[Snyk] Fix for 12 vulnerabilities

[snyk-io]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • node_modules/cross-spawn/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	159/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00396, Social Trends: No, Days since published: 1135, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.65, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	169/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00045, Social Trends: No, Days since published: 161, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.81, Score Version: V5	Uncontrolled resource consumption SNYK-JS-BRACES-6838727	Yes	Proof of Concept
	141/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Local, EPSS: 0.01055, Social Trends: No, Days since published: 326, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.35, Score Version: V5	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	35/1000 Why? Confidentiality impact: Low, Integrity impact: None, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1026, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.47, Score Version: V5	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	Yes	No Known Exploit
	124/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00045, Social Trends: No, Days since published: 161, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.06, Score Version: V5	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	Yes	No Known Exploit
	111/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00111, Social Trends: No, Days since published: 584, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 2.64, Score Version: V5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	159/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.0016, Social Trends: No, Days since published: 489, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.64, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	222/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): High, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1562, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 97, Impact: 9.79, Likelihood: 2.26, Score Version: V5	Command Injection SNYK-JS-STANDARDVERSION-575708	Yes	No Known Exploit
	111/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00213, Social Trends: No, Days since published: 479, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 2.65, Score Version: V5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	114/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00285, Social Trends: No, Days since published: 1240, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.9, Score Version: V5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	115/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 981, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.92, Score Version: V5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	137/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00044, Social Trends: No, Days since published: 1680, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.42, Score Version: V5	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @commitlint/cli

The new version differs by 250 commits.

• 890a931 v17.6.6
• 05e15a0 build(deps): bump semver from 7.5.0 to 7.5.2 ([BUG] cb() never called npm/cli#3620)
• af2f3a8 v17.6.5
• 2df2243 chore: switch internal node version to 18, add asdf to docs
• 2cd236b fix: add named export to @ commitlint/parse (Release/v7.20.5 npm/cli#3614)
• eea8da8 v17.6.4
• b335b83 chore: add compatibility for Nx 16 (fix --if-present cascading to child npm run scripts npm/cli#3589)
• 7989709 v17.6.3
• 2fff094 fix(config-lerna-scopes): add missing dependency (WIP npm/cli#3607)
• f8d8f20 chore: update actions/checkout action to v3 (npm audit false negative npm/cli#3605)
• 01e35e0 fix: update dependency semver to v7.5.0 ([BUG] npm ci installs nested dev dependency npm/cli#3604)
• 38a702e chore: update typescript-eslint monorepo to v5.59.2 (Clear progress bar which overlays confirm prompt npm/cli#3603)
• c1c7338 fix: update dependency yargs to v17.7.2 (Unpublish npm docs npm/cli#3602)
• ab8266c v17.6.2
• 757d3b8 chore: update dependency @ swc/core to v1.3.56 (cannot read property 'match' of undefined  npm/cli#3601)
• 83be84b chore: update jest monorepo (npm install --workspaces runs scripts in parent package npm/cli#3598)
• 6c5cd53 fix: lerna package.json resolution ([BUG] Modules run via npx interpret strings that look like environment variables npm/cli#3600)
• 7e2a84e chore: update dependency lint-staged to v13.2.2 ([BUG] <title> npm ERR! Exit handler never called! npm/cli#3597)
• 38963b8 chore: update dependency @ types/node to v14.18.43 (Isaacs/workspace root npm/cli#3596)
• 134851f chore: update dependency @ swc/core to v1.3.55 ([BUG] installation fails for Ubuntu 16.04 npm/cli#3595)
• 7eebf8e chore: update dependency eslint-config-prettier to v8.8.0 (v7.20.3 npm/cli#3594)
• 3b8099e chore: update dependency eslint to v8.39.0 ([BUG] npm ls --depth=Infinity returns dev dependencies of local prod dependencies npm/cli#3593)
• d6ec0d9 fix: update dependency fs-extra to v11.1.1 (add cache commands "ls" and "rm" npm/cli#3592)
• 44b57a5 fix: update dependency cosmiconfig to v8.1.3 (fix(node_modules): remove duplicated file npm/cli#3591)

See the full diff

Package name: babel-jest

The new version differs by 250 commits.

• be16e47 v27.0.0
• 63102ec chore: update changelog for release
• 564694a docs(blog): Jest 27 blog post (#11131)
• b68d91b feat(pretty-print): add option `printBasicPrototype` (#11441)
• 2226742 chore: minor simplify format results error (#11432)
• 78eb25d chore: remove needless assign (#11433)
• 696c455 chore: update lockfile after publish
• e2eb9ae v27.0.0-next.11
• 3b253f8 Wait for closed resources to actually close before detecting open handles (#11429)
• 27bee72 fix: run GC before collecting open handles (#11278)
• 50451df feat: use fallback if prettier not found (#11400)
• 150dbd8 chore: update lockfile after publish
• 6f44529 v27.0.0-next.10
• cbcec7d Upgrade fsevents in jest-haste-map (#11428)
• 9633a26 feat: support reporters written in ESM (#11427)
• 59f42d8 fix: do not cache modules that throw during evaluation (#11263)
• 57e32e9 Detect open handles with done callbacks (#11382)
• a397607 Document and test dontThrow for custom inline snapshot matchers (#10995)
• 4fa3a0b feat: custom haste (#11107)
• 2047a36 chore: bump deps (#11419)
• a4358d6 chore: run prettier on changelog
• bdd6282 Move all default values into `jest-config` (#9924)
• db643a1 Link to Jest config (#11106)
• b16082c Fix locale issue #10014 (#11412)

See the full diff

Package name: eslint

The new version differs by 250 commits.

• e0cbc50 9.0.0
• 75cb5f4 Build: changelog update for 9.0.0
• 19f9a89 chore: Update dependencies for v9.0.0 (#18275)
• 7c957f2 chore: package.json update for @ eslint/js release
• d73a33c chore: ignore `/docs/v8.x` in link checker (#18274)
• d54a412 feat: Add --inspect-config CLI flag (#18270)
• e151050 docs: update get-started to the new `@ eslint/create-config` (#18217)
• 610c148 fix: Support `using` declarations in no-lone-blocks (#18269)
• 44a81c6 chore: upgrade knip (#18272)
• 94178ad docs: mention about `name` field in flat config (#18252)
• 1765c24 docs: add Troubleshooting page (#18181)
• e80b60c chore: remove code for testing version selectors (#18266)
• 96607d0 docs: version selectors synchronization (#18260)
• e508800 fix: rule tester ignore irrelevant test case properties (#18235)
• a129acb fix: flat config name on ignores object (#18258)
• 97ce45b feat: Add `reportUsedIgnorePattern` option to `no-unused-vars` rule (#17662)
• 651ec91 docs: remove `/* eslint-env */` comments from rule examples (#18249)
• 950c4f1 docs: Update README
• 3e9fcea feat: Show config names in error messages (#18256)
• b7cf3bd fix!: correct `camelcase` rule schema for `allow` option (#18232)
• 12f5746 docs: add info about dot files and dir in flat config (#18239)
• b93f408 docs: update shared settings example (#18251)
• 26384d3 docs: fix `ecmaVersion` in one example, add checks (#18241)
• 7747097 docs: Update PR review process (#18233)

See the full diff

Package name: jest

The new version differs by 250 commits.

• 75006e4 v29.0.0
• 7c82a9f chore: update jest-watch-typeahead again
• 352ff29 chore: update changelog for release
• 33ad8c3 docs: Jest 29 blog post (#13103)
• dda77e5 docs: collapse 28.0 and 28.1 docs (#13104)
• c0dc84c chore: update jest-watch-typeahead
• 05f6217 fix: support deep CJS re-exports when using ESM (#13170)
• 490fd88 chore: update yarn (#13169)
• 98936a2 docs: Update Enzyme links to use new URL (#13166)
• 187566a feat(pretty-format): allow to opt out from sorting object keys with `compareKeys: null` (#12443)
• ae2bed7 chore: tweak regex used in e2e tests (#13129)
• 8c56d74 docs: Update Configuration.md for added special notes on usage scenarios for pnpm. (#13115)
• fb1c53d feat(jest-config)!: remove undocumented `collectCoverageOnlyFrom` option (#13156)
• 075b489 fix: ignore `EISDIR` when resolving symlinks (#13157)
• 3bef02e feat(@ jest/test-result, @ jest/types)!: replace `Bytes` and `Milliseconds` types with `number` (#13155)
• 4def94b v29.0.0-alpha.6
• 0f00d4e fix: replace non-CLI `rimraf` usage (#13151)
• 6a90a2c fix: Allow updating inline snapshots when test includes JSX (#12760)
• 983274a feat: Let `babel` find config when updating inline snapshots (#13150)
• d2ff18a chore: make prettierPath optional in `SnapshotState` (#13149)
• 7d8d01c feat(circus): added each to failing tests (#13142)
• a5b52a5 chore(types): separate MatcherContext, MatcherUtils and MatcherState (#13141)
• 79b5e41 chore: get rid of peer dep warning in website
• 812763d chore: enable 'no-duplicate-imports' (#13138)

See the full diff

Package name: lint-staged

The new version differs by 146 commits.

• 885a644 Merge pull request #822 npm/cli#852 from okonet/listr2
• aba3421 fix: all lint-staged output respects the `quiet` option
• b8df31a fix: do not show incorrect error when verbose and no output
• eed6198 style: simplify eslint and prettier config
• b746290 ci: replace Node.js 13 with 14, since 14 will be next LTS
• 2c6f3ad docs: improve `verbose` description
• e749a0b test: remove redundant, misbehaving test
• 16848d8 fix: use test renderer during tests and when TERM=dumb
• efffa22 test: cover `--verbose` option usage
• 1b18550 test: restore variable in test output
• 6aede38 test: add test for error during merge state restoration
• b565481 test: integration test targets the full Node.js API instead of just `runAll`
• a3bd9d7 feat: allow specifying `cwd` using the Node.js API
• 85de3a3 feat: add `--verbose` to show output even when tasks succeed
• d69c65b fix: log task output after running listr to keep everything
• e95d1b0 refactor: move skip and enable cheks of listr tasks to separate file
• 6da7667 refactor: move messages to separate file
• 6392480 refactor: use symbols for errors
• 8f32a3e feat: replace listr with listr2 and print errors inline
• c9adca5 fix: use stash create/store to prevent files from disappearing from disk
• e093b1d fix(deps): update dependencies
• 6066b07 fix: pass correct path to unstaged patch during cleanup
• 0bf1fb0 fix: allow lint-staged to run on empty git repo by disabling backup
• 1ac6863 Merge pull request E429 npm ERR! 429 Too Many Requests - GET https://registry.npmjs.org/aws4[BUG] npm/cli#837 from okonet/serial-git-add

See the full diff

Package name: rimraf

The new version differs by 90 commits.

• a1268c9 4.3.1
• cacc067 changelog 4.3.1
• cd6fbc6 Only call directory removal method on actual dirs
• 4937e64 format markdown
• ba35d77 always return Dirents from readdir
• f923bb0 4.3.0
• ed7b2a6 test: chmod ordering is nondeterministic
• 4cb1d47 changelog about bin interactivity
• 95e13f2 try to make the interactive test less flaky
• 38e731f bin: add interactive mode
• ca28abb let the filter option be async for async methods
• 3b57687 add --verbose, --no-verbose to bin
• ed3288e add filter option
• e828fe2 Update v4 glob support in README
• 80aef8b 4.2.0
• 0d19a99 changelog 420
• f768f26 treat paths as glob patterns when glob option set
• 5760716 make rimraf cancelable with AbortSignals
• 417cdc7 4.1.4
• bdfa60c update deps, export types properly for cjs module
• 20e3799 use NodeJS.ErrnoException instead of FsError
• 450e3d2 4.1.3
• 8d77621 add declarationMap to tsconfig
• 49a2958 formatting tests

See the full diff

Package name: standard-version

The new version differs by 82 commits.

• 017dcb6 chore(master): release 9.5.0 (#795 npm/cli#867)
• 61b41fa feat(deprecated): add deprecation message (> # Apa sebabnya npm/cli#907)
• 6c75ed0 fix(deps): update dependency conventional-changelog-conventionalcommits to v4.6.3 (#799 npm/cli#866)
• 4c938a2 fix(deps): update dependency conventional-changelog to v3.1.25 (#800 npm/cli#865)
• fd05681 chore(master): release 9.4.0 (#802 npm/cli#864)
• e510623 build: run tests on label
• eceaedf feat: add .cjs config file ([DEPS] Update dependencies for release v6.13.7 npm/cli#717)
• 366a498 build: update publish configuration
• 095e1eb test: updates .gitignore test to check against a default package and bump file found in the gitignore (C1#655 npm/cli#841)
• fb3f3fa chore: Move to native fs.access, removes fs-access package. (Documentation for "npm install" unclear or incorrect npm/cli#840)
• 2785023 fix: Ensures provided `packageFiles` arguments are merged with `bumpFiles` when no `bumpFiles` argument is specified (default). ([QUESTION] Can I define myself dependency-types? npm/cli#534)
• 938828d chore(deps): update dependency eslint-plugin-promise to v5 ([BUG] Running 'npm update -g' does nothing, running 'npm -g update' works npm/cli#745)
• a0bc835 test: adds basic coverage for --preset flag and CHANGELOG output (Release 6.13.7 npm/cli#723)
• a61d8cf chore: release 9.3.2 ([BUG] 429 Too Many Requests npm/cli#836)
• bb8869d fix(deps): update dependency conventional-changelog-conventionalcommits to v4.6.1 (TONS of errors after using "npm install" from Verson 8.3.23, but application was developed with 7.0.5 npm/cli#752)
• 4b0b549 chore(deps): update codecov/codecov-action action to v2 (fix: npm explore spawn shell correctly npm/cli#784)
• ca5ab8f chore: release 9.3.1 ([Feature] Copy alert might be simpler npm/cli#781)
• a316dd0 fix(updater): npm7 package lock's inner version not being updated ([BUG] npm install -g npm@latest Does not Install Latest Version of NPM npm/cli#713)
• 605c1ab chore: release 9.3.0 (docs:correction to npm update -g behaviour npm/cli#755)
• f579ff0 feat: add --lerna-package flag used to extract tags in case of lerna repo ([Snyk] Security upgrade tap from 10.7.3 to 18.0.0 #503)
• 3d341c2 chore: release 9.2.0 (feat: added script to update dist-tags npm/cli#736)
• 3bbba02 feat: allows seperate prefixTag version sequences ([BUG] <npm ERR! cb() never called!> npm/cli#573)
• f5bff12 docs: Improve documentation on providing an empty tag-prefix (feat: add mergeable.yml to prevent merges without review approvals npm/cli#579)
• 843c572 docs: Updated generate artifacts code snippet (write EPROTO 14488:error:1408F10B:SSL npm/cli#645)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-side Request Forgery (SSRF)
🦉 Command Injection
🦉 More lessons are available in Snyk Learn

[sourcery-ai]

🧙 Sourcery has finished reviewing your pull request!

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot (hey, snyk-io[bot]!). We assume it knows what it's doing!
• It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.