[Snyk] Fix for 27 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • superset-frontend/package.json
  • superset-frontend/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-ASYNCVALIDATOR-2311201	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-CHRONONODE-1083228	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-D3COLOR-1076592	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ESM-72880	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASHES-2434283	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHES-2434284	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASHES-2434285	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASHES-2434289	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	No	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-POLISHED-1298071	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Improper Input Validation SNYK-JS-URIJS-1055003	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-URIJS-1078286	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-URIJS-1319803	No	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-URIJS-1319806	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-URIJS-2401466	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-URIJS-2415026	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-URIJS-2419067	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Misinterpretation of Input SNYK-JS-URIJS-2440699	No	Proof of Concept
	591/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) SNYK-JS-URIJS-2441239	No	Proof of Concept
	469/1000 Why? Has a fix available, CVSS 5.1	Prototype Pollution SNYK-JS-ZRENDER-1586253	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @superset-ui/plugin-chart-echarts

The new version differs by 13 commits.

• f45cfaf chore: publish v0.15.17
• d856c4c ci: remove `pull_request` trigger ( UI/UX for viewing table schema apache/superset#853)
• a6286fd ci: add chromatic visual testing step (Backticks being generated in querys when using MySQL backend apache/superset#849)
• c7b6db5 feat(plugin-chart-echarts): bump to version 5.0 (Surface partitions metadata  apache/superset#852)
• 16f754e fix(demo): add antd css and implement action hook (Per database permissions apache/superset#851)
• e67887c refactor: Relocating/renaming various chart controls (UI review and update apache/superset#836)
• 1318239 chore: publish v0.15.16
• 45d3919 fix(legacy-preset-chart-nvd3): time compare and stacked area tooltips (Caravel installation and initialization on Windows apache/superset#850)
• 4b206ca chore: publish v0.15.15
• dd12861 feat: support multi queries request (String metrics can't display apache/superset#846)
• e492105 feat: native filter components (Explanation of Period Ratio in Line Chart apache/superset#840)
• ef82336 feat: add rison request type to makeApi (When will caravel support python3? apache/superset#843)
• d0c5029 fix(legacy-plugin-chart-pivot-table): remove nulls from table (Add support for Bound filters in Druid apache/superset#839)

See the full diff

Package name: antd

The new version differs by 250 commits.

• 870b72a docs: 4.17.0 changelog (#32859)
• 3a5b6b8 chore(deps-dev): bump stylelint-config-standard from 23.0.0 to 24.0.0 (#32866)
• 7e2dc80 chore(.gitignore):add ignore for pnpm (#32860)
• 491cc4f fix: borderLeftRadius error for Input.Search #32808 (#32812)
• 958df3d docs: add demo for Input.Group (#32837)
• ce006bd docs: Version Robin (#32830)
• 3f495bb chore: Upgrade react router v6 (#32821)
• 43569b9 docs: update customize-theme-variable.zh-CN.md
• 7ed7c60 style: fix Tree icon align bug (#32822)
• 01887b4 fix: if breadcrumbRender return false, breadcrumb will hidden (#32738)
• 5f642cb fix: tag animation demo (#32804)
• 852a451 chore(Tag): update tween-one (#32800)
• 90aff3a docs: fix Spin API ts description (#32786)
• 8a3b5d9 fix: Form horizontal broken style when select item is too long (#32778)
• a73f4a3 docs: Fix the link in Table's API doc (#32779)
• ecc54dd fix: codepen demo error using hooks (#32766)
• cf15379 docs: add 4.17.0-alpha.10 changelog (#32775)
• f7380b7 chore(deps-dev): bump eslint-plugin-unicorn from 37.0.1 to 38.0.0 (#32765)
• b1ea2e4 fix: opening animation of the bottom drawer (#32761)
• 10a8578 fix: Spin tip can be react node (#32733)
• fa65cd3 chore(deps-dev): bump @ types/gtag.js from 0.0.7 to 0.0.8 (#32746)
• f88bd4d refactor: Move part mixins less to theme instead (#32763)
• 5360722 chore: update form demo
• ea52572 chore(💄): fix issue template

See the full diff

Package name: chrono-node

The new version differs by 212 commits.

• 4350642 2.2.4
• 036f7aa New: improve parsing performance by caching complied regex
• 98815b5 Fix: unblounded regex backtracking in timeunit parsing
• 3f294e0 2.2.3
• 16737f5 Fix: Remove internal annotation on the debugging
• 5e9456d 2.2.2
• f9cd773 Update readme document
• 8f395f2 refactor: exclude documentation in master
• ac27496 New: Add typedoc setting
• e047e2e Documentation: Update
• b582ae7 Fix: vague time parsing in strict mode
• f60807e 2.2.1
• bf2ae34 Fix: time expression endding with numbers only
• 3d044ee Add init Typedoc integration
• fbbd996 Merge pull request How to get the tables located on schemas other than public in postgres apache/superset#373 from JeroenVdb/master
• 911588c Merge pull request Attempting to use setuptools' use_2to3 apache/superset#372 from flpvsk/feature/fuzzy-forward-date
• 4f264a9 Make "in|within|for" optional if forwardDate=true
• f47c32c 2.2.0
• 1d949a2 Fix: stop guessing single digit after dot as minute
• 269fa37 remove unsupported
• 5c98948 tests for time units
• a4cedba copy from EN
• da3def8 readd morgend so we dont break
• b0af06f readd morgend so we dont break

See the full diff

Package name: d3-color

The new version differs by 54 commits.

• 7a1573e 3.1.0
• 75c19c4 update LICENSE
• ef94e01 update dependencies
• 5e9f757 method shorthand
• e4bc34e formatHex8 ([Snyk] Fix for 2 vulnerabilities #103)
• ac660c6 {rgb,hsl}.clamp() ([Snyk] Security upgrade urijs from 1.19.1 to 1.19.11 #102)
• 70e3a04 clamp HSL format ([Snyk] Security upgrade pillow from 7.2.0 to 9.0.1 #101)
• 994d8fd avoid backtracking ([Snyk] Security upgrade urllib3 from 1.25.11 to 1.26.5 #100)
• 7d61bbe 3.0.1
• 93bc4ff related Generate copyright from LICENSE. d3/d3#3502; extract copyrights from LICENSE
• 611e1c3 3.0.0
• 4c2be7e Adopt type=module ([Snyk] Fix for 5 vulnerabilities #90)
• 017a463 v2.0.0
• 7de7354 Merge pull request [Snyk] Security upgrade flask-appbuilder from 3.1.1 to 4.1.3 #75 from d3/two
• 0ecd740 v2.0.0-rc.1
• 0eb9594 Merge pull request [Snyk] Security upgrade gatsby-source-filesystem from 2.4.2 to 4.21.0 #76 from d3/radians
• cc0a51b Merge pull request [Snyk] Security upgrade mako from 1.1.3 to 1.2.2 #77 from d3/document-extensions
• fd23843 document extensions
• d86e36b link to https://d3js.org/d3-color.v2.min.js
• c1b93f1 normalize "degrees" and "radians" for deg2rad conversions
• 693572b deliberate ES6 syntax
• e87dc62 1.4.1
• f176ff1 Fix hexadecimal transparent colors.
• df60378 Add link to d3-hsluv.

See the full diff

Package name: d3-scale

The new version differs by 145 commits.

• f7cb35b 4.0.0
• 120ad7a adopt InternMap for ordinal scales ([Snyk] Fix for 1 vulnerabilities #237)
• ac30873 Adopt type=module ([Snyk] Fix for 1 vulnerabilities #246)
• 2b7db62 3.3.0
• f3cfd2c update dependencies
• 80ff9b2 adopt d3-time’s ticks
• 8afe6bd 3.2.4
• 60e10c4 update dependencies
• 116ac06 Treat null as undefined. ([Snyk] Security upgrade selenium from 3.141.0 to 4.15.1 #241)
• c7efc99 3.2.3
• 5d3e9c3 Update d3-array.
• 1ff6522 yarn
• 957482b Update tickFormat.js
• 42d546e scaleQuantile performance fixup
• 0a427eb time_copy is part of the API but was missing from the README
• 1dd3f5a Merge pull request [Snyk] Fix for 1 vulnerabilities #219 from d3/links-v6
• 8460207 v3.2.2
• 6169111 d3 dependencies
• 0a55cc8 Merge pull request [Snyk] Security upgrade werkzeug from 1.0.1 to 3.0.1 #210 from domoritz/fix-nice
• 5046251 links to d3@6 versions
• d0a2fe4 fix documentation: the diverging scale's default domain is [0, 0.5, 1]
• da99948 Use var
• 0932d15 Merge pull request [Snyk] Fix for 1 vulnerabilities #211 from oluckyman/patch-1
• 2751067 Fix a typo

See the full diff

Package name: lodash

The new version differs by 1 commits.

• c6e281b Bump to v4.17.21

See the full diff

Package name: react-jsonschema-form

The new version differs by 59 commits.

• 58a3534 Bump version v1.3.0
• 2a6b830 Limit cases where "required" attribute is used on checkboxes (typo fix to Update countries.md apache/superset#1194)
• 1651066 Add the full source maps by default for development (Adding a 'Misc Charts' dashboard as part of the examples apache/superset#1208)
• 10a6b64 Bug Fix empty html useless added by PR Fixing druid culster perms to mirror sqla databases apache/superset#1123 / v1.2.0 (Testing in progress apache/superset#1158)
• 92233e4 Add more schemas to validate against (models: fix slice creation apache/superset#1130)
• aebfab9 Improve handling of decimal points and trailing zeroes in numbers ([docs] improve security section around managing roles apache/superset#1183)
• 07decc5 Merge branch 'master' of https://github.com/mozilla-services/react-jsonschema-form
• c355ddb Merge branch 'huhuaaa-feature/fix-enum-empty-bug'
• 5aaf863 test: fix tests
• 9153444 Merge branch 'feature/fix-enum-empty-bug' of https://github.com/huhuaaa/react-jsonschema-form into huhuaaa-feature/fix-enum-empty-bug
• a7be6ee Remove build:readme script and toctoc dep (Download button, share button, and url shortener button stay not in sync with visualization while editing apache/superset#1189)
• f9d4c63 Fix multiple bugs related to switching between anyOf/oneOf options (--WIP-- add faves/starred things to /welcome apache/superset#1169)
• 4d17bd8 test: move the test to the right file
• bece2a5 Generate code coverage reports using nyc (Embedded Dashboards apache/superset#1170)
• aa862ab test: add enum test
• 59038c0 Submit event should return original event as second param (Bring DB in sync with the models.py apache/superset#1172)
• 919a164 Add various always-ignore files and directories to .gitignore (Druid metadata cannot be retrieved when the whole dataset has the same timestamp apache/superset#1171)
• 6e79281 Infer field type from const value ([sqllab] db migration - setting Database.allow_run_sync=True apache/superset#1174)
• b481f58 Oops, bump version in package-lock.json too
• a1eedfb Bump v1.2.1
• 54091b1 style: npm run cs-format
• f999547 Fixed a bug.The selector have a empty option, when use enum and the default value is 0 or false or ''.
• 174e136 Fix uiSchema for additionalProperties (Clicking on a user's role who is not active and making them active fires an error apache/superset#1144)
• 2368740 replace submit button paragraph tag with div (Warn the users about duplicate countries in the Worldmap apache/superset#766)

See the full diff

Package name: react-markdown

The new version differs by 18 commits.

• 45b9977 5.0.0
• eeea3c2 Update `changelog.md`
• 5d6c9f1 Refactor scripts
• d29478f Add type tests
• 4f5dbe2 Add note
• 7a5e3a1 Add `allowDangerousHtml`, preferred over `escapeHtml`
• 2675ae2 Remove docs on `source`
• 34b0883 Change default branch to `main`
• 22a5e49 Refactor and test for 100% coverage
• b3aa6e0 Rewrite readme for unified, more examples
• a9f163d Move demo to `website` branch
• 4f1a407 Change to clean project, update, refactor scripts
• ebebf51 Upgrade remark to version 8, unified to version 9
• e400f6f Upgrade to remark-parse@6
• 3260f57 Run tests on node 12
• 6eff8d1 Pass AST node to all non-tag/non-fragment renderers as prop
• ca25be1 Fix link to demo in readme
• 9b4eb84 Updated remark-parse github link (Fixing issue #444 color function chokes on non-string param apache/superset#447)

See the full diff

Package name: urijs

The new version differs by 27 commits.

• b655c1b chore(build): bumping to version 1.19.11
• b0c9796 fix(parse): handle CR,LF,TAB
• 88805fd fix(parse): handle excessive slashes in scheme-relative URLs
• 926b2aa chore(build): bumping to version 1.19.10
• a8166fe fix(parse): handle excessive colons in scheme delimiter
• 01920b5 chore(build): bumping to version 1.19.9
• 86d1052 fix(parse): remove leading whitespace
• efae1e5 chore(build): bumping to version 1.19.8
• 6ea641c fix(parse): case insensitive scheme - Error during refresh metadata apache/superset#412
• 19e54c7 chore(build): bumping to version 1.19.7
• 547d4b6 build: update jquery
• aab4a43 build: remove obsolete build tools
• ac43ca8 fix(parse): more backslash galore Adding support for Druid post aggregations (continued) apache/superset#410
• 622db6d docs: add security policy
• 8e51b00 fix(parse): prevent overwriting __proto__ in parseQuery()
• 46c8ac0 chore(build): bumping to version 1.19.6
• a1ad8bc fix(parse): treat backslash as forwardslash in scheme delimiter
• d7bb4ce chore(build): bumping to version 1.19.5
• bf04ec5 chore(build): bumping to version 1.19.4
• b02bf03 fix(parse): treat backslash as forwardslash in authority (Fix img loading overlay in explore view apache/superset#403)
• d7064ab chore(build): bumping to version 1.19.3
• 4f45faf fix(parse): treat backslash as forwardslash in authority
• 594ffc1 chore(build): bumping to version 1.19.2
• e780eeb chore: inform people of modern APIs

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Cross-site Scripting (XSS)
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn