[Snyk] Fix for 11 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/@vue/cli-service/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-NODEFORGE-2330875	Yes	Proof of Concept
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-NODEFORGE-2331908	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430337	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430339	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430341	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-NTHCHECK-1586032	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: copy-webpack-plugin

The new version differs by 31 commits.

• 64e60c2 chore(release): 6.0.0
• dd9ce50 test: coverage
• 29254e3 feat: implement the `directory` option for the `cacheTransform` option
• bebafcf refactor: code
• e3803ce feat: implement the `noErrorOnMissing` option (背景图引入svg文件 报错 vuejs/vue-cli#475)
• 8e5bc1b chore(deps): update (Vue Build Stylus and Pug Missing Module vuejs/vue-cli#474)
• 6b85c86 docs: improve (Vue 1.x message shows on pwa template vuejs/vue-cli#473)
• 3ef3f25 refactor: drop test option in favor transformPath (How to use the "setup" vuejs/vue-cli#472)
• 045f629 refactor: code (Module build failed: TypeError: this._init is not a function vuejs/vue-cli#471)
• 20c9ae5 docs: import documentation for the `from` option ('npm install -g vue-cli' error vuejs/vue-cli#468)
• bfb4f0e docs: improve the description for the `toType` option (vue-cli · Failed to download repo vuejs/vue-cli#467)
• c0c9fa7 test: transform && transformPath (How do you implement this process processing function? vuejs/vue-cli#470)
• 197b0d8 fix: asset size
• c176d7d feat: concurrency option ( i cant npm run dev successful after vue-cli init vuejs/vue-cli#466)
• e5e410a refactor: code (Using a .vue file to generate an Html and CSS file with an input model vuejs/vue-cli#465)
• 0be6470 refactor: remove the `ignore` option in favor globOptions.ignore (css image 'absolute' urls cannot be loaded vuejs/vue-cli#463)
• 6b07a63 refactor: code
• 42194f3 refactor: code (Unexpected token: operator (>) from UglifyJs vuejs/vue-cli#459)
• 1e2f3a1 test: refactor (Webpack and HTTP2 vuejs/vue-cli#458)
• a728675 chore: update globby
• 64b2e1a refactor: remove the global `context` option (Fix node 4 compatibility. vuejs/vue-cli#453)
• f6da280 refactor: rename the `cache` option to `cacheTransform` (automate prompts vuejs/vue-cli#452)
• aedd2bd refactor: plugin options (Windows 10.1 "vue init webpack vuejs" command error vuejs/vue-cli#451)
• 383ff9d refactor: 'from' option (clean cached template in downloadandgenerate vuejs/vue-cli#450)

See the full diff

Package name: globby

The new version differs by 12 commits.

• 878ef6e 10.0.0
• 3706920 Upgrade `fast-glob` package to v3 ([Snyk] Security upgrade mocha from 6.2.3 to 10.1.0 #126)
• 8aadde8 Add `globby.stream` ([Snyk] Security upgrade @vue/cli-service from 4.5.17 to 5.0.1 #113)
• 2dd76d2 Remove `**/bower_components/**` as a default ignore pattern
• 9f781ce Require Node.js 8
• 04d51bf Upgrade `ignore` package ([Snyk] Fix for 11 vulnerabilities #120)
• 2b61484 Readme tweaks
• ff3e1f9 Tidelift tasks
• 31f18ae Create funding.yml
• 33ca01c Fix using the `gitignore` and `stats` options together ([Snyk] Fix for 2 vulnerabilities #121)
• c737820 Minor TypeScript definition improvements
• 82db101 Add Node.js 12 to testing ([Snyk] Security upgrade @vue/cli-ui from 4.5.19 to 5.0.7 #117)

See the full diff

Package name: html-webpack-plugin

The new version differs by 250 commits.

• 873d75b chore(release): 5.5.0
• ddeb774 chore: update examples
• 1e42625 feat: Support type=module via scriptLoading option
• 7d3645b Bump pretty-error to 4.0.0 to fix transitive vuln for ansi-regex CVE-2021-3807
• 79be779 [chore] changes actions to run on pull_requests
• b7e5859 [chore] fixes CI to avoid race conditions
• 48131d3 chore(release): 5.4.0
• 16a841a [chore] rebuild examples
• 3bb7c17 Update index.js
• e38ac97 Update index.js
• f08bd02 [chore] updates fixtures
• d62a10f [chore] upgrades html-minifier-terser@5.0.0 -> 6.0.2
• 2f5de7a Remove archived plugin
• 8f8f7c5 chore(release): 5.3.2
• 053c6e6 chore: update snapshot tests for webpack 5.4.0
• 9c7fba0 Fix security vulnerabilities
• b98fbeb Fix security vulnerabilities
• 25cdfc7 Added inject-body-webpack-plugin to readme
• 0e4c1fb Update README to document actual behavior
• 0a6568d chore(release): 5.3.1
• 82d0ee8 fix: remove loader-utils from plugin core
• 6f39192 chore(release): 5.3.0
• d654f5b feat: allow to modify the interpolation options in webpack config
• 41d7a50 feat: drop loader-utils dependency

See the full diff

Package name: webpack-bundle-analyzer

The new version differs by 20 commits.

• ee6c7a9 Merge pull request Vue packages version mismatch vuejs/vue-cli#389 from webpack-contrib/support-webpack-5
• 8d1a752 Update version
• 37ab03e Fix typo
• 2153401 Add `--watch-ignore` flag to `test-dev` npm script
• 35b62db Add `private: true` flag to `package.json` files in `test/webpack-versions`
• ef36924 Add changelog entry
• f819548 Update version
• d8f2dd7 Fix lint issues
• d32cbdb Add changelog for v4.0.0
• 3094dbc Update dependencies
• b85ba7d Add tests for Webpack 5
• c35bda3 Properly parse Webpack 5 entry modules
• 7bbe89f Properly parse Webpack 5 bundle format (except concatenated entry module)
• b34b249 Update package-lock.json
• abc298a Remove Node.js 6 and 8 from .travis.yml
• a81b7b8 - Support multiple Webpack versions in tests
• 591adf1 Add more ignores to .npm-upgrade.json
• d5698f4 Update dependencies
• e4a8974 Merge pull request Escaping for package.json vuejs/vue-cli#382 from wbobeirne/fix-opener-error
• b0f717b Catch uncaught opener errors

See the full diff

Package name: webpack-dev-server

The new version differs by 250 commits.

• 5280ee7 docs: fix typo
• d834582 chore(release): 4.7.3
• 7b8c85b chore(deps): update `selfsigned` (linux vue-cli-service build 命令 segmentation fault vuejs/vue-cli#4170)
• d598325 chore: fix lint
• c1907f1 refactor: remove redundant `if` statements (<div id="app"> is in App.vue and index.html vuejs/vue-cli#4158)
• e535f25 ci: debug (更新@vue/cli-service到3.8.3后，热重载network显示unavailable vuejs/vue-cli#4144)
• 75999bb chore(release): 4.7.2
• 90a96f7 ci: fix (type error; sercet => secret vuejs/vue-cli#4143)
• f6bc644 fix: compatible with `onAfterSetupMiddleware`
• 317e4b9 docs: fix testing instructions (Really need a way to minimize/alter build output information vuejs/vue-cli#4133)
• ff4550e test: remove redundant test cases related to 3rd party code (vue cli3 创建的项目在IE11中运行，出现白屏，通过console调试发现报错SCRIPT1003: 缺少 ':'文件: app.js，行: 7391，列: 3 vuejs/vue-cli#4131)
• 0dd1ee6 test: add e2e tests for `setupExitSignals` option (Starting type checking service... Using 1 worker with 2048MB memory limit vuejs/vue-cli#4130)
• afe4975 chore(release): 4.1.7
• 4e5d8ea fix: droped `url` package (How to eject vuejs/vue-cli#4132)
• b0c98f0 chore(release): 4.7.0
• 3138213 chore(deps): update (Property 'observable' does not exist on type 'SymbolConstructor'. vuejs/vue-cli#4127)
• 8f02c3f feat: added types
• f4fb15f fix: update description of `onAfterSetupMiddleware` and `onBeforeSetupMiddleware` options (npm run serve的时候可以正常访问但是编译时，会出现红字 Replace Autoprefixer browsers option to Browserslist config. Use browserslist key in package.json or .browserslistrc file. Using browsers option cause some error. Browserslist config can be used for Babel, Autoprefixer, postcss-normalize and other tools. If you really need to use option, rename it to overrideBrowserslist. Learn more at: https://github.com/browserslist/browserslist#readme https://twitter.com/browserslist vuejs/vue-cli#4126)
• 37b73d5 test: add e2e test for `WEBPACK_SERVE` env variable ([WSL] Error: spawn cmd.exe ENOENT vuejs/vue-cli#4125)
• f5a9d05 chore(deps-dev): bump eslint from 8.4.1 to 8.5.0 (Travis ci build failure due to @vue/babel-preset-app/index.js provided an invalid property of "default"  vuejs/vue-cli#4121)
• c9b959f chore(deps): bump ws from 8.3.0 to 8.4.0 (CSS minification doesn't works if CSS filename pattern contains query string vuejs/vue-cli#4124)
• 42208aa chore(deps-dev): bump lint-staged from 12.1.2 to 12.1.3 (Travis ci build failure due to @vue/babel-preset-app/index.js provided an invalid property of "default"  vuejs/vue-cli#4122)
• f440f84 chore(deps): bump express from 4.17.1 to 4.17.2 (Move core plugins docs to documentation website vuejs/vue-cli#4120)
• c13aa56 feat: added the `setupMiddlewares` option (To -- target lib model generated when a lot of small files vuejs/vue-cli#4068)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Arbitrary Code Injection
🦉 Remote Code Execution (RCE)
🦉 More lessons are available in Snyk Learn