[Snyk] Fix for 7 vulnerabilities

[adamlaska]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-DICER-2311764	No	Mature
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @mdx-js/loader

The new version differs by 250 commits.

• bf7deab v2.0.0-next.5
• 5c15a00 fix(remark-mdx): move remark-stringify to deps (Lowercase file name vercel/next.js#1190)
• f59b174 Make type test run in their own action, closes Async render fixes for #1170 vercel/next.js#1172 (Using a src subdirectory vercel/next.js#1179)
• 9ac9755 docs(typescript): document how to use mdx 2 with typescript (Embedding scripts with multiple Head components. vercel/next.js#1181)
• 42077e4 ci(github): update github actions to latest versions ([dev] Detect whether user installed react and act vercel/next.js#1180)
• cc95646 ci(github): update github actions and dtslint to latest (Update babel-loader to the latest version 🚀 vercel/next.js#1178)
• 6098d94 Remove deprecated plugin options, fixes [Snyk] Security upgrade eslint-config-next from 12.2.0 to 14.1.0 #718 (Fix "EXDEV: cross-device link not permitted" error vercel/next.js#1174)
• 0da2fcf Specify pre-dist-tag
• e1b45e3 v2.0.0-next.4
• 649dbd8 Implement inline link serialization that doesn't wrap them in angle (Feature Request: Use the filesystem as server API vercel/next.js#1171)
• d08c5b6 Make testing matrix simpler (Error while using randomness for inline styling vercel/next.js#1173)
• d0059c8 v2.0.0-next.3
• fa091d2 v2.0.0-next.2
• 7829b88 Move publish to its own action
• afd60c2 Break out linting into its own action
• 3ca8e0a Fix linting (Improve prefetch vercel/next.js#1161)
• 577d48f Fix some linting
• db93304 Improve export name extraction for shortcode generation (next/babel preset hard-codes directory path in output vercel/next.js#1160)
• ea9970a Bump deps, fix core-js version in babel configs
• 166fd9d v2.0.0-next.1
• 569f82f Make preid next to match dist tag
• a3d8f08 types: add types to test utils (Compilation cancelation vercel/next.js#1083)
• e2eb4ee types: add typescript typings for remark-mdx, remark-mdx-remove-exports, remark-mdx-remove-imports, @ mdx-js/util (Is it possible to use styled-components with Next.js? vercel/next.js#1082)
• 65af47c Break three main tests into their own scripts

See the full diff

Package name: alex

The new version differs by 13 commits.

• ff7e86f 10.0.0
• d4833f8 Add JSDoc based types
• 646929e Update dev-dependencies
• e1f3de0 Update dependencies
• d2cd488 Use ESM
• a799349 Replace `nyc` with `c8`
• 86e9c9f Remove browser build
• 01ddabb Update Node in Actions
• b44f133 9.1.1
• 223cde1 Add lock for `remark-mdx`
• 1ebd23f Update due to upstream dependencies
• 350b509 Update dev-dependencies
• ba568e4 Update links to health files

See the full diff

Package name: dd-trace

The new version differs by 119 commits.

• 5381da3 v2.8.0
• 380db3a fix type error in hapi (Point to styled-jsx npm package's readme vercel/next.js#2085)
• 810cce1 fix store leak in plugin storage management (Correct "yo" to "to" vercel/next.js#2078)
• ce6acb2 remove legacy release action that is not needed on this branch (Unexpected token import in node_modules vercel/next.js#2080)
• ee870de move multer to devdeps (Reload webpack if needed vercel/next.js#2076)
• f4331e8 rewrite hapi integration with the new plugin system (Newexample vercel/next.js#2070)
• 5c887ca rewrite moleculer plugins with the new plugin system (exclude a module client side vercel/next.js#2069)
• 60316ad Fix downstream job trigger for deployments to rel-env (dynamic import request 404 in production mode vercel/next.js#2073)
• 165b4be AppSec error list metric (async/await fetch is slow on now hosting? vercel/next.js#2064)
• e6b0bdd use codecov action instead of deprecated npm package (Express server middleware function not handling exceptions vercel/next.js#2059)
• 9151e96 fix publish docs github actions job (Add next configuration as an option for custom servers vercel/next.js#2058)
• 2fc89bd [ci-visibility] Add jest and mocha to API docs (Import components via webpack aliases vercel/next.js#2055)
• 58bba7e [ci-visibility] Add library_version to agentless and agent based intake (Example with-jest chokes on JSX syntax vercel/next.js#2052)
• e484785 v2.7.1
• 6e5e586 fix unreturned promise in fastify hooks (Update node-fetch to the latest version 🚀 vercel/next.js#2049)
• 2387798 convert aws-sdk to new plugin system (Remove stage-0 from package.json vercel/next.js#2028)
• eaa1678 bump to 2.7.0
• 72e3a28 restrict pr labels check to master (Can't use console.log and have duplicate script tags since upgrading to 2.3.1 vercel/next.js#2040)
• 10a81dc rewrite restify and fastify plugins with the new plugin system (Aborted because of declined dependency vercel/next.js#2034)
• 1642df9 add all dns addresses when option is set (Run well when dev, but i get a 404 after build. vercel/next.js#2038)
• f00aec5 rewrite paperplane plugin for the new plugin system (Dynamic imports with dynamic filenames vercel/next.js#2037)
• 1bb7663 rewrite koa plugin with new plugin system (Multiple event listeners per event on Router vercel/next.js#2033)
• efa940e update log plugins to receive log injection config directly (Add reference to wiki for deploying to GitHub Pages vercel/next.js#2035)
• fa3e07e rewrite connect plugin with new plugin system (Add a nice way to get the router API inside a component vercel/next.js#2032)

See the full diff

Package name: html-validator

The new version differs by 7 commits.

• 41d5135 6.0.0
• 80020e2 Merge pull request [Snyk] Security upgrade next from 10.2.3 to 12.0.9 #230 from zrrrzzt/version-6
• 8b11e68 Updates README with link to workarounds (patch)
• 37115b0 Updates html-validate to v6.1.3 (patch)
• f101ad2 Switches request for axios (patch)
• b424f7d Removes coveralls (patch)
• c3a11fa Updates engines (major)

See the full diff

Package name: lerna

The new version differs by 43 commits.

• 45ff346 chore(release): v5.1.2
• e519f43 fix(conventional-commits): remove pinned lodash.template (React attempted to reuse markup in a container but the checksum was invalid vercel/next.js#3172)
• d242b06 chore(e2e): Add e2e tests for lerna init options (Next.js not watching file changes inside node_modules folder vercel/next.js#3162)
• 56eaa15 fix: update all transitive inclusions of ansi-regex (Some peer deps are missing vercel/next.js#3166)
• cb47e7a chore: switch readme image based on dark mode and pin node version (Allow BABEL_DISABLE_CACHE to override cacheDirectory in webpack.js vercel/next.js#3164)
• eb7da85 chore(release): v5.1.1
• 21ce2bf chore: remove broken postversion in root package.json
• 72305e4 fix: allow maintenance LTS node 14 engines starting at 14.15.0 (Can not install via npm. xss-filters shasum check failed  vercel/next.js#3161)
• 6cf9be8 chore: initial e2e spec for lerna init (accidental open vercel/next.js#3158)
• 479bf4c chore: update CHANGELOG.md
• 6b9c375 chore(release): v5.1.0
• 7e69e9e fix(utils): orphaned child process on Windows (HMR breaks when project is run out of a folder starting with "." vercel/next.js#3156)
• 897caee chore: fix typos (dynamic import - Syntax Error: Unexpected token (125:38) vercel/next.js#2732)
• c6808fc feat: handle the edge cases in the lerna-nx integration
• ff27ccb chore(release): v5.1.0-alpha.0
• bf7daa6 chore: remove references to git.io (Fix with-amp example vercel/next.js#3153)
• c363ec4 chore: restore CI workflow
• 4464787 chore: remove update-historical workflow as no longer needed
• 7caf43b chore: update historical (Styled-jsx integration test inconsistent between Travis and Appveyor vercel/next.js#3148)
• 1022919 chore: update historical
• a9f3ba4 chore: update historical (Fix styled-jsx test vercel/next.js#3147)
• 780cc89 chore: update contributing notes
• 9f32d4e chore: update issue templates and contributing notes
• 1c35828 feat: add experimental support to run tasks via Nx

See the full diff

Package name: lint-staged

The new version differs by 19 commits.

• 885a644 Merge pull request [Snyk] Security upgrade jest from 27.5.1 to 28.0.0 #852 from okonet/listr2
• aba3421 fix: all lint-staged output respects the `quiet` option
• b8df31a fix: do not show incorrect error when verbose and no output
• eed6198 style: simplify eslint and prettier config
• b746290 ci: replace Node.js 13 with 14, since 14 will be next LTS
• 2c6f3ad docs: improve `verbose` description
• e749a0b test: remove redundant, misbehaving test
• 16848d8 fix: use test renderer during tests and when TERM=dumb
• efffa22 test: cover `--verbose` option usage
• 1b18550 test: restore variable in test output
• 6aede38 test: add test for error during merge state restoration
• b565481 test: integration test targets the full Node.js API instead of just `runAll`
• a3bd9d7 feat: allow specifying `cwd` using the Node.js API
• 85de3a3 feat: add `--verbose` to show output even when tasks succeed
• d69c65b fix: log task output after running listr to keep everything
• e95d1b0 refactor: move skip and enable cheks of listr tasks to separate file
• 6da7667 refactor: move messages to separate file
• 6392480 refactor: use symbols for errors
• 8f32a3e feat: replace listr with listr2 and print errors inline

See the full diff

Package name: tailwindcss

The new version differs by 250 commits.

• fadd4c8 2.0.0
• 98b4405 Update resolve to version 1.19.0
• 4ab5672 Summarize 2.0 changelog
• 35f8211 2.0.0-alpha.25
• f80de6a Update changelog
• 3de0c48 Don't mix unitless values with units in the same scale
• e701c81 2.0.0-alpha.24
• ffb04c5 Update changelog
• e40079a Fix cascading shadow/ring bug, ensure default ring color
• 5e50367 Update changelog
• 2245f26 Rename plugin in compat mode
• c238ed1 Improve compat mode (Next build doesn't exit vercel/next.js#2775)
• 83c685a 2.0.0-alpha.23
• 63f5b41 Update changelog
• 1536166 Merge branch 'master' of github.com:tailwindlabs/tailwindcss
• 1d8679d Postcss7 compatibility (Relay Modern Example (#1757) vercel/next.js#2773)
• 332f421 Update changelog
• d4cde73 2.0.0-alpha.22
• fb00d14 Update changelog
• b86bdbc Cleanup custom properties (Is pages using the same document when switch route by next/link ? vercel/next.js#2771)
• f57fbb6 2.0.0-alpha.21
• 979a4e5 Update changelog
• 729b400 Upgrade to PostCSS 8
• 042e259 2.0.0-alpha.20

See the full diff

Package name: wait-port

The new version differs by 50 commits.

• 5d84bcf chore(release): 0.2.3
• b980aa8 feat: show a sensible error message if the address cannot be found ([Snyk] Upgrade style-loader from 0.17.0 to 0.23.1 #46)
• 21bf83c build: circleci 2 and node 8
• cb17261 Merge pull request [Snyk] Upgrade graphql from 14.5.8 to 14.7.0 #42 from dwmkerr/chore/update-dependencies
• 2876a6b chore: update dependencies, include package lock
• 8db816c Merge pull request [Snyk] Upgrade react-redux from 7.2.0 to 7.2.6 #40 from dwmkerr/greenkeeper/commander-3.0.0
• 7265c1d fix(package): update commander to version 3.0.0
• be991f3 Merge pull request [Snyk] Upgrade react-redux from 5.0.7 to 5.1.2 #20 from dannycochran/patch-1
• b81bd3f Merge pull request [Snyk] Upgrade @supabase/ui from 0.6.1 to 0.36.2 #28 from dwmkerr/guardrails/initial
• 91b7606 Merge pull request [Snyk] Upgrade hls.js from 0.13.2 to 0.14.17 #39 from dwmkerr/greenkeeper/sinon-7.4.0
• f71a541 chore(package): update sinon to version 7.4.0
• 42dbf9c Merge pull request [Snyk] Upgrade next from 10.0.7 to 10.2.3 #38 from dwmkerr/greenkeeper/eslint-6.0.0
• b5bf8fb chore(package): update eslint to version 6.0.0
• 03a6e90 Merge pull request [Snyk] Upgrade classnames from 2.2.6 to 2.3.1 #36 from dwmkerr/greenkeeper/nyc-14.1.1
• dd7000e chore(package): update nyc to version 14.1.1
• e688622 Merge pull request [Snyk] Upgrade @magic-sdk/admin from 1.0.0 to 1.3.2 #17 from dwmkerr/greenkeeper/nyc-12.0.1
• 6970a8f Merge branch 'master' into greenkeeper/nyc-12.0.1
• efde476 Merge pull request [Snyk] Upgrade reason-react from 0.7.1 to 0.9.1 #35 from dwmkerr/greenkeeper/sinon-7.3.1
• 19d7f54 chore(package): update sinon to version 7.3.1
• fce2fc3 Merge pull request [Snyk] Upgrade @contentful/rich-text-react-renderer from 14.1.1 to 14.1.3 #34 from dwmkerr/greenkeeper/sinon-7.2.7
• d58288d chore(package): update sinon to version 7.2.7
• 9a4929b Merge pull request [Snyk] Upgrade react-redux from 7.2.0 to 7.2.6 #33 from dwmkerr/greenkeeper/sinon-7.2.6
• 442cbb2 chore(package): update sinon to version 7.2.6
• d99d8ce Merge pull request [Snyk] Upgrade next from 10.0.9 to 10.2.3 #31 from dwmkerr/greenkeeper/sinon-7.2.4

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Improper Input Validation
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.