[Snyk] Security upgrade swagger-ui-react from 4.12.0 to 4.16.1

[terrytangyuan]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • ui/package.json
  • ui/yarn.lock

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	484/1000 Why? Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) SNYK-JS-BRAINTREESANITIZEURL-3330766	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)

[agilgur5]

Looks like CI UI build is failing due to the dep using some newer JS syntax.
It is being loaded with babel-loader and we are on latest @babel/preset-env (which should be able to interpret this syntax), so not sure why it's failing to load 🤔

Syntax in question:

      return e[r] ?? (e[r] = []), e[r].push(t), e;

?? is newer syntax. but I am also confused by the commas... that might be a syntax error (possibly a minification bug?)? 4.16.1 is an older version...

[agilgur5]

@terrytangyuan is there a reason for closing this? Not sure what your process is for Snyk PRs

[terrytangyuan]

I don't have time to investigate and this is low priority. It's automatically created by Snyk

[agilgur5]

For sure. Why not keep the PR open like a P3 issue until there is a superseding PR?

You might have access to a Snyk dashboard to track from separately though? I don't have access to the Snyk dashboard, so was just keeping track via these PRs since you asked me to fix some of them

[agilgur5]

Attempted to update this, so jotting some notes here and there:

1. swagger-ui-react v5 has no breaking changes, so it is safe to update to. So can close this in favor of chore(deps): bump swagger-ui-react from 4.12.0 to 5.1.3 in /ui #11418 et al.
   • Confirmed that our usage does not require any changes.
   • I'm not sure why dependabot hasn't updated to latest v5.4.2.
   • I'll comment there with the build issues I had when trying to update to v5
2. Latest @types/swagger-ui-react is 4.18.0, so we are already on latest major of the typings.
3. The syntax error from the build that I mentioned above does not occur with latest v5.4.2
   • Not sure if that's because the package was updated or because of the updated build system after build(ui): upgrade to Webpack v5 + upgrade loaders + plugins #11628
   • There are other build errors happening though. Will comment in chore(deps): bump swagger-ui-react from 4.12.0 to 5.1.3 in /ui #11418 about those