[Snyk] Fix for 43 vulnerabilities

[Jsn2win]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-CODEMIRROR-1016937	No	Proof of Concept
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-CODEMIRROR-569611	No	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-JQUERY-174006	Yes	Proof of Concept
	701/1000 Why? Mature exploit, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	Yes	Mature
	711/1000 Why? Mature exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-JQUERY-567880	Yes	Mature
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Cross-site Scripting (XSS) SNYK-JS-JQUERYUI-1767167	No	Proof of Concept
	569/1000 Why? Has a fix available, CVSS 7.1	Cross-site Scripting (XSS) SNYK-JS-JQUERYUI-1767175	No	No Known Exploit
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Cross-site Scripting (XSS) SNYK-JS-JQUERYUI-1767767	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) SNYK-JS-JQUERYUI-2946728	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540	No	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-584281	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-NUNJUCKS-1079083	Yes	Proof of Concept
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Cross-site Scripting (XSS) npm:jquery-ui:20160721	No	No Known Exploit
	484/1000 Why? Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) npm:jquery:20150627	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	Proof of Concept
	654/1000 Why? Has a fix available, CVSS 8.8	Cross-site Scripting (XSS) npm:marked:20150520	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Cross-site Scripting (XSS) npm:marked:20170112	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Cross-site Scripting (XSS) npm:marked:20170815	No	No Known Exploit
	454/1000 Why? Has a fix available, CVSS 4.8	Cross-site Scripting (XSS) npm:marked:20170815-1	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:marked:20170907	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:marked:20180225	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:moment:20160126	No	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:moment:20161019	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No	No Known Exploit
	569/1000 Why? Has a fix available, CVSS 7.1	Cross-site Scripting (XSS) npm:nunjucks:20160906	Yes	No Known Exploit
	569/1000 Why? Has a fix available, CVSS 7.1	Cross-site Scripting (XSS) npm:react:20150318	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: modernizr

The new version differs by 250 commits.

• 7da8cdb v3.7.0
• 8f37d1f fix Only include persona js if flag enabled. mozilla/kitsune#1663 - Configuration Options not working ([WIP] Community hub rebase mozilla/kitsune#2413)
• 0b9eaa5 Add auto-changelog for generating a CHANGELOG.md ([bug 1140464] Update django-badger to master tip. mozilla/kitsune#2421)
• c21ecfe Fix IE caniuse conflict for svgasimg (Add CORS to realtime API (plus test). mozilla/kitsune#2397)
• 3ed2d7f Update inputsearchevent.js ([Bug 1141436] Fix visible html tags mozilla/kitsune#2405)
• e8bb349 Adding PublicKeyCredential feature detect for webauthn ([Bug 1136586] Fix validation for users api. mozilla/kitsune#2393)
• 1ef3bc8 Add caniuse "meta" property to es5/specification ([Bug 1120568] Add models, APIs, and sending for realtime notifications. mozilla/kitsune#2390)
• e05f001 Check for property and value support for CSS custom properites (Cache virtual environment on Travis mozilla/kitsune#2387)
• 8960932 Cleanup caniuse tags and other properties ([bug 1134221] Upgrade django-waffle to 0.10.1 mozilla/kitsune#2388)
• 4d10f04 Cleanup some extra whitespace
• bd34db8 Autogenerate info for license file ([Bug 1127834] "Firefox Help" might be "Mozilla Support" (opensearch) mozilla/kitsune#2353)
• c1a3e04 Fix exception in indexedDB check on Safari ([Bug 1112921] Allow SessionAuthentication on APIs. mozilla/kitsune#2336)
• a747f33 Issue 2338 - Cleanup JSdoc (Make Notifications API nicer mozilla/kitsune#2368)
• e14a7ae Adding feature detection for navigator.connection.effectiveType (Caching dependencies for Travis mozilla/kitsune#2381)
• 3a6adb5 Replace defunct caniuse jsonp.php?callback ([bug 1122539] Handle the 0 case mozilla/kitsune#2352)
• 501cc0a Additional WebView check added to fileinput test ([Bug 1132115] Prevent double inserts when using the API to create users. mozilla/kitsune#2367)
• 3072bb9 Fix Modernizr.localizednumber moves head below body (Allow filtering notifications by is_read. mozilla/kitsune#2365)
• d43ead3 option to specify global var name to attach modernizr to [Bug 1132146, 1132145] Add id to notification APIs. mozilla/kitsune#2362 ([Bug 1125536] Convert all rate limiting to a standard helper. mozilla/kitsune#2363)
• 189838a Intersection Observer API ([bug 1128477] Tags API for questions mozilla/kitsune#2360)
• a5f00a6 Move custom ESLint rule to `no-restricted-syntax` ([bug 1085456] Support Forum metrics email report. mozilla/kitsune#2359)
• 92a7f75 Use package.json `files` instead of .npmignore (Update pep8 mozilla/kitsune#2357)
• 04181ce More test around text decoration styling ([Bug 1119886] API: Better taken fields and filtering. mozilla/kitsune#2327)
• e2c27dc Update jsdoc ([Bug 1083434] Send notifications to SimplePush. mozilla/kitsune#2346)
• c2906e9 Fixed csshypens detection on FireFox and Safari. ([Bug 1127633, 1127636] Library upgrades mozilla/kitsune#2345)

See the full diff

Package name: nunjucks

The new version differs by 250 commits.

• fd50090 Release v3.2.3
• d34fdbf Temporarily comment out codecov action
• cefad41 Replace README.md travis badge with github actions
• 7601ff4 Fixup github actions workflow file
• de9dc67 Add GitHub Workflow for tests. fixes [Bug 865378] Add support for multiple Y axises. mozilla/kitsune#1333
• aa9e5b9 Fix prototype pollution security issue. fixes Fix esdelete mozilla/kitsune#1331
• f51afa3 Move chokidar to peerDependencies and make it optional via peerDependenciesMeta (Yak shaving: fix reindex cmd output mozilla/kitsune#1329)
• f91f1c3 Fix `groupby` example formatting
• 7ef121c Add base and default args to int filter
• 0c02062 Use attribute getter for `sort` filter
• c7337e7 Release v3.2.2
• bea3a43 CHANGELOG: Fix issue link
• 8186d4f Don't append extra newline when using |indent filter
• 73a4eb3 Document `with context` behavior for `import` directive (fr)
• eea081c Document `with context` behavior for `import` directive
• bbcbaf3 Fix issue where sync render would not raise errors in included templates
• 63c4baf Remove development files from NPM package. Fixes [bug 815438] Add UI for managing locale users.  mozilla/kitsune#984
• 85918ef Document `if` statement with multiple conditions (fr). refs [bug 862013] Remove progress from AAQ first step mozilla/kitsune#1284
• 7ddd747 Document `if` statement with multiple conditions
• 1e29863 Add support for nested attributes in `groupBy` filter. Fixes fix align for username-rule in AAQ-register mozilla/kitsune#1198
• 7087fa9 Fix precompile bin TypeError: name.replace is not a function
• 1736334 Modify CHANGELOG message for select/reject filters
• 62565a1 Add `reject` filter
• 647fc11 Change version query

See the full diff

Package name: underscore

The new version differs by 250 commits.

• bf5a0ed Merge branch 'template-variable-parameter'
• 7e3d404 Update annotated sources and minified bundles for 1.12.1
• 5343fbc Add version 1.12.1 to the documentation
• 44df929 Bump the version to 1.12.1
• 7e89b79 Un-document the fix for [Bug 1385087] Add firefox download button for non fx user mozilla/kitsune#2911 for the time being
• 4c73526 Fix [Bug 1385087] Add firefox download button for non fx user mozilla/kitsune#2911
• ef646cc Reflect real issue of [Bug 1385087] Add firefox download button for non fx user mozilla/kitsune#2911 in test from Fix Bug 1390180 - Add Links To Footer mozilla/kitsune#2912
• a6159ff Fix indentation in the test from Fix Bug 1390180 - Add Links To Footer mozilla/kitsune#2912
• 798eafa Update the link to the preview release (bugfix)
• 07cc415 Convert all RawGit links to Statically
• db7fb6a Add temporary note about preview release to index.html
• 548fa01 Merge pull request [bug 1357563] Remove checks from Lithium website. mozilla/kitsune#2913 from ognjenjevremovic/test/time-tampering-tests
• 3a5c878 test: Assertion comment updates; `_.throttle` and `_.debounce`.
• 4d5d198 test: 💍 Time tampering tests for _.throttle and _.deobounce
• a4cc7c0 Add a test to confirm we are not vulnerable to CVE-2021-23337 ([Bug 1385087] Add firefox download button for non fx user mozilla/kitsune#2911)
• 745e9b7 Merge pull request [Bug 1095972] Change link in revision ready e-mail - reopened mozilla/kitsune#2896 from anderlaw/master
• af2f919 Correct "Non-numerical values in list will be ignored"
• c9b4b63 Put back test/vendor/qunit.* static files to fix live website tests
• 311b04e Merge pull request [Bug 1383638] Remove en-US locale code from contributor email links - reopened mozilla/kitsune#2892 from kritollm/master
• 6568211 Make a comment render more nicely
• 0b93f06 Fixed a few more details
• 913bcf2 Resolved changes requested.
• 769a494 throttle cleanup
• 03f9781 Reimplementing timer optimization [bug 855618][bug 785851] Rate limiting mozilla/kitsune#1269

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)
🦉 Arbitrary Code Injection
🦉 Cross-site Scripting (XSS)
🦉 More lessons are available in Snyk Learn