[Snyk] Fix for 1 vulnerabilities

[adamlaska]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: delay-cli

The new version differs by 3 commits.

• de2cb32 2.0.0
• 88fd03b Require Node.js 12
• 79c7c38 Move to GitHub Actions ([Snyk] Upgrade node-sass from 4.13.0 to 4.13.1 #5)

See the full diff

Package name: linkinator

The new version differs by 196 commits.

• 2cab633 feat: create new release with notes (New layout nodejs/nodejs.org#508)
• a376199 fix!: stream CSV results (Add weekly update 2016-02-08 nodejs/nodejs.org#507)
• 18d808c chore(deps): update dependency @ types/update-notifier to v6 (In API, reference to non-existent function hash.final() nodejs/nodejs.org#503)
• 0ee27e0 chore(deps): update dependency got to 11.8.5 [security] (fix changelog links for new 0.12 and 0.10 releases nodejs/nodejs.org#505)
• 5ef0e1e build!: drop support for nodejs 12.x (The documentation on streams is not very good. nodejs/nodejs.org#506)
• eeebebd build(deps-dev): bump semantic-release from 19.0.2 to 19.0.3 ($node-green #80bd01 on white background does not pass accessible contrast ratio nodejs/nodejs.org#501)
• da166dd build(deps): bump semver-regex from 3.1.3 to 3.1.4 (fixed anchor links to EventEmitter and http.IncomingMessage docs nodejs/nodejs.org#500)
• 4c63eb8 build(deps): bump npm from 8.3.1 to 8.12.0 (schedule update to security release nodejs/nodejs.org#499)
• 5ca5a46 feat: allow --skip to be defined multiple times (List of Companies Using Node.js nodejs/nodejs.org#399)
• 9c2b5d8 chore(deps): update dependency sinon to v14 (Changed url for PereiraJS (Colombia) meetup nodejs/nodejs.org#398)
• d334dc6 fix(deps): upgrade node-glob to v8 (add december 2015 security release schedule update nodejs/nodejs.org#397)
• ba3b9a8 fix(deps): upgrade to htmlparser2 v8.0.1 (document build.js nodejs/nodejs.org#396)
• 48af50e fix(deps): update dependency gaxios to v5 (Fix events map link color nodejs/nodejs.org#391)
• 78ae8b5 chore(deps): update github/codeql-action action to v2 (fix 'line too long' nitpick nodejs/nodejs.org#393)
• 0b31851 chore(deps): update dependency mocha to v10 (Fix links on events page nodejs/nodejs.org#394)
• e586584 build(deps): bump minimist from 1.2.5 to 1.2.6 (Past events or otherwise problematic events on map nodejs/nodejs.org#387)
• 1cc3a88 docs: Update latest major version specified in SECURITY.md (Make release blog post script compatible with v0.12.x releases nodejs/nodejs.org#380)
• 833fd33 chore(deps): update actions/checkout action to v3 (Update const name to port nodejs/nodejs.org#385)
• 1835248 chore(deps): update actions/setup-node action to v3 (Error in build.js/copystatic() ENOENT: no such file or directory, open '.../nodejs.org/build/static/event-geo.json' nodejs/nodejs.org#383)
• 4a16353 build(deps): bump simple-get from 3.1.0 to 3.1.1 (add v0.12.8 announcement post nodejs/nodejs.org#379)
• 65dfb90 chore(deps): update dependency simple-get to 3.1.1 [security] (Comprehensive Events Page nodejs/nodejs.org#378)
• 96d3ddf chore(deps): update dependency nanoid to 3.1.31 [security] (Investigate issues with greenkeeper bot nodejs/nodejs.org#377)
• ad1e73e build(deps): bump node-fetch from 2.6.1 to 2.6.7 (Add missing fields to the Italian site.json nodejs/nodejs.org#376)
• 9b287c3 chore(deps): update dependency sinon to v13 (Add link to help repo nodejs/nodejs.org#375)

See the full diff

Package name: node-sass

The new version differs by 70 commits.

• c167004 6.0.1
• 911d4db remove mkdirp dep (New Crowdin translations nodejs/nodejs.org#3108)
• 30a52f7 build(deps): bump meow from 3.7.0 to 9.0.0
• 7e08463 build(deps-dev): bump mocha from 8.4.0 to 9.0.1
• cfcbb2c chore: Use default Apline version from docker-node (fix: remark-lint-no-multiple-toplevel-headings nodejs/nodejs.org#3121)
• 886319b chore: Drop Node 10 support
• c908f4f fix: Bump OSX minimum to 10.11
• 8ab02da fix: Remove old compiler gyp settings
• 3d7b9d0 chore: Add Node 16 support
• 4115e9d build(deps): bump actions/setup-node from v2.1.4 to v2.1.5
• 06f3ab4 Update TROUBLESHOOTING.md
• c1cb367 build(deps): bump actions/setup-node from v2.1.3 to v2.1.4
• 769f3a6 build(deps): bump actions/setup-node from v2.1.2 to v2.1.3
• a2a3a78 chore: Bump dependabot limit
• 7105b0a 5.0.0 (build: this is an empty commit to try and get build working nodejs/nodejs.org#3015)
• 0648b5a chore: Add Node 15 support (Update Docker example to use most recent LTS nodejs/nodejs.org#2983)
• e2391c2 Add a deprecation message to the readme (releases.md nodejs/nodejs.org#3011)
• 6a33e53 chore: Don't upload artifacts on PRs
• d763506 chore: Only run coverage on main repo
• d4ebe72 build(deps): update actions/setup-node requirement to v2.1.2
• 2bebe05 build(deps-dev): bump rimraf from 2.7.1 to 3.0.2
• f877689 chore: Don't double build DependaBot PRs
• b48fac4 chore: Add weekly DependaBot updates
• 91c40a0 Remove deprecated process.sass API

See the full diff

Package name: semver

The new version differs by 140 commits.

• e7b78de chore: release 7.5.2
• 58c791f fix: diff when detecting major change from prerelease (Can't make v5.8.0 release post nodejs/nodejs.org#566)
• 5c8efbc fix: preserve build in raw after inc (Update versions nodejs/nodejs.org#565)
• 717534e fix: better handling of whitespace (add ppc binaries to download-matrix nodejs/nodejs.org#564)
• 2f738e9 chore: bump @ npmcli/template-oss from 4.14.1 to 4.15.1 (Layout breaking for Resources page on Firefox  nodejs/nodejs.org#558)
• aa016a6 chore: release 7.5.1
• d30d25a fix: show type on invalid semver error (Nightly downloads added - Issue #510 nodejs/nodejs.org#559)
• 09c69e2 chore: bump @ npmcli/template-oss from 4.13.0 to 4.14.1 (release-post: update 4.3.2 release post nodejs/nodejs.org#555)
• 5b02ad7 chore: release 7.5.0
• e219bb4 fix: throw on bad version with correct error message (Propose adding WCAG validation to build process nodejs/nodejs.org#552)
• 503a4e5 feat: allow identifierBase to be false (Use SVG logos on the download page nodejs/nodejs.org#548)
• fc2f3df fix: incorrect results from diff sometimes with prerelease versions (Evangelism: Weekly Update for March 1 ~ nodejs/nodejs.org#546)
• 2781767 fix: avoid re-instantiating SemVer during diff compare (openssl march impact assessment nodejs/nodejs.org#547)
• 82aa7f6 chore: release 7.4.0
• 731d896 chore: enable CD (Add weekly update 2016-03-01 nodejs/nodejs.org#545)
• 940723d fix: intersects with v0.0.0 and v0.0.0-0 (comment gitignore and add commonly ignored stuff nodejs/nodejs.org#538)
• aa516b5 fix: faster parse options (Adding Ashley Williams and Feross Aboukhadijeh to Board Page nodejs/nodejs.org#535)
• 61e6ea1 fix: faster cache key factory for range (update node-green to pass WCAG AA nodejs/nodejs.org#536)
• f8b8b61 fix: optimistic parse (Mention what version of npm node ships with on downloads page/release notes nodejs/nodejs.org#541)
• 796cbe2 fix: semver.diff prerelease to release recognition (Add new logos for en/about/resources nodejs/nodejs.org#533)
• 3f222b1 fix: reuse comparators on subset (Update readme with required version too build nodejs/nodejs.org#537)
• 113f513 feat: identifierBase parameter for .inc (blog: fix date formatting for express announcement nodejs/nodejs.org#532)
• ea689bc chore: basic type test for RELEASE_TYPES
• c5d29df docs: Add "Constants" section to README

See the full diff

Package name: standard

The new version differs by 83 commits.

• 866a666 package metadata
• 34a39d2 update authors
• 5a63a03 15.0.0
• 36cbcd8 changelog
• ab0e7a5 update deps
• 3d0ea44 eslint-config-standard-jsx 9.0.0
• 8c0513a eslint-config-standard 15.0.0
• c8c255c changelog
• 1af9b8a use "Indonesian" since it's the language name
• c0fd567 remove sponsor link
• b926ce2 remove spammy standard user link
• 1cc9df7 changelog
• 8e06e4f hallmark 3
• e4c002a bump deps
• 8bdade1 Merge pull request Latest blog post is not showing up nodejs/nodejs.org#1516 from pikadun/patch-1
• 0c27f99 Merge pull request update dependency 'marked' from 0.3.6 to 0.3.9 nodejs/nodejs.org#1544 from yoga1234/master
• 59b03fb Merge pull request Node.js logo very tiny on MS Edge (Windows 10) nodejs/nodejs.org#1461 from munierujp/update_japanese_docs
• fd72454 Merge pull request fs.chmod documentation 8.x & 9.x : The value of "mode" is not an "integer" nodejs/nodejs.org#1545 from logustra/add-jublia-to-users
• 1de7656 Merge pull request doc: provide info on impact of recent vulns nodejs/nodejs.org#1547 from kidonng/patch-1
• 6558034 add 14.3.4 changelog
• e1fa03e Update eslint to 7.11.0
• 4a0e8b0 changelog
• 4a84e61 remove weird whitespace
• 523f004 Merge pull request Npm run server blocked  nodejs/nodejs.org#1519 from standard/eslint7

See the full diff

Package name: stylelint

The new version differs by 250 commits.

• 1b75f38 13.8.0
• c84362f Prepare 13.8.0
• 00c7d73 Update deps (build(deps-dev): bump node-fetch from 2.6.7 to 2.6.9 nodejs/nodejs.org#5041)
• a1c8225 Bump jest from 26.6.1 to 26.6.3 (Blog: v19.6.0 release post nodejs/nodejs.org#5036)
• da381ee Fix `disableRanges.test.js` that uses callbacks (feat(infra): migrate to Next.js infrastructure nodejs/nodejs.org#4991)
• 2db70e9 Fix `isStandardSyntaxTypeSelector.test.js` that use callbacks (build(deps-dev): bump stylelint from 14.16.0 to 14.16.1 nodejs/nodejs.org#4990)
• bb19b6c Update CHANGELOG.md
• c36b8d0 Add selector-attribute-name-disallowed-list (code typo fix nodejs/nodejs.org#4992)
• d42f8da Update CHANGELOG.md
• 1e6f944 Fix false negatives for dollar variables in *-notation (chore(github issue): fit with nodejs.dev nodejs/nodejs.org#5031)
• d347a29 Bump jest-circus from 26.6.1 to 26.6.3 (ui: add padding to nav bar nodejs/nodejs.org#5034)
• 4695069 Bump file-entry-cache from 5.0.1 to 6.0.0 (Blog: v18.14.0 release post nodejs/nodejs.org#5038)
• bd207fa Bump np from 6.5.0 to 7.0.0 (Blog: v18.14.0 release post nodejs/nodejs.org#5037)
• 467c4f9 Bump meow from 7.1.1 to 8.0.0 (Please, add the karakalpak language to your website nodejs/nodejs.org#5015)
• 4f0225a Bump v8-compile-cache from 2.1.1 to 2.2.0 (Windows download incorrectly selects 32bit on 64bit machine nodejs/nodejs.org#5028)
• 42f6c73 Bump eslint from 7.12.1 to 7.13.0 (build(deps-dev): bump nock from 13.2.9 to 13.3.0 nodejs/nodejs.org#5029)
• f0b5aa8 refactor documentation config (fix: windows download incorrectly selects 32bit on 64bit machine nodejs/nodejs.org#5025)
• 5a84657 Update CHANGELOG.md
• 785b59d Add ignoreAtRules to property-no-unknown (build(deps-dev): bump prettier from 2.8.0 to 2.8.1 nodejs/nodejs.org#4965)
• 60eb7b6 Bump eslint from 7.11.0 to 7.12.1 (build(deps-dev): bump eslint from 8.31.0 to 8.32.0 nodejs/nodejs.org#5017)
• e2ea569 Bump typescript from 4.0.3 to 4.0.5 (build(deps-dev): bump eslint-plugin-import from 2.26.0 to 2.27.4 nodejs/nodejs.org#5016)
• 078e9a6 Bump lint-staged from 10.4.0 to 10.5.1 (Please, add the karakalpak language to your website nodejs/nodejs.org#5014)
• d7db502 Bump remark-cli from 8.0.1 to 9.0.0 (New Crowdin updates nodejs/nodejs.org#4996)
• 2cddb6e Bump jest-circus from 26.5.3 to 26.6.1 (404 error for all knowlege pages nodejs/nodejs.org#5009)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
Network access	gaxios	5.1.0	Module: https Location: build/src/gaxios.js	package.json via linkinator@4.1.3
Network access	linkinator	4.1.3	Module: http Location: build/src/server.js	package.json

Next steps

What is network access?

This module accesses the network.

Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore gaxios@5.1.0
• @SocketSecurity ignore linkinator@4.1.3

[socket-security]

New and updated dependency changes detected. Learn more about Socket for GitHub ↗︎

Packages		Version	New capabilities	Transitives1	Size	Publisher
delay-cli	⬆️	1.1.0...2.0.0	None	+17/-1	277 kB	sindresorhus
node-sass	⬆️	4.14.1...6.0.1	None	+13/-29	4.45 MB	xzyfer
standard	⬆️	14.3.4...15.0.1	None	+25/-32	6.94 MB	feross
linkinator	⬆️	1.8.2...4.1.3	eval, environment	+35/-91	3.83 MB	justinbeckwith

Footnotes

1. https://docs.socket.dev ↩