[Snyk] Fix for 17 vulnerabilities

[avengerfart]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Cross-site Request Forgery (CSRF) SNYK-JS-AXIOS-6032459	Yes	Proof of Concept
	658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-6124857	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	No	No Known Exploit
	631/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.2	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-LIQUIDJS-2952868	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-LOADERUTILS-3043105	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	User Interface (UI) Misrepresentation of Critical Information SNYK-JS-NEXT-2405694	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Resource Exhaustion SNYK-JS-NEXT-6032387	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-NODEFETCH-2964180	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	No	Proof of Concept
	619/1000 Why? Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Prototype Pollution SNYK-JS-XML2JS-5414874	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: express

The new version differs by 30 commits.

• 3d7fce5 4.17.3
• f906371 build: update example dependencies
• 6381bc6 deps: qs@6.9.7
• a007863 deps: body-parser@1.19.2
• e98f584 Revert "build: use minimatch@3.0.4 for Node.js < 4"
• a659137 tests: use strict mode
• a39e409 tests: prevent leaking changes to NODE_ENV
• 82de4de examples: fix path traversal in downloads example
• 12310c5 build: use nyc for test coverage
• 884657d examples: remove bitwise syntax for includes check
• 7511d08 build: use minimatch@3.0.4 for Node.js < 4
• 2585f20 tests: fix test missing assertion
• 9d09762 build: supertest@6.2.2
• 43cc56e build: clean up gitignore
• 1c7bbcc build: Node.js@14.19
• 9cbbc8a deps: cookie@0.4.2
• 6fbc269 pref: remove unnecessary regexp for trust proxy
• 2bc734a deps: accepts@~1.3.8
• 89bb531 docs: fix typo in res.download jsdoc
• 744564f tests: add test for multiple ips in "trust proxy"
• da6cb0e tests: add range tests to res.download
• 00ad5be tests: add more tests for app.request & app.response
• 141914e tests: fix tests that did not bubble errors
• bd4fdfe tests: remove global dependency on should

See the full diff

Package name: got

The new version differs by 8 commits.

• 5e17bb7 11.8.5
• bce8ce7 Backport 861ccd9ac2237df762a9e2beed7edd88c60782dc
• 8ced192 Fix build
• 670eb04 11.8.4
• 20f29fe Backport add update index.md github/docs#1543: Initialize globalResponse in case of ignored HTTPError (x github/docs#2017)
• 0da732f 11.8.3
• 9463bb6 Bump cacheable-request dependency (Vcc.com github/docs#1921)
• 0e167b8 HTTPError code set to 'HTTPError' #1711 (rohittravels.md github/docs#1739)

See the full diff

Package name: jest-puppeteer

The new version differs by 72 commits.

• cc80f62 v7.0.0
• 31f6f1e feat: target puppeteer v19+
• 96a060d docs: fix bad links (Updated localization-checklist.md github/docs#511)
• 6ca8757 feat: modernize project (Update github-developer-program.md github/docs#514)
• 108d6f6 v6.2.0
• 656961d chore(deps): bump decode-uri-component from 0.2.0 to 0.2.2 in /examples/create-react-app (docs: add tnir as a contributor github/docs#506)
• d17827d chore(deps): bump express from 4.17.1 to 4.18.2 in /examples/create-react-app (repo sync github/docs#507)
• 67701a7 fix: update deps (Missed slash in "if" and minor formatting github/docs#508)
• 317ed12 feat: Add option `runBeforeUnloadOnClose` (docs: add ArnoutDevos as a contributor github/docs#504)
• 6b214d4 docs(readme): fix puppeteer docs 404 links (Multiple deploy keys github/docs#501)
• 9c927c6 chore(deps): bump terser in /examples/create-react-app (enter1 github/docs#492)
• 7538891 chore: Add `funding` key to package.json (Github Actions context variables data format not precise github/docs#476)
• e7850ca v6.1.1
• 8c8cc3f chore: update deps (Fix duplicate list entry name in about-self-hosted-runners.md github/docs#491)
• 74df604 chore(deps): bump jsdom in /examples/create-react-app (docs: add paulyhedral as a contributor github/docs#489)
• e9cafb1 fix(expect-puppeteer): return proper error stack traces from matchers (docs: add Protectator as a contributor github/docs#487)
• d9dc28f chore(deps): bump eventsource in /examples/create-react-app (repo sync github/docs#486)
• 1652c77 update deps (Update and rename content/actions/quickstart.md to kandungan/tindakan… github/docs#485)
• 6f16345 fix: prevent stdout buffer from filling up (Actions: Add section about group/ungroup commands github/docs#482)
• 3696132 chore(readme): add exitOnPageError flag (Update adding-an-email-address-to-your-github-account.md github/docs#481)
• e7191ed chore(deps): bump async in /examples/create-react-app (Added a quick tip about PR's base branch github/docs#480)
• 8a02858 chore(deps): bump minimist from 1.2.5 to 1.2.6 (repo sync github/docs#478)
• eb21f26 chore(deps): bump minimist from 1.2.5 to 1.2.6 in /examples/create-react-app (Fix typos in search part of contribution guideline github/docs#477)
• 678ce56 chore(deps): bump url-parse in /examples/create-react-app (Fix all-contributors file. github/docs#475)

See the full diff

Package name: jimp

The new version differs by 35 commits.

• bb5433d "Bump version to: v0.17.0 [skip ci]"
• 6295dcd Update CHANGELOG.md [skip ci]
• 226490c update jpeg-js (Rename content/github/understanding-how-github-uses-and-protects-your… github/docs#1131)
• 9eec860 "Bump version to: v0.16.13 [skip ci]"
• 9adcb2b Update CHANGELOG.md [skip ci]
• 4be043f set at org
• 0cc23a4 set user directly
• 88d52ae try this
• 11e4a4c update key
• 6df7dd5 fix patch
• 2d7332d fixing release
• a134b0b test auto fix
• 95032f0 try this
• b6ce22f fix repo
• 8f097ee testing
• 540ed93 update linting
• 9050f7e fix token
• 20078a5 actually fix release
• 00991f6 fix checkout?
• 3702060 upgrade prettier
• f87a67b Bump qs from 6.5.2 to 6.5.3 (0 github/docs#1130)
• dcdb0de only build node 16 (Simplify repository element in npm's project.json to use https URL github/docs#1127)
• 0591e9f it's -> its ;) (Hiu github/docs#992)
• 263df47 fixed plugin-crop full width slices math (chore: non-content typo cleanup github/docs#1073)

See the full diff

Package name: liquidjs

The new version differs by 250 commits.

• 9b9ef37 chore(release): 10.0.0 [skip ci]
• 5bbdc08 chore(deps): bump minimatch from 3.0.4 to 3.1.2
• 1380ac9 refactor: more consistent tags to make it easier to iterate over, link "markup reference guide" is broken or missing github/docs#524
• 4e1a30a refactor: `_evalToken` renamed to `evalToken`
• 9299268 refactor: Tag class support in registerTag()
• 1f6ce7c perf: target Node.js 14 for cjs bundle (main entry)
• 7eb6216 refactor: change `ownPropertyOnly` default value to `true`
• ffefd91 refactor: remove `toThenable` export
• b115077 refactor: remove use of internal `Context` class in `evalValue` argument
• bb58d3e refactor: delay creation of `operatorsTrie` and hide this implementation
• ff112a4 chore: rename filters to snake style, docs: add Protectator as a contributor github/docs#487
• 907c4de chore(release): 9.43.0 [skip ci]
• 7a71485 feat: support timezone offset argument for date filter, Update https-cloning-errors.md github/docs#553
• cd918cc chore(deps): bump minimatch from 3.0.4 to 3.1.2 in /docs
• 8061e55 docs: fix tags sidebar translation
• 33e97db docs: update .all-contributorsrc [skip ci]
• 9cfc8fd docs: update README.md [skip ci]
• f62b210 docs: add echo and liquid tags Chinese translation (Incorrect type for labels parameter: "array of undefineds" github/docs#549)
• bf6b5c7 chore(release): 9.42.1 [skip ci]
• a58fe44 chore(deps): bump minimist and hexo-renderer-swig in /docs
• 99516cb chore(deps): bump semver-regex from 2.0.0 to 3.1.4
• 850ab0c chore(deps): bump ansi-regex from 3.0.0 to 3.0.1
• 33c7c8f docs: demo for using LiquidJS with webpack
• 32f613f fix: truncatewords should use at least one word, update github/docs#537

See the full diff

Package name: next

The new version differs by 250 commits.

• 1e8dca4 v13.5.4
• 9e24d6f v13.5.4-canary.11
• 281ae41 Fix build output logging order (#56335)
• d7626ff Revert "misc: shortcut styled-jsx in external resolution (#56291)" (#56334)
• db48052 v13.5.4-canary.10
• 7df92b8 test: add flaky turbopack integration tests to manifest (#56309)
• eeb9b33 fix: Invalid URL (404) provided on server actions error (#56323)
• 3172cfe fix: support both decoded and encoded url requests of conventioned files (#56187)
• a2f9ef5 fix(next/client): keep hash when navigating from app to pages router (#56223)
• a970f28 Add code freeze GitHub actions for releasing (#56325)
• 5fbc23e misc: fix instrumentation with bundled server (#56318)
• 98432a4 Remove buildId test as it's no longer relevant (#56316)
• 86274e6 fix(#53190): add missing crossOrigin to assetsPrefix resources (#56311)
• e970e05 Reland static prefetches & fix prefetch bailout behavior (#56228)
• be952fb fix: typo in `with-stripe-typescript` example (#56274)
• 7f60cc8 Support serverRuntimeConfig and publicRuntimeConfig in Turbopack (#56310)
• 8d18ad6 update webp crate (#56307)
• ac95a20 Fix flaky test for size output (#56303)
• dba978f misc: shortcut styled-jsx in external resolution (#56291)
• 458dab8 misc: update code owners (#56290)
• 5254aae Update image.mdx (#56266)
• 0d4859b Update image.mdx (#56269)
• 59bda2d More Turbopack fixes (#56299)
• ecd94c1 misc: enable source maps for bundled runtime (#56289)

See the full diff

Package name: node-fetch

The new version differs by 24 commits.

• 2880238 fix: ReDoS referrer (Behance github/docs#1611)
• e87b093 fix(Headers): don't forward secure headers on protocol change (Amazoncloud.tv github/docs#1599)
• bcfb71c chore: remove triple-slash directives from typings (repo sync github/docs#1285) (sudo-mode.md github/docs#1287)
• 95165d5 fix spelling (Don't specify registry specific path github/docs#1602)
• 11b7033 fix: possibly flaky test (add recent localization contributors**1 github/docs#1523)
• 4f43c9e fix: always warn Request.data (quynhthibanh@gmail.com github/docs#1550)
• 1c5ed6b fix: undefined reference to response.body when aborted (repo sync github/docs#1578)
• a92b5d5 fix: use space in accept-encoding values (Webpage github/docs#1572)
• 0f122b8 docs: fix formdata code example (Thanks very much for contributing! Your pull request has been merged 🎉 You should see your changes appear on the site in approximately 24 hours. github/docs#1562)
• 6ae9c76 docs(readme): response.clone() is not async (Favicon might be invisible github/docs#1560)
• 043a5fc Fix leaking listeners (repo sync github/docs#1295) (repo sync github/docs#1474)
• 004b3ac fix: don't uppercase unknown methods (Update configuring-docker-for-use-with-github-packages.md github/docs#1542)
• c33e393 Fix Code of Conduct link in Readme. (Sk_live github/docs#1532)
• 6875205 docs: Fix link markup to Options definition (Instruction list being repeated thrice. github/docs#1525)
• 6425e20 fix: handle bom in text and json (repo sync github/docs#1482)
• a4ea5f9 fix: add missing formdata export to types (Rename contributing/localization-checklist.md to contributing/massto/… github/docs#1518)
• 61b3b5a fix: cancel request example import (Update about-pull-requests.md github/docs#1513)
• 5e78af3 Replace changelog with valid url (Fix typo github/docs#1506)
• 9014db7 types: support `agent: false` (Include work around for wildcards in HTTP Proxy Exclusion list on GHES github/docs#1502)
• 2e1f3a5 chore: fix typo in credential error message (Suggest to avoid "Master branch" instead of "Default branch" github/docs#1496)
• 4ce2ce5 docs(readme): fix typo (Update githubs-products.md github/docs#1489)
• ba23fd2 docs: remove the changelog (repo sync github/docs#1464)
• 8fedc1b core: move support and feature to discussion (repo sync github/docs#1471)
• 0b43b9f docs: update formdata example (repo sync github/docs#1465)

See the full diff

Package name: pa11y-ci

The new version differs by 12 commits.

• efad302 Fix minimum node version in README
• 28f161a Version 3.0.0
• 52fd274 Fix error with absolute paths on Windows (Update "Securing Your Webhooks" to prefer X-Hub-Signature-Sha-256 header github/docs#82)
• 6b2d4f5 Replace chalk with kleur
• 4e5bc51 use https where possible
• 5c842cf Add support for reporters (GitHub App Guide typo github/docs#129)
• 40ba01a Replace make with npm scripts and update Node versions (Use operationId for #anchor tags of REST API endpoint titles github/docs#139)
• 1374cd7 Bump deps to match versions used by pa11y v6
• fb86a33 Update test matrix to LTS node (12, 14, 16)
• edabbeb Update package lock
• e5dbbc7 Replace chalk with kleur
• 96a3882 Chance concurrency and incognito mode defaults

See the full diff

Package name: puppeteer

The new version differs by 250 commits.

• 377cd83 chore: release main ([From Zendesk] Squash and merge mention in commit signing article now incorrect github/docs#11081)
• 11f7c69 test: update Firefox BiDi expectations (Contributions when merging accounts github/docs#11082)
• 0c0e516 fix: roll to Chrome 117.0.5938.149 (r1181205) (Clarify content on ignoring files github/docs#11077)
• 163394d chore(deps): Bump actions/checkout from 3.6.0 to 4.1.0 (Bump lint-staged from 11.2.2 to 11.2.3 github/docs#11063)
• 67e9a92 chore(deps): Bump postcss from 8.4.16 to 8.4.31 in /website (about-pull-requests.md github/docs#11075)
• 54bc80c chore(deps): Bump github/codeql-action from 2.21.8 to 2.21.9 (Bump @babel/plugin-transform-runtime from 7.15.0 to 7.15.8 github/docs#11064)
• c5083bb docs: update link to `third_party/README.md` (Revert "repo sync" github/docs#11068)
• a3187a0 docs: Update reference to SKIP_CHROMIUM_DOWNLOAD env to SKIP_DOWNLOAD
• 28c1c26 test: crash mocha if unhandled errors occur (Bump eslint from 7.32.0 to 8.0.0 github/docs#11055)
• c5f2d28 test: move queryObjects to a CDP only tests (Bump prettier from 2.4.0 to 2.4.1 github/docs#11050)
• 88681a8 test: Remove invalid drag and drop test (Bump @actions/core from 1.5.0 to 1.6.0 github/docs#11054)
• eedbb13 chore: release main (Bump @graphql-inspector/core from 2.9.0 to 3.0.2 github/docs#11051)
• b0d7375 fix: remove the flag disabling bfcache (Bump jest from 27.2.0 to 27.2.5 github/docs#11047)
• 30bd030 chore: use yargs for mocha runner (Bump @primer/octicons from 15.1.0 to 16.0.0 github/docs#11045)
• 03b22ab chore(deps): Bump glob from 10.3.4 to 10.3.10 (repo sync github/docs#11043)
• 897fb64 chore(deps): Bump @ swc/core from 1.3.86 to 1.3.90 (repo sync github/docs#11042)
• f59537e ci: add sharding for chrome (repo sync github/docs#11038)
• bd6c246 chore: add @ typescript-eslint/no-import-type-side-effects (repo sync github/docs#11040)
• e853e63 refactor: use common debugError (Update bigcook12345 github/docs#11039)
• 48f9382 test: synchronize bidi expectations changes for Bug 1756595 (# github/docs#11005)
• aa16ab1 chore: use RxJS for wait for Navigation (repo sync github/docs#11024)
• c502ca8 chore: release main (Rename content/github/collaborating-with-pull-requests/index.md to co… github/docs#11025)
• e0e7e3a test: move cdp only tests to a subfolder (vedacomprime/docs github/docs#11033)
• 8993def ci: disable failing doctest (repo sync github/docs#11035)

See the full diff

Package name: rss-parser

The new version differs by 26 commits.

• 74bdfd2 3.13.0
• 0413e12 Build distribution
• 2de2c40 Merge pull request . github/docs#247 from Arisamiga/master
• 3265b41 lockfileVersion 3 ->2 for backwards compatibility
• 986f163 Merge branch 'master' into master
• 861855f Merge pull request ui update support buttons github/docs#248 from rbren/rb/update-actions
• 49b7a41 Update node.js.yml
• 8e962eb Fix for dependency collision
• 46667c1 Updated Dependencies
• 4c1a0dc Merge pull request https://github.com/github/docs/issues/226#issue-716944332 github/docs#242 from d-line/master
• f76cc42 Merge pull request [Snyk] Upgrade hastscript from 7.0.2 to 7.2.0 #2 from d-line/node-bump
• e51b7be fix: use 3 most recent LTS releases in worklow
• 54ac781 Merge pull request [Snyk] Security upgrade rss-parser from 3.12.0 to 3.13.0 #1 from d-line/tests-fix
• 12f3cd2 fix: carefully handle when 'rdf:about' is not there. regenerate test mocks
• e2e2f4d Merge pull request Licensing is unclear github/docs#203 from yuiseki/rdf-about
• b8cff02 Merge pull request Update configuring-network-settings.md github/docs#209 from drublic/master
• 697af31 Merge pull request Testing an issue automation! github/docs#200 from KevinFerm/patch-1
• 18dd399 Add field in item: episodeType on itunes data
• ef4f4a2 fix typo
• 67c3dbb add `rdf:about` field to item on `parseItemRss`
• 2e0244a Update index.d.ts
• 33a9a42 Merge pull request Update running-code-scanning-in-your-ci-system.md github/docs#195 from Booligoosh/patch-1
• f50421d Merge pull request Update exploring-the-dependencies-of-a-repository.md github/docs#196 from drublic/master
• af6a5ad Fix breakting keywords and categories if there are attributes `text`

See the full diff

Package name: semver

The new version differs by 82 commits.

• e7b78de chore: release 7.5.2
• 58c791f fix: diff when detecting major change from prerelease (repo sync github/docs#566)
• 5c8efbc fix: preserve build in raw after inc (repo sync github/docs#565)
• 717534e fix: better handling of whitespace (Fix docker github/docs#564)
• 2f738e9 chore: bump @ npmcli/template-oss from 4.14.1 to 4.15.1 (Ensure that the Actions Skipper never errors out github/docs#558)
• aa016a6 chore: release 7.5.1
• d30d25a fix: show type on invalid semver error (#559)
• 09c69e2 chore: bump @ npmcli/template-oss from 4.13.0 to 4.14.1 (Move GitHub Action versions to shas github/docs#555)
• 5b02ad7 chore: release 7.5.0
• e219bb4 fix: throw on bad version with correct error message (repo sync github/docs#552)
• 503a4e5 feat: allow identifierBase to be false (repo sync github/docs#548)
• fc2f3df fix: incorrect results from diff sometimes with prerelease versions (OrganizationIdentity github/docs#546)
• 2781767 fix: avoid re-instantiating SemVer during diff compare (Revert "repo sync" github/docs#547)
• 82aa7f6 chore: release 7.4.0
• 731d896 chore: enable CD (Issue.md github/docs#545)
• 940723d fix: intersects with v0.0.0 and v0.0.0-0 (Specify ssh shell is required to enable dependency graph github/docs#538)
• aa516b5 fix: faster parse options (repo sync github/docs#535)
• 61e6ea1 fix: faster cache key factory for range (Update and rename content/github/getting-started-with-github/githubs-… github/docs#536)
• f8b8b61 fix: optimistic parse (chore: Add Markdownlint checking and CI github/docs#541)
• 796cbe2 fix: semver.diff prerelease to release recognition ([DO NOT MERGE] Test github/docs#533)
• 3f222b1 fix: reuse comparators on subset (update github/docs#537)
• 113f513 feat: identifierBase parameter for .inc (Run windows tests on public repo github/docs#532)
• ea689bc chore: basic type test for RELEASE_TYPES
• c5d29df docs: Add "Constants" section to README

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Cross-site Request Forgery (CSRF)
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn