[Snyk] Security upgrade babel-loader from 8.1.0 to 9.1.3

[jydmyk]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	768/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: babel-loader

The new version differs by 70 commits.

• b89dfbd 9.1.3
• 54fb781 Update caniuse
• 6f300f3 bump find-cache-dir to v4 (Update about-protected-branches.md github/docs#995)
• 2fd1c0a Bump semver from 7.3.2 to 7.5.2 (Update index.md github/docs#993)
• b3682fd Add more exhaustive example on customized-loader (Describe how to re-request a review github/docs#897)
• a797c3b ci: bump actions/checkout (Fix broken link: content style guide github/docs#981)
• 170350e Bump http-cache-semantics from 4.1.0 to 4.1.1 (Docs seem to include old information on how to delete docker images from package registry. github/docs#982)
• 78bd0a1 Update README.md (Hahah github/docs#987)
• c049187 Bump webpack from 5.74.0 to 5.76.0 (Hi github/docs#986)
• 0406d16 9.1.2
• ca0cc0e Bump json5 from 2.2.1 to 2.2.3 (Put the preview notice at the top of the subsection instead of at the bottom github/docs#980)
• c8b1feb build: harden ci.yml permissions (branches.md github/docs#976)
• 4e70cca Bump qs from 6.5.2 to 6.5.3 (github-glossary.md github/docs#977)
• 15fbacf 9.1.0
• 6348e1c Pass external dependencies from Babel to Webpack (YouTube_academyfornonprofits.dev github/docs#971)
• 457b9ad Update webpack
• f42ac9b 9.0.1
• 4f9c0bf remove "node:" builtin prefix (Delete search.js github/docs#970)
• 9ff288f 9.0.0
• 006a3dc Update README.md
• daed88a Update README.md
• 0ed5fd6 Bump ini from 1.3.5 to 1.3.8 (sky-zadro/docs github/docs#968)
• b1749e3 Bump y18n from 4.0.0 to 4.0.3 (Create licensing-a-repository.md github/docs#967)
• 3a55a4a Bump lodash from 4.17.20 to 4.17.21 (Preview preview  github/docs#966)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
strip-ansi	6.0.1	None	+1	9.64 kB	sindresorhus
classnames	2.3.2	None	+0	18.8 kB	dcousens
domwaiter	1.1.0...1.4.0	network	+34/-28	3.24 MB	zeke
next	10.2.0...10.2.3	None	+58/-121	39.4 MB	zeit-bot
lunr-languages	1.4.0...1.12.0	None	+0/-0	2.15 MB	mihaivalentin
js-yaml	3.14.0...3.14.1	None	+0/-0	291 kB	vitaly
rss-parser	3.12.0...3.13.0	None	+2/-2	2.09 MB	bobby-brennan
date-fns	2.21.3...2.30.0	None	+0/-0	6.69 MB	kossnocorp
jest-github-actions-reporter	1.0.2...1.0.3	None	+3/-1	545 kB	cschleiden
npm-merge-driver-install	2.0.0...2.0.2	None	+2/-0	55.4 kB	brandonocasey
csv-parse	4.8.8...4.16.3	environment	+0/-0	668 kB	david
@primer/components	28.0.1...28.5.0	None	+16/-29	15.5 MB	primer-css
typescript	4.2.4...4.9.5	None	+0/-0	66.8 MB	typescript-bot
github-slugger	1.2.1...1.5.0	None	+0/-1	13.5 kB	wooorm
@babel/plugin-proposal-class-properties	7.12.13...7.18.6	None	+16/-26	2.99 MB	nicolo-ribaudo
aws-sdk	2.610.0...2.1413.0	eval, environment	+18/-6	86.4 MB
glob	7.1.6...7.2.3	None	+2/-3	96.9 kB	isaacs
husky	4.2.1...4.3.8	None	+19/-19	798 kB	typicode
pa11y-ci	2.4.0...2.4.2	None	+32/-25	8.84 MB	joseluisbolos
@babel/plugin-transform-modules-amd	7.12.13...7.22.5	None	+11/-25	2.83 MB	nicolo-ribaudo
object-hash	2.0.1...2.2.0	None	+0/-0	59 kB	addaleax
@babel/preset-react	7.12.13...7.22.5	None	+12/-31	2.68 MB	nicolo-ribaudo
@babel/plugin-transform-modules-commonjs	7.12.13...7.22.5	None	+11/-25	2.85 MB	nicolo-ribaudo
express-timeout-handler	2.2.0...2.2.2	None	+0/-0	6.84 kB	hilleer
sass-loader	9.0.2...9.0.3	None	+12/-65	6.63 MB	evilebottnawi
@babel/plugin-transform-react-jsx	7.12.13...7.22.5	None	+7/-27	2.63 MB	nicolo-ribaudo
@graphql-tools/load	6.2.5...6.2.8	None	+18/-24	6.34 MB	ardatan
@types/lodash	4.14.168...4.14.195	None	+0/-0	863 kB	types
react	17.0.1...17.0.2	None	+0/-0	291 kB	gaearon
mockdate	3.0.2...3.0.5	None	+0/-0	13.8 kB	boblauer
website-scraper	4.2.0...4.2.3	None	+23/-21	2.05 MB	s0ph1e
replace	1.2.0...1.2.2	None	+8/-8	95.1 kB	almaclaine
nodemon	2.0.4...2.0.22	network	+10/-41	552 kB	remy
babel-plugin-styled-components	1.12.0...1.13.3	None	+13/-24	9.13 MB	probablyup
async	3.2.0...3.2.4	None	+0/-0	821 kB	hargasinski
start-server-and-test	1.12.0...1.15.5	environment	+21/-27	6.27 MB	bahmutov
express	4.17.1...4.18.2	network	+29/-17	1.23 MB	dougwilson
react-dom	17.0.1...17.0.2	None	+2/-2	3.39 MB	gaearon
cross-env	7.0.2...7.0.3	None	+0/-1	29.1 kB	kentcdodds
resolve-url-loader	3.1.2...3.1.5	None	+14/-13	1.66 MB	bholloway
hot-shots	8.2.0...8.5.2	None	+2/-2	532 kB	bdeitte
helmet	3.21.2...3.23.3	None	+2/-2	329 kB	evanhahn
morgan	1.9.1...1.10.0	None	+0/-1	29.7 kB	dougwilson
@actions/core	1.2.6...1.10.0	environment	+2/-0	261 kB	thboop
mime	2.5.2...2.6.0	None	+0/-0	60.1 kB	broofa
html-entities	1.2.1...1.4.0	None	+0/-0	68.6 kB	mdevils
nock	13.0.4...13.3.1	None	+1/-1	222 kB	nockbot
robots-parser	2.1.1...2.4.0	None	+0/-0	19.4 kB	samclarke
eslint	7.13.0...7.32.0	eval	+44/-47	7.8 MB	eslintbot
styled-components	5.3.0...5.3.11	None	+13/-24	9.13 MB	probablyup
directory-tree	2.2.6...2.4.0	None	+0/-0	11.2 kB	mihneadb
flat	5.0.0...5.0.2	None	+0/-1	26.6 kB	timoxley
cheerio	1.0.0-rc.3...1.0.0-rc.12	network	+12/-4	2.63 MB	feedic
cookie-parser	1.4.5...1.4.6	None	+1/-0	30.2 kB	dougwilson
copy-webpack-plugin	6.0.3...6.4.1	None	+26/-84	1.74 MB	evilebottnawi
mini-css-extract-plugin	1.4.1...1.6.2	environment	+7/-54	995 kB	evilebottnawi
gray-matter	4.0.2...4.0.3	None	+1/-1	330 kB	rmassaioli
uuid	8.3.0...8.3.2	None	+0/-0	116 kB	ctavan
jest-expect-message	1.0.2...1.1.3	None	+0/-0	12.7 kB	mattphillips
webpack-cli	4.6.0...4.10.0	environment	+17/-72	688 kB	evilebottnawi
csv-parser	2.3.3...2.3.5	None	+2/-3	206 kB	trysound
linkinator	2.13.6...2.16.2	None	+60/-68	2.08 MB	justinbeckwith
style-loader	1.2.1...1.3.0	None	+6/-56	877 kB	evilebottnawi
eslint-config-standard	16.0.1...16.0.3	None	+109/-98	13.5 MB	linusu
eslint-plugin-import	2.22.1...2.27.5	None	+106/-95	13.4 MB	ljharb
javascript-stringify	2.0.1...2.1.0	None	+0/-0	71.9 kB	blakeembrey
webpack-dev-middleware	4.1.0...4.3.0	environment	+11/-54	1.13 MB	evilebottnawi
redis	3.1.1...3.1.2	None	+1/-1	198 kB	leibale
chalk	4.1.0...4.1.2	None	+0/-2	35 kB	sindresorhus
express-rate-limit	5.1.3...5.5.1	None	+0/-0	22.1 kB	nfriedly
liquidjs	9.22.1...9.43.0	None	+0/-0	1.29 MB	harttle
commander	6.2.0...6.2.1	None	+0/-0	113 kB	abetomo
@primer/css	16.2.0...16.3.0	None	+1/-2	7.56 MB	primer-css
prettier	2.1.2...2.8.8	environment	+0/-0	11.2 MB	prettier-bot
jimp	0.16.1...0.16.13	None	+52/-46	17 MB	alisowski
eslint-plugin-promise	4.2.1...4.3.1	None	+0/-0	40.2 kB	xjamundx
@graphql-inspector/core	2.3.0...2.9.0	None	+4/-2	2.44 MB	kamilkisiela
graphql	14.6.0...14.7.0	None	+0/-0	1.83 MB	i1g
sass	1.26.3...1.63.6	filesystem	+4/-7	5.65 MB	sassbot
dotenv	8.2.0...8.6.0	None	+0/-0	23.9 kB	motdotla

🚮 Removed packages: @babel/[email protected], @babel/[email protected], @babel/[email protected], @babel/[email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
Install scripts	es5-ext	0.10.62	Install script: postinstall Source: node -e "try{require('./_postinstall')}catch(e){}" || exit 0	[email protected] via package.json
Protestware/Troll package	styled-components	5.3.11	Note: This package prints a protestware console message regarding Ukraine for users with Russian language locale	@primer/[email protected], [email protected] via package.json package.json

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

What is protestware and troll packages?

This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function.

Consider that consuming this package my come along with functionality unrelated to its primary purpose.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore [email protected]
• @SocketSecurity ignore [email protected]