[Snyk] Security upgrade copy-webpack-plugin from 6.4.1 to 9.0.1

[dotam99]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	698/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.1	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-6147607	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: copy-webpack-plugin

The new version differs by 29 commits.

• 797a006 chore(release): update `serialize-javascript`
• f233c55 chore(deps): serialize-javascript and deps updated (Delete CONTRIBUTING.md github/docs#613)
• 966d723 chore(deps): update (A quick experiment to get allow React components in Markdown pages and throughout the site github/docs#610)
• 2abdddf chore: fix typo (Update README.md github/docs#609)
• d041d85 chore(release): 9.0.0
• beff64e refactor: nodejs v10 dropped (repo sync github/docs#606)
• 3a1139e docs: fix unintended cyrillics in README.md (repo sync github/docs#604)
• 8857968 chore(release): 8.1.1
• d8fa32a fix: `stage` for processing assets (repo sync github/docs#600) (PUpdate about-github-packages.md github/docs#601)
• a571f07 chore(release): 8.1.0
• 82b10e3 chore(deps): update (#598)
• a8ace71 docs: update (repo sync github/docs#597)
• dde71f0 feat: added the `transformAll` option (#596)
• 4ca7f80 docs: fix broken link to #globoptions (Film Castin github/docs#595)
• 01fa91b docs: fix typo
• 1787d2d chore(release): 8.0.0
• 83601dc refactor: code (repo sync github/docs#593)
• 9e12a33 refactor: code (Update README.md github/docs#592)
• d68a8eb chore(deps): update (Update README.md github/docs#591)
• ea610bc feat: added `priority` option (Actions: Workflow dispatch API does not accept SHA commit hash as ref github/docs#590)
• a9b06a6 docs(readme): add example to skip minimizing source files (repo sync github/docs#588)
• f2c1bc8 refactor: template strings in `to` option (Update about-pull-requests.md github/docs#589)
• 8d5ab9a chore: updated deps (added Git Handbook link to further reading section github/docs#587)
• f5e661b test: issue 496 (repo sync github/docs#586)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)

[guardrails]

⚠️ We detected 98 security issues in this pull request:

Mode: paranoid | Total findings: 98 | Considered vulnerability: 98

Insecure Access Control (6)

Severity	Details	Docs
Medium	Title: Tainted input passed to an open redirect (express) docs/middleware/redirects/external.js Line 6 in 662df1b return res.redirect(301, externalSites[req.path])	📚
Medium	Title: Tainted input passed to an open redirect (express) docs/middleware/redirects/handle-redirects.js Line 50 in 662df1b return res.redirect(301, redirect)	📚
Medium	Title: Tainted input passed to an open redirect (express) docs/middleware/contextualizers/enterprise-release-notes.js Line 94 in 662df1b return res.redirect(`https://enterprise.github.com/releases/${requestedVersion}.0/notes`)	📚
Medium	Title: Tainted input passed to an open redirect (express) docs/middleware/archived-enterprise-versions.js Line 24 in 662df1b return res.redirect(301, req.baseUrl + req.path.replace(/^\/en/, ''))	📚
Medium	Title: Tainted input passed to an open redirect (express) docs/middleware/archived-enterprise-versions.js Line 33 in 662df1b return res.redirect(301, redirect)	📚
Medium	Title: Tainted input passed to an open redirect (express) docs/middleware/redirects/language-code-redirects.js Line 15 in 662df1b return res.redirect(301, req.path.replace(redirectPattern, `/${language.code}`))	📚

More info on how to fix Insecure Access Control in JavaScript.

---

Insecure File Management (11)

Severity	Details	Docs
High	Title: Path Traversal from user input docs/middleware/contextualizers/rest.js Line 14 in 662df1b '/developers/apps'	📚
High	Title: Path Traversal from user input docs/lib/rewrite-local-links.js Line 40 in 662df1b newHref = path.join('/', languageCode, href)	📚
High	Title: Path Traversal from user input docs/lib/rewrite-local-links.js Line 47 in 662df1b newHref = path.join('/', languageCode, href)	📚
High	Title: Path Traversal from user input docs/middleware/early-access-breadcrumbs.js Line 63 in 662df1b const mapTopicOrArticlePath = path.posix.join(categoryPath, pathParts[2])	📚
High	Title: Path Traversal from user input docs/middleware/early-access-breadcrumbs.js Line 50 in 662df1b const categoryPath = removeFPTFromPath(path.posix.join('/', 'en', req.context.currentVersion, 'early-access', pathParts[0], pathParts[1]))	📚
High	Title: Path Traversal from user input docs/middleware/breadcrumbs.js Line 35 in 662df1b title: product.title	📚
High	Title: Path Traversal from user input docs/middleware/breadcrumbs.js Line 49 in 662df1b const categoryPath = removeFPTFromPath(path.posix.join('/', req.context.currentLanguage, req.context.currentVersion, productPath, pathParts[1]))	📚
High	Title: Path Traversal from user input docs/middleware/breadcrumbs.js Line 21 in 662df1b const productPath = path.posix.join('/', req.context.currentProduct)	📚
High	Title: Path Traversal from user input docs/middleware/breadcrumbs.js Line 34 in 662df1b href: removeFPTFromPath(path.posix.join('/', req.context.currentLanguage, req.context.currentVersion, productPath)),	📚
High	Title: Path Traversal from user input docs/middleware/archived-enterprise-versions-assets.js Line 22 in 662df1b const proxyPath = path.join('/', requestedVersion, assetPath)	📚
High	Title: Path Traversal from user input docs/lib/get-link-data.js Line 37 in 662df1b const href = removeFPTFromPath(path.join('/', context.currentLanguage, version, linkPath))	📚

More info on how to fix Insecure File Management in JavaScript.

---

Insecure Processing of Data (6)

Severity	Details	Docs
High	Title: Insecure Deserialization (js-yaml) docs/tests/unit/actions-workflows.js Line 11 in 662df1b const data = yaml.load(fs.readFileSync(fullpath, 'utf8'), { fullpath })	📚
High	Title: Insecure Deserialization (js-yaml) docs/tests/helpers/crowdin-config.js Line 7 in 662df1b return yaml.load(fs.readFileSync(filename, 'utf8'), { filename })	📚
Medium	Title: Tainted input passed to Express response docs/middleware/dev-toc.js Line 8 in 662df1b return res.send(await liquid.parseAndRender(layouts['dev-toc'], req.context))	📚
Medium	Title: Tainted input passed to Express response docs/middleware/loaderio-verification.js Line 5 in 662df1b return res.send(req.path.replace(/\//g, ''))	📚
Medium	Title: Tainted input passed to Express response docs/middleware/enterprise-server-releases.js Line 12 in 662df1b return res.send(await liquid.parseAndRender(layouts['enterprise-server-releases'], req.context))	📚
Medium	Title: Tainted input passed to Express response docs/middleware/render-page.js Line 144 in 662df1b res.send(addCsrf(req, output))	📚

More info on how to fix Insecure Processing of Data in JavaScript.

---

Insecure Use of Language/Framework API (42)

Severity	Details	Docs
Medium	Title: User Controlled Method Invocation docs/script/graphql/utils/remove-hidden-schema-members.rb Line 99 in 662df1b schema.send(:own_orphan_types).clear	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/tests/content/lint-files.js Line 203 in 662df1b const changedFilesRelPaths = execSync('git diff --name-only origin/main | egrep "^translations/.*/.+.(yml|md)$"', { maxBuffer: 1024 * 1024 * 100 }).toString().split('\n')	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/update-crowdin-issue.js Line 26 in 662df1b const fixable = execSync(`cat ${fixableErrorsLog} | egrep "^translations/.*/(.+.md|.+.yml)$" | sed -e 's/^/- [ ] /' | uniq`).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/update-crowdin-issue.js Line 29 in 662df1b const filesToAdd = execSync(`cat ${parsingErrorsLog} ${renderingErrorsLog} | egrep "^translations/.*/(.+.md|.+.yml)$" | sed -e 's/^/- [ ] /' | uniq`).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/update-crowdin-issue.js Line 32 in 662df1b const allErrors = execSync('cat ~/docs-*').toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/reset-translated-file.js Line 56 in 662df1b execSync(`git checkout main -- ${relativePath}`, { stdio: 'pipe' })	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/rest/update-files.js Line 48 in 662df1b const githubBranch = execSync('git rev-parse --abbrev-ref HEAD', { cwd: githubRepoDir }).toString().trim()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/rest/update-files.js Line 53 in 662df1b execSync('git pull', { cwd: githubRepoDir })	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/rest/update-files.js Line 62 in 662df1b execSync(`${path.join(githubRepoDir, 'bin/openapi')} bundle -o ${tempDocsDir} --include_unpublished`, { stdio: 'inherit' })	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/rest/update-files.js Line 69 in 662df1b execSync(`find ${tempDocsDir} -type f -name "*deref.json" -exec mv '{}' ${dereferencedPath} ';'`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/reconcile-filenames-with-ids.js Line 62 in 662df1b const gitStatusOfFile = execSync(`git status --porcelain ${oldContentPath}`).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/reconcile-filenames-with-ids.js Line 66 in 662df1b execSync(`mv ${oldContentPath} ${newContentPath}`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/reconcile-filenames-with-ids.js Line 68 in 662df1b execSync(`git mv ${oldContentPath} ${newContentPath}`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/reset-known-broken-translation-files.js Line 44 in 662df1b await exec(`script/reset-translated-file.js --prefer-main ${file}`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/prevent-pushes-to-main.js Line 13 in 662df1b const currentBranch = execSync('git symbolic-ref --short HEAD', { encoding: 'utf8' }).trim()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/prevent-translation-commits.js Line 20 in 662df1b const filenames = execSync('git diff --cached --name-only').toString().trim().split('\n')	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/purge-fastly-by-url.js Line 74 in 662df1b const result = execSync(`${purgeCommand} ${localizedUrl}`).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/purge-fastly-by-url.js Line 78 in 662df1b const secondResult = execSync(`${purgeCommand} ${localizedUrl}`).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/lint-translation-files.js Line 16 in 662df1b execSync(`TEST_TRANSLATION=true npx jest content/lint-files > ${parsingErrorsLog}`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/lint-translation-files.js Line 19 in 662df1b execSync(`script/test-render-translation.js > ${renderErrorsLog}`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/lint-translation-files.js Line 22 in 662df1b execSync(`cat ${parsingErrorsLog} ${renderErrorsLog} | egrep "^translations/.*/(.+.md|.+.yml)$" | uniq | xargs -L1 script/reset-translated-file.js --prefer-main`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/move-category-to-product.js Line 51 in 662df1b execSync(`mkdir ${productDir}`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/move-category-to-product.js Line 56 in 662df1b execSync(`git mv ${oldCategoryDir} ${productDir}`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/helpers/find-unused-assets.js Line 89 in 662df1b const grepResults = execSync(grepCmd).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/fix-translation-errors.js Line 50 in 662df1b const changedFilesRelPaths = execSync(cmd).toString().split('\n')	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/get-new-dotcom-path.js Line 39 in 662df1b const newPath = execSync(`find ${newDotcomDir} -name ${filename}`).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/graphql/update-files.js Line 29 in 662df1b execSync('gem which graphql')	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/graphql/update-files.js Line 123 in 662df1b execSync('npx prettier -w "**/*.{yml,yaml}"')	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/graphql/update-files.js Line 205 in 662df1b const remoteClean = execSync(`${removeHiddenMembersScript} ${tempSchemaFilePath}`).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/enterprise-server-deprecations/archive-version.js Line 110 in 662df1b execSync('npm run build', { stdio: 'inherit' })	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/early-access/clone-for-build.js Line 36 in 662df1b currentBranch = execSync('git branch --show-current').toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/early-access/clone-for-build.js Line 74 in 662df1b let branchExists = execSync(`git ls-remote --heads ${earlyAccessFullRepo} ${earlyAccessBranch}`).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/early-access/clone-for-build.js Line 82 in 662df1b branchExists = execSync(`git ls-remote --heads ${earlyAccessFullRepo} ${earlyAccessBranch}`).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/early-access/clone-for-build.js Line 100 in 662df1b cwd: earlyAccessCloningParentDir	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/anonymize-branch.js Line 27 in 662df1b exec(`git reset $(git merge-base ${base} HEAD)`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/anonymize-branch.js Line 28 in 662df1b exec('git add -A')	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/anonymize-branch.js Line 29 in 662df1b exec(`git commit -m "${message}"`)	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/lib/liquid-tags/octicon.js Line 34 in 662df1b while ((optionsMatch = OptionsSyntax.exec(match.groups.options))) {	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/.github/actions-scripts/openapi-schema-branch.js Line 31 in 662df1b const changedFiles = execSync('git diff --name-only HEAD').toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/test-render-translation.js Line 36 in 662df1b const changedFilesRelPaths = execSync('git diff --name-only origin/main | egrep "^translations/.*/.+.md$"', { maxBuffer: 1024 * 1024 * 100 })	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/script/content-migrations/remove-unused-assets.js Line 137 in 662df1b const grepResults = execSync(grepCmd).toString()	📚
High	Title: Child process (child_process) methods accept untrusted data to execute docs/lib/liquid-tags/link.js Line 61 in 662df1b const match = liquidVariableSyntax.exec(this.param)	📚

More info on how to fix Insecure Use of Language/Framework API in Ruby and JavaScript.

---

Insecure Use of Regular Expressions (1)

Severity	Details	Docs
Medium	Title: Tainted input passed to Regular Expression docs/middleware/find-page.js Line 8 in 662df1b const englishPath = req.path.replace(new RegExp(`^/${req.language}`), '/en')	📚

More info on how to fix Insecure Use of Regular Expressions in JavaScript.

---

Vulnerable Libraries (32)

Severity	Details
N/A	pkg:npm/[email protected] upgrade to: 11.8.5,12.1.0
High	pkg:npm/[email protected] upgrade to: > 5.0.0
Medium	pkg:npm/[email protected] upgrade to: > 4.6.0
High	pkg:npm/[email protected] upgrade to: 6.5.3,6.3.3,6.2.4,6.8.3,6.7.3,6.6.1,6.4.1,4.17.3,6.10.3,6.9.7
High	pkg:npm/[email protected] upgrade to: > 1.7.4
High	pkg:npm/[email protected] upgrade to: > 3.35.1
High	pkg:npm/[email protected] upgrade to: > 3.12.0
Informational	pkg:npm/[email protected] upgrade to: > 3.1.0
Critical	pkg:npm/[email protected] upgrade to: > 5.0.0
High	pkg:npm/[email protected] upgrade to: 3.1.1,2.6.7
High	pkg:npm/[email protected] upgrade to: > 1.7.0
Critical	pkg:npm/[email protected] upgrade to: > 1.4.1
Critical	pkg:npm/[email protected] upgrade to: > 1.2.1
High	pkg:npm/[email protected] upgrade to: > 7.0.2
High	pkg:npm/[email protected] upgrade to: > 1.9.1
Medium	pkg:npm/[email protected] upgrade to: 10.0.0
High	pkg:npm/[email protected] upgrade to: > 1.0.0-rc.3
Critical	pkg:npm/[email protected] upgrade to: > 4.0.0
High	pkg:npm/[email protected] upgrade to: > 4.0.2
High	pkg:npm/[email protected] upgrade to: > 1.1.4
High	pkg:npm/[email protected] upgrade to: > 1.32.8
Critical	pkg:npm/[email protected] upgrade to: > 9.0.2
High	pkg:npm/[email protected] upgrade to: 5.76.0
Critical	pkg:npm/[email protected] upgrade to: > 3.0.3
High	pkg:npm/@babel/[email protected] upgrade to: > 7.11.0
Critical	pkg:npm/[email protected] upgrade to: > 2.13.1
Critical	pkg:npm/[email protected] upgrade to: 5.0.1
Medium	pkg:npm/[email protected] upgrade to: 7.5.2
Critical	pkg:npm/[email protected] upgrade to: > 8.1.0
Medium	pkg:npm/[email protected] upgrade to: 4.17.21
High	pkg:npm/[email protected] upgrade to: > 5.0.0
High	pkg:npm/[email protected] upgrade to: > 3.0.0

More info on how to fix Vulnerable Libraries in JavaScript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.