[Snyk] Fix for 7 vulnerabilities

[padraigobrien]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • plugins/lighthouse/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-IMMER-1540542	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-JSONPOINTER-1577288	No	Proof of Concept
	644/1000 Why? Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	No	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Authorization Bypass Through User-Controlled Key SNYK-JS-PARSEPATH-2936439	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-PARSEURL-3023021	No	Proof of Concept
	571/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5	Improper Input Validation SNYK-JS-PARSEURL-3024398	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YUP-2420835	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @backstage/catalog-model

The new version differs by 250 commits.

• ddfdcd2 Merge pull request Version Packages backstage/backstage#7991 from backstage/changeset-release/master
• 99bf179 Version Packages
• 70e4b22 Merge pull request move the BehaviorSubject init into the constructor backstage/backstage#8132 from backstage/freben/behavior-init-constructor
• e72b1b8 Merge pull request Bumping testcontainers + dockerode backstage/backstage#8122 from backstage/blam/sec/dockerode
• 30477db Merge pull request chore(deps): bump hosted-git-info from 2.8.8 to 2.8.9 in /microsite backstage/backstage#8139 from backstage/dependabot/npm_and_yarn/microsite/hosted-git-info-2.8.9
• ae381d0 Merge pull request chore(deps): bump postcss from 7.0.35 to 7.0.39 in /microsite backstage/backstage#8138 from backstage/dependabot/npm_and_yarn/microsite/postcss-7.0.39
• 2367854 Merge pull request Catalog fact retriever backstage/backstage#8057 from RoadieHQ/entity-fact-retriever
• 3b06282 chore(deps): bump hosted-git-info from 2.8.8 to 2.8.9 in /microsite
• 684af3d Merge pull request chore(deps): bump set-getter from 0.1.0 to 0.1.1 in /microsite backstage/backstage#8137 from backstage/dependabot/npm_and_yarn/microsite/set-getter-0.1.1
• eaf85fd Merge pull request chore(deps): bump path-parse from 1.0.6 to 1.0.7 in /microsite backstage/backstage#8134 from backstage/dependabot/npm_and_yarn/microsite/path-parse-1.0.7
• 08dc441 chore(deps): bump postcss from 7.0.35 to 7.0.39 in /microsite
• 60f77cc Merge pull request chore(deps): bump color-string from 1.5.4 to 1.6.0 in /microsite backstage/backstage#8135 from backstage/dependabot/npm_and_yarn/microsite/color-string-1.6.0
• 0f65109 Merge pull request chore(deps): bump prismjs from 1.23.0 to 1.25.0 in /microsite backstage/backstage#8136 from backstage/dependabot/npm_and_yarn/microsite/prismjs-1.25.0
• 5ca190c chore(deps): bump set-getter from 0.1.0 to 0.1.1 in /microsite
• 10ebe95 Merge pull request chore(deps): bump url-parse from 1.4.7 to 1.5.3 in /microsite backstage/backstage#8133 from backstage/dependabot/npm_and_yarn/microsite/url-parse-1.5.3
• 4147f45 chore(deps): bump prismjs from 1.23.0 to 1.25.0 in /microsite
• 0b8032b chore(deps): bump color-string from 1.5.4 to 1.6.0 in /microsite
• 475edb5 move the BehaviorSubject init into the constructor
• 6c15c54 chore(deps): bump path-parse from 1.0.6 to 1.0.7 in /microsite
• 69f2946 chore(deps): bump url-parse from 1.4.7 to 1.5.3 in /microsite
• 0ebc659 Merge pull request Adding config prop usePluginSchemas to allow plugins using the pg… backstage/backstage#7822 from bomkamp/add-global-pg-plugin-schema-flag
• 8d81552 Merge pull request chore: fixing bad dependency ref backstage/backstage#8131 from backstage/blam/fixing-changeset-pr
• 0106ec2 Merge pull request [Doc] add missing installation steps for the todo plugin backstage/backstage#8126 from gotson/todo-documentation
• 0f56a64 Merge pull request chore: remove occurrences of the rule of hooks to favour wrapping the components instead backstage/backstage#8129 from backstage/blam/fix-up-use-of-hooks

See the full diff

Package name: @backstage/core

The new version differs by 250 commits.

• ae7b2a2 Merge pull request Version Packages backstage/backstage#5188 from backstage/changeset-release/master
• 51b6cf4 Version Packages
• 8374c8a Merge pull request changesets: fix the foolish markup language backstage/backstage#5250 from backstage/rugvip/fml
• b02bc50 changesets: fix the fml
• c848188 Merge pull request migrate all entity pages to composability api backstage/backstage#4822 from backstage/rugvip/ents
• fa59d33 Merge pull request Replace "ESNext.Promise" with "ES2020.Promise" on tsc lib property backstage/backstage#5003 from MarceloLeite2604/master
• da2281d Merge pull request [DOCS/CLI, DOCKER] Fixes untar not happening under certain conditions backstage/backstage#5088 from ntgussoni/fix/DOCS-remove_add_for_copy
• 5511d99 Merge pull request Gcs url reader backstage/backstage#4954 from RoadieHQ/gcs-url-reader
• fa18888 Fix sidebar docs for GCS integration
• 5136ae0 Update packages/cli/config/tsconfig.json
• faeda51 Merge pull request Dialog component backstage/backstage#5066 from mateusmarquezini/issue_3497_dialog_component
• 597d06e Merge pull request Add OneLogin auth documentation backstage/backstage#5234 from backstage/timbonicus/onelogin-doc
• 79b4ba6 Merge pull request chore(deps): bump ora from 5.3.0 to 5.4.0 backstage/backstage#5217 from backstage/dependabot/npm_and_yarn/ora-5.4.0
• 4c42dc2 Merge pull request fix: Support auth by sending cookies in scaffolder eventstream request backstage/backstage#5208 from erikxiv/fix/scaffolder-eventstream-auth
• c410cae Fix feedback
• 6a9b9d0 Fix some comments
• 18f4301 Fix googleGcs integration test
• d5cb513 Only allow one googleGcs config object
• 5bd7909 Add integration documentation
• e4cdec2 Fix comments on GoogleGcsUrlReader
• 9c4cedf Fix some comments
• b779b5f Add changeset
• 7abb50d Add tests for GCSUrlReader
• eafb4f9 Add GcsUrlReader

See the full diff

Package name: @backstage/plugin-catalog

The new version differs by 250 commits.

• ca2905d Merge pull request Version Packages backstage/backstage#7300 from backstage/changeset-release/master
• f67e8dd Version Packages
• da70190 Merge pull request [TechDocs] Support custom TechDocs Reader Page backstage/backstage#7378 from backstage/emmaindal/custom-techdocs-header
• 5a4597e Reflect breaking change in changeset.
• dcd3e1d update api report and prop on Reader component in EntityPageDocs
• 1f73801 replace entityId with entityRef
• 27ffae8 Merge pull request build(deps-dev): bump @types/express-serve-static-core from 4.17.18 to 4.17.24 backstage/backstage#7388 from backstage/dependabot/npm_and_yarn/types/express-serve-static-core-4.17.24
• 86a43b5 Merge pull request tech-docs: remove bonus copyright footer backstage/backstage#7389 from backstage/rugvip/bonus
• e4fabdc Merge pull request Improve API Reference in Core Component named A to C backstage/backstage#7381 from szubster/core-components-api-reference-a-to-c
• 645f038 tech-docs: remove bonus copyright footer
• 30815de yarn.lock: dedupe and prefer v14 for @ types/node
• e478e37 Merge pull request build(deps-dev): bump @types/swagger-ui-react from 3.35.1 to 3.35.2 backstage/backstage#7386 from backstage/dependabot/npm_and_yarn/types/swagger-ui-react-3.35.2
• 40141e6 Merge pull request build(deps): bump dompurify from 2.3.1 to 2.3.3 backstage/backstage#7387 from backstage/dependabot/npm_and_yarn/dompurify-2.3.3
• c4e77bb Add changeset
• ba71cc2 Review remarks + rebase conflicts
• cbf43cb core-components do not need `@ types/prop-types` dependency anymore
• d975b06 api-report diff fix
• a7caf0a Improve API Reference in Core Component named A to C
• 16b5b3d Clean up API report, export types.
• 1b7700a Merge pull request Add a processing ancestry endpoint to the catalog backstage/backstage#7377 from backstage/mob/ancestry
• 7e6b7a4 Merge pull request Added Badges to Plugin Marketplace backstage/backstage#7385 from awanlin/topic/add-badges-to-plugin-marketplace
• 9200d45 build(deps-dev): bump @ types/express-serve-static-core
• 32a5a8c build(deps): bump dompurify from 2.3.1 to 2.3.3
• 3a060a6 build(deps-dev): bump @ types/swagger-ui-react from 3.35.1 to 3.35.2

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Prototype Pollution
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn