[Snyk] Fix for 15 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-ISSVG-1085627	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-ISSVG-1243891	Yes	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-JSYAML-173999	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Command Injection SNYK-JS-NODENOTIFIER-1035794	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	619/1000 Why? Has a fix available, CVSS 8.1	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-536840	Yes	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Arbitrary Code Injection SNYK-JS-SERIALIZEJAVASCRIPT-570062	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-SOCKJS-575261	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SSRI-1246392	Yes	Proof of Concept
	529/1000 Why? Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-WEBPACKBUNDLEANALYZER-174190	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: copy-webpack-plugin

The new version differs by 70 commits.

• 650d44d chore(release): 5.1.2
• a42d63f fix(security): update `serialize-javascript` (Scheduled daily dependency update on friday mozilla/redash#521)
• 96e2315 chore(release): 5.1.1
• 3b79595 fix: allow to setup empty array (Display issue in bars charts mozilla/redash#425)
• 5df649c chore(release): 5.1.0
• c936416 refactor: tests (TestPublicDashboard.test_works_for_logged_in_user test failure mozilla/redash#421)
• 08a4d7f docs: fix
• 8b13bc3 refactor: improve schema
• d155dd0 docs: update ignore instructions (npm run start not working mozilla/redash#410)
• 45780be docs: example for placeholders in `to` (TestPublicDashboard.test_success test failure mozilla/redash#420)
• 452539a feat: validate options (TestEmbedVisualization.test_sucesss test failure mozilla/redash#419)
• 4826e56 fix: better to determine when glob is used
• 51c3680 docs: issue 408 (TestLogout.test_logout_when_loggedin test failure mozilla/redash#418)
• f6f72a7 chore(deps): update
• 0675847 chore(release): 5.0.5
• 9146c2a docs: fix typo (Merge latest code from upstream repo mozilla/redash#401)
• 3103940 refactor: minor code refactor (Use new master / rc release release strategy mozilla/redash#399)
• c546871 perf: improvement for webpack@5 (funky data source selection for queries mozilla/redash#406)
• 5db376b chore(deps): update (unarchive a query mozilla/redash#409)
• 806eb41 docs: fix broken fragment links (Dashboard share link does not load mozilla/redash#398)
• 6158483 chore(release): 5.0.4
• cd0e9f5 docs: clarify plugin description (Group by text displayed in some charts is truncated mozilla/redash#395)
• f848140 test: refactor (Closes #369: Correct datasource documentation link alignment. mozilla/redash#394)
• ff0c736 refactor: tests (Closes #368: Wrap Autocomplete and checkbox in span and pad. mozilla/redash#393)

See the full diff

Package name: css-loader

The new version differs by 80 commits.

• 634ab49 chore(release): 2.0.0
• 6ade2d0 refactor: remove unused file (Update python-dateutil to 2.8.0 mozilla/redash#860)
• e7525c9 test: nested url (Update psycopg2 to 2.7.7 mozilla/redash#859)
• 7259faa test: css hacks (Update blinker to 1.4 mozilla/redash#858)
• 5e6034c feat: allow to filter import at-rules (Update aniso8601 to 4.1.0 mozilla/redash#857)
• 5e702e7 feat: allow filtering urls (Update passlib to 1.7.1 mozilla/redash#856)
• 9642aa5 test: css stuff (Update flask-limiter to 1.0.1 mozilla/redash#855)
• 3338656 fix: reduce number of require for url (Update flask-migrate to 2.4.0 mozilla/redash#854)
• 533abbe test: issue 636 (Update flask-sqlalchemy to 2.3.2 mozilla/redash#853)
• 08c551c refactor: better warning on invalid url resolution (Update flask-login to 0.4.1 mozilla/redash#852)
• b0aa159 test: issue Scheduled daily dependency update on tuesday mozilla/redash#589 (Update flask-restful to 0.3.7 mozilla/redash#851)
• f599c70 fix: broken unucode characters (Update flask-admin to 1.5.3 mozilla/redash#850)
• 1e551f3 test: issue 286 (Update httplib2 to 0.12.1 mozilla/redash#849)
• 419d27b docs: improve readme (Update pyopenssl to 19.0.0 mozilla/redash#848)
• d94a698 refactor: webpack-default (Update markupsafe to 1.1.1 mozilla/redash#847)
• b97d997 feat: schema options
• 453248f fix: support module resolution in composes (Update itsdangerous to 1.1.0 mozilla/redash#845)
• 8a6ea10 refactor: postcss plugins (Update jinja2 to 2.10 mozilla/redash#844)
• fdcf687 fix: url resolving logic (Update werkzeug to 0.14.1 mozilla/redash#843)
• 889dc7f feat: allow to disable css modules and disable their by default (Update flask to 1.0.2 mozilla/redash#842)
• ee2d253 test: importLoaders option (Update jsonschema to 3.0.0 mozilla/redash#841)
• 1dad1fb feat: reuse postcss ast from other loaders (i.e `postcss-loader`) (Update markupsafe to 1.1.1 mozilla/redash#840)
• fe94ebc test: icss reserved keywords (Update xlsxwriter to 1.1.5 mozilla/redash#839)
• 9eaba66 refactor: migrate on message api for postcss-icss-plugin (Update botocore to 1.12.101 mozilla/redash#838)

See the full diff

Package name: webpack-build-notifier

The new version differs by 30 commits.

• 1a5987d Updated node-notifier to fix [Snyk] Security upgrade protobuf from 3.17.3 to 3.18.3 #43; added test coverage.
• e153dd8 Updated changelog and package version
• d6b7feb Merge pull request [Snyk] Fix for 2 vulnerabilities #49 from yoavain/add-duration-to-notification
• 510f9cd Build time in notification
• db6552f Updated node-notifier dependency to latest version to fix [Snyk] Security upgrade pyarrow from 0.13.0 to 0.15.1 #45.
• b39b4a1 Merge pull request [Snyk] Security upgrade urllib3 from 1.25.11 to 1.26.5 #44 from RoccoC/feature/callbacks
• 8f65131 Fixed lint errors
• c031929 Minor cleanup for consistency, bumped version
• 75c101c Merge pull request [Snyk] Security upgrade pyarrow from 0.13.0 to 0.15.1 #42 from phyzical/feature/Adding-custom-callback-functionailty
• 4ace475 * simplified code and added params to be passed down, allowing for the type of compilation to be hadnled in the callbaack provided
• 2058569 * aded functionality to pass false to callbacks to disable if using one base
• d1a187a *Added Custom callbacks
• b861e3e Updated dependencies to fix js-yaml vuln.
• 4bdbb41 1.0.2 release
• a7e87c7 Merge pull request [Snyk] Security upgrade urllib3 from 1.25.11 to 1.26.5 #41 from fsubal/feature/sound-wrongly-typed
• 478faa3 "*sounds" are wrongly typed
• 7148475 Updated README file
• 2586c31 Updated TS def for [pull] master from mozilla:master #39; bumped to 1.0.0
• 772e07f Fix for [Snyk] Security upgrade moment from 2.24.0 to 2.29.4 #38 and [pull] master from mozilla:master #39.
• 6714095 Merge pull request [pull] master from mozilla:master #36 from RoccoC/typescript-support
• 786ce3e Made config obj optional.
• 17c17b3 Adding TS definitions per issue/improvement request [pull] master from mozilla:master #35
• 3f34ac3 Added coveralls for code coverage
• e748dd2 Updated lint rules.

See the full diff

Package name: webpack-bundle-analyzer

The new version differs by 250 commits.

• ee6c7a9 Merge pull request Bar chart doesn't support one row result any more mozilla/redash#389 from webpack-contrib/support-webpack-5
• 8d1a752 Update version
• 37ab03e Fix typo
• 2153401 Add `--watch-ignore` flag to `test-dev` npm script
• 35b62db Add `private: true` flag to `package.json` files in `test/webpack-versions`
• ef36924 Add changelog entry
• f819548 Update version
• d8f2dd7 Fix lint issues
• d32cbdb Add changelog for v4.0.0
• 3094dbc Update dependencies
• b85ba7d Add tests for Webpack 5
• c35bda3 Properly parse Webpack 5 entry modules
• 7bbe89f Properly parse Webpack 5 bundle format (except concatenated entry module)
• b34b249 Update package-lock.json
• abc298a Remove Node.js 6 and 8 from .travis.yml
• a81b7b8 - Support multiple Webpack versions in tests
• 591adf1 Add more ignores to .npm-upgrade.json
• d5698f4 Update dependencies
• e4a8974 Merge pull request CORS headers are no longer included on results.json responses mozilla/redash#382 from wbobeirne/fix-opener-error
• b0f717b Catch uncaught opener errors
• e4b2677 v3.9.0
• afde5a8 Merge pull request Closes #374: Truncating x-axis should be done to ticktext not x values. mozilla/redash#378 from dabbott/fix-missing-child-bundles
• 0ddc92d Add test for dynamic imports in worker bundles
• b39594c Fix missing child bundles throwing an error

See the full diff

Package name: webpack-cli

The new version differs by 250 commits.

• 30b1b8d chore: v3.3.5
• 76b75ac chore: remove donation section
• 8913928 chore: update pkg lock
• a37477d cli: remove donation prompt
• 002a6ac Merge pull request M23 rebase mozilla/redash#970 from dhruvdutt/postinstall
• cd54ba5 chore(scripts): clean opencollective
• 0c1f6b6 chore(scripts): clean postinstall
• 313e83e chore(deps): update major versions (Fix query id in parameter querystring names (fixes #942) mozilla/redash#969)
• 6105ef1 fix(deps): move prettier from dependencies to devDependencies (Release m22.1 mozilla/redash#968)
• dad54f4 chore(ts): enables source map in the ts (Consider adding a banner that gives information about missing data mozilla/redash#961)
• d7cdab9 Merge pull request Reverting a query to a previous version is not taking place until the page is refreshed mozilla/redash#960 from DanielRuf/fix/use-strict
• 6015bad chore: added await in order to resolve the pending promise (Big Query Data Samples mozilla/redash#948)
• 670efc7 fix: change "usr strict" to "use strict"
• dc25beb Merge pull request New created tags are not saved from the new query page mozilla/redash#959 from webpack/fix/deps
• 69f364e fix: update deps
• f0f12c9 chore(packages): lock dependencies versions (Moving widgets inside a dashboard has become less smooth in RC mozilla/redash#958)
• 08edf57 Merge pull request Query consistently times out mozilla/redash#954 from webpack/v.3.3.4
• 186166f chore: v.3.3.4
• 8acf08f Merge pull request M21 rebase mozilla/redash#952 from pranshuchittora/docs/readme
• 8b00884 chore: remove unused pkgs
• 478340d chore: fix prompt
• 0acd33e Merge pull request Too easy to accidentally schedule queries for long periods that cost a lot of money mozilla/redash#949 from rishabh3112/fix/not-found
• 23eddcb chore: improved err msg
• d025bf5 Merge branch 'master' of github.com:webpack/webpack-cli into docs/readme

See the full diff

Package name: webpack-dev-server

The new version differs by 250 commits.

• 4ab1f21 chore(release): 3.11.0
• 0e51fb1 fix: invalidate route (keep query result pagination out of scroll getredash/redash#2584)
• f857c40 chore: deps and tests
• 41d1d0c fix(deps): security vulnerability in yargs-parser (Fix #78 - Implement server side pagination and sorting for queries getredash/redash#2566)
• 375ab23 ci: add node@14 (search by data_source in Search Page getredash/redash#2530)
• 776e7d4 chore(deps): update dependency html-entities to ^1.3.1 (master) (Add location property to BigQuery data source settings getredash/redash#2513)
• 984536c chore: update lint-staged config (Fix when use lower_case_table_names 0 in mysql getredash/redash#2524)
• 89ffb86 feat: add invalidate endpoint (Redash search shows no indication while search is running getredash/redash#2493)
• 0e9bffb chore(deps): update all patch dependencies (Allow disabling password login directly from the settings, with LDAP login enabled. getredash/redash#2508)
• 99ccfd8 fix: update jquery (Running create_db on an already created database causes invalid state getredash/redash#2516)
• 06583f2 fix: do not swallow errors from server (BigQuery: Replace project id with dataset in table list format getredash/redash#2512)
• 0d5c681 fix(server): don't crash on setupExitSignals(undefined) (Log user's screen resolution getredash/redash#2507)
• c436058 chore(deps): update all patch dependencies (master) (patch) ([Athena] Fix: missing databases (apply pagination) getredash/redash#2503)
• 4808abd feat(progess): emit progress-update (Top icon link to localhost:5000 when actually its being hosted in a different hostname and behind nginx getredash/redash#2498)
• adeb92e feat: allow open option to accept an object (Cohort bug: JS error (value not wrapped with moment instance) getredash/redash#2492)
• c6bdfe4 feat(contentBasePublicPath): allow multiple paths (Fixes #2488 getredash/redash#2489)
• f317358 chore(deps): update all patch dependencies (master) (patch) (Custom color theme for charts getredash/redash#2481)
• de763e9 chore(deps): update all minor dependencies (master) (minor) (add Helm Chart for Redash  getredash/redash#2473)
• f7b6fa1 chore(deps): update package-lock.json (add support ChatWork Alert Destination. getredash/redash#2482)
• 3bf43a7 chore(deps): update all patch dependencies (Show SAML callback URL on SAML configuration screen getredash/redash#2477)
• 12d76be docs: fix typos across the project (Firefox: widget height continuously increases getredash/redash#2452)
• 9a6e4a1 chore(deps): update all patch dependencies (Better tooltips for charts; ability to change formats for numbers and dates (WIP) getredash/redash#2468)
• d4739f8 chore(deps): update dependency husky to v4 (Payment ratio getredash/redash#2383)
• 5f357f3 chore(deps): update all patch dependencies (Update map visualizations names. getredash/redash#2450)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic