chore(deps): update dependency ua-parser-js to 0.7.33 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change
ua-parser-js	0.7.28 -> 0.7.33

GitHub Vulnerability Alerts

CVE-2022-25927

Description:

A regular expression denial of service (ReDoS) vulnerability has been discovered in ua-parser-js.

Impact:

This vulnerability bypass the library's MAX_LENGTH input limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to get stuck processing for a very long time which results in a denial of service (DoS) condition.

Affected Versions:

All versions of the library prior to version 0.7.33 / 1.0.33.

Patches:

A patch has been released to remove the vulnerable regular expression, update to version 0.7.33 / 1.0.33 or later.

References:

Regular expression Denial of Service - ReDoS

Credits:

Thanks to @​Snyk who first reported the issue.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: src/client/mobile/package-lock.json

ERR! lerna Unknown command "info"
ERR! lerna Did you mean init?
npm WARN react-ssr-advanced-seed@1.0.7 No repository field.

lerna notice cli v3.18.4
lerna info versioning independent
lerna notice filter excluding "__tests__"
lerna info filter [ '!__tests__' ]
lerna info Bootstrapping 27 packages
lerna info Installing external dependencies
lerna ERR! npm install --ignore-scripts --no-package-lock --ignore-scripts --no-audit --package-lock-only exited 1 in 'omega-web'
lerna ERR! npm install --ignore-scripts --no-package-lock --ignore-scripts --no-audit --package-lock-only stderr:
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: omega-web@0.3.11
npm ERR! Found: react@16.14.0
npm ERR! node_modules/react
npm ERR!   peer react@"^16.8.0" from @material-ui/core@4.4.2
npm ERR!   node_modules/@material-ui/core
npm ERR!     @material-ui/core@"4.4.2" from the root project
npm ERR!     peer @material-ui/core@"^4.0.0" from @material-ui/icons@4.4.1
npm ERR!     node_modules/@material-ui/icons
npm ERR!       @material-ui/icons@"4.4.1" from the root project
npm ERR!   peer react@"^16.0.0" from react-dom@16.8.6
npm ERR!   node_modules/react-dom
npm ERR!     react-dom@"16.8.6" from the root project
npm ERR!     peer react-dom@"^16.8.0" from @material-ui/core@4.4.2
npm ERR!     node_modules/@material-ui/core
npm ERR!       @material-ui/core@"4.4.2" from the root project
npm ERR!       1 more (@material-ui/icons)
npm ERR!     2 more (@material-ui/icons, @material-ui/styles)
npm ERR!   2 more (@material-ui/icons, @material-ui/styles)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! react-fade-in@"0.1.6" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: react@15.7.0
npm ERR! node_modules/react
npm ERR!   peer react@"^15.4.1" from react-fade-in@0.1.6
npm ERR!   node_modules/react-fade-in
npm ERR!     react-fade-in@"0.1.6" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! 
npm ERR! For a full report see:
npm ERR! /tmp/renovate-cache/others/npm/_logs/2023-03-18T22_32_13_423Z-eresolve-report.txt

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate-cache/others/npm/_logs/2023-03-18T22_32_13_423Z-debug-0.log

lerna ERR! npm install --ignore-scripts --no-package-lock --ignore-scripts --no-audit --package-lock-only exited 1 in 'omega-web'
lerna WARN complete Waiting for 1 child process to exit. CTRL-C to exit immediately.

[guardrails]

⚠️ We detected 41 security issues in this pull request:

Vulnerable Libraries (41)

Severity	Details
N/A	pkg:npm/yargs-parser@9.0.2@9.0.2 (t) - no patch available
Medium	pkg:npm/core-js@1.2.7@1.2.7 (t) - no patch available
Medium	pkg:npm/xmldom@0.5.0@0.5.0 (t) upgrade to: 0.7.0
High	pkg:npm/tmpl@1.0.4@1.0.4 (t) upgrade to: 1.0.5
High	pkg:npm/hermes-engine@0.4.3@0.4.3 (t) upgrade to: 0.5.2
Medium	pkg:npm/jsdom@11.12.0@11.12.0 (t) upgrade to: 16.5.0
Medium	pkg:npm/request@2.88.2@2.88.2 (t) - no patch available
High	pkg:npm/glob-parent@3.1.0@3.1.0 (t) upgrade to: 5.1.2
High	pkg:npm/yargs-parser@10.1.0@10.1.0 (t) - no patch available
High	pkg:npm/ansi-regex@3.0.0@3.0.0 (t) upgrade to: 6.0.1,5.0.1,4.1.1,3.0.1
High	pkg:npm/json5@2.2.0@2.2.0 (t) upgrade to: 2.2.2
High	pkg:npm/json5@0.5.1@0.5.1 (t) - no patch available
High	pkg:npm/decode-uri-component@0.2.0@0.2.0 (t) - no patch available
Critical	pkg:npm/unset-value@1.0.0@1.0.0 (t) - no patch available
Critical	pkg:npm/json-schema@0.2.3@0.2.3 (t) upgrade to: 0.4.0
Medium	pkg:npm/nwsapi@2.2.0@2.2.0 (t) - no patch available
Critical	pkg:npm/shell-quote@1.6.1@1.6.1 (t) upgrade to: 1.7.3
Medium	pkg:npm/ws@5.2.2@5.2.2 (t) upgrade to: 7.4.6,6.2.2,5.2.3
High	pkg:npm/typescript@3.5.3@3.5.3 (t) - no patch available
High	pkg:npm/ua-parser-js@0.7.33@0.7.33 (t) - no patch available
High	pkg:npm/prompts@2.4.1@2.4.1 (t) - no patch available
High	pkg:npm/minimatch@3.0.4@3.0.4 (t) upgrade to: 3.0.5
Medium	pkg:npm/ws@1.1.5@1.1.5 (t) - no patch available
N/A	pkg:npm/react@16.8.6@16.8.6 (t) - no patch available
Medium	pkg:npm/node-fetch@1.7.3@1.7.3 (t) - no patch available
Medium	pkg:npm/core-js@2.6.12@2.6.12 (t) - no patch available
Critical	pkg:npm/simple-plist@1.1.1@1.1.1 (t) upgrade to: 1.3.1
Critical	pkg:npm/qs@6.5.2@6.5.2 (t) - no patch available
N/A	pkg:npm/debug@2.6.9@2.6.9 (t) upgrade to: 3.1.0
Critical	pkg:npm/minimist@1.2.5@1.2.5 (t) upgrade to: 1.2.6
Critical	pkg:npm/set-value@2.0.1@2.0.1 (t) - no patch available
High	pkg:npm/ansi-regex@5.0.0@5.0.0 (t) upgrade to: 6.0.1,5.0.1,4.1.1,3.0.1
Medium	pkg:npm/node-notifier@5.4.5@5.4.5 (t) upgrade to: 8.0.1
Low	pkg:npm/node-fetch@2.6.1@2.6.1 (t) - no patch available
High	pkg:npm/ansi-regex@4.1.0@4.1.0 (t) upgrade to: 6.0.1,5.0.1,4.1.1,3.0.1
High	pkg:npm/async@2.6.3@2.6.3 (t) upgrade to: 3.2.2,2.6.4
Medium	pkg:npm/istanbul-reports@2.2.7@2.2.7 (t) - no patch available
High	pkg:npm/fb-watchman@2.0.1@2.0.1 (t) - no patch available
High	pkg:npm/json-stable-stringify@1.0.1@1.0.1 (t) - no patch available
Critical	pkg:npm/execa@1.0.0@1.0.0 (t) - no patch available
Critical	pkg:npm/plist@3.0.2@3.0.2 (t) upgrade to: 3.0.5

More info on how to fix Vulnerable Libraries in JavaScript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.