[Snyk] Fix for 9 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/strapi-admin/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-IMMER-1019369	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-IMMER-1540542	Yes	Proof of Concept
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	534/1000 Why? Has a fix available, CVSS 6.4	Improper Authentication SNYK-JS-JSONWEBTOKEN-3180022	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Improper Restriction of Security Token Assignment SNYK-JS-JSONWEBTOKEN-3180024	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: axios

The new version differs by 57 commits.

• e367be5 [Releasing] 0.21.3
• 83ae383 Correctly add response interceptors to interceptor chain (Content Manager bug when navigating from one entry to another strapi/strapi#4013)
• c0c8761 [Updating] changelog to include links to issues and contributors
• 619bb46 [Releasing] v0.21.2
• 82c9455 Create SECURITY.md (Webpack error on strapi develop strapi/strapi#3981)
• 5b45711 Security fix for ReDoS (Trying to rename default table names strapi/strapi#3980)
• 5bc9ea2 Update ECOSYSTEM.md (MongoError: E11000 duplicate key error collection strapi/strapi#3817)
• e72813a Fixing README.md (Update schemas for example getstarted strapi/strapi#3818)
• e10a027 Fix README typo under Request Config (Post request API，Insert error on timestamp fields using MySQL strapi/strapi#3825)
• e091491 Update README.md ([Blocker] error TypeError: Cannot read property 'id' of null strapi/strapi#3936)
• b42fbad Removed un-needed bracket
• 520c8dc Updating CI status badge (Strapi unable to pull roles from alternative database strapi/strapi#3953)
• 4fbeecb Adding CI on Github Actions. (Fix typo in en.json strapi/strapi#3938)
• e9965bf Fixing the sauce labs tests (Unable to edit Strapi favicon or titles strapi/strapi#3813)
• dbc634c Remove charset in tests (The "Populate more user informations on POST /auth/login" commit causes localStorage problems strapi/strapi#3807)
• 3958e9f Add explanation of cancel token (.gitkeep in plugins causes ENOTDIR strapi/strapi#3803)
• 69949a6 Adding custom return type support to interceptor (Use koa-router and fix graphql-file-upload with global router strapi/strapi#3783)
• 49509f6 Create FUNDING.yml (Language selection confusion strapi/strapi#3796)
• 199c8aa Adding parseInt to config.timeout (Create model and link it strapi/strapi#3781)
• 94fc4ea Adding isAxiosError typeguard documentation (Mysql - unique and required doesn't work, 500 when I make POST request with another data than in model strapi/strapi#3767)
• 0ece97c Fixing quadratic runtime when setting a maxContentLength (The same updatedAt in the list file uploaded strapi/strapi#3738)
• a18a0ec Updating `lib/core/README.md` about Dispatching requests (update instead post strapi/strapi#3772)
• 59fa614 [Updated] follow-redirects to the latest version (Documentation updates strapi/strapi#3771)
• 7821ed2 Feat/json improvements (Update JSON save as String with Bookshelf strapi/strapi#3763)

See the full diff

Package name: html-webpack-plugin

The new version differs by 250 commits.

• 873d75b chore(release): 5.5.0
• ddeb774 chore: update examples
• 1e42625 feat: Support type=module via scriptLoading option
• 7d3645b Bump pretty-error to 4.0.0 to fix transitive vuln for ansi-regex CVE-2021-3807
• 79be779 [chore] changes actions to run on pull_requests
• b7e5859 [chore] fixes CI to avoid race conditions
• 48131d3 chore(release): 5.4.0
• 16a841a [chore] rebuild examples
• 3bb7c17 Update index.js
• e38ac97 Update index.js
• f08bd02 [chore] updates fixtures
• d62a10f [chore] upgrades html-minifier-terser@5.0.0 -> 6.0.2
• 2f5de7a Remove archived plugin
• 8f8f7c5 chore(release): 5.3.2
• 053c6e6 chore: update snapshot tests for webpack 5.4.0
• 9c7fba0 Fix security vulnerabilities
• b98fbeb Fix security vulnerabilities
• 25cdfc7 Added inject-body-webpack-plugin to readme
• 0e4c1fb Update README to document actual behavior
• 0a6568d chore(release): 5.3.1
• 82d0ee8 fix: remove loader-utils from plugin core
• 6f39192 chore(release): 5.3.0
• d654f5b feat: allow to modify the interpolation options in webpack config
• 41d7a50 feat: drop loader-utils dependency

See the full diff

Package name: immer

The new version differs by 85 commits.

• fa671e5 fix(security): Follow up on CVE-2020-28477 where `path: [["__proto__"], "x"]` could still pollute the prototype
• 2e0aa95 Create SECURITY.md
• 050522d chore: fix CI. maybe.
• 1195510 docs: Update example-setstate.mdx (introduction of userObj strapi/strapi#833)
• 648d39b docs: fixing link to RFC-6902 & fixing typo (Wysiwyg preview strapi/strapi#830)
• bc890f7 docs: Update example-setstate.mdx (Fixes #828 strapi/strapi#829)
• 16a3d0f chore(deps): bump prismjs from 1.23.0 to 1.24.0 in /website (Split project setup process strapi/strapi#822)
• 847492c docs: Extended / updated documenation (Optimize the build process time strapi/strapi#824)
• 7f41483 chore: [workflows] don't release from forks
• 3f9a94e chore: let's test before publish
• bfb8dec fix: release missing dist/ folder
• b314b19 chore: fix cpx usage
• a607d6c chore: Remove old shizzle
• 6fd5329 chore: fixes for deploy preview
• 144f886 chore: fix docs deployment attempt 3
• 38964fa chore: semantic-release + GH actions
• 06c6741 chore: fix docs deploy
• ad23da9 chore: fix test job
• b6d92f4 chore: publish docs automatically
• c59576a chore: setup GH action for test
• dc3f66c fix: Update styles.scss strapi/strapi#807 new undefined properties should end up in result object
• 5412c9f fix: Field names can clash with API code, causing errors when creating records strapi/strapi#791 return 'nothing' should produce undefined patch
• 58b74a6 chore(deps): bump ssri from 6.0.1 to 6.0.2 in /website (Wysiwyg strapi/strapi#818)
• c9deb48 chore(deps): bump color-string from 1.5.4 to 1.5.5 in /website ((doc) fix collection name in many-to-many example strapi/strapi#817)

See the full diff

Package name: jsonwebtoken

The new version differs by 17 commits.

• e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
• 5eaedbf chore(ci): remove github test actions job (Possible to use numerical (sequential) id? strapi/strapi#861)
• cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (Fix pre release strapi/strapi#856)
• ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secrets (Fixes #826 strapi/strapi#852)
• 8345030 fix(sign&verify)!: Remove default `none` support from `sign` and `verify` methods, and require it to be explicitly configured (Fixes #850 strapi/strapi#851)
• 7e6a86b Upload OpsLevel YAML (Login loop when create new Content Type, add non-exist field or table, and make relations to another content type using PostgreSQL as database strapi/strapi#849)
• 74d5719 docs: update references vercel/ms references (Block settings manager and content type builder in production strapi/strapi#770)
• d71e383 docs: document "invalid token" error
• 3765003 docs: fix spelling in README.md: Peak -> Peek (3.0.0 alpha.11 strapi/strapi#754)
• a46097e docs: make decode impossible to discover before verify
• 15a1bc4 refactor: make decode non-enumerable
• 5f10bf9 docs: add jwtid to options of jwt.verify (new texts translated strapi/strapi#704)
• 88cb9df Replace tilde-indexOf with includes (Fix indent configs js examples strapi/strapi#647)
• a6235fa Adds not to README on decoded payload validation (Hot fix provider login strapi/strapi#646)
• 5ed1f06 docs: fix tiny style change in readme (Nginx routing problem, possibly strapi/strapi#622)
• 9fb90ca style: add missing semicolon (I can login mongo admin using password. But when i try to install it show error strapi/strapi#641)
• a9e38b8 ci: use circleci (Remove trivial decimal implementation and use float type instead #550 strapi/strapi#589)

See the full diff

Package name: webpack-dev-server

The new version differs by 250 commits.

• c9271b9 chore(release): 4.0.0
• 18bf369 test: fix stability (Unable to extend email plugin following documentation strapi/strapi#3676)
• cdcabb2 fix: respect protocol from browser for manual setup (on create adds current dateTime to date fields strapi/strapi#3675)
• 1768d6b fix: initial reloading for lazy compilation (Unable to specify provider redirect_uri for development mode strapi/strapi#3662)
• 4f5bab1 docs: improve examples (Update content-manager schemas strapi/strapi#3672)
• f2d87fb fix: improve https CLI output (Missing envrionnment config for env: --dev. ( windows 10 ) strapi/strapi#3673)
• 0277c5e chore: remove redundant console statements (Using AWS - Receiving The pool is probably full error  strapi/strapi#3671)
• 16fcdbc docs: add `ipc` example (Cannot add new content's entry by click "Add new xxxx", if the content type "xxxx" is not created by self env.  strapi/strapi#3667)
• 8915fb8 test: add e2e tests for built in routes (Update JA translation strapi/strapi#3669)
• 4d1cbe1 docs: ask `version` information in issue template (New content manager schemas + wysiwyg type strapi/strapi#3668)
• b6c1881 chore(deps-dev): bump core-js from 3.16.1 to 3.16.2 (Minimal deployable artifact strapi/strapi#3666)
• ffa8cc5 chore(deps-dev): bump supertest from 6.1.5 to 6.1.6 (There is no admin folder strapi/strapi#3665)
• f1fdaa7 chore(release): 4.0.0-rc.1
• c4678bc fix: legacy API (Changing which field is displayed for model relations? strapi/strapi#3660)
• d8bdd03 test: fix stability (Don't force number conversion when field defined as "string" strapi/strapi#3661)
• 22b1414 refactor: remove `killable` (Confirmed account got  strapi/strapi#3657)
• 75bafbf test: add e2e tests for module federation (Confirmed account got "Your account email is not confirmed" when login strapi/strapi#3658)
• 493ccbd chore(deps): update `ws` (Error when using HTTP Delete strapi/strapi#3652)
• ae8c523 test: add e2e test for universal compiler (Confirmed account got  strapi/strapi#3656)
• f94b84f chore(deps): update (Multi operator filtering not as expected strapi/strapi#3655)
• 1923132 test: fix cli
• 2adfd01 test: fix todo (How to get user Id from GraphQL ? strapi/strapi#3653)
• 6e2cbde fix: proxy logging and allow to pass options without the `target` option (GraphQL query with where and variable not work strapi/strapi#3651)
• c9ccc96 fix: respect infastructureLogging.level for client.logging (Fix Google auth strapi/strapi#3613)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-Side Request Forgery (SSRF)
🦉 Prototype Pollution