[Snyk] Fix for 6 vulnerabilities

[Woodpile37]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-2863123	Yes	No Known Exploit
	Server-side Request Forgery (SSRF) SNYK-JS-PARSEURL-3023021	Yes	Proof of Concept
	Improper Input Validation SNYK-JS-PARSEURL-3024398	Yes	Proof of Concept

Commit messages

Package name: lerna

The new version differs by 182 commits.

• 6a0c3fb chore(release): v5.5.2
• ebf6542 fix(run): warn on incompatible arguments with useNx (Add types for subscription.on(connected) web3/web3.js#3326)
• 068830e fix(run): missing `fs-extra` dependency declaration (Web3 doesnt work with Cloud Functions web3/web3.js#3332)
• 7971a60 chore(deps): bump parse-url and git-url-parse (Revert non-essential changes (#3190) web3/web3.js#3330)
• 96b6f04 chore: fix formatting after release
• 9f119b0 chore(release): v5.5.1
• 99a13a9 fix(run): exclude dependencies with --scope when nx.json is not present (Ensure '0x' prefix exists (web3-eth-accounts) web3/web3.js#3316)
• 1343b9f chore: update cache-tasks.md (fix: export bloom functions on the index.js web3/web3.js#3291)
• 4cb2ac9 chore: update getting-started.md (Add project scope web3/web3.js#3293)
• f6717ea chore(run): Update deprecated nx arg _ to __overrides__ (Release - 1.2.5 web3/web3.js#3315)
• 036b984 chore(version): add GH_TOKEN scope requirements for --create-release option (Add optional privateFor to Typescript Declaration File in web3-core to support Quorum private transactions web3/web3.js#3318)
• f30e550 chore(website): fix typo on configuration page (missing types for Subscription.on('connected') web3/web3.js#3319)
• 746ce33 fix(core): prevent validation error in version/publish with `workspace:` prefix (Add network-timeout to fix Mosaic E2E web3/web3.js#3322)
• 674ffd3 chore: fix formatting
• 5a69ce5 chore: fixes post release
• bc3eb99 chore(release): v5.5.0
• a3165c1 chore: update nx
• 1b18dbe feat: pnpm workspaces support (update scrypt shim using maxmem fix from node >= 12.8 web3/web3.js#3284)
• 1d6a6f5 chore(deps-dev): bump @ actions/core from 1.8.2 to 1.9.1 (Add websocket / misc tests (#3190) web3/web3.js#3299)
• d261112 Revert "feat(repair): add lerna repair command" (This pages Ethereum Web3 js repository update security md give privilage to other web3/web3.js#3313)
• 8fe2220 chore(website): add announcement banner lerna talks
• f5c8480 fix(version): only update existing lockfile deps (Re-enable Truffle E2E test web3/web3.js#3308)
• aae1a2b feat(repair): add lerna repair command (Add tests for websocket connection errors web3/web3.js#3302)
• a248165 chore: fix typo in how-caching-works.md (web3-eth-accounts TypeScript definition file is broken (and/or confusing) web3/web3.js#3292)

See the full diff

Package name: mocha

The new version differs by 250 commits.

• 5f96d51 build(v10.1.0): release
• ed74f16 build(v10.1.0): update CHANGELOG
• 51d4746 chore(devDeps): update 'ESLint' to v8 (Version 1.7.2 published on npm does not have the lib/index.js file web3/web3.js#4926)
• 4e06a6f fix(browser): increase contrast for replay buttons (Bump minimist from 1.2.5 to 1.2.6 in /packages/web3-eth2-beaconchain web3/web3.js#4912)
• 41567df Support prefers-color-scheme: dark (IPC Provider - 4.x System Tests web3/web3.js#4896)
• 61b4b92 fix the regular expression for function `clean` in `utils.js` (setProvider "does not exist on type 'typeof import(..." in typescript. web3/web3.js#4770)
• 77c18d2 chore: use standard 'Promise.allSettled' instead of polyfill (Documentation - Updated the ABI link web3/web3.js#4905)
• 84b2f84 chore(ci): upgrade GH actions to latest versions (Update hexToNumber to check for < Number.MIN_SAFE_INTEGER web3/web3.js#4899)
• 023f548 build(v10.0.0): release
• 62b1566 build(v10.0.0): update CHANGELOG
• fbe7a24 chore: update dependencies (Update README.md - Similar libraries in other languages web3/web3.js#4878)
• 2b98521 docs: replace 'git.io' short links (Add removed property to Log type web3/web3.js#4877) [ci skip]
• 007fa65 chore(ci): add Node v18 to test matrix (Fix confirmation check after transaction getting stuck in a loop in some situations web3/web3.js#4876)
• f6695f0 chore(esm): remove code for Node v12 (Invitation web3/web3.js#4874)
• 59f6192 chore(ci): conditionally skip 'push' event (update getTransactionReceipt return type web3/web3.js#4872)
• b863359 docs: fix 'fgrep' url (process is not defined when importing Web3 in a SvelteKit page. web3/web3.js#4873)
• baaa41a chore(ci): ignore changes to docs files (Mismatched interface web3/web3.js#4871)
• ac81cc5 refactor!: drop support of 'growl' notification (4693/transaction receipt effective gas price 4.x web3/web3.js#4866)
• 3946453 chore(deps)!: upgrade 'minimatch' (Nonce must be 8 bytes by Ethereum spec (#4559) web3/web3.js#4865)
• 592905b refactor!: rename 'bin/mocha' to 'bin/mocha.js' (Doodle web3/web3.js#4863)
• b7b849b refactor!: remove deprecated Runner signature (Fix Build Command (supersedes #4848)  web3/web3.js#4861)
• 0608fa3 chore(site): fix supporters' download (Refactor formatters to JSON schemas and TypeScript band-aid solution web3/web3.js#4859)
• 785aeb1 chore(test): drop AMD/'requirejs' (Polygon chain trades gas price insufficient - 1.7.1 web3/web3.js#4857)
• ed640c4 chore(devDeps): upgrade 'coffee-script' (Replace old xhr2-cookies with local xhr2-cookies-patched deps for 1.x, fix User-Agent header problem  web3/web3.js#4856)

See the full diff

Package name: nyc

The new version differs by 55 commits.

• bebf4d6 chore(release): 15.0.0
• 2931730 chore: Update to final releases of dependencies (Update the Documentation of methods.myMethod.send web3/web3.js#1245)
• d44ff19 chore: Update node-preload and use process-on-spawn (Parity compatibility web3/web3.js#1243)
• 5258e9f feat: Filenames relative to project cwd in coverage reports (unlockaccount spawns many nodejs defunct processes web3/web3.js#1212)
• 6039f29 chore: Unpin test-exclude, update to latest pre-releases (Dependency Error while installing Web3.js web3/web3.js#1240)
• f3c9e6c chore: Temporarily pin test-exclude (Confirmation of transaction each second  web3/web3.js#1239)
• 28ed746 chore: Lazy load modules that are rarely/never needed in test processes. (npm install web3 node-gyp permission denied web3/web3.js#1232)
• 7307626 chore: Remove cp-file module (web3.eth.gasPrice is returning incorrect value web3/web3.js#1230)
• dfd629d fix: Better error handling for main execution, reporting (1.0.0-beta.20 fails when using within serverless framework web3/web3.js#1229)
• 549c953 chore: Update dependencies, pin find-cache-dir (Extends HttpProvider with custom http headers web3/web3.js#1228)
• a1dee03 chore: Update yargs (Adds checksum isAddress() test cases web3/web3.js#1224)
• 8078a79 chore: Fix 404 in README.md. (web3.eth.personal.sign gives error Unhandled rejection Error: Returned error: Method not found web3/web3.js#1220)
• 7a02cb7 chore: Add enterprise language (Pass config object to WebSocketClient web3/web3.js#1217)
• ea94c7f chore: Remove unused functions (web3.js always returns invalid JSON RPC response web3/web3.js#1218)
• 53c66b9 docs: `npm home nyc` goes to github master branch README (web3-core-requestmanager: Use sendAsync when available in sendBatch web3/web3.js#1201)
• cf5e5d3 chore: Update dependencies
• 8411a26 fix: Correct handling of source-maps for pre-instrumented files (sendTransaction/sendSignedTransaction does not return tx hash on error web3/web3.js#1216)
• f890360 docs: Fix URL to default excludes in README.md (fix: make signTransaction return a promise, fixes #1213 web3/web3.js#1214)
• 3726bbb chore: Update to async version of istanbul-lib-source-maps (web3-bzz has es6 depedencies which don't work with old nodejs versions web3/web3.js#1199)
• 0efc6d1 chore: Tweak arguments for async coverage data readers (web3 is undefined in server/lib/lib.js - Web3@1.0.0 -Meteor web3/web3.js#1198)
• cc77e13 chore: Add `use strict` to all except fixtures (Property 'sendRawTransaction, gasPrice,fromWei,toHex' does not exist on type 'Eth' or Web3 in web3 1.0.0-beta.26 web3/web3.js#1197)
• bcbe1df chore: Update dependencies (empty string handling for asciiToHex web3/web3.js#1196)
• 2735ee2 chore: 100% coverage (subscribe(“logs”) don't support address list? web3/web3.js#1195)
• fd40d49 feat: Use @ istanbuljs/schema for yargs setup (Efficient way to get multiple blocks / transactions? web3/web3.js#1194)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-side Request Forgery (SSRF)

[changeset-bot]

⚠️ No Changeset found

Latest commit: 6034a33

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR