[Snyk-dev] Fix for 23 vulnerabilities

[lili2311]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • app/react/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-BROWSERSLIST-1090194	No	Proof of Concept
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	504/1000 Why? Has a fix available, CVSS 5.8	Prototype Pollution SNYK-JS-HIGHLIGHTJS-1045326	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HIGHLIGHTJS-1048676	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-IMMER-1019369	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-IMMER-1540542	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-LOADERUTILS-3043105	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKDOWNTOJSX-3310443	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-PRISMJS-1076581	No	Proof of Concept
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-PRISMJS-1314893	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-PRISMJS-1585202	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) SNYK-JS-PRISMJS-2404333	No	No Known Exploit
	629/1000 Why? Has a fix available, CVSS 8.3	Cross-site Scripting (XSS) SNYK-JS-PRISMJS-597628	No	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Command Injection SNYK-JS-REACTDEVUTILS-1083268	No	Proof of Concept
	619/1000 Why? Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @storybook/core

The new version differs by 250 commits.

• 829c72e v6.2.0
• f8bfee0 Update root, peer deps, version.ts/json to 6.2.0
• 2814acc CLI: Don't update versions.json on CLI prepare
• 637daa1 Update 6.2 changelog
• c760793 6.2 release
• 5595b1e Merge pull request Controls: Fix edge case in datetime control storybookjs/storybook#14348 from gabiseabra/fix/issue_13771
• a686a99 6.2.0-rc.13 next.json version file
• 6be8b92 Update git head to 6.2.0-rc.13
• c1dfd5b v6.2.0-rc.13
• 4ef7b5a Update root, peer deps, version.ts/json to 6.2.0-rc.13
• d954d50 6.2.0-rc.13 changelog
• 1913c92 Merge pull request [Documentation]: Update my-component-story-use-globaltype.mdx.mdx storybookjs/storybook#14390 from YozhEzhi/patch-1
• ee98e0e Merge branch 'next' of github.com:storybookjs/storybook into next
• a8aadc4 Update CHANGELOG.md
• 44eca58 Merge pull request Controls: QA fixes for Object and Color controls storybookjs/storybook#14392 from storybookjs/fix-raw-toggle
• f10ef90 Merge pull request [Documentation]: Update my-component-story-use-globaltype.js.mdx storybookjs/storybook#14391 from YozhEzhi/patch-3
• b1ee5e9 Prevent invalid initial color to be accepted as preset
• 2c6b796 Color picker can't deal with 'transparent' keyword
• 6951762 Don't show RAW toggle when data isn't representable by REJT
• 259b12a Update my-component-story-use-globaltype.js.mdx
• a8a846b Update my-component-story-use-globaltype.mdx.mdx
• 57fc3cd 6.2.0-rc.12 next.json version file
• ba0f535 Fix changelog
• 6ec5750 Update git head to 6.2.0-rc.12

See the full diff

Package name: @storybook/node-logger

The new version differs by 250 commits.

• 7d4d6ab v6.4.0
• 86e2d61 Update root, peer deps, version.ts/json to 6.4.0 [ci skip]
• ec6fd3b 6.4.0 changelog
• b88d2d9 6.4.0-rc.11 next.json version file
• 2d78019 Update git head to 6.4.0-rc.11, update yarn.lock
• 77eb43c v6.4.0-rc.11
• ca91e77 Update root, peer deps, version.ts/json to 6.4.0-rc.11 [ci skip]
• 52ed4b0 6.4.0-rc.11 changelog
• 4f23295 Merge pull request Core: Fix breaking change in process/browser storybookjs/storybook#16795 from SebastienGllmt/patch-1
• d443c73 Fix breaking changing process/browser
• 16678e0 6.4.0-rc.10 next.json version file
• 0e8f1c2 Update git head to 6.4.0-rc.10, update yarn.lock
• 5ae60fc v6.4.0-rc.10
• 135ca93 Update root, peer deps, version.ts/json to 6.4.0-rc.10 [ci skip]
• a89d8e9 6.4.0-rc.10 changelog
• 68c4086 Merge pull request Core: Allow args/argTypes/component to be set via parameters for storiesOf back-compat storybookjs/storybook#16791 from storybookjs/16756-argTypes-storiesOf
• 0a03181 Merge pull request Core: Sort the results of globby when constructing Story Index storybookjs/storybook#16788 from storybookjs/16767-sort-stories-index
• 8b4b8fc Merge pull request Core: Don't log a console error when the story is missing storybookjs/storybook#16783 from storybookjs/remove-missing-console-error
• 465a4be Merge branch 'next' into 16756-argTypes-storiesOf
• 1799997 Merge pull request Addon-docs: Wait for the story component to render before emitting storybookjs/storybook#16792 from storybookjs/16745-fix-docs-story-rendered
• 38aadfc Merge pull request Core: Ensure that context.args is always set storybookjs/storybook#16790 from storybookjs/16743-argTypeTargets-no-args
• 068ee39 Fix typo
• 809b59e Remove console log
• 1636334 Wait for the story component to render before emitting

See the full diff

Package name: react-dev-utils

The new version differs by 250 commits.

• 221e511 Publish
• 6a3315b Update CONTRIBUTING.md
• 5614c87 Add support for Tailwind (Misc cleanup storybookjs/storybook#11717)
• 657739f chore(test): make all tests install with `npm ci` (It's not possible to export decorator that contains React or HTML tags Storybook 6.0 storybookjs/storybook#11723)
• 20edab4 fix(webpackDevServer): disable overlay for warnings (Issue with deepEqual in SourceContainer  storybookjs/storybook#11413)
• 69321b0 Remove cached lockfile (Option to change the language attribute storybookjs/storybook#11706)
• 3afbbc0 Update all dependencies (Core: Optimize storiesHash by removing unused parameters storybookjs/storybook#11624)
• f5467d5 feat(eslint-config-react-app): support ESLint 8.x (ability to set default addon tab per stories module storybookjs/storybook#11375)
• e8319da [WIP] Fix integration test teardown / cleanup and missing yarn installation (ActionBar not clickable in the Actions addon storybookjs/storybook#11686)
• c7627ce Update webpack and dev server (Core: Log message length on channel message storybookjs/storybook#11646)
• f85b064 The default port used by `serve` has changed (Addon-controls: Fix undefined args handling storybookjs/storybook#11619)
• 544befe Update package.json (Generating source maps slow the build significantly, should they be opt-in? storybookjs/storybook#11597)
• 9d0369b Fix ESLint Babel preset resolution (Remove all ts-ignore in vue, tighten typings storybookjs/storybook#11547)
• d7b23c8 test(create-react-app): assert for exit code (Update @storybook/preact to support Preact 10 storybookjs/storybook#10973)
• 1465357 Prepare 5.0.0 alpha release
• 3880ba6 Remove dependency pinning (Toolbars: Should show name if no icon is configured storybookjs/storybook#11474)
• 8b9fbee Update CODEOWNERS
• cacf590 Bump template dependency version (Addon-docs: Fix subcomponents display logic storybookjs/storybook#11415)
• 5cedfe4 Bump browserslist from 4.14.2 to 4.16.5 (CSF: Deprecate duplicate titles rather than forbid them storybookjs/storybook#11476)
• 50ea5ad allow CORS on webpack-dev-server (Warning: Failed prop type: Invalid prop knob.value of type number supplied to RadiosType, expected string. storybookjs/storybook#11325)
• 63bba07 Upgrade jest and related packages from 26.6.0 to 27.1.0 (docs not processing jsdocs in non-SFC component storybookjs/storybook#11338)
• 960b21e Bump immer from 8.0.4 to 9.0.6 (Add/composition auto disable storybookjs/storybook#11364)
• 134cd3c Resolve dependency issues in v5 alpha (Composition: Allow refs versions in config storybookjs/storybook#11294)
• b45ae3c Update CONTRIBUTING.md

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 610f368 5.0.0
• 5ce65c1 update examples
• bbe1230 Merge pull request Core: Change react deps to normal deps storybookjs/storybook#11628 from webpack/bugfix/real-content-hash
• 75ecff2 5.0.0-rc.6
• bfc35d6 Merge pull request Addon-docs: Fix Vue defaultValue in props table storybookjs/storybook#11603 from MayaWolf/master
• 76e8cbd Merge pull request CLI: Generate docs:json command dynamically for Angular project storybookjs/storybook#11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
• 9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
• 36bcfaa Merge pull request #11621 from webpack/bugfix/11619
• 9130d10 fix called variables with ProvidePlugin
• 3e42105 Merge pull request [Security] Bump codecov from 3.7.0 to 3.7.1 storybookjs/storybook#11620 from webpack/bugfix/11617
• 4709719 skip connections copied to concatenated module
• 57b493f 5.0.0-rc.5
• 1658e2f Merge pull request All parameters are added and merged to all groups + roots in storiesHash storybookjs/storybook#11618 from webpack/bugfix/11615
• a8fb45d fixes crash in SideEffectsFlagPlugin
• 84b196d emit error instead of crashing when unexpected problem occurs
• 5573fed Merge pull request Addon-docs: Automatic source selection based on story type storybookjs/storybook#11601 from Hornwitser/improve-suggested-polyfill-config
• 9b5cce9 Merge pull request CLI: Generate compodoc command based on user's setup storybookjs/storybook#11609 from snitin315/export-types
• 37c495c export type RuleSetUseItem
• 39faf34 export type RuleSetUse
• e5fd246 export type RuleSetConditionAbsolute
• 660baad export RuleSetCondition types
• 13e3ca5 Merge pull request Webpack Hot Reload not working in react Storybook 6.0-rc.9 storybookjs/storybook#11602 from webpack/bugfix/shared-runtime-chunk
• 9c0587e Merge pull request Addon-controls: Expose presetColors for the color control storybookjs/storybook#11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
• 502d166 Merge pull request [Feature request] Ink Storybook storybookjs/storybook#11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Arbitrary Code Injection
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn