[Snyk] Security upgrade eslint from 7.32.0 to 9.0.0

[matrix-compute]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • superset-frontend/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	141/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Local, EPSS: 0.01055, Social Trends: No, Days since published: 128, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.35, Score Version: V5	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: eslint

The new version differs by 250 commits.

• e0cbc50 9.0.0
• 75cb5f4 Build: changelog update for 9.0.0
• 19f9a89 chore: Update dependencies for v9.0.0 (Postgres connection apache/superset#18275)
• 7c957f2 chore: package.json update for @ eslint/js release
• d73a33c chore: ignore `/docs/v8.x` in link checker (World map error after upgrade to 1.0.1 apache/superset#18274)
• d54a412 feat: Add --inspect-config CLI flag (Pe-commit hooks using deprecated code apache/superset#18270)
• e151050 docs: update get-started to the new `@ eslint/create-config` (fix(plugin-chart-echarts): use verbose x-axis name when defined apache/superset#18217)
• 610c148 fix: Support `using` declarations in no-lone-blocks (Big Query Impersonate User to have Access to DataSource apache/superset#18269)
• 44a81c6 chore: upgrade knip (HELM CHART: After successful deployment and login, internal query with SQL Alchemy fails apache/superset#18272)
• 94178ad docs: mention about `name` field in flat config (fix(plugin-chart-echarts): fix forecasts on verbose metrics apache/superset#18252)
• 1765c24 docs: add Troubleshooting page (fix: Explore long URL problem apache/superset#18181)
• e80b60c chore: remove code for testing version selectors (how to add custom style to mapbox? apache/superset#18266)
• 96607d0 docs: version selectors synchronization (How can we set chart datetime language? apache/superset#18260)
• e508800 fix: rule tester ignore irrelevant test case properties ([mixed time-series] Secondary y-axis title is disguised/misplaced apache/superset#18235)
• a129acb fix: flat config name on ignores object (Include jdbc-sqlalchemy / jaedebeapi db driver for jdbc apache/superset#18258)
• 97ce45b feat: Add `reportUsedIgnorePattern` option to `no-unused-vars` rule (Track dashboard's “draft/published” status in CLI import/export apache/superset#17662)
• 651ec91 docs: remove `/* eslint-env */` comments from rule examples (Dont Merge apache/superset#18249)
• 950c4f1 docs: Update README
• 3e9fcea feat: Show config names in error messages (Web UI doesn't show app version when deployed using Helm chart apache/superset#18256)
• b7cf3bd fix!: correct `camelcase` rule schema for `allow` option ([mixed time-series; time-series bar chart v2] Bar chart jumps to very narrow bars in larger time ranges apache/superset#18232)
• 12f5746 docs: add info about dot files and dir in flat config (cosmetic: prevent line-breaks on table/card icons apache/superset#18239)
• b93f408 docs: update shared settings example (chore(tests): migrate mssql tests to pytest apache/superset#18251)
• 26384d3 docs: fix `ecmaVersion` in one example, add checks (refactor: convert properties modal test to rtl apache/superset#18241)
• 7747097 docs: Update PR review process (Read-only Public role for anonymous users apache/superset#18233)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@ant-design/icons@5.0.1	None	+3	18.3 MB	zombiej
npm/@applitools/eyes-storybook@3.30.1	Transitive: environment, eval, filesystem, network, shell, unsafe	+78	10.6 MB	applitools-admin
npm/@babel/cli@7.22.6	Transitive: eval, filesystem, network, shell	+5	1.28 MB	nicolo-ribaudo
npm/@babel/compat-data@7.22.6	None	0	63.9 kB	nicolo-ribaudo
npm/@babel/core@7.22.8	environment, filesystem, unsafe	+28	7.57 MB	nicolo-ribaudo
npm/@babel/eslint-parser@7.22.7	unsafe	+3	230 kB	nicolo-ribaudo
npm/@babel/node@7.22.6	None	0	40.8 kB	nicolo-ribaudo
npm/@babel/plugin-transform-runtime@7.22.7	unsafe	+7	622 kB	nicolo-ribaudo
npm/@babel/preset-env@7.22.7	environment	+104	7.47 MB	nicolo-ribaudo
npm/@babel/preset-react@7.22.5	None	+9	208 kB	nicolo-ribaudo
npm/@babel/register@7.22.5	environment, filesystem, unsafe	0	61.7 kB	nicolo-ribaudo
npm/@babel/runtime-corejs3@7.22.6	None	0	359 kB	nicolo-ribaudo
npm/@babel/runtime@7.20.1	None	0	218 kB	nicolo-ribaudo
npm/@babel/types@7.22.5	environment	+2	2.47 MB	nicolo-ribaudo
npm/@cypress/react@5.10.1	None	+1	147 kB	cypress-npm-publisher
npm/@data-ui/event-flow@0.0.84	Transitive: environment, eval, filesystem	+12	5.05 MB	data-ui
npm/@data-ui/histogram@0.0.84	None	+20	1.45 MB	data-ui
npm/@data-ui/theme@0.0.84	None	0	19.3 kB	data-ui
npm/@data-ui/xy-chart@0.0.84	Transitive: environment, eval	+14	1.39 MB	data-ui
npm/@emotion/babel-preset-css-prop@11.2.0	environment	+15	2.46 MB	emotion-release-bot
npm/@emotion/jest@11.3.0	environment	+2	132 kB	emotion-release-bot
npm/@encodable/color@1.1.1	None	+6	625 kB	kristw-bot
npm/@fontsource/inter@4.0.0	None	0	5.38 MB	lotusdevshack
npm/@hot-loader/react-dom@16.13.0	environment, eval	+1	3.12 MB	kashey
npm/@istanbuljs/nyc-config-typescript@1.0.1	None	+1	20.8 kB	coreyfarrell
npm/@mapbox/geojson-extent@1.0.1	Transitive: filesystem	+4	120 kB	mapbox-npm-02
npm/@math.gl/web-mercator@3.6.3	None	0	301 kB	pessimistress

🚮 Removed packages: npm/@applitools/eyes-cypress@3.29.1, npm/@cypress/code-coverage@3.10.4, npm/@superset-ui/core@2.1.0, npm/@types/querystringify@2.0.0, npm/brace@0.11.1, npm/cy-verify-downloads@0.1.6, npm/cypress-fail-on-console-error@4.0.3, npm/cypress@10.11.0, npm/eslint-plugin-cypress@2.12.1, npm/querystringify@2.2.0, npm/react-dom@16.14.0, npm/rison@0.1.1, npm/shortid@2.2.16

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Install scripts	npm/core-js@2.6.12	Install script: postinstall Source: node -e "try{require('./postinstall')}catch(e){}"	superset-frontend/package-lock.json superset-frontend/packages/superset-ui-demo/package.json superset-frontend/plugins/legacy-plugin-chart-event-flow/package.json
Install scripts	npm/@applitools/eyes-storybook@3.30.1	Install script: postinstall Source: node src/postinstall	superset-frontend/package-lock.json superset-frontend/package.json

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/core-js@2.6.12
• @SocketSecurity ignore npm/@applitools/eyes-storybook@3.30.1