[Snyk] Fix for 8 vulnerabilities #646

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

edmooney wants to merge 1 commit into master from snyk-fix-513a74d8077ef68a7b5ab6713ea616f9

Owner

edmooney commented Oct 13, 2024

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- docs/package.json
- docs/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	601/1000 Why? Recently disclosed, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	Yes	No Known Exploit
	701/1000 Why? Recently disclosed, Has a fix available, CVSS 8.3	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-8172694	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Code Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	No	Proof of Concept
	429/1000 Why? Has a fix available, CVSS 4.3	Exposure of Sensitive Information to an Unauthorized Actor SNYK-JS-PHIN-6598077	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Prototype Pollution SNYK-JS-XML2JS-5414874	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: gatsby

The new version differs by 250 commits.

93c356e chore(release): Publish
26a94f2 Revert "fix(gatsby): Update mini-css-extract-plugin to fix inc builds issue (build(dev-deps): upgrade Jest to major version v30 apache/superset#33979)" (fix: sqlparse issue apache/superset#34413)
183b5f1 chore(gatsby): Add types for `getServerData` (feat: Add configurable query identifiers for Mixed Timeseries charts apache/superset#34406)
2e32870 chore(docs): Clean up Headless CMS documentation links (Page table calculation error apache/superset#34350)
ca37398 fix(gatsby): Only start write page-data.json activity if there's pages to write (psycopg2.errors.UndefinedTable: relation "themes" does not exist apache/superset#34403)
f4f1313 chore(release): Publish next
8a9b023 fix(gatsby): createNode return promise (Infinite loading when trying to view query of multi-layer charts apache/superset#34399)
6ffe0af chore(release): Publish next
0cc5a5a fix(gatsby): Wrong route resolved by findPageByPath function (Graph chart with different node icons apache/superset#34070)
33049c8 fix(deps): update typescript to v5 (major) (fix(theming): Fix visual regressions from theming P5 apache/superset#33786)
073caef chore(docs): Update processing external images guide (chore: cleanup ssh tunnel apache/superset#34388)
ad4b8da chore(deps): update dependency aws-sdk to ^2.1048.0 (chore(🦾): bump python python-dotenv 1.1.0 -> 1.1.1 apache/superset#34365)
fc3e7b7 chore(deps): update dependency autoprefixer to ^10.4.1 for gatsby-plugin-sass (OAuth2 client information for Big query not visible on UI apache/superset#34357)
1106845 chore(deps): update formatting & linting (chore(🦾): bump python sqlglot 27.3.0 -> 27.4.1 apache/superset#34370)
4628093 fix(deps): update minor and patch dependencies for gatsby-source-drupal (feat(timeshift): Add support for date range timeshifts apache/superset#34375)
3af68e1 fix(deps): update dependency eslint-plugin-react to ^7.28.0 (How to use Jinja template for "Inverse Selection" filter type apache/superset#34372)
8a7788d fix(deps): update dependency resolve-url-loader to ^3.1.4 for gatsby-plugin-sass (chore(🦾): bump python slack-sdk 3.35.0 -> 3.36.0 apache/superset#34361)
c6e4298 chore(deps): update dependency typescript to ^4.5.4 (Disable Numbering on superset Assets apache/superset#34358)
7578d71 chore(docs): Fix links to shared layout component (feat: conditional formatting improvements in tables apache/superset#34330)
540484d chore: Fix typo (Download error with pivot table use aggregation function apache/superset#34349)
3341eea chore(examples): use mobx v6 in using-mobx example (fix(PivotTable): Render html in cells if allowRenderHtml is true apache/superset#34351)
63207a2 chore(deps): update dependency rewire to v6 for gatsby-plugin-offline (feat: Add GitHub Codespaces support with docker-compose-light apache/superset#34376)
42c7d64 chore(deps): update dependency msw to ^0.36.3 for gatsby-core-utils (chore(🦾): bump python nh3 0.2.21 -> 0.2.22 apache/superset#34367)
1367c79 chore(deps): update dependency msw to ^0.36.3 for gatsby-plugin-gatsby-cloud (chore(🦾): bump python bottleneck subpackage(s) apache/superset#34368)

See the full diff

Package name: gatsby-plugin-emotion

The new version differs by 250 commits.

ed73e4d chore(release): Publish
3b1b6a5 fix(gatsby): Use windows import helper for validate (#37520) (#37522)
000e23e feat(gatsby): add initial webhook body env var to bootstrap context (#37478)
0017375 fix(gatsby): pass serverData to Head (#37500)
e7e5cb4 fix(gatsby-react-router-scroll): fix issues with anchor links (#37498)
fe65c29 feat(gatsby): Allow `<html>` and `<body>` attributes to be updated from `Head` (#37449)
e4f841f chore(docs): Improve v5 migration guide around MDX (#37485)
48d4069 fix(gatsby-source-wordpress): fix preview issues (#37492)
c288dd5 fix(deps): update starters and examples gatsby packages to ^5.4.2 (#37488)
88dc3b6 chore(docs): Update headless CMS
16685a6 chore(gatsby-source-filesystem): Improve README (#37480)
8a718e3 chore(changelogs): update changelogs (#37482)
f8f084a chore(release): Publish next
df58891 feat(gatsby-source-filesystem): Only generate hashes when a file has changed, and add an option for skipping hashing (#37464)
949132b fix(gatsby): nodeModel.findAll supports v5 sort argument structure (#37477)
87487ba chore(docs): Adds Kinsta Application hosting to other services (#37476)
df27ff4 feat(gatsby-core-utils): Add hashing methods from `hash-wasm` (#37433)
2b24aec fix(deps): update starters and examples gatsby packages to ^5.4.1 (#37469)
6e215d4 chore(changelogs): update changelogs (#37473)
8763e01 docs: fix v5 release notes slice example (#37465)
4a721df fix(gatsby): Check rawPath in loadPage (#37451)
3ef4f44 fix(gatsby): Use correct settings for yaml-loader (#37454)
76f979c fix(gatsby-source-contentful): maintain back reference map between runs (#37442)
c57c060 fix(gatsby): pluginOptionsSchema in local TS plugin (#37443)

See the full diff

Package name: gatsby-plugin-sharp

The new version differs by 250 commits.

c1e67a2 chore(release): Publish
0c45654 chore: remove tracedSVG (#37093) (#37137)
d7edf95 chore(release): Publish
2d00ea0 fix(gatsby-plugin-mdx): Do not leak frontmatter into page (feat(country-map): add cross-filters support apache/superset#35859) (Jinja Templating across different datasets apache/superset#35913)
4997d63 chore(release): Publish
ff94ed5 fix(gatsby-plugin-mdx): don't allow JS frontmatter by default (Helm chart do not follow best practices for k8s manifests apache/superset#35830) (fix(dashboard): prevent tab content cutoff and excessive whitespace in empty tabs apache/superset#35834)
36f21b0 chore: Removate validate-renovate from v3-latest branch (chore(deps-dev): bump eslint-import-resolver-typescript from 3.7.0 to 4.4.4 in /superset-frontend apache/superset#34460)
1acb1bc chore(release): Publish
1589bd8 fix(gatsby): ensure that writing node manifests to disk does not break on Windows (build(deps): remove legacy browser polyfills apache/superset#33853) (Apply multiple filters in embedded dashboard apache/superset#34020)
9694010 fix(gatsby-source-drupal): Ensure all new nodes are created before creating relationships (fix: #33862 – Security menu missing on MySQL due to case mismatch apache/superset#33864) (Failing to parse a saved query completely breaks the listing page apache/superset#34019)
76deb39 fix(gatsby-source-drupal): searcParams missing from urls (HostAliases not added to init job on apache/superset#33861) (fix: Update spacing on echart legends apache/superset#34018)
f74cc8f feat(gatsby-source-drupal): Add node manifest support for previews (How to Implement Long Screenshot Capture in Reports apache/superset#33683) (feat(deckgl): add new color controls with color breakpoints apache/superset#34017)
476a591 chore(release): Publish
35b48f8 fix(gatsby-plugin-image): GatsbyImage not displaying image in IE11 (In Apache Superset, to include a logo in PDF/email reports, does it require frontend code change? apache/superset#33416) (chore(🦾): bump python bottleneck subpackage(s) apache/superset#33806)
880022e fix(gatsby-plugin-image): flickering when state changes (Best Practices for Multi-Environment Dashboard Promotion (Dev, Acceptance, Prod) with Superset CLI apache/superset#33732) (Two Jinja date filters apache/superset#33807)
c0d07e7 feat(gatsby-source-wordpress): Update supported-remote-plugin-versions.ts (chore(🦾): bump python importlib-metadata subpackage(s) apache/superset#33801) (chore(🦾): bump python pandas subpackage(s) apache/superset#33804)
3d9a702 chore(release): Publish
84053a2 fix(gatsby-plugin-sharp): pass input buffer instead of readStream when processing image jobs (### Bug: SSO Logout Not Working with Keycloak + Iframe Embedded Superset apache/superset#33685) (fix(theming): Fix visual regressions from theming P4 apache/superset#33703)
4722a0d fix(gatsby-source-drupal): Add timeout in case of stalled API requests (Chart migration from one instance to another instance. apache/superset#33668) (Dynamically get the Embeded dashboard UUID's for a Logged in User.. apache/superset#33705)
857a628 fix(gatsby): single page node manifest accuracy (chore(deps-dev): bump @docusaurus/module-type-aliases from 3.7.0 to 3.8.0 in /docs apache/superset#33642) (#33698)
6bfd0f1 Properly set the pathPrefix and assetPrefix in the pluginData (chore(wip): giving migrate-ts a shot apache/superset#33667) ("Embed dashboard" option does not appear in the dashboard menu apache/superset#33702)
26c51c0 fix(gatsby-source-drupal): cache backlink records (fix: allow metadata to parse json apache/superset#33444) (chore: update sqlglot dialect map apache/superset#33701)
b80c53a fix(gatsby-source-drupal): Correctly update nodes with changed back references so queries are re-run (chore(deps): update @deck.gl/aggregation-layers requirement from ^9.0.38 to ^9.1.11 in /superset-frontend/plugins/legacy-preset-chart-deckgl apache/superset#33328) ("Last Updated" time at top of Alerts list looks odd in 5.0.0rc3 apache/superset#33699)
e29a194 chore: use gatsby-dev-cli@latest-v3 in tests

See the full diff

Package name: gatsby-transformer-sharp

The new version differs by 250 commits.

c1e67a2 chore(release): Publish
0c45654 chore: remove tracedSVG (#37093) (#37137)
d7edf95 chore(release): Publish
2d00ea0 fix(gatsby-plugin-mdx): Do not leak frontmatter into page (feat(country-map): add cross-filters support apache/superset#35859) (Jinja Templating across different datasets apache/superset#35913)
4997d63 chore(release): Publish
ff94ed5 fix(gatsby-plugin-mdx): don't allow JS frontmatter by default (Helm chart do not follow best practices for k8s manifests apache/superset#35830) (fix(dashboard): prevent tab content cutoff and excessive whitespace in empty tabs apache/superset#35834)
36f21b0 chore: Removate validate-renovate from v3-latest branch (chore(deps-dev): bump eslint-import-resolver-typescript from 3.7.0 to 4.4.4 in /superset-frontend apache/superset#34460)
1acb1bc chore(release): Publish
1589bd8 fix(gatsby): ensure that writing node manifests to disk does not break on Windows (build(deps): remove legacy browser polyfills apache/superset#33853) (Apply multiple filters in embedded dashboard apache/superset#34020)
9694010 fix(gatsby-source-drupal): Ensure all new nodes are created before creating relationships (fix: #33862 – Security menu missing on MySQL due to case mismatch apache/superset#33864) (Failing to parse a saved query completely breaks the listing page apache/superset#34019)
76deb39 fix(gatsby-source-drupal): searcParams missing from urls (HostAliases not added to init job on apache/superset#33861) (fix: Update spacing on echart legends apache/superset#34018)
f74cc8f feat(gatsby-source-drupal): Add node manifest support for previews (How to Implement Long Screenshot Capture in Reports apache/superset#33683) (feat(deckgl): add new color controls with color breakpoints apache/superset#34017)
476a591 chore(release): Publish
35b48f8 fix(gatsby-plugin-image): GatsbyImage not displaying image in IE11 (In Apache Superset, to include a logo in PDF/email reports, does it require frontend code change? apache/superset#33416) (chore(🦾): bump python bottleneck subpackage(s) apache/superset#33806)
880022e fix(gatsby-plugin-image): flickering when state changes (Best Practices for Multi-Environment Dashboard Promotion (Dev, Acceptance, Prod) with Superset CLI apache/superset#33732) (Two Jinja date filters apache/superset#33807)
c0d07e7 feat(gatsby-source-wordpress): Update supported-remote-plugin-versions.ts (chore(🦾): bump python importlib-metadata subpackage(s) apache/superset#33801) (chore(🦾): bump python pandas subpackage(s) apache/superset#33804)
3d9a702 chore(release): Publish
84053a2 fix(gatsby-plugin-sharp): pass input buffer instead of readStream when processing image jobs (### Bug: SSO Logout Not Working with Keycloak + Iframe Embedded Superset apache/superset#33685) (fix(theming): Fix visual regressions from theming P4 apache/superset#33703)
4722a0d fix(gatsby-source-drupal): Add timeout in case of stalled API requests (Chart migration from one instance to another instance. apache/superset#33668) (Dynamically get the Embeded dashboard UUID's for a Logged in User.. apache/superset#33705)
857a628 fix(gatsby): single page node manifest accuracy (chore(deps-dev): bump @docusaurus/module-type-aliases from 3.7.0 to 3.8.0 in /docs apache/superset#33642) (#33698)
6bfd0f1 Properly set the pathPrefix and assetPrefix in the pluginData (chore(wip): giving migrate-ts a shot apache/superset#33667) ("Embed dashboard" option does not appear in the dashboard menu apache/superset#33702)
26c51c0 fix(gatsby-source-drupal): cache backlink records (fix: allow metadata to parse json apache/superset#33444) (chore: update sqlglot dialect map apache/superset#33701)
b80c53a fix(gatsby-source-drupal): Correctly update nodes with changed back references so queries are re-run (chore(deps): update @deck.gl/aggregation-layers requirement from ^9.0.38 to ^9.1.11 in /superset-frontend/plugins/legacy-preset-chart-deckgl apache/superset#33328) ("Last Updated" time at top of Alerts list looks odd in 5.0.0rc3 apache/superset#33699)
e29a194 chore: use gatsby-dev-cli@latest-v3 in tests

See the full diff

Package name: theme-ui

The new version differs by 250 commits.

6f37cdd v0.6.0
8ff0379 docs: change version in readme
d8b715d chore: update snapshots
0c6d050 Merge branch 'develop' into stable
949cbcf chore(docs): remove comma
ac60158 chore: write more on migrating
7e3afbb refactor(theme-provider): remove unused import
15c7a0b chore: describe color mode flash fix in changelog
4b34c2c Merge branch '0.6-stable' into develop
ac304c7 chore: make contributors table narrower
c1a2c09 Merge pull request add oracle time_grains apache/superset#1544 from system-ui/chores
6b11630 fix(color-modes): stop mutating theme
469dc4a feat(core): export internal base provider
9c3c7db fix(editor): fix colors logic
6652bb1 chore: we must run prepare before publish, because Lerna does not build in order
7f8f796 Merge branch 'develop' into chores
a368159 fix(editor): make editor demo work (broken for a longer time)
ed94681 fix(color-modes): read correct color mode name
00cd0e6 refactor(docs): format themed.mdx, add title to styled.mdx
79a678c chore: bump Gatsby peer dep again
2bbfea7 Revert "chore: bump Gatsby peer dep"
d52e4ec chore: write migration notes for 0.6
c0f6551 Merge pull request Bogdan/query status polling apache/superset#1453 from atanasster/css-vars-remove-defaults
8433b4e feat(types): rename ContextValue to ThemeUIContextValue

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Code Injection
🦉 More lessons are available in Snyk Learn


          fix: docs/package.json & docs/package-lock.json to reduce vulnerabili…

4a40438

…ties

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-COOKIE-8163060
- https://snyk.io/vuln/SNYK-JS-ELLIPTIC-8172694
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067
- https://snyk.io/vuln/SNYK-JS-PHIN-6598077
- https://snyk.io/vuln/SNYK-JS-XML2JS-5414874

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet