[Snyk] Fix for 3 vulnerabilities

[melvin-bot]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Denial of Service (DoS) SNYK-JS-ELECTRON-6405830	No	No Known Exploit
	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit

Commit messages

Package name: @storybook/react

The new version differs by 250 commits.

• 4f2afa6 v7.0.0
• 03292b0 Update root, peer deps, version.ts/json to 7.0.0 [ci skip]
• b2dc5cf Revert "Update root, peer deps, version.ts/json to 7.0.0 [ci skip]"
• 7f391a3 Update root, peer deps, version.ts/json to 7.0.0 [ci skip]
• f0b53cb 7.0.0 changelog
• 930917d Merge pull request fix: icon not set when adding bookmark to iOS home screen #21856 from storybookjs/docs/interactions-addon-migration
• f1c13da 7.0.0-rc.11 next.json version file [skip ci]
• 512a2ae Update git head to 7.0.0-rc.11, update yarn.lock [ci skip]
• 908c324 v7.0.0-rc.11
• 5edc7c0 Update root, peer deps, version.ts/json to 7.0.0-rc.11 [ci skip]
• 324d9bb 7.0.0-rc.11 changelog
• 37d9737 interactions debugger is now default
• 9682f7c Merge pull request [Hold for payment 7-17][$1000] Web - Console log "Invalid Attempt to destructure non-iterable instance" error when clicking 'Add reaction' icon #21833 from storybookjs/kasper/fix-strict-args-decorator-with-interface
• a08ffc7 Put @ storybook/csf version back into next
• 2cc1d36 Merge pull request Fixed 21280 textinput autogrow height #21850 from storybookjs/fix/tone-down-dependency-alerts
• 941103b Merge pull request migrate FloatingActionButtonAndPopover to function component #21851 from storybookjs/valentin/export-application-config-decorator
• 31700c0 Export applicationConfig decorator and adjust documentation for usage
• 3d9544f Merge pull request [HOLD for payment 2023-07-21] [$1000] Web - Heading after quote is not rendering #21846 from storybookjs/chore_docs_webpack_tweaks
• 79b590b Tweaks to the Webpack docs
• d193be5 Merge pull request Fix/issue 20810 #21836 from storybookjs/fix/downgrade-remark-deps
• 79b1fde Merge pull request [Performance fix #21831] Don't re-render ReportScreen unnecessarily when switching #21832 from storybookjs/fix/polyfill-global
• 590f053 downgrade remark related dependencies
• b421d95 only provide critical duplicated dependency warning on major version difference
• acace30 Merge pull request Fix - modified magic code link redirects to welcome screen with first place of magic code green #21724 from jungpaeng/docs/fix-controls

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
🦉 Prototype Pollution

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~017f0044a167283b00
• Upwork Job ID: 1768276781396721664
• Last Price Increase: 2024-03-14

[melvin-bot]

This is a Snyk issue. Snyk is a tool that automatically tracks our repositories' dependencies and reports associated security vulnerabilities. It also automatically create PRs to fix these vulnerabilities.

    C+: Please follow these steps to test the linked PR before running through the reviewer checklist:
    - [ ] The first step is to understand the PR: what dependency is it upgrading, for which vulnerability, how it impacts our product & end users.
    - [ ] If the issue is not worth fixing, please add your reasoning in the issue and have the internal engineer review it.
    - [ ] Check the change log (which should be included in the PR description) to see all changes. We want to identify any breaking changes. If it is a minor version bump, it's unlikely that there are any breaking changes.
    - [ ] Test our feature(s) that make use of this package. If it does not work, we should understand what broke it. It is also a good idea to check our main flows to make sure they are not broken that you can add in the checklist screenshots/videos.

[melvin-bot]

Job added to Upwork: https://www.upwork.com/jobs/~017f0044a167283b00

[melvin-bot]

Triggered auto assignment to Contributor Plus for review of internal employee PR - @allroundexperts (Internal)

[allroundexperts]

@yuwenmemon Since the original PR had conflicts, I created a new one #39372. Can you please review / merge?

[yuwenmemon]

This was deployed to prod.

[allroundexperts]

@yuwenmemon My compensation is pending here. Also, since this involved up-gradation of storybook (Took quite some time as evident from the merged PR), I would like to request a compensation of $500. Please review the request. Thanks!

[yuwenmemon]

That's fine by me!

[melvin-bot]

Triggered auto assignment to @greg-schroeder (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.

[yuwenmemon]

@greg-schroeder Can you handle @allroundexperts's request above?

[melvin-bot]

@yuwenmemon, @greg-schroeder, @allroundexperts Uh oh! This issue is overdue by 2 days. Don't forget to update your issues!

[melvin-bot]

@yuwenmemon, @greg-schroeder, @allroundexperts 6 days overdue. This is scarier than being forced to listen to Vogon poetry!

[melvin-bot]

@yuwenmemon, @greg-schroeder, @allroundexperts 8 days overdue is a lot. Should this be a Weekly issue? If so, feel free to change it!

[yuwenmemon]

@greg-schroeder any update on this one?

[greg-schroeder]

Apologies for the delay on this, for some reason my GH<>Slack zap isn't picking up my mentions on this issue 🤔

Also it's better to add Awaiting Payment label or [HOLD for payment] in the title so it's easier to see this is waiting for payment, as that's how we generally filter them on the BZ team.

[greg-schroeder]

Creating a payment issue to generate a new upwork job and will send a manual offer: #41875

[greg-schroeder]

Oh, you're a NewDot-eligible C+. So, yeah, ignore that. You can make a manual request for $500 for this issue and link to this comment for confirmation.

[JmillsExpensify]

$500 approved for @allroundexperts