[Snyk] Fix for 2 vulnerabilities

[Omrisnyk]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • large-file/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity	Reachability
	44/1000 Why? Confidentiality impact: None, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 4, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.86, Score Version: V5	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	Yes	No Known Exploit	No Path Found
	131/1000 Why? Confidentiality impact: Low, Integrity impact: High, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 0, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 7.03, Likelihood: 1.86, Score Version: V5	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-8172694	Yes	No Known Exploit	No Path Found

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: elliptic

• 6.5.6 - 2024-07-17
  

  6.5.6

• 6.5.5 - 2024-03-05
  

  6.5.5

• 6.5.4 - 2021-02-02
  

  6.5.4

• 6.5.3 - 2020-06-18
  

  6.5.3

from elliptic GitHub release notes

Package name: engine.io

• 6.6.2 - 2024-10-09
  

  This release contains a bump of the cookie dependency.

  See also: GHSA-pxg6-pf52-xh8x

  Dependencies

  • ws@~8.17.1 (no change)
• 6.6.1 - 2024-09-21
  

  Bug Fixes

  • move 'offline' event listener at the top (8a2f5a3)
  • only remove the event listener if it exists (9b3c9ab)
  • do not send a packet on an expired connection (#5134) (8adcfbf)

  Performance Improvements

  • do not reset the heartbeat timer on each packet (7a23dde)

  Dependencies

  • ws@~8.17.1 (no change)
• 6.6.0 - 2024-06-21
  

  Diff: socketio/engine.io-client@6.5.3...6.6.0

• 6.5.5 - 2024-06-18
• 6.5.4 - 2023-11-09
• 6.5.3 - 2023-10-06
• 6.5.2 - 2023-08-02
• 6.5.2-alpha.1 - 2023-08-01
• 6.5.1 - 2023-06-27
• 6.5.0 - 2023-06-16
• 6.5.0-alpha.1 - 2023-06-11
• 6.4.2 - 2023-05-01
• 6.4.1 - 2023-02-19
• 6.4.0 - 2023-02-06
• 6.3.1 - 2023-01-12
• 6.3.0 - 2023-01-10
• 6.2.1 - 2022-11-20
• 6.2.0 - 2022-04-17
• 6.2.0-alpha.1 - 2022-03-12
• 6.1.3 - 2022-02-23
• 6.1.2 - 2022-01-18
• 6.1.1 - 2022-01-11
• 6.1.0 - 2021-11-08
• 6.0.1 - 2021-11-06
• 6.0.0 - 2021-10-08
• 5.2.1 - 2022-01-11
• 5.2.0 - 2021-08-29
• 5.1.1 - 2021-05-16
• 5.1.0 - 2021-05-04
• 5.0.0 - 2021-03-10
• 4.1.2 - 2022-01-11
• 4.1.1 - 2021-02-02
• 4.1.0 - 2021-01-14
• 4.0.6 - 2021-01-04
• 4.0.5 - 2020-12-07
• 4.0.4 - 2020-11-17
• 4.0.3 - 2020-11-17
• 4.0.2 - 2020-11-09
• 4.0.1 - 2020-10-21
• 4.0.0 - 2020-09-10
• 4.0.0-alpha.1 - 2020-02-12
• 4.0.0-alpha.0 - 2020-02-12
• 3.6.2 - 2024-06-18
• 3.6.1 - 2022-11-20
• 3.6.0 - 2022-06-06
• 3.5.0 - 2020-12-30
• 3.4.2 - 2020-06-04
• 3.4.1 - 2020-04-17
• 3.4.0 - 2019-09-13
• 3.3.2 - 2018-11-29
• 3.3.1 - 2018-11-19
• 3.3.0 - 2018-11-07
• 3.2.1 - 2018-11-02
• 3.2.0 - 2018-02-28
• 3.1.5 - 2018-02-18
• 3.1.4 - 2017-11-12
• 3.1.3 - 2017-10-11
• 3.1.2 - 2017-09-27
• 3.1.1 - 2017-09-02
• 3.1.0 - 2017-04-27

from engine.io GitHub release notes

Package name: react-middle-truncate

• 1.0.1 - 2019-08-19
  
  • fix: measure-text security vulnerability [#4]
• 1.0.0 - 2018-07-05
  

  1.0.0

from react-middle-truncate GitHub release notes

Package name: webpack

• 5.0.0 - 2020-10-10
  

  Announcement and changelog

• 5.0.0-rc.6 - 2020-10-10
  

  Bugfixes

  • fix evaluation order of concatenated modules
  • fix parsing of calls for ProvidePlugin
  • fix electron-renderer target
• 5.0.0-rc.5 - 2020-10-09
  

  Bugfixes

  • fix crash in getNumberOfMatchingSizeTypes
  • fix crash in SideEffectsFlagPlugin
  • fix crash when using runtimeChunk and Module Federation shared
  • add some missing type exports

  Migration

  • improve Node.js polyfill message
• 5.0.0-rc.4 - 2020-10-07
  

  Features

  • optimization.sideEffects will detect simple cases of modules without side effects from the source code now
    • supported: class and function declarations, variable declarations with pure init expression, if, while, for, switch, export, import, function calls with pure flag
  • added a "transitive only" side effects mode which drops the module but keeps dependencies
    • This is useful for mini-css-extract-plugin to allow droping the extracted JS, while keeping the CSS dependencies

  Bugfixes

  • accessing properties of the prototype from imported modules is now possible. They are no longer incorrectly mangled.

  Dependencies

  • update schema-utils to major 3
  • update acorn to major 8
• 5.0.0-rc.3 - 2020-09-30
  

  Bugfixes

  • delete x.y.z now also works in concatenated modules
  • folder and file names containing # are now supported
• 5.0.0-rc.2 - 2020-09-29
  

  Features

  • [Stats] do not display loader prefix for modules in bold
  • [Stats] improve grouping by path for modules and assets
  • add optimization.splitChunks.defaultSizeTypes to specify size types considered for sizes when only a number is specified
    • this allows plugins to add default size types

  Bugfixes

  • [Stats] fix some space calculation issues for assets and modules space limit
  • [Stats] fix filtered item count
  • remove error when watch option is used without callback and show a deprecation message instead.
• 5.0.0-rc.1 - 2020-09-28
  

  Breaking Changes

  • uses target: "browserslist" as default when a browserslist config has been found, otherwise fallback to target: "web" as usual
    • This could have unexpected changed to the EcmaScript version of the generated code
    • In same cases this might causes builds to fail because browserslist contain web and node versions
    • In most cases we expect this to simplify migration while still allowing to generate better code
      • This partially reverts a breaking change: Instead of changing the generated code from ES5 to ES6, this now changes it from ES5 to an automatic version depending on browserslist when available

  Features

  • add support for target: "browserslist" and more advanced options
  • expose more classes as needed by plugins
  • add Compiler.watching
  • add parser.worker for javascript files to allow to modify which syntax is special for WebWorker support
  • allow output.chunkFilename to be a function via schema
  • allow RegExp for watchOptions.ignored via schema
  • add resolve.preferRelative option, which allows to resolve module requests also as relative requests

  Migration

  • add more hints regarding breaking changes in config
  • improve deprecation layer for Array -> Set to allow accessing the first index
  • allow to use splitChunks name to move modules to an parent chunk

  Bugfixes

  • avoid some errors in dependencies when target module failed
  • when min(Remaingin)Size is violated, use only modules that are fine, instead of failing for all modules
  • fix infinite recursion when having a circular symlink and a context containing it
  • warning for importing an disposed module displays the correct module
  • fix too wide hash for javascript chunks that caused unnecessary invalidation of the rendered files
  • fix new URL("relative/file.png", import.meta.url) to resolve relative
  • update webpack-sources to fix crash with source "." is not in SourceMap
  • fix stack overflow in resolving
• 5.0.0-rc.0 - 2020-09-20
  

  Full Changelog

  Known Problems

  • delete x.y.z doesn't work with optimization.concatenateModules: true yet.
  • mini-css-extract-plugin is not fully compatible and there a few problems.
  • html-webpack-plugin doesn't understand the new default automatic publicPath yet. Use output.publicPath: "" instead.
  • target doesn't support individual browser versions yet. Use the general targets for now: target: ["web", "es2020"]
  • The stable webpack-cli shows too verbose output for schema validation problems.
  • new URL with string not starting with ./ or ../ works incorrectly
  • The stats grouping algorithm need still some fine-tuning
• 5.0.0-beta.33 - 2020-09-20
  

  Changes

  • deprecate stats.warningsFilter in favor of ignoreWarnings
    • We need to filter warnings earlier and not only for display, e. g. for correct ignoring in hasWarnings()

  Bugfixes

  • fix missing fileDependencies for managed items
• 5.0.0-beta.32 - 2020-09-18
  

  Features

  • sort assets by size
  • update all dependencies to stable versions only
  • output.publicPath is now "auto" by default when supported by target
  • add output.publicPath: "auto" to determine publicPath automatically

  Bugfixes

  • avoid error for managed paths that only contain a node_modules
• 5.0.0-beta.31 - 2020-09-17
• 5.0.0-beta.30 - 2020-09-11
• 5.0.0-beta.29 - 2020-08-28
• 5.0.0-beta.28 - 2020-08-20
• 5.0.0-beta.27 - 2020-08-19
• 5.0.0-beta.26 - 2020-08-14
• 5.0.0-beta.25 - 2020-08-10
• 5.0.0-beta.24 - 2020-08-05
• 5.0.0-beta.23 - 2020-08-02
• 5.0.0-beta.22 - 2020-07-09
• 5.0.0-beta.21 - 2020-07-06
• 5.0.0-beta.20 - 2020-06-29
• 5.0.0-beta.19 - 2020-06-29
• 5.0.0-beta.18 - 2020-06-17
• 5.0.0-beta.17 - 2020-06-03
• 5.0.0-beta.16 - 2020-05-05
• 5.0.0-beta.15 - 2020-04-21
• 5.0.0-beta.14 - 2020-03-02
• 5.0.0-beta.13 - 2020-01-29
• 5.0.0-beta.12 - 2020-01-16
• 5.0.0-beta.11 - 2019-12-24
• 5.0.0-beta.10 - 2019-12-22
• 5.0.0-beta.9 - 2019-12-08
• 5.0.0-beta.8 - 2019-12-08
• 5.0.0-beta.7 - 2019-11-20
• 5.0.0-beta.6 - 2019-11-14
• 5.0.0-beta.5 - 2019-11-13
• 5.0.0-beta.4 - 2019-11-12
• 5.0.0-beta.3 - 2019-11-06
• 5.0.0-beta.2 - 2019-10-31
• 5.0.0-beta.1 - 2019-10-22
• 5.0.0-beta.0 - 2019-10-11
• 5.0.0-alpha.32 - 2019-10-11
• 5.0.0-alpha.31 - 2019-10-10
• 5.0.0-alpha.30 - 2019-10-07
• 5.0.0-alpha.29 - 2019-10-02
• 5.0.0-alpha.28 - 2019-09-26
• 5.0.0-alpha.27 - 2019-09-25
• 5.0.0-alpha.26 - 2019-09-08
• 5.0.0-alpha.25 - 2019-09-06
• 5.0.0-alpha.24 - 2019-09-05
• 5.0.0-alpha.23 - 2019-08-27
• 5.0.0-alpha.22 - 2019-08-23
• 5.0.0-alpha.21 - 2019-08-22
• 5.0.0-alpha.20 - 2019-08-14
• 5.0.0-alpha.19 - 2019-08-06
• 5.0.0-alpha.18 - 2019-07-08
• 5.0.0-alpha.17 - 2019-07-01
• 5.0.0-alpha.16 - 2019-06-14
• 5.0.0-alpha.15 - 2019-06-05
• 5.0.0-alpha.14 - 2019-05-23
• 5.0.0-alpha.13 - 2019-05-20
• 5.0.0-alpha.12 - 2019-05-10
• 5.0.0-alpha.11 - 2019-02-19
• 5.0.0-alpha.10 - 2019-02-07
• 5.0.0-alpha.9 - 2019-01-27
• 5.0.0-alpha.8 - 2019-01-19
• 5.0.0-alpha.7 - 2019-01-19
• 5.0.0-alpha.6 - 2019-01-15
• 5.0.0-alpha.5 - 2019-01-09
• 5.0.0-alpha.4 - 2019-01-08
• 5.0.0-alpha.3 - 2018-12-29
• 5.0.0-alpha.2 - 2018-12-26
• 5.0.0-alpha.1 - 2018-12-23
• 5.0.0-alpha.0 - 2018-12-21
• 4.47.0 - 2023-09-06
• 4.46.0 - 2021-01-11
• 4.45.0 - 2021-01-08
• 4.44.2 - 2020-09-17
• 4.44.1 - 2020-07-30
• 4.44.0 - 2020-07-24
• 4.43.0 - 2020-04-21
• 4.42.1 - 2020-03-24
• 4.42.0 - 2020-03-02
• 4.41.6 - 2020-02-11
• 4.41.5 - 2019-12-27
• 4.41.4 - 2019-12-19
• 4.41.3 - 2019-12-16
• 4.41.2 - 2019-10-15
• 4.41.1 - 2019-10-11
• 4.41.0 - 2019-09-24
• 4.40.3 - 2019-09-24
• 4.40.2 - 2019-09-13
• 4.40.1 - 2019-09-13
• 4.40.0 - 2019-09-12
• 4.39.3 - 2019-08-27
• 4.39.2 - 2019-08-13
• 4.39.1 - 2019-08-02
• 4.39.0 - 2019-08-01
• 4.38.0 - 2019-07-26
• 4.37.0 - 2019-07-23
• 4.36.1 - 2019-07-17
• 4.36.0 - 2019-07-17
• 4.35.3 - 2019-07-08
• 4.35.2 - 2019-07-01
• 4.35.1 - 2019-07-01
• 4.35.0 - 2019-06-20
• 4.34.0 - 2019-06-12
• 4.33.0 - 2019-06-04
• 4.32.2 - 2019-05-22
• 4.32.1 - 2019-05-22
• 4.32.0 - 2019-05-20
• 4.31.0 - 2019-05-09
• 4.30.0 - 2019-04-12
• 4.29.6 - 2019-02-28
• 4.29.5 - 2019-02-18
• 4.29.4 - 2019-02-15
• 4.29.3 - 2019-02-07
• 4.29.2 - 2019-02-06
• 4.29.1 - 2019-02-04
• 4.29.0 - 2019-01-20
• 4.28.4 - 2019-01-10
• 4.28.3 - 2018-12-29
• 4.28.2 - 2018-12-22
• 4.28.1 - 2018-12-20
• 4.28.0 - 2018-12-19
• 4.27.1 - 2018-12-05
• 4.27.0 - 2018-12-04
• 4.26.1 - 2018-11-25
• 4.26.0 - 2018-11-19
• 4.25.1 - 2018-11-05
• 4.25.0 - 2018-11-05
• 4.24.0 - 2018-11-02
• 4.23.1 - 2018-10-25
• 4.23.0 - 2018-10-24
• 4.22.0 - 2018-10-21
• 4.21.0 - 2018-10-17
• 4.20.2 - 2018-09-25
• 4.20.1 - 2018-09-25
• 4.20.0 - 2018-09-25
• 4.19.1 - 2018-09-18
• 4.19.0 - 2018-09-13
• 4.18.1 - 2018-09-13
• 4.18.0 - 2018-09-10
• 4.17.3 - 2018-09-10
• 4.17.2 - 2018-09-03
• 4.17.1 - 2018-08-22
• 4.17.0 - 2018-08-21
• 4.16.5 - 2018-08-06
• 4.16.4 - 2018-08-02
• 4.16.3 - 2018-07-27
• 4.16.2 - 2018-07-23
• 4.16.1 - 2018-07-16
• 4.16.0 - 2018-07-11
• 4.15.1 - 2018-07-05
• 4.15.0 - 2018-07-04
• 4.14.0 - 2018-06-29
• 4.13.0 - 2018-06-28
• 4.12.2 - 2018-06-27
• 4.12.1 - 2018-06-24
• 4.12.0 - 2018-06-08
• 4.11.1 - 2018-06-06
• 4.11.0 - 2018-06-05
• 4.10.2 - 2018-05-30
• 4.10.1 - 2018-05-29
• 4.10.0 - 2018-05-28
• 4.9.2 - 2018-05-28
• 4.9.1 - 2018-05-25
• 4.9.0 - 2018-05-25
• 4.8.3 - 2018-05-12
• 4.8.2 - 2018-05-11
• 4.8.1 - 2018-05-07
• 4.8.0 - 2018-05-07
• 4.7.0 - 2018-05-04

from webpack GitHub release notes

Commit messages

Package name: elliptic

The new version differs by 10 commits.

• 03e06e1 6.5.6
• 7ac5360 Merge commit from fork
• 7570078 6.5.5
• 206da2e lib: lint
• 0a78e03 [Fix] restore node < 4 compat
• 43ac7f2 6.5.4
• f4bc72b package: bump deps
• 441b742 ec: validate that a point before deriving keys
• e71b2d9 lib: relint using eslint
• 8421a01 build(deps): bump elliptic from 6.4.1 to 6.5.3 ([Snyk(Unlimited)] Upgrade from thebespokepixel/es-tinycolor to thebespokepixel/es-tinycolor snyk-fixtures/npm-lockfiles#231)

See the full diff

Package name: engine.io

The new version differs by 250 commits.

• 9b80ab4 chore(release): engine.io@6.6.2
• a5d2368 ci: ignore tests when publishing to npm (bis)
• 88efd44 chore(deps): bump cookie to version 0.7.2 ([Snyk] Fix for 1 vulnerabilities snyk-fixtures/npm-lockfiles#5205)
• d0fc720 chore(release): socket.io@4.8.0
• 4a0555c chore(release): socket.io-client@4.8.0
• 2b60df1 chore(release): engine.io@6.6.1
• d4cb375 ci: ignore tests when publishing to npm
• c251ae7 chore(release): engine.io-client@6.6.1
• 8a2f5a3 fix(eio-client): move 'offline' event listener at the top
• b04fa64 fix(sio): allow to join a room in a middleware (uws)
• 7085f0e refactor(sio-client): mangle private attributes
• 4f66708 chore(sio-client): use babel loose mode when transpiling classes
• 1a95db2 chore(sio-client): add a script to compute the bundle size
• 282ae92 chore(sio-client): restore the debug package in the dev bundle
• 93010ca chore(eio-client): bump xmlhttprequest-ssl to version 2.1.1
• 132d05f fix(sio): expose type of default engine
• d5095fe fix(eio): prevent the client from upgrading twice (uws)
• da61381 test(eio): bump uWebSockets.js to version 20.48.0
• 19c48a4 refactor(sio): break circular dependency in source code
• 9b3c9ab fix(eio-client): only remove the event listener if it exists
• 043b55c refactor(sio): simplify middleware execution (bis)
• 32c761f refactor(sio): export the ExtendedError type
• 1f54ee0 refactor(sio): simplify middleware execution
• 923a12e fix(eio): discard all pending packets when the server is closed

See the full diff

Package name: react-middle-truncate

The new version differs by 12 commits.

• 41a37e7 1.0.1
• b9c235d RC v1.0.1 ([Snyk] Fix for 2 vulnerabilities #7)
• 3f3c1fe fix: resolve alias for utils folder for library webpack config
• 5c0967b fix: Readme typos.
• e455feb Merge branch 'master' of github.com:matt-d-rat/react-middle-truncate
• 6575007 fix: Security vulnerabilities in dev dependencies + upgrade dev dependencies ([Snyk] Fix for 1 vulnerabilities #6)
• ec9004e Merge branch 'master' of github.com:matt-d-rat/react-middle-truncate
• 3104743 fix: `measure-text` security vulnerability ([Snyk] Security upgrade node-fetch from 1.7.3 to 3.1.1 #5)
• 0bbfd4f Merge branch 'master' of github.com:matt-d-rat/react-middle-truncate
• 2f1dc21 go with class properties all the way ([Snyk] Fix for 1 vulnerabilities #2)
• c192168 chore: Add development setup section to the contributing docs.
• 83ab391 chore: fix typo in README.md

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 610f368 5.0.0
• 5ce65c1 update examples
• bbe1230 Merge pull request #11628 from webpack/bugfix/real-content-hash
• 75ecff2 5.0.0-rc.6
• bfc35d6 Merge pull request #11603 from MayaWolf/master
• 76e8cbd Merge pull request #11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
• 9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
• 36bcfaa Merge pull request #11621 from webpack/bugfix/11619
• 9130d10 fix called variables with ProvidePlugin
• 3e42105 Merge pull request #11620 from webpack/bugfix/11617
• 4709719 skip connections copied to concatenated module
• 57b493f 5.0.0-rc.5
• 1658e2f Merge pull request #11618 from webpack/bugfix/11615
• a8fb45d fixes crash in SideEffectsFlagPlugin
• 84b196d emit error instead of crashing when unexpected problem occurs
• 5573fed Merge pull request #11601 from Hornwitser/improve-suggested-polyfill-config
• 9b5cce9 Merge pull request #11609 from snitin315/export-types
• 37c495c export type RuleSetUseItem
• 39faf34 export type RuleSetUse
• e5fd246 export type RuleSetConditionAbsolute
• 660baad export RuleSetCondition types
• 13e3ca5 Merge pull request #11602 from webpack/bugfix/shared-runtime-chunk
• 9c0587e Merge pull request #11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
• 502d166 Merge pull request #11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)