[Snyk] Fix for 16 vulnerabilities

[Verdinjoshua26]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/scripts/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKDOWNIT-2331914	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Certificate Validation SNYK-JS-NODESASS-1059081	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-NTHCHECK-1586032	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SCSSTOKENIZER-2339884	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-STYLELINT-1585622	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @svgr/webpack

The new version differs by 74 commits.

• af9a6cb v6.0.0
• e9469c3 Merge pull request Only dispatch START_TYPING if not already typing WordPress/gutenberg#629 from gregberge/rewriting-docs
• eb3282b docs: rewriting
• 6f832f0 Merge pull request Undo/Redo and command+z WordPress/gutenberg#627 from gregberge/support-css-variables
• cbdb47f fix: support CSS variables
• 985444d chore: fix package-lock.json
• a5effba v6.0.0-alpha.4
• 3f071d6 Merge pull request Parser: Use an HTML like attribute syntax for comment attributes WordPress/gutenberg#626 from gregberge/upgrade-deps
• daf6a08 chore(deps): upgrade
• 1c5f163 Merge pull request Headings: h2 and h3 have the same size WordPress/gutenberg#625 from gregberge/icon-size
• 483560d chore: fix package-lock.json
• 3c0b779 feat: allow to specify icon size
• 6ba16a3 Merge pull request Remove and prevent DOM access in block attributes matchers WordPress/gutenberg#624 from gregberge/various-things
• f61c8ba chore: fix ref following refactoring
• 261e1b5 v6.0.0-alpha.3
• fe5c117 Merge pull request Update dummy content to function as an introduction to the editor. WordPress/gutenberg#623 from gregberge/webpack
• 9a4cbce docs(examples): update examples
• 1a8cc98 fix(webpack): fix webpack 5 behaviour with url-loader
• a857bb1 feat: support mask-type property (Inserting a new block should scroll to that block WordPress/gutenberg#621)
• 5966714 fix(template): make it possible to use type in template (Add "Separator" (hr) block to the library. WordPress/gutenberg#619)
• 9ea5da4 refactor(core): use exportName transform (Blocks: add "Button" WordPress/gutenberg#616)
• 8a1b0aa docs(readme): Fixing CRA link (Editable: Adding a prop to opt-for formatting controls WordPress/gutenberg#618)
• 00a1d4b chore: fix package-lock.json
• f729efa v6.0.0-alpha.2

See the full diff

Package name: eslint-plugin-markdown

The new version differs by 46 commits.

• 89ea838 2.2.0
• 5083d83 Build: changelog update for 2.2.0
• 32203f6 Update: Replace Markdown parser (fixes [Snyk] Security upgrade jest from 25.5.4 to 27.0.0 #125, fixes Clean up UI creation a bit WordPress/gutenberg#186) (Add insert button to block outline WordPress/gutenberg#188)
• 58729d5 2.1.0
• 63322a5 Build: changelog update for 2.1.0
• f1e153b Update: Upgrade remark-parse to v7 (fixes [Snyk] Fix for 1 vulnerabilities #77, fixes [Snyk] Security upgrade webpack from 4.46.0 to 5.1.1 #78) (TinyMCE per block: Fix the quote markup WordPress/gutenberg#175)
• b1d2675 2.0.1
• e301eea Build: changelog update for 2.0.1
• d23d5f7 Fix: use blocksCache instead of single blocks instance (fixes TinyMCE per block: Adding a simple embed block WordPress/gutenberg#181) (Fix/tinymce single/block ui WordPress/gutenberg#183)
• a09a645 Chore: add yarn.lock and package-lock.json into .gitignore (TinyMCE per block: Adding a custom Link control to TinyMCE instances WordPress/gutenberg#184)
• 1280ac1 Docs: improve jsdoc, better for typings (TinyMCE per block: Adding a theme CSS to improve the preview WordPress/gutenberg#182)
• 79be776 Fix: More reliable comment attachment (fixes [Snyk] Security upgrade jest from 25.5.4 to 27.0.0 #76) (Add styles for new tinymce link behaviour WordPress/gutenberg#177)
• 610cffd 2.0.0
• e2f13a9 Build: changelog update for 2.0.0
• 53dc0e5 Docs: Remove prerelease README notes (Remove element global (tinymce-single) WordPress/gutenberg#173)
• 140adf4 2.0.0-rc.2
• 15d7aa6 Build: changelog update for 2.0.0-rc.2
• f6a3fad Fix: overrides pattern for virtual filenames in recommended config (Revert "Single TinyMCE: Drop window element global" WordPress/gutenberg#169)
• 390d508 2.0.0-rc.1
• e05d6eb Build: changelog update for 2.0.0-rc.1
• 1dd7089 Fix: npm prepare script on Windows (refs Add base ESLint and EditorConfig configurations WordPress/gutenberg#166) (Single TinyMCE: Drop window element global WordPress/gutenberg#168)
• 23ac2b9 Fix: Ignore words in info string after syntax (fixes Add base ESLint and EditorConfig configurations WordPress/gutenberg#166) (TinyMCE per block: Handle focus as state instead of using imperative API WordPress/gutenberg#167)
• 8f729d3 Chore: Switch to main for primary branch (fixes UI: Moving block should scroll window with the block WordPress/gutenberg#161) (Single TinyMCE: Add TinyMCE-unaware control registration APIs WordPress/gutenberg#165)
• d30c50f Chore: Automatically install example dependencies (TinyMCE per Block: Adding the align images controls WordPress/gutenberg#164)

See the full diff

Package name: markdownlint

The new version differs by 250 commits.

• 2d19c06 Update to version 0.25.1.
• 61bb059 Make all package.json dependency versions explicit for more deterministic installs.
• 66d533d Update npx invocation to pass --yes to avoid prompting to install missing packages.
• 23d8ed7 Add test case for custom rule that imports an ESM module (refs Use $() to return matched string instead of head:* tail:* WordPress/gutenberg#477).
• b1aef98 Empty commit to note that previous commit fixes WIP: Adds new RegExp-based "parser" WordPress/gutenberg#478.
• f77eca0 Update dependency: markdown-it to 12.3.2.
• 05b4b5f Update copyright year to 2022.
• 02707cf Merge branch 'next' into main
• 4ff4cbc Update to version 0.25.0.
• e298e3d Include async/await function in custom rules test for asynchronous mode.
• 11e9a20 Update dependency: globby to 12.0.2.
• 05b9e6e Update dependency: strip-json-comments to 4.0.0.
• 528758e Update dependencies: eslint to 8.5.0, eslint-plugin-jsdoc to 37.4.0.
• fd24b95 Remove require("os") from helpers to reduce dependencies for browser scenarios.
• 9ec14f1 Include custom rule markdownlint-rule-github-internal-links when validating project Markdown files.
• 5f00406 Deep freeze name/tokens/lines/frontMatterLines properties of params object before passing to (custom) rules for shared access.
• 5253669 Fix array indexing for markdownlint-disable-next-line when front matter is present.
• 7a76f1d Update MD039/no-space-in-links to fix reference-style links, be slightly more permissive matching link content.
• 064a1e3 Update Node version for TestRepos workflow from 12 to 16.
• ff8f4ea Reduce execution time by ~50% by updating getEnabledRulesPerLineNumber to make enabledRules immutable and copy only when changed (also, simplify handleInlineConfig slightly).
• 7cf9c2d Update MD037/no-space-in-emphasis to ignore embedded underscore emphasis markers (fixes Components: Fix the icon button level prop WordPress/gutenberg#444, fixes Reorganize folders within editor WordPress/gutenberg#408, fixes Add named colors, polish HTML editor WordPress/gutenberg#354, fixes Simplify Webpack configuration WordPress/gutenberg#324).
• 3e8d332 Add test for outdated ignore expressions to markdownlint-test-repos.
• 6dea678 Update definition of helpers.isBlankLine to treat unterminated start/end comments as potentially blank lines (fixes Update README, add CONTRIBUTING WordPress/gutenberg#431).
• 1b23976 Update dependencies: eslint-plugin-jsdoc to 37.2.8, eslint-plugin-unicorn to 39.0.0.

See the full diff

Package name: markdownlint-cli

The new version differs by 165 commits.

• fec244c Bump version 0.31.0
• a0527a8 Set two more Prettier options explicitly for a consistent experience (refs Adjust drag element WordPress/gutenberg#247).
• e45d433 Enable "Prettier" validation for "xo", configure settings for minimal non-space deltas, apply all required changes (fixes Try drag and drop on block outline WordPress/gutenberg#246, closes Adjust drag element WordPress/gutenberg#247).
• 4baec11 Update to invoke execa as an ESM import.
• f771c6b Bump execa from 5.1.1 to 6.0.0
• c327fb5 Update to invoke get-stdin as an ESM import.
• aca74ca Bump get-stdin from 8.0.0 to 9.0.0
• c48be7b Bump commander from 8.3.0 to 9.0.0 (Full Width CSS for the iframe in embedded content! WordPress/gutenberg#256)
• e1f0f3b fix: vuln in markdown > markdown-it (Keep the selection on drop WordPress/gutenberg#255)
• 3009422 Bump ava from 3.15.0 to 4.0.1 (TinyMCE per block: Delete unnecessary abstraction WordPress/gutenberg#253)
• 5276c70 Update dependency: markdownlint to 0.25.0.
• 18eb72d Bump actions/setup-node from 2.5.0 to 2.5.1 (TinyMCE per block: One enter don't split the block, two enters do WordPress/gutenberg#251)
• 38956ca Bump markdownlint-rule-helpers from 0.15.0 to 0.16.0 (TinyMCE per block: Showing moving block controls on hover WordPress/gutenberg#250)
• 318c1c3 Bump ignore from 5.1.9 to 5.2.0 (Applying hover effect to the tiny single instance WordPress/gutenberg#248)
• c5a8b48 Standardize and improve exit code handling (Add media placeholders WordPress/gutenberg#245)
• 799ed61 chore: Add Node 17 to CI matrix (TinyMCE per block: Small tweaks WordPress/gutenberg#244)
• e3f5a6c chore: use built-in setup-node NPM cache (Disable end_container_on_empty_block WordPress/gutenberg#243)
• 219cc3b Bump actions/setup-node from 2.4.1 to 2.5.0 (Restrict setting content in blockquote footer WordPress/gutenberg#242)
• 3e989a4 Bump xo from 0.46.4 to 0.47.0 (Only allow inline elements within block editable fields WordPress/gutenberg#241)
• 2ea8a2c Remove unused/outdated helper packages, replace with native JavaScript functions (fixes TinyMCE per block: Fix the inserter and drop the type icon from sidebar WordPress/gutenberg#237).
• 328dacc Bump version 0.30.0
• 27dc20f Add exitCode check to all tests.
• bf8b148 Rebuild package-lock.json to try to fix "npm ci".
• 27d5e70 Update CI workflow to include linting step.

See the full diff

Package name: node-sass

The new version differs by 90 commits.

• 3b556c1 7.0.2
• c716359 Bump sass-graph@^4.0.1 (Update README with new screenshot WordPress/gutenberg#3292)
• 24741b3 docs(readme): fix docpad plugin link
• 1523330 feat: Drop Node 12
• 365d357 update https://registry.npm.taobao.org to https://registry.npmmirror.com
• 1456114 build(deps): bump actions/upload-artifact from 2 to 3
• b465b69 chore: bump GitHub Actions to Windows 2019 (Update version to 1.6. WordPress/gutenberg#3254)
• e6194b1 build(deps): bump make-fetch-happen from 9.1.0 to 10.0.4
• 4edf594 build(deps): bump node-gyp from 8.4.1 to 9.0.0
• 29e2344 build(deps): bump actions/checkout from 2 to 3
• 85b0d22 build(deps): bump actions/setup-node from 2 to 3
• 3bb51da Use make-fetch-happen instead of request (Fix/arrow key into textarea WordPress/gutenberg#3193)
• adc2f8b build(deps): bump true-case-path from 1.0.3 to 2.2.1 (Hover UI can overlap with selected UI WordPress/gutenberg#3000)
• 77d12f0 chore: disable Apline for Node 16/17 builds
• 308d533 ci: use Python 3 for Node 12
• c818907 ci: unpin actions/setup-node to v2
• 99242d7 7.0.1
• 77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (FIX: Link Dialog's position appears randomly generated WordPress/gutenberg#3224)
• c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (withAPIData does not work with custom endpoints WordPress/gutenberg#3209)
• 918dcb3 Lint fix
• 0a21792 Set rejectUnauthorized to true by default (Convert a Classic Block into Multiple Blocks WordPress/gutenberg#3149)
• e80d4af chore: Drop EOL Node 15 (Metaboxes: Fix resizing iFrame in Firefox WordPress/gutenberg#3122)
• d753397 feat: Add Node 17 support (Experimenting with navigation and edit modes WordPress/gutenberg#3195)
• dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0

See the full diff

Package name: stylelint

The new version differs by 219 commits.

• 060310c 14.0.0
• ff4a1ef Prepare CHANGELOG
• 8d2f6e1 Bump postcss (Refactored meta box data collection. Fixed a bug where meta boxes may not be shown. WordPress/gutenberg#5619)
• f552608 Merge pull request Testing: Experiment with Puppeteer for E2E testing WordPress/gutenberg#5618 from stylelint/dependabot/npm_and_yarn/husky-7.0.4
• 7ed17ad Bump husky from 7.0.2 to 7.0.4
• 4d9f75e Merge pull request 2.4.0: gutenberg_register_post_types() WordPress/gutenberg#5617 from stylelint/dependabot/npm_and_yarn/jest-27.3.1
• bc9dd0b Bump jest from 27.2.5 to 27.3.1
• 82e2507 Merge pull request Embed placeholder breaks upon reload WordPress/gutenberg#5604 from stylelint/v14
• 16d259f Update CHANGELOG.md
• 70b1149 Fix false positives for dynamic-range keywords in media-feature-name-no-unknown (Console error when adding something inside the Custom HTML block, then saving and refreshing the page WordPress/gutenberg#5613)
• 8dca498 Show more info in missing customSyntax warning (Renamed blocks-... classes to components-... classes in input controls WordPress/gutenberg#5611)
• 2eee0a9 Remove v14 CI triggers (Auto-scroll behaviour on long blocks WordPress/gutenberg#5610)
• 12f8081 14.0.0-0
• 5dd7ec1 Prepare 14.0.0
• 67313a3 Add support for `extends` in `overrides` config (Gutenberg is gone for CPTs when the "editor" option is missing from the "supports" argument WordPress/gutenberg#5603)
• b6fd2fc Document no need for postcss-html maintainer (Add Server Side Render component. WordPress/gutenberg#5602)
• bf28025 Recommend using shared configs (ColorPalette: white palette color merging with white background WordPress/gutenberg#5598)
• 07118d6 Update CHANGELOG.md
• 367142a Change `ignoreFiles` to be extendable (callback for setAttributes? WordPress/gutenberg#5596)
• 1b4162f Fix conflicts in dependabot
• 87c5fde Bump picocolors from 0.2.1 to 1.0.0 (Consistency between example files and handbook  WordPress/gutenberg#5601)
• 1f32094 Bump typescript from 4.4.3 to 4.4.4 (How post_meta is handled on multiple instances of the same block? WordPress/gutenberg#5599)
• 88b9575 Revise contributors section of README (Blocks: Add transform from Paragraph block to Cover Image block WordPress/gutenberg#5585)
• e38da70 Use problem rather than violation in docs and types ("Slash menu": improve instructions and feedback WordPress/gutenberg#5592)

See the full diff

Package name: webpack-bundle-analyzer

The new version differs by 20 commits.

• ee6c7a9 Merge pull request Change mode switcher to a select box WordPress/gutenberg#389 from webpack-contrib/support-webpack-5
• 8d1a752 Update version
• 37ab03e Fix typo
• 2153401 Add `--watch-ignore` flag to `test-dev` npm script
• 35b62db Add `private: true` flag to `package.json` files in `test/webpack-versions`
• ef36924 Add changelog entry
• f819548 Update version
• d8f2dd7 Fix lint issues
• d32cbdb Add changelog for v4.0.0
• 3094dbc Update dependencies
• b85ba7d Add tests for Webpack 5
• c35bda3 Properly parse Webpack 5 entry modules
• 7bbe89f Properly parse Webpack 5 bundle format (except concatenated entry module)
• b34b249 Update package-lock.json
• abc298a Remove Node.js 6 and 8 from .travis.yml
• a81b7b8 - Support multiple Webpack versions in tests
• 591adf1 Add more ignores to .npm-upgrade.json
• d5698f4 Update dependencies
• e4a8974 Merge pull request Add/346 list block/ui WordPress/gutenberg#382 from wbobeirne/fix-opener-error
• b0f717b Catch uncaught opener errors

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Arbitrary Code Injection
🦉 Remote Code Execution (RCE)
🦉 More lessons are available in Snyk Learn