[Snyk] Fix for 25 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	No	Proof of Concept
	658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
	611/1000 Why? Recently disclosed, Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Certificate Validation SNYK-JS-NODESASS-1059081	Yes	No Known Exploit
	715/1000 Why? Has a fix available, CVSS 9.8	Use After Free SNYK-JS-NODESASS-535497	No	No Known Exploit
	761/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.8	NULL Pointer Dereference SNYK-JS-NODESASS-540974	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Denial of Service (DoS) SNYK-JS-NODESASS-540982	No	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-NODESASS-542662	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-REDIS-1255645	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: axios

The new version differs by 250 commits.

• e367be5 [Releasing] 0.21.3
• 83ae383 Correctly add response interceptors to interceptor chain (Unobserve status on unmount mastodon/mastodon#4013)
• c0c8761 [Updating] changelog to include links to issues and contributors
• 619bb46 [Releasing] v0.21.2
• 82c9455 Create SECURITY.md (i18n: added email to activerecord.pl.yml mastodon/mastodon#3981)
• 5b45711 Security fix for ReDoS (Sorry, I've missed the repository to send PR: Update Circle CI settings mastodon/mastodon#3980)
• 5bc9ea2 Update ECOSYSTEM.md (Docker build fails on v1.4.3 mastodon/mastodon#3817)
• e72813a Fixing README.md (Refactor AccountFilter and spec mastodon/mastodon#3818)
• e10a027 Fix README typo under Request Config (Add option to always show "remote follow" button on profiles mastodon/mastodon#3825)
• e091491 Update README.md (Don't set ASSET_HOST on build:development mastodon/mastodon#3936)
• b42fbad Removed un-needed bracket
• 520c8dc Updating CI status badge (feature request :  mastodon/mastodon#3953)
• 4fbeecb Adding CI on Github Actions. (Error when doing db:migrate (non-docker) during upgrade to 1.4.6 mastodon/mastodon#3938)
• e9965bf Fixing the sauce labs tests (Some minor change and spec for Account mastodon/mastodon#3813)
• dbc634c Remove charset in tests (Increase size of avatars mastodon/mastodon#3807)
• 3958e9f Add explanation of cancel token (Implementation of rtl? method is incorrect mastodon/mastodon#3803)
• 69949a6 Adding custom return type support to interceptor (Add Inline Translations mastodon/mastodon#3783)
• 49509f6 Create FUNDING.yml (Account aliases. mastodon/mastodon#3796)
• 199c8aa Adding parseInt to config.timeout (Toot replies should be unlisted by default mastodon/mastodon#3781)
• 94fc4ea Adding isAxiosError typeguard documentation (Merge v1.4.3 mastodon/mastodon#3767)
• 0ece97c Fixing quadratic runtime when setting a maxContentLength (Regex filters no longer saving after page reload mastodon/mastodon#3738)
• a18a0ec Updating `lib/core/README.md` about Dispatching requests (Ability to open toots in current column instead of in Getting started column in web UI mastodon/mastodon#3772)
• 59fa614 [Updated] follow-redirects to the latest version (Ability to change the icons in top left corner in web UI mastodon/mastodon#3771)
• 7821ed2 Feat/json improvements (Use instance name in email notifications instead of "Mastodon" mastodon/mastodon#3763)

See the full diff

Package name: css-loader

The new version differs by 168 commits.

• 634ab49 chore(release): 2.0.0
• 6ade2d0 refactor: remove unused file (Update the list of instances mastodon/mastodon#860)
• e7525c9 test: nested url (Add social.nasqueron.org instance mastodon/mastodon#859)
• 7259faa test: css hacks (Use active record shorthand mastodon/mastodon#858)
• 5e6034c feat: allow to filter import at-rules (timestamps take too much space mastodon/mastodon#857)
• 5e702e7 feat: allow filtering urls (Forbid and terminate accounts dedicated to the selling of goods or services, or the monetization of web contents mastodon/mastodon#856)
• 9642aa5 test: css stuff (We don't need the entire tag model for just the name mastodon/mastodon#855)
• 3338656 fix: reduce number of require for url (Fix crontab edit mastodon/mastodon#854)
• 533abbe test: issue 636 (Text formatting mastodon/mastodon#853)
• 08c551c refactor: better warning on invalid url resolution ([#817] Add email whitelist mastodon/mastodon#852)
• b0aa159 test: issue Fix for issue #462 mastodon/mastodon#589 (Javascript error in the surf browser mastodon/mastodon#851)
• f599c70 fix: broken unucode characters (Icon for "this person has followed you" and button for "follow them back" look identical mastodon/mastodon#850)
• 1e551f3 test: issue 286 (Cannot change credentials on single user mode mastodon/mastodon#849)
• 419d27b docs: improve readme (Add oc.todon.fr to the list of instances. mastodon/mastodon#848)
• d94a698 refactor: webpack-default (If redis is not running during user creation, user is still added to db mastodon/mastodon#847)
• b97d997 feat: schema options
• 453248f fix: support module resolution in composes (Add mastodon.club to running instances list mastodon/mastodon#845)
• 8a6ea10 refactor: postcss plugins (Email confirmation seems to be broken (again?) mastodon/mastodon#844)
• fdcf687 fix: url resolving logic (Update List-of-Mastodon-instances.md mastodon/mastodon#843)
• 889dc7f feat: allow to disable css modules and disable their by default (Missing quotes mastodon/mastodon#842)
• ee2d253 test: importLoaders option (Stylesheets not found ? mastodon/mastodon#841)
• 1dad1fb feat: reuse postcss ast from other loaders (i.e `postcss-loader`) (Update List-of-Mastodon-instances.md mastodon/mastodon#840)
• fe94ebc test: icss reserved keywords (Improve readability of text on profiles mastodon/mastodon#839)
• 9eaba66 refactor: migrate on message api for postcss-icss-plugin (Password reset appears to be broken mastodon/mastodon#838)

See the full diff

Package name: mocha

The new version differs by 250 commits.

• eb781e2 Release v6.2.3
• 10dbe94 update CHANGELOG for v6.2.3 [ci skip]
• 848d6fb security: update mkdirp, yargs, yargs-parser
• 843a322 6.2.2
• aec8b02 update CHANGELOG for v6.2.2 [ci skip]
• 7a8b95a npm audit fixes
• cebddf2 Improve reporter documentation for mocha in browser. (Ability to deactivate 2FA with recovery code mastodon/mastodon#4026)
• 3f7b987 uncaughtException: report more than one exception per test (Add a setting allowing the use of system's default font in Web UI mastodon/mastodon#4033)
• ee82d38 modify alt text of image from Backers to Sponsors inside Sponsors section in Readme (Add more emojify tests mastodon/mastodon#4046)
• e9c036c special-case parsing of "require" in unparseNodeArgs(); closes Too easy to trigger column swiping mastodon/mastodon#4035 (Something wrong with relationships API mastodon/mastodon#4063)
• 954cf0b Fix HTMLCollection iteration to make unhide function work as expected (Update Japanese translation mastodon/mastodon#4051)
• 816dc27 uncaughtException: fix double EVENT_RUN_END events (Update Japanese translation (Credentials -> Security) mastodon/mastodon#4025)
• 9650d3f add OpenJS Foundation logo to website (Fix media-gallery, overflow is hidden. mastodon/mastodon#4008)
• f04b81d Adopt the OpenJSF Code of Conduct (rsync for maintenance / setup on a new VPS  mastodon/mastodon#3971)
• aca8895 Add link checking to docs build step (Fix timeline jiggles/jitters mastodon/mastodon#3972)
• ef6c820 Release v6.2.1
• 9524978 updated CHANGELOG for v6.2.1 [ci skip]
• dfdb8b3 Update yargs to v13.3.0 (Do not fail to create access token if superapp was never created mastodon/mastodon#3986)
• 18ad1c1 treat '--require esm' as Node option (Feature Request: Ability to view public toots from another users timeline mastodon/mastodon#3983)
• fcffd5a Update yargs-unparser to v1.6.0 (Overwrite old statuses with reblogs in PrecomputeFeedService mastodon/mastodon#3984)
• ad4860e Remove extraGlobals() (SMTP config , recompile without infecting the productive DataBase  mastodon/mastodon#3970)
• b269ad0 Clarify effect of .skip() (fix remove unnecessary TEST_DB_ * variable from .env mastodon/mastodon#3947)
• 1e6cf3b Add Matomo to website (Add alt attribute to ImageLoader mastodon/mastodon#3765)
• 91b3a54 fix style on mochajs.org (Instance stuck in mobile mastodon/mastodon#3886)

See the full diff

Package name: node-sass

The new version differs by 250 commits.

• 918dcb3 Lint fix
• 0a21792 Set rejectUnauthorized to true by default (Adds better documentation to LOCAL_DOMAIN and LOCAL_HTTPS mastodon/mastodon#3149)
• e80d4af chore: Drop EOL Node 15 (feat(babel): Strip prop types mastodon/mastodon#3122)
• d753397 feat: Add Node 17 support (Convert all color specifications to variables. mastodon/mastodon#3195)
• dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0
• bfa1a3c build(deps): bump actions/setup-node from 2.4.0 to 2.4.1
• 80d6c00 chore: Windows x86 on GitHub Actions (Catch import promise in application.js mastodon/mastodon#3041)
• 566dc27 build(deps-dev): bump fs-extra from 0.30.0 to 10.0.0 (Importing follower list causes duplicate private account follow requests. mastodon/mastodon#3102)
• 7bb5157 build(deps): bump npmlog from 4.1.2 to 5.0.0 (Enable webm tests in API media controller mastodon/mastodon#3156)
• 2efb38f build(deps): bump chalk from 1.1.3 to 4.1.2 (guard against empty domain block list in status scope mastodon/mastodon#3161)
• fca5257 build(deps): bump actions/setup-node from 2.3.0 to 2.4.0
• 6200b21 docs: Double word "support" (Fix #2680 - Run processes in Docker as non-root user (alternative) mastodon/mastodon#3159)
• eaf791a build(deps): bump actions/setup-node from 2.1.5 to 2.3.0
• 16b8d4b build(deps): bump coverallsapp/github-action from 1.1.2 to 1.1.3
• c167004 6.0.1
• 911d4db remove mkdirp dep (Mastodon Streaming Fails mastodon/mastodon#3108)
• 30a52f7 build(deps): bump meow from 3.7.0 to 9.0.0
• 7e08463 build(deps-dev): bump mocha from 8.4.0 to 9.0.1
• cfcbb2c chore: Use default Apline version from docker-node (Update Rails to version 5.1.1 mastodon/mastodon#3121)
• 886319b chore: Drop Node 10 support
• c908f4f fix: Bump OSX minimum to 10.11
• 8ab02da fix: Remove old compiler gyp settings
• 3d7b9d0 chore: Add Node 16 support
• 4115e9d build(deps): bump actions/setup-node from v2.1.4 to v2.1.5

See the full diff

Package name: redis

The new version differs by 194 commits.

• fc28860 Bump version to 3.1.1 (Allow using an SMTP server without authentication mastodon/mastodon#1597)
• 2d11b6d fix Feature Create user account from admin interface mastodon/mastodon#1569 - improve monitor_regex (Fix redirect link on Tuning.md mastodon/mastodon#1595)
• 7e77de8 Add Chat (Cannot skip boost confirmation window mastodon/mastodon#1594)
• 5d3e995 Merge branch 'master' of https://github.com/NodeRedis/node-redis
• b797cf2 add user to README.md
• 79f34c2 Bump version to 3.1.0 (Simplify the way the embed view is created mastodon/mastodon#1590)
• 7fdc54e fix for 428e1c8a7b2322c2650294638cb1663ac5692728 - fix auth retry when redis is in loading state
• 09f0fe8 "fix" tests
• 428e1c8 Add support for Redis 6 `auth pass [user]` (views/about: use Setting.site_title instead of hardcoding mastodon/mastodon#1508)
• bb208d0 Add codeclimate badge (Vector favicon for Safari pinned tabs mastodon/mastodon#1572)
• 47e2e38 Exclude examples from deepsource (Change default log level in production from :debug to :info for less I/O mastodon/mastodon#1579)
• fbca5cd Upgrade node and dependencies (terms: remove redundant words mastodon/mastodon#1578)
• 2188744 Create codeql-analysis.yml (500 Error Retrieving the Local Timeline with Suspended Account mastodon/mastodon#1577)
• 32861b5 Create .deepsource.toml (Fix console error when scrolling a column with no scrollable content mastodon/mastodon#1574)
• 2a34d41 Add LGTM badge (Add task in order to delete unconfirmed users (older than 2days) mastodon/mastodon#1571)
• 69b7094 Workflows fixes (Update Russian translation mastodon/mastodon#1570)
• 49c4131 Merge pull request Certificate verify failed mastodon/mastodon#1531 from marnikvde/improve-docs
• 3c8ff5c Merge branch 'master' into improve-docs
• 685a72d Merge pull request notification options to not see notifications from people you do not follow mastodon/mastodon#1277 from dcharbonnier/patch-1
• 055f5c5 Merge branch 'master' into patch-1
• c78b6d5 Merge pull request Avoid user enumeration with devise paranoid mode mastodon/mastodon#1527 from heynikhil/patch-1
• 53f1468 Merge branch 'master' into patch-1
• 232f191 Merge pull request Fix #1535 - #1372 set a wrong default on :openssl_verify_mode mastodon/mastodon#1563 from lebseu/patch-1
• e4cb073 Update README.md

See the full diff

Package name: webpack

The new version differs by 250 commits.

• f010546 update examples
• bc840ec 3.11.0
• 9323ee6 Merge pull request PG::NotNullViolation: ERROR: column "memorial" contains null values mastodon/mastodon#6398 from addaleax/no-binding
• c7cbc35 Merge pull request Trailing hyphen breaks URLs mastodon/mastodon#6430 from jbottigliero/update/ajv
• 61b75b7 update ajv + ajv-keywords
• 8da8b93 Work around Node environment variable bug
• ddb1fad Merge pull request Fix mistake in cache deletion mastodon/mastodon#6408 from ocombe/fix/feature request: web UI for "some accounts were reported" mastodon/mastodon#6407-empty-array
• 2aebfbe fix(ConcatenatedModule): don't throw on arrays with empty values
• 3972d9a Merge pull request Update to Ruby 2.5.0 appears to break vagrant provision mastodon/mastodon#6391 from nerdkid93/patch-1
• e4375f8 Avoid relying on Node’s internals
• 0dd1727 change polymer loader link
• 33f518b Merge pull request Fix "tzinfo-data is not present" docker error mastodon/mastodon#6300 from nename0/fix-6243
• 80ed1c4 Merge pull request Replace relative URLs in CSS only for Premailer mastodon/mastodon#6335 from Connormiha/banner-plugin-optimize
• 5d93c53 Minor optimize banner plugin
• 1895b76 Add Tests checking chunkhash of runtime chunk only changes if needed
• dc7ebeb Fix Highlight differences between replies and simple toots mastodon/mastodon#6243: Don't include initial chunks in chunkhash computation
• b545b51 Merge pull request [Suggestion] Follow request badge on web UI mastodon/mastodon#6242 from nename0/6239-require-ensure-initial-chunks
• b059e07 Merge pull request i18n: Add some missing strings to Polish translation mastodon/mastodon#6176 from mikegreiling/fix-no-fail-on-child-compilation-error
• 64c4350 Update StatsTestCases
• 8b0a2ad Merge pull request Allow retrieval of private statuses (single or in outbox) using HTTP signatures mastodon/mastodon#6225 from neeharv/feature/async-script-type
• d1e0bec Fix: the require-ensure only includes non-initial chunks
• 21b5a02 stringify jsonpScriptType option
• 8eb0bb6 move default script type option to WebpackOptionsDefaulter
• be327f9 lint fixes

See the full diff

Package name: ws

The new version differs by 250 commits.

• 6dd88e7 [dist] 5.2.3
• 76d47c1 [security] Fix ReDoS vulnerability
• 5d55e52 [dist] 5.2.2
• 8aba871 [fix] Fix use after invalidation bug
• 175ce46 [dist] 5.2.1
• 307be7a [fix] Remove the `'data'` listener when the receiver emits an error
• 6046a28 [fix] Do not prematurely remove the listener of the `'data'` event
• bf9b2ec chore(package): update nyc to version 12.0.2 (Add search to emoji picker mastodon/mastodon#1395)
• bcab531 chore(package): update eslint-plugin-promise to version 3.8.0 (Make columns fill screen for large displays mastodon/mastodon#1389)
• e4d032c [dist] 5.2.0
• e7bfe5f chore(package): update mocha to version 5.2.0 (Add username as a title for mentions mastodon/mastodon#1385)
• 6dae94b chore(package): update eslint-plugin-import to version 2.12.0 (Receive and parse inbound Webmention mastodon/mastodon#1384)
• aebda2b chore(package): update nyc to version 11.8.0 (Added support for configurable reserved usernames mastodon/mastodon#1382)
• d871bdf [feature] Add `headers` argument to `verifyClient()` callback (Optimize restoration of scroll position mastodon/mastodon#1379)
• bb9c21c [test] Fix failing test on node 10
• 6d8f1f4 [ci] Test on node 10
• 4385c78 [doc] Add `request` to emit arguments in shared server example (More SMTP customization mastodon/mastodon#1372)
• 690b3f2 [minor] Replace bound function with arrow function
• 9dc25a3 chore(package): update nyc to version 11.7.1 (Remove unused AtomBuilderHelper mastodon/mastodon#1364)
• a81e580 chore(package): update mocha to version 5.1.0 (vector (svg) logo with correct inner shape and colors mastodon/mastodon#1362)
• 3215cf3 chore(package): update eslint-plugin-import to version 2.11.0 (Main update from Ruby 2.3.1 to Ruby 2.4.1 mastodon/mastodon#1361)
• 0100d82 [doc] Improve FAQ example for X-Forwarded-For header (Add REDIS_DB env variable to configure Redis database mastodon/mastodon#1360)
• c801e99 [doc] Improve docs and examples (Automatically reserve some accounts at instance creation mastodon/mastodon#1355)
• 10c92ff [dist] 5.1.1

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

[rollingversions]

There is no change log for this pull request yet.

Create a changelog