Wiz: Upgrade multiple dependencies (resolves 128 findings)

[wiz-5e8b1019be]

Wiz has created this PR to fix 128 findings detected in this project

Changes were made to the following file(s):

• package.json
• packages/react-router-native/android/build.gradle
• website/package.json
• yarn.lock

Vulnerabilities:

Component	Findings	Locations
@octokit/plugin-paginate-rest 1.1.2 → 8.2.1	CVE-2025-25288	/package.json
@octokit/request 5.6.3 → 8.2.1	CVE-2025-25290	/package.json
@octokit/request-error 1.2.1 → 8.2.1	CVE-2025-25289	/package.json
@octokit/request-error 2.1.0 → 8.2.1	CVE-2025-25289	/package.json
ajv 5.5.2 → 1.0.0-beta.0	CVE-2020-15366	/website/package.json
babel-traverse 6.26.0 → 2.0.0-alpha.1	CVE-2023-45133	/website/package.json
braces 2.3.2 → 27.0.0-next.0	CVE-2024-4068	/package.json /website/package.json
com.google.guava:guava 17.0 → 8.5.0-alpha07	CVE-2023-2976 CVE-2018-10237 CVE-2020-8908	/packages/react-router-native/android/build.gradle
cross-spawn 5.1.0 → 2.0.0	CVE-2024-21538	/package.json
form-data 2.3.3 → 5.0.0-alpha.0	CVE-2025-7783	/package.json
hermes-engine 0.2.1 → 0.67.0-rc.4	CVE-2020-1911 CVE-2020-1914 CVE-2021-24044 CVE-2021-24037 CVE-2020-1912 CVE-2020-1915 CVE-2020-1913	/package.json
highlight.js 9.18.5 → 1.0.0	GHSA-7wwv-vh3v-89cq	/package.json
html-minifier 3.5.21 → 4.0.0-beta.10	CVE-2022-37620	/website/package.json
http-cache-semantics 3.8.1 → 4.0.0	CVE-2022-25881	/package.json
http-proxy-middleware 0.19.1 → 4.0.0-rc.0	CVE-2024-21536	/website/package.json
ip 1.1.5 → 4.0.0	CVE-2023-42282 CVE-2024-29415	/package.json
ip 1.1.9 → 4.8.0	CVE-2024-29415	/website/package.json
json5 0.5.1 → 4.0.0-alpha	CVE-2022-46175	/website/package.json
loader-utils 0.2.17 → 4.0.0-alpha	CVE-2022-37601	/website/package.json
loader-utils 1.1.0 → 1.4.2	CVE-2022-37601 CVE-2022-37599 CVE-2022-37603	/website/package.json
lodash.pick 4.4.0 → 1.0.0-rc.1	CVE-2020-8203	/website/package.json
lodash.set 4.3.2 → 4.0.0	CVE-2020-8203	/package.json
lodash.template 4.5.0 → 5.1.2	CVE-2021-23337	/package.json
logkitty 0.6.1 → 0.62.0-rc.2	CVE-2020-8149	/package.json
markdown-it 7.0.1 → 12.3.2	CVE-2022-21670	/website/package.json
mem 1.1.0 → 1.0.0	GHSA-4xcv-9jjx-gfj3	/package.json
micromatch 3.1.10 → 27.0.0-next.0	CVE-2024-4067	/package.json /website/package.json
node-fetch 1.7.3 → 3.0.0	CVE-2022-0235	/package.json /website/package.json
node-forge 0.10.0 → 4.7.3	CVE-2022-24771 CVE-2022-24772 CVE-2022-0122 CVE-2022-24773 GHSA-gf8q-jrpm-jvxq GHSA-5rrq-pxf6-6jx5	/website/package.json
node-notifier 5.4.5 → 26.0.0-alpha.0	CVE-2020-7789	/package.json
nth-check 1.0.2 → 1.0.0-rc.5	CVE-2021-3803	/website/package.json
org.apache.commons:commons-compress 1.8.1 → 9.0.0-alpha01	CVE-2021-35517 CVE-2021-35515 CVE-2021-36090 CVE-2021-35516 CVE-2024-25710 CVE-2018-11771	/packages/react-router-native/android/build.gradle
org.apache.httpcomponents:httpclient 4.1.1 → 3.2.0-alpha06	CVE-2014-3577 CVE-2012-6153 CVE-2015-5262	/packages/react-router-native/android/build.gradle
org.bouncycastle:bcpkix-jdk15on 1.48 → 8.9.0-alpha04	CVE-2025-8916	/packages/react-router-native/android/build.gradle
org.bouncycastle:bcprov-jdk15on 1.48 → 8.9.0-alpha04	CVE-2016-1000343 CVE-2016-1000342 CVE-2024-29857 CVE-2016-1000344 CVE-2018-1000180 CVE-2016-1000352 CVE-2016-1000338 CVE-2020-26939 CVE-2018-5382 CVE-2016-1000345 CVE-2016-1000339 CVE-2015-7940 CVE-2023-33202 CVE-2024-30171 CVE-2020-15522 CVE-2016-1000341 CVE-2016-1000346	/packages/react-router-native/android/build.gradle
parse-path 4.0.4 → 5.1.8	CVE-2022-0624	/package.json
parse-url 6.0.5 → 5.5.2	CVE-2022-2900 CVE-2022-3224	/package.json
postcss 6.0.23 → 4.0.0	CVE-2021-23382 CVE-2023-44270	/website/package.json
postcss 7.0.39 → 5.0.0	CVE-2023-44270	/website/package.json
react-devtools-core 3.6.3 → 0.62.0-rc.0	CVE-2023-5654	/package.json
react-native 0.61.5 → 0.62.3	CVE-2020-1920	/package.json
request 2.88.2 → 5.0.0-alpha.0	CVE-2023-28155	/package.json
rollup 1.32.1 → 2.79.2	CVE-2024-47068	/package.json
serialize-javascript 1.9.1 → 5.1.2	CVE-2020-7660 CVE-2019-16769	/website/package.json
ssri 5.3.0 → 5.0.0	CVE-2021-27290	/website/package.json
tar 4.4.19 → 5.0.0-alpha.0	CVE-2024-28863	/package.json
tmp 0.0.33 → 7.3.0	CVE-2025-54798	/package.json /website/package.json
tough-cookie 2.5.0 → 5.0.0-alpha.0	CVE-2023-26136	/package.json
trim-newlines 1.0.0 → 4.0.0	CVE-2021-33623	/package.json
trim-newlines 2.0.0 → 4.0.0	CVE-2021-33623	/package.json
webpack-dev-middleware 3.7.3 → 4.0.0-rc.0	CVE-2024-29180	/website/package.json
webpack-dev-server 3.11.3 → 5.2.1	CVE-2025-30359 CVE-2025-30360	/website/package.json
ws 3.3.3 → 0.62.0-rc.0	CVE-2024-37890	/package.json

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

[wiz-5e8b1019be]

⚠️ Lock file update issue

Please update the lock file manually before merging this PR.

website/yarn.lock

warning You don't appear to have an internet connection. Try the --offline flag to use the cache for registry queries.
warning You don't appear to have an internet connection. Try the --offline flag to use the cache for registry queries.
warning You don't appear to have an internet connection. Try the --offline flag to use the cache for registry queries.
(node:18) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
(Use `node --trace-deprecation ...` to show where the warning was created)
warning babel-preset-env > browserslist@1.7.7: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
warning cheerio > cheerio-select-tmp@0.1.1: Use cheerio-select instead
warning eslint@7.3.0: This version is no longer supported. Please see https://eslint.org/version-support for other options.
warning html-loader > htmlnano > svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
warning html-loader > htmlnano > svgo > stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
warning html-loader > htmlnano > cssnano > autoprefixer > browserslist@1.7.7: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
warning html-loader > htmlnano > cssnano > postcss-svgo > svgo@0.7.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
warning html-loader > htmlnano > cssnano > postcss-merge-rules > browserslist@1.7.7: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
warning html-loader > htmlnano > svgo > coa > q@1.5.1: You or someone you depend on is using Q, the JavaScript Promise library that gave JavaScript developers strong feelings about promises. They can almost certainly migrate to the native JavaScript promise now. Thank you literally everyone for joining me in this bet against the odds. Be excellent to each other.

(For a CapTP with native promises, see @endo/eventual-send and @endo/captp)
warning html-loader > htmlnano > cssnano > postcss-svgo > svgo > coa > q@1.5.1: You or someone you depend on is using Q, the JavaScript Promise library that gave JavaScript developers strong feelings about promises. They can almost certainly migrate to the native JavaScript promise now. Thank you literally everyone for joining me in this bet against the odds. Be excellent to each other.

(For a CapTP with native promises, see @endo/eventual-send and @endo/captp)
warning html-loader > htmlnano > cssnano > postcss-merge-rules > caniuse-api > browserslist@1.7.7: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
warning html-loader > htmlnano > cssnano > postcss-merge-rules > postcss-selector-parser > flatten@1.0.3: flatten is deprecated in favor of utility frameworks such as lodash.
warning html-webpack-plugin@4.0.0-beta.10: please switch to a stable version
warning webpack > acorn-dynamic-import@4.0.0: This is probably built in to whatever tool you're using. If you still need it... idk
warning webpack-cli > webpack-log > uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
warning " > @codesandbox/react-embed@0.0.14" has incorrect peer dependency "react@^15.0.0 | ^16.0.0".
warning " > @typescript-eslint/eslint-plugin@2.3.1" has incorrect peer dependency "eslint@^5.0.0 || ^6.0.0".
warning "@typescript-eslint/eslint-plugin > tsutils@3.17.1" has unmet peer dependency "typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta".
warning " > @typescript-eslint/parser@2.3.1" has incorrect peer dependency "eslint@^5.0.0 || ^6.0.0".
warning " > copy-webpack-plugin@5.1.2" has incorrect peer dependency "webpack@^4.0.0 || ^5.0.0".
warning " > css-loader@5.0.0" has incorrect peer dependency "webpack@^4.27.0 || ^5.0.0".
warning " > eslint-config-react-app@5.0.2" has incorrect peer dependency "eslint@6.x".
warning " > eslint-plugin-import@2.18.2" has incorrect peer dependency "eslint@2.x - 6.x".
warning " > eslint-plugin-jsx-a11y@6.2.3" has incorrect peer dependency "eslint@^3 || ^4 || ^5 || ^6".
warning " > eslint-plugin-react@7.14.3" has incorrect peer dependency "eslint@^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0".
warning " > eslint-plugin-react-hooks@1.7.0" has incorrect peer dependency "eslint@^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0".
warning " > file-loader@1.1.11" has incorrect peer dependency "webpack@^2.0.0 || ^3.0.0 || ^4.0.0".
warning " > html-loader@1.0.0-alpha.0" has incorrect peer dependency "webpack@^3.0.0 || ^4.0.0".
warning " > html-webpack-plugin@4.0.0-beta.10" has incorrect peer dependency "webpack@^4.0.0".
warning " > postcss-loader@4.0.0" has incorrect peer dependency "webpack@^4.0.0 || ^5.0.0".
warning " > postcss-loader@4.0.0" has unmet peer dependency "postcss@^7.0.0".
warning " > sw-precache-webpack-plugin@0.11.5" has incorrect peer dependency "webpack@^1 || ^2 || ^2.1.0-beta || ^2.2.0-beta || ^3 || ^4".
warning " > url-loader@1.0.0-beta.0" has incorrect peer dependency "webpack@^3.0.0 || ^4.0.0".
warning "webpack > terser-webpack-plugin@1.4.6" has incorrect peer dependency "webpack@^4.0.0".
warning " > webpack-cli@4.0.0-alpha" has incorrect peer dependency "webpack@4.x.x".
error /workspace/src/website/node_modules/webpack-cli: Command failed.
Exit code: 127
Command: lerna bootstrap
Arguments: 
Directory: /workspace/src/website/node_modules/webpack-cli
Output:
/bin/sh: lerna: not found