[Snyk] Fix for 8 vulnerabilities #51

sokis · 2023-11-28T14:04:30Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-COLORSTRING-1082939	Yes	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: css-loader

The new version differs by 168 commits.

634ab49 chore(release): 2.0.0
6ade2d0 refactor: remove unused file (Help Test the 1.0 Release laravel-mix/laravel-mix#860)
e7525c9 test: nested url ([Q] How to extract my module laravel-mix/laravel-mix#859)
7259faa test: css hacks (Mix is not cleaning old versioned files laravel-mix/laravel-mix#858)
5e6034c feat: allow to filter import at-rules (Object spread operator does not get transpiled properly. laravel-mix/laravel-mix#857)
5e702e7 feat: allow filtering urls ({{ mix('js/bundle.js') }} prepending "/" to path laravel-mix/laravel-mix#856)
9642aa5 test: css stuff (CSS url() Rewriting with subfolder laravel-mix/laravel-mix#855)
3338656 fix: reduce number of require for url (How to add custom webpack config options? laravel-mix/laravel-mix#854)
533abbe test: issue 636 (Laravel Mix way to use webpack's DefinePlugin laravel-mix/laravel-mix#853)
08c551c refactor: better warning on invalid url resolution (.copy() not working as intended laravel-mix/laravel-mix#852)
b0aa159 test: issue file combined with Mix.combine() does not exist on dev-server while running HMR laravel-mix/laravel-mix#589 (File helper doc laravel-mix/laravel-mix#851)
f599c70 fix: broken unucode characters (Delete please laravel-mix/laravel-mix#850)
1e551f3 test: issue 286 (Generate only mix-manifest.json on specific folder laravel-mix/laravel-mix#849)
419d27b docs: improve readme (Babel fails if the js file destination is not on a child directory laravel-mix/laravel-mix#848)
d94a698 refactor: webpack-default (Hot reloading is not tracking file changes on vscode laravel-mix/laravel-mix#847)
b97d997 feat: schema options
453248f fix: support module resolution in composes (Image url not correct in HMR laravel-mix/laravel-mix#845)
8a6ea10 refactor: postcss plugins (Javascript File Deleted After SCSS Change laravel-mix/laravel-mix#844)
fdcf687 fix: url resolving logic (Watching less also cleans js directory laravel-mix/laravel-mix#843)
889dc7f feat: allow to disable css modules and disable their by default (Jquery and Boostrap previous release configuration issue laravel-mix/laravel-mix#842)
ee2d253 test: importLoaders option (mix.styles() is excluded in emitted output list also watcher ignores mix.styles laravel-mix/laravel-mix#841)
1dad1fb feat: reuse postcss ast from other loaders (i.e `postcss-loader`) (copyDirectory not working in event hook laravel-mix/laravel-mix#840)
fe94ebc test: icss reserved keywords (Win10 the app.js is not created correctly for production when mixing multiple js files laravel-mix/laravel-mix#839)
9eaba66 refactor: migrate on message api for postcss-icss-plugin (Since 0.12.0, Mix generates a strange "mix.js" file - and sourcemaps no longer save at all laravel-mix/laravel-mix#838)

See the full diff

Package name: less

The new version differs by 250 commits.

e4f7551 v3.12.0
371185c v3.12.0-RC.2 (#3540)
d5aa9d1 Fixes Permission Woes: Copying Glitch with Laravel Mix v6.0.6, npm v6.14.10, and Node.js v14.15.4 [webpack-cli] laravel-mix/laravel-mix#3371 Allow conditional evaluation of function args (#3532)
a722237 Remove lib folder from git (#3531)
e0f5c1a Move changelog to root (#3530)
f7bdce7 Duplicate dist files in root for older links (#3529)
0925cf1 Test-data module (#3525)
51fb02b Fixes #3504 / organizes tests (#3523)
efb76ec Restore nuked scripts (?), replace dependencies (#3501) (#3522)
2c5e4dd Lerna refactor / TS compiling w/o bundling (#3521)
a3641e4 Resolve #3398 Add flag to disable sourcemap url annotation (#3517)
e018ba8 fix(HMR not working as expected laravel-mix/laravel-mix#3294): use loadFileSync when loading plugins with syncImport: true (#3506)
95b9007 Update changelog
6238bbc Fixes #3508 (#3509)
8338366 Update README.md
6313bc5 Update changelog
53bf877 Remove tree caching in import manager (#3498)
0f271f3 issue#3481 ignore missing debugInfo (#3482)
3bd995b Additional check to avoid evaluating an expression if it is a comment (#3494)
0715d90 fix: Use make-dir instead of mkdirp (#3490)
2634494 Properly exit calc mode after use (#3493)
096dd22 Convert to auto-changelog (#3477)
842386b Fixes #3469 - Include tslib dependency (#3475)
1adaadb 3.11.0 (#3468)

See the full diff

Package name: node-sass

The new version differs by 90 commits.

3b556c1 7.0.2
c716359 Bump sass-graph@^4.0.1 (How can I make the file to base64 with css? laravel-mix/laravel-mix#3292)
24741b3 docs(readme): fix docpad plugin link
1523330 feat: Drop Node 12
365d357 update https://registry.npm.taobao.org to https://registry.npmmirror.com
1456114 build(deps): bump actions/upload-artifact from 2 to 3
b465b69 chore: bump GitHub Actions to Windows 2019 (Production build yields TS2531: Object is possibly 'null' despite v-if checks laravel-mix/laravel-mix#3254)
e6194b1 build(deps): bump make-fetch-happen from 9.1.0 to 10.0.4
4edf594 build(deps): bump node-gyp from 8.4.1 to 9.0.0
29e2344 build(deps): bump actions/checkout from 2 to 3
85b0d22 build(deps): bump actions/setup-node from 2 to 3
3bb51da Use make-fetch-happen instead of request ([webpack-cli] TypeError: Cannot read property 'webpackConfig' of undefined laravel-mix/laravel-mix#3193)
adc2f8b build(deps): bump true-case-path from 1.0.3 to 2.2.1 (Unexpected output path laravel-mix/laravel-mix#3000)
77d12f0 chore: disable Apline for Node 16/17 builds
308d533 ci: use Python 3 for Node 12
c818907 ci: unpin actions/setup-node to v2
99242d7 7.0.1
77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (Infinite loop in development hot laravel-mix/laravel-mix#3224)
c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (Fixes for new tolerance for chunkHashes laravel-mix/laravel-mix#3209)
918dcb3 Lint fix
0a21792 Set rejectUnauthorized to true by default (ESLint and eslint-webpack-plugin laravel-mix/laravel-mix#3149)
e80d4af chore: Drop EOL Node 15 (The vue example does not work laravel-mix/laravel-mix#3122)
d753397 feat: Add Node 17 support (colors.js corrupted by maintainer - only use <=1.4.0 laravel-mix/laravel-mix#3195)
dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0

See the full diff

Package name: webpack

The new version differs by 250 commits.

610f368 5.0.0
5ce65c1 update examples
bbe1230 Merge pull request #11628 from webpack/bugfix/real-content-hash
75ecff2 5.0.0-rc.6
bfc35d6 Merge pull request #11603 from MayaWolf/master
76e8cbd Merge pull request #11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
36bcfaa Merge pull request #11621 from webpack/bugfix/11619
9130d10 fix called variables with ProvidePlugin
3e42105 Merge pull request #11620 from webpack/bugfix/11617
4709719 skip connections copied to concatenated module
57b493f 5.0.0-rc.5
1658e2f Merge pull request #11618 from webpack/bugfix/11615
a8fb45d fixes crash in SideEffectsFlagPlugin
84b196d emit error instead of crashing when unexpected problem occurs
5573fed Merge pull request #11601 from Hornwitser/improve-suggested-polyfill-config
9b5cce9 Merge pull request #11609 from snitin315/export-types
37c495c export type RuleSetUseItem
39faf34 export type RuleSetUse
e5fd246 export type RuleSetConditionAbsolute
660baad export RuleSetCondition types
13e3ca5 Merge pull request #11602 from webpack/bugfix/shared-runtime-chunk
9c0587e Merge pull request #11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
502d166 Merge pull request #11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Package name: webpack-dev-server

The new version differs by 250 commits.

c9271b9 chore(release): 4.0.0
18bf369 test: fix stability (#3676)
cdcabb2 fix: respect protocol from browser for manual setup (#3675)
1768d6b fix: initial reloading for lazy compilation (#3662)
4f5bab1 docs: improve examples (#3672)
f2d87fb fix: improve https CLI output (#3673)
0277c5e chore: remove redundant console statements (#3671)
16fcdbc docs: add `ipc` example (#3667)
8915fb8 test: add e2e tests for built in routes (#3669)
4d1cbe1 docs: ask `version` information in issue template (#3668)
b6c1881 chore(deps-dev): bump core-js from 3.16.1 to 3.16.2 (#3666)
ffa8cc5 chore(deps-dev): bump supertest from 6.1.5 to 6.1.6 (#3665)
f1fdaa7 chore(release): 4.0.0-rc.1
c4678bc fix: legacy API (#3660)
d8bdd03 test: fix stability (#3661)
22b1414 refactor: remove `killable` (#3657)
75bafbf test: add e2e tests for module federation (#3658)
493ccbd chore(deps): update `ws` (#3652)
ae8c523 test: add e2e test for universal compiler (#3656)
f94b84f chore(deps): update (#3655)
1923132 test: fix cli
2adfd01 test: fix todo (#3653)
6e2cbde fix: proxy logging and allow to pass options without the `target` option (#3651)
c9ccc96 fix: respect infastructureLogging.level for client.logging (#3613)