[Snyk] Fix for 52 vulnerabilities

[leojoy95]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/contractkit/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	Yes	Proof of Concept
	786/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	Proof of Concept
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Uncontrolled resource consumption SNYK-JS-BRACES-6838727	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-BROWSERSLIST-1090194	Yes	Proof of Concept
	574/1000 Why? Has a fix available, CVSS 7.2	Use of Weak Hash SNYK-JS-CRYPTOJS-6028119	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-DATEANDTIME-1054430	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-DECOMPRESSTAR-559095	Yes	Proof of Concept
	554/1000 Why? Has a fix available, CVSS 6.8	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Timing Attack SNYK-JS-ELLIPTIC-511941	Yes	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Cryptographic Issues SNYK-JS-ELLIPTIC-571484	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	631/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.2	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	429/1000 Why? Has a fix available, CVSS 4.3	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	Yes	No Known Exploit
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-JSONBIGINT-608659	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-LODASH-6139239	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MOUT-1014544	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MOUT-2342654	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-NODEFORGE-2330875	Yes	Proof of Concept
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-NODEFORGE-2331908	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430337	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430339	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430341	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	379/1000 Why? Has a fix available, CVSS 3.3	Insecure Credential Storage SNYK-JS-WEB3-174533	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-WEB3UTILS-6229337	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @0x/subproviders

The new version differs by 250 commits.

• aad2bd4 Publish
• ae6753a Updated CHANGELOGS & MD docs
• 91344c0 Bump CirciCI to nodejs16 ([Snyk] Fix for 1 vulnerabilities #68)
• ae232fa Bump CI to node16
• b89d468 Cannot run installation against specific package ([Snyk] Fix for 1 vulnerabilities #67)
• e003034 fix: Update deps fix ([Snyk] Fix for 1 vulnerabilities #65)
• 14e5370 empty
• 27955e3 chore: Update deps ([Snyk] Fix for 3 vulnerabilities #64)
• 7e7e6dc fix: Fix subprovider tests
• dbd0dc0 bump ts
• 094c081 Bump subprovider deps
• 3c0bb9e Update @ ethereumjs/common
• 9d28e7d Unpin merkle-patricia-tree
• b543924 Add repository to @ 0x/subproviders
• 0787b82 Publish
• c9009bd Updated CHANGELOGS & MD docs
• 136b9dd Merge pull request [Snyk] Security upgrade web3 from 1.0.0-beta.37 to 1.6.0 #62 from 0xProject/fix/ethereum-types-linkReferences
• c44fb80 make compiler output artifact `linkReferences` optional (for 0.8)
• 41976dd Publish
• e7e2055 Updated CHANGELOGS & MD docs
• 33ae44c Update publish.yml
• 343b40d Merge pull request [Snyk] Fix for 4 vulnerabilities #61 from 0xProject/fix/solc-compiler-0.8-support
• b80738e update sol-tracing-utils deps
• 7f28191 appease prettier

See the full diff

Package name: @google-cloud/storage

The new version differs by 250 commits.

• 6161c63 chore: release 5.17.0 (Grouped Notifications should include outstanding payment requests celo-org/celo-monorepo#1744)
• 97edb9a sample: add turbo replication samples (Users SBAT reference governable reserve asset allocations celo-org/celo-monorepo#1618)
• 809bf11 fix: remove compodoc dev dependency (When on Celo Lite mode, should not see 'Connecting to Celo...' celo-org/celo-monorepo#1745)
• 291e6ef feat: add support for rpo (turbo replication) metadata field when cre… (Remove gold transfer from invite script celo-org/celo-monorepo#1648)
• 437d400 chore(deps): gcs-resumable-upload migration (Update genesis block to include round in aggregated signature celo-org/celo-monorepo#1736)
• 00392a4 chore: add api_shortname and library_type to repo metadata (Support getValidators precompiles in ganache celo-org/celo-monorepo#1737)
• 9758632 docs(badges): tweak badge to use new preview/stable language (Users SNBAT to instantly reveal attestations celo-org/celo-monorepo#1314) (Remove end-to-end attestations test from circle celo-org/celo-monorepo#1739)
• 552ebef docs(node): support "stable"/"preview" release level ([Wallet] Add script to build sdk for env before running yarn dev celo-org/celo-monorepo#1312) (Support blacklisting country codes for the attestation service celo-org/celo-monorepo#1738)
• 42f4207 chore(deps): update dependency @ types/tmp to v0.2.3 (Fix flaky end-to-end transfer, protocol unit tests celo-org/celo-monorepo#1734)
• 2aad922 samples: Delete setPublicAccessPreventionUnspecified.js (Users SBAT read updated transaction, gas pricing, and full node incentive docs celo-org/celo-monorepo#1733)
• 257f771 samples: download byte range (Update genesis block after adding parent signatures to block header celo-org/celo-monorepo#1732)
• 29f91cb samples: added samples for upload from / download into memory (Make styling more consistent in validator quick start and add password prompt to account:unlock celo-org/celo-monorepo#1731)
• 8ecb70e build: add generated samples to .eslintignore ([circleci] Removed end-to-end-geth-integration-sync-test job in workflow celo-org/celo-monorepo#1730)
• 1457404 chore: create interfaces for conformance test API results ([Wallet] Users SBAT see updated gold exchange screen celo-org/celo-monorepo#1728)
• 09af838 chore: release 5.16.1 ([wallet] UX fixes for native phone number celo-org/celo-monorepo#1717)
• 2c2510a chore: address lint issues (Check in spanish verification translations celo-org/celo-monorepo#1726)
• 6490abf Revert "fix: revert skip validation ([Wallet] Style fixes on iOS for verification and backup flows celo-org/celo-monorepo#1718)" (Create notification to remind about verification celo-org/celo-monorepo#1721)
• db4e2df samples: upload without authentication (Unit test for reading Celo validator groups in Blockscout celo-org/celo-monorepo#1711)
• d77979b fix: stop File.download from truncating output file on failure (New design for redeem invite screen celo-org/celo-monorepo#1720)
• 0c75e33 fix: revert skip validation ([Wallet] Style fixes on iOS for verification and backup flows celo-org/celo-monorepo#1718)
• c365254 fix: change properties with function value to methods (App get crashed when user taps on extra “Backup keyWord” tag on “Confirm Your Backup Key”.  celo-org/celo-monorepo#1715)
• 669a34d chore(deps): update gcs-resumable-upload to ^3.6.0 (Unit tests for reading Celo validators in Blockscout celo-org/celo-monorepo#1710)
• 9018e17 chore: release 5.16.0 (#1709)
• 50cdbb6 feat: improved error messages for resumable uploads ([Wallet] Prompt user to restart app when turning off Forno a second time celo-org/celo-monorepo#1708)

See the full diff

Package name: babel-jest

The new version differs by 250 commits.

• be16e47 v27.0.0
• 63102ec chore: update changelog for release
• 564694a docs(blog): Jest 27 blog post (Increase throughput celo-org/celo-monorepo#11131)
• b68d91b feat(pretty-print): add option `printBasicPrototype` (#11441)
• 2226742 chore: minor simplify format results error (#11432)
• 78eb25d chore: remove needless assign (#11433)
• 696c455 chore: update lockfile after publish
• e2eb9ae v27.0.0-next.11
• 3b253f8 Wait for closed resources to actually close before detecting open handles (#11429)
• 27bee72 fix: run GC before collecting open handles (#11278)
• 50451df feat: use fallback if prettier not found (#11400)
• 150dbd8 chore: update lockfile after publish
• 6f44529 v27.0.0-next.10
• cbcec7d Upgrade fsevents in jest-haste-map (#11428)
• 9633a26 feat: support reporters written in ESM (#11427)
• 59f42d8 fix: do not cache modules that throw during evaluation (Soloseng/streamline-L2-validator-test celo-org/celo-monorepo#11263)
• 57e32e9 Detect open handles with done callbacks (#11382)
• a397607 Document and test dontThrow for custom inline snapshot matchers (Soloseng/celo-minting-schedule celo-org/celo-monorepo#10995)
• 4fa3a0b feat: custom haste (feat(foundry): publish L2 state in @celo/devchain-anvil celo-org/celo-monorepo#11107)
• 2047a36 chore: bump deps (#11419)
• a4358d6 chore: run prettier on changelog
• bdd6282 Move all default values into `jest-config` (Current Celo cli cannot approve until 1.3.0.0 Governance.sol is deployed celo-org/celo-monorepo#9924)
• db643a1 Link to Jest config (forge test should be all green and exclude e2e tests that require a devchain celo-org/celo-monorepo#11106)
• b16082c Fix locale issue Figure out what to do with ASv1 related code celo-org/celo-monorepo#10014 (#11412)

See the full diff

Package name: jest

The new version differs by 250 commits.

• 75006e4 v29.0.0
• 7c82a9f chore: update jest-watch-typeahead again
• 352ff29 chore: update changelog for release
• 33ad8c3 docs: Jest 29 blog post (#13103)
• dda77e5 docs: collapse 28.0 and 28.1 docs (#13104)
• c0dc84c chore: update jest-watch-typeahead
• 05f6217 fix: support deep CJS re-exports when using ESM (#13170)
• 490fd88 chore: update yarn (#13169)
• 98936a2 docs: Update Enzyme links to use new URL (#13166)
• 187566a feat(pretty-format): allow to opt out from sorting object keys with `compareKeys: null` (#12443)
• ae2bed7 chore: tweak regex used in e2e tests (#13129)
• 8c56d74 docs: Update Configuration.md for added special notes on usage scenarios for pnpm. (#13115)
• fb1c53d feat(jest-config)!: remove undocumented `collectCoverageOnlyFrom` option (#13156)
• 075b489 fix: ignore `EISDIR` when resolving symlinks (#13157)
• 3bef02e feat(@ jest/test-result, @ jest/types)!: replace `Bytes` and `Milliseconds` types with `number` (#13155)
• 4def94b v29.0.0-alpha.6
• 0f00d4e fix: replace non-CLI `rimraf` usage (#13151)
• 6a90a2c fix: Allow updating inline snapshots when test includes JSX (#12760)
• 983274a feat: Let `babel` find config when updating inline snapshots (#13150)
• d2ff18a chore: make prettierPath optional in `SnapshotState` (#13149)
• 7d8d01c feat(circus): added each to failing tests (#13142)
• a5b52a5 chore(types): separate MatcherContext, MatcherUtils and MatcherState (#13141)
• 79b5e41 chore: get rid of peer dep warning in website
• 812763d chore: enable 'no-duplicate-imports' (#13138)

See the full diff

Package name: ts-jest

The new version differs by 165 commits.

• ad58c9b chore(release): 25.3.0
• 949e3e1 chore: update package-lock.json
• b8ebf36 docs: add Troubleshoting section ([Wallet] Upgrade app version to v1.5.1 celo-org/celo-monorepo#1463)
• 8b5325e chore(transformer): only do type checking for js/jsx/ts/tsx file (Set usage of shuffled round robin in the genesis block celo-org/celo-monorepo#1464)
• 58b05b1 chore: replace travis-ci.org with travis-ci.com (Point end-to-end tests back to master celo-org/celo-monorepo#1469)
• 79e8fdf build(deps-dev): bump jest from 25.2.3 to 25.2.4 (Validate Attestation Requests celo-org/celo-monorepo#1468)
• dddce1c build(deps-dev): bump @ jest/transform from 25.2.3 to 25.2.4 (Allow a specified address to disable/enable the Exchange  celo-org/celo-monorepo#1467)
• d811bae build(deps-dev): bump lint-staged from 10.0.9 to 10.0.10 (Aaronmgdr/airtable upgrade celo-org/celo-monorepo#1466)
• ecc8312 build(deps-dev): bump @ types/react from 16.9.26 to 16.9.27 (Added txpool family to geth apis. Sorted geth cmd options celo-org/celo-monorepo#1462)
• c10ad4a chore(compiler): improve performance for language service (Application crashes when changing the local currency celo-org/celo-monorepo#1461)
• 455ee5b build(deps-dev): bump @ jest/transform from 25.2.1 to 25.2.3 ( [iOS] Sorry something went wrong is shown when user taps on Licenses option from the setting celo-org/celo-monorepo#1459)
• 1641cfb build(deps-dev): bump jest from 25.2.2 to 25.2.3 ([iOS,Android] Error “Failure sending invite” is shown when user send an invitation via SMS.  celo-org/celo-monorepo#1460)
• 3010ec8 build(deps-dev): bump @ jest/types from 25.2.1 to 25.2.3 (Minor UI issues in the new backup flow on iOS celo-org/celo-monorepo#1458)
• 26a81f0 build(deps-dev): bump @ types/react from 16.9.25 to 16.9.26 (Tapping the text next to the toggle in the new backup flow should toggle it celo-org/celo-monorepo#1457)
• 99c552d build(deps-dev): bump jest from 25.2.1 to 25.2.2 ([iOS] Continues Loading indicator is shown on “Reclaim Payment” screen when user navigate back to “Reclaim Payment” screen from “Enter PIN” screen without entering PIN.  celo-org/celo-monorepo#1455)
• 5214f1b build(deps): bump yargs-parser from 18.1.1 to 18.1.2 ( [iOS] Celo Gold amount is cut from bottom on “Exchange” page while user exchanging the cUSD to cGLD.  celo-org/celo-monorepo#1456)
• 79478ae build(deps-dev): bump tslint-plugin-prettier from 2.2.0 to 2.3.0 ([Wallet] Prevent error from Avatar when name is missing celo-org/celo-monorepo#1454)
• 107e062 fix: always do type check for all files provided to ts-jest transformer (Upgrading a testnet without resetting should not init with a new genesis file celo-org/celo-monorepo#1450)
• 1e34075 build(deps-dev): bump @ jest/types from 25.2.0 to 25.2.1 ([Wallet] Use new segment api keys used by both iOS and Android celo-org/celo-monorepo#1452)
• ba5a6c4 build(deps-dev): bump @ jest/transform from 25.2.0 to 25.2.1 (Analytics should be reported from the iOS app celo-org/celo-monorepo#1451)
• e857f5b build(deps-dev): bump jest from 25.2.0 to 25.2.1 ([Wallet] Show splash screen until JS is ready on iOS celo-org/celo-monorepo#1453)
• 4981da8 Merge pull request EU Cookies Behavior Change celo-org/celo-monorepo#1447 from kulshekhar/dependabot/npm_and_yarn/jest/types-25.2.0
• ea8240a Merge pull request Move from let's encrypt v1 API to v2; kube-lego to cert-manager celo-org/celo-monorepo#1448 from kulshekhar/dependabot/npm_and_yarn/jest/transform-25.2.0
• e50db11 build(deps-dev): bump @ jest/types from 25.1.0 to 25.2.0

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Use of Weak Hash
🦉 More lessons are available in Snyk Learn