils): improve fetch-remote-file (#34758)
• ac1d777 fix(gatsby-source-contentful): avoid confusion of Gatsby node and Contentful node count in logs (#34830)
• ee8c874 refactor(gatsby-source-contentful): remove unnecessary check for existing node (#34829)
• 056b48e test(gatsby): Add a memory test suite command to the memory benchmark (#34810)
• 45cb1f1 chore(release): Publish next
• 4c832bf documentation: Add Third Party Schema (#34820)
• 9f23dec chore(gatsby): cache shouldn't reference nodes strongly (#34821)
• f2d4830 feat(gatsby-core-utils): create proper mutex (#34761)
• 21ef185 chore(changelogs): update changelogs (#34826)
• a2f99af fix(deps): update starters and examples gatsby packages to ^4.7.2 (#34822)
• 76c89d8 chore(release): Publish next
• 54d29c4 chore(gatsby): upgrade from lmdb-store to lmdb (#34576)
• 3df8583 fix(core): Make filter/sort query only hold onto node properties it needs (#34747)
• 3c3362b refactor(core): Make load plugins modular, prepare for TS (#34813)
• 3d74584 feat(gatsby): allow referencing derived types in schema customization (#34787)
• bfd04d3 fix(gatsby): Content Sync DSG bug (#34799)
• 326a483 fix(deps): update dependency sharp to ^0.30.1 (#34755)
• 7b958f9 docs: update typo Forestry (#34805)
• ba8e21c feat(gatsby): Match node manifest pages by page context slug (#34790)

See the full diff

Package name: gatsby-plugin-sharp

The new version differs by 250 commits.

• 92543af chore(release): Publish
• e79623c fix(create-gatsby): Missing "plugins" in cmses.json (#36566)
• a373d80 chore(docs): Remove `content` from sourcing guide (#36562)
• 8b59183 fix(gatsby): Remove default support for non ESM browsers (#36522)
• fab2db2 chore: setup v5 release channel (#36540)
• bac1e7a chore(gatsby): Update `react-refresh` to `^0.14.0` (#36553)
• 5f6ad91 chore(deps): update dependency autoprefixer to ^10.4.8 for gatsby-plugin-sass (#36273)
• cc3ef79 fix(deps): update dependency eslint-plugin-react-hooks to ^4.6.0 (#36040)
• 856b695 chore(deps): update [dev] minor and patch dependencies for gatsby-legacy-polyfills (#35547)
• 0b6e823 chore(deps): update dependency @ types/semver to ^7.3.12 (#36510)
• 0e56ad6 chore(deps): update dependency microbundle to ^0.15.1 for gatsby-link (#36512)
• 80f6616 chore(deps): update dependency microbundle to ^0.15.1 for gatsby-script (#36513)
• 34c8e51 fix(deps): update dependency eslint-plugin-jsx-a11y to ^6.6.1 (#36039)
• afba8ca chore(deps): update [dev] minor and patch dependencies for gatsby-source-shopify (#34363)
• b55e1d5 chore(docs): monorepos support (#36504)
• 8aeae21 fix(gatsby): pass custom graphql context provided by createResolverContext to materialization executor (#36552)
• 9c5eacf fix(gatsby): Handle renderToPipeableStream errors (#36555)
• 42e241c feat(gatsby): split up head & page component loading (#36545)
• dc9aa9a chore(gatsby): perfect `GatsbyConfig.proxy` type (#36548)
• 1125e58 fix: ci pipeline (#36544)
• 7fe8e51 fix(deps): update dependency react-docgen to ^5.4.3 for gatsby-transformer-react-docgen (#36277)
• bc04e8f chore(docs): migrate cloud docs to dotcom(1) (#36452)
• 59c1f4f fix(deps): update starters and examples - gatsby (#36503)
• 0d4dfe9 chore(docs): update url of `deleteNode` (#36502)

See the full diff

Package name: gatsby-source-filesystem

The new version differs by 250 commits.

• b8eac2d chore(release): Publish
• 3253a38 fix(gatsby-plugin-mdx): Hashing and pluginOptions (#36387) (#36395)
• 1880491 fix(gatsby-script): Reach router import (#36385) (#36394)
• f664ad2 feat(gatsby): Telemetry tracking for Head API (#36352)
• ab55e4e chore: Update `got` (#36366)
• 2b4ff76 fix(gatsby): Make runtime error overlay work in non-v8 browsers (#36365)
• f990e08 fix(test): clear and close lmdb after each test suite (#36343)
• 7fcf580 fix(gatsby): e.remove() is not a function when using Gatsby Head API (#36338)
• 25fb9d1 chore: Fix pipeline tests (#36363)
• a9132a5 chore(deps): update sharp (#35539)
• bc80c23 chore: Add note about rehype-slug-custom-id
• 5b6f1f6 chore(gatsby): upgrade multer (#36359)
• f2f0acf chore(gatsby-telemetry): upgrade git-up (#36358)
• 86a8efc chore(release): Publish next
• 0705ac7 chore(gatsby-plugin-mdx): Update .gitignore
• c92db36 BREAKING CHANGE(gatsby-plugin-mdx): MDX v2 (#35650)
• 3c0dd6d chore(release): Publish next
• 86b6ee9 Revert "chore(gatsby): Make `plugins` in `PluginOptions` type optional (#36351)"
• a2fa5a2 chore(gatsby): Make `plugins` in `PluginOptions` type optional (#36351)
• 6ecfe4a fix(gatsby-source-contentful): Correctly overwrite field type on Assets (#36337)
• 0ed362c chore(docs): Pre-encoded unicode characters can't be used in paths (#36325)
• 2bbe96d fix(deps): update dependency file-type to ^16.5.4 for gatsby-source-filesystem (#36276)
• 2be3fa7 chore(docs): Add first batch of Cloud docs (#36218)
• 4238142 chore(docs): Remove outdated examples and recipes (#36335)

See the full diff

Package name: gatsby-transformer-sharp

The new version differs by 250 commits.

• f6734b9 chore(release): Publish
• 9a616c0 fix(gatsby): wait for LMDB upserts to finish before emitting ENGINES_READY (#34853) (#34896)
• f5705b9 fix(create-gatsby): Add required deps for theme-ui option (#34885) (#34897)
• 9a579f1 fix(gatsby-core-utils): fix 304 when file does not exists (#34842) (#34888)
• 148d016 fix(gatsby): Remove double enhanced-resolve dep (#34854) (#34889)
• 19b0304 feat(gatsby-core-utils): improve fetch-remote-file (#34758)
• ac1d777 fix(gatsby-source-contentful): avoid confusion of Gatsby node and Contentful node count in logs (#34830)
• ee8c874 refactor(gatsby-source-contentful): remove unnecessary check for existing node (#34829)
• 056b48e test(gatsby): Add a memory test suite command to the memory benchmark (#34810)
• 45cb1f1 chore(release): Publish next
• 4c832bf documentation: Add Third Party Schema (#34820)
• 9f23dec chore(gatsby): cache shouldn't reference nodes strongly (#34821)
• f2d4830 feat(gatsby-core-utils): create proper mutex (#34761)
• 21ef185 chore(changelogs): update changelogs (#34826)
• a2f99af fix(deps): update starters and examples gatsby packages to ^4.7.2 (#34822)
• 76c89d8 chore(release): Publish next
• 54d29c4 chore(gatsby): upgrade from lmdb-store to lmdb (#34576)
• 3df8583 fix(core): Make filter/sort query only hold onto node properties it needs (#34747)
• 3c3362b refactor(core): Make load plugins modular, prepare for TS (#34813)
• 3d74584 feat(gatsby): allow referencing derived types in schema customization (#34787)
• bfd04d3 fix(gatsby): Content Sync DSG bug (#34799)
• 326a483 fix(deps): update dependency sharp to ^0.30.1 (#34755)
• 7b958f9 docs: update typo Forestry (#34805)
• ba8e21c feat(gatsby): Match node manifest pages by page context slug (#34790)

See the full diff

Package name: node-sass

The new version differs by 90 commits.

• 3b556c1 7.0.2
• c716359 Bump sass-graph@^4.0.1 ([sql lab] add pending to the list of searchable statuses apache/superset#3292)
• 24741b3 docs(readme): fix docpad plugin link
• 1523330 feat: Drop Node 12
• 365d357 update https://registry.npm.taobao.org to https://registry.npmmirror.com
• 1456114 build(deps): bump actions/upload-artifact from 2 to 3
• b465b69 chore: bump GitHub Actions to Windows 2019 ([bugfix] wrong 'Cant have overlap between Series and Breakdowns' apache/superset#3254)
• e6194b1 build(deps): bump make-fetch-happen from 9.1.0 to 10.0.4
• 4edf594 build(deps): bump node-gyp from 8.4.1 to 9.0.0
• 29e2344 build(deps): bump actions/checkout from 2 to 3
• 85b0d22 build(deps): bump actions/setup-node from 2 to 3
• 3bb51da Use make-fetch-happen instead of request (Add BigQuery engine specifications apache/superset#3193)
• adc2f8b build(deps): bump true-case-path from 1.0.3 to 2.2.1 (No user created an error occured - sqlite3.IntegrityError apache/superset#3000)
• 77d12f0 chore: disable Apline for Node 16/17 builds
• 308d533 ci: use Python 3 for Node 12
• c818907 ci: unpin actions/setup-node to v2
• 99242d7 7.0.1
• 77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (SQL_ALCHEMY_DATABASE_URI ignored from Apache mod_wsgi apache/superset#3224)
• c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (Extra % added in SQL Lab during visualisation  apache/superset#3209)
• 918dcb3 Lint fix
• 0a21792 Set rejectUnauthorized to true by default (Word Cloud losing the top result apache/superset#3149)
• e80d4af chore: Drop EOL Node 15 (Add a dummy new viz object in superset apache/superset#3122)
• d753397 feat: Add Node 17 support (Failed connexion to druid with superset apache/superset#3195)
• dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-Side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn