[Snyk] Fix for 13 vulnerabilities

[adamlaska]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/codesandbox-api/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	556/1000 Why? Recently disclosed, Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	429/1000 Why? Has a fix available, CVSS 4.3	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: coveralls

The new version differs by 3 commits.

• 2ed4d09 major version bump for node > 4.x
• 5ebe57f bump version
• 428780c Expand allowed dependency versions to all API compatible versions ([Snyk] Security upgrade tsdx from 0.6.1 to 0.10.1 #172)

See the full diff

Package name: jest

The new version differs by 22 commits.

• ff9269b chore: bump most dated deps (#8850)
• 7594141 chore: upgrade to eslint@6 (#8855)
• b33ce0d chore: upgrade to micromatch v4 (#8852)
• d6ff72a chore: add node 12 to CI (fix: notification bubble codesandbox/codesandbox-client#8411)
• 7e9b4ea chore: upgrade jsdom (#8851)
• 4bb7a2d Use `weak-napi` instead of `weak` in `jest-leak-detector`
• ce47c6c Get rid of Node 6 support (feat: add codeium in featured templates codesandbox/codesandbox-client#8455)
• bc5c3c7 jest-snapshot: Remove only the added newlines in multiline snapshots (#8859)
• d523fa8 bug.md: highlights placeholder should be removed (#8836)
• 08f109c expect: Display expectedDiff more carefully in toBeCloseTo (fix: show upgrade button only for admins  codesandbox/codesandbox-client#8389)
• b09de2d chore: bump node-notifier for node v6 support
• 557a39f fix(linter): Fix linting failure introduced in #8847 😓 (#8849)
• 012472b fix(docs): Update broken links in docs. (#8847)
• ee2bea1 chore: sort member in imports (#8846)
• 9ba4594 add Chinese Jest work with AngularJS tutorial (#8828)
• 0e5b363 chore: reduce reliance on esModuleInterop (#8842)
• d69f8d3 getTimerCount will not include cancelled immediates (#8764)
• b4bd77b Fix grammar: "your jest's config"->"your Jest..." (#8843)
• 54b3dcf Fix grammar: "a known issues"->"a known issue" (#8844)
• e76c7da docs: update matchMedia methods (#8835)
• 23b9860 chore: roll new version of docs
• 3cdbd55 Release 24.9.0

See the full diff

Package name: nodemon

The new version differs by 114 commits.

• 27e91c3 fix: update packge-lock
• 0144e4f fix: bump update-notifier to v6.0.0 (Optimize docs images codesandbox/codesandbox-client#2029)
• c870342 chore: update supporters
• 5c0b472 chore: add supporter
• e26aaa9 fix: support windows by using path.delimiter
• 9d1afd7 docs: add syntax highlighting to sample-nodemon.md (View > Appearance > Toggle Menu Bar requires using the Command Palette to restore the Menu Bar codesandbox/codesandbox-client#1982) (Comments are in cursive. Cursive! Cursive!?? codesandbox/codesandbox-client#2004)
• de5d32a docs: Unified Node.js capitalization (Fix TypeScript errors codesandbox/codesandbox-client#1986)
• e890927 docs: add note to faq with example showing how to watch any file extension (Support dynamic import in vanilla template for Babel v7 codesandbox/codesandbox-client#1931)
• bc4547b chore: update sponsors
• 07159c5 chore: add supporters
• cd100da chore: update supporters
• 6a34922 chore: supporters
• e5d6067 chore: updating supporters
• 242f9f7 Merge branch 'main' of github.com:remy/nodemon
• 141e58c chore: update supporters
• 53422af ci(release): workflow uses 'npm' cache (Possible to configure ESLint? codesandbox/codesandbox-client#1933)
• 581c641 ci(node.js): workflow uses 'npm' cache (toggleSidebar is my function and exists in index.js codesandbox/codesandbox-client#1934)
• cb1c8b9 docs: Fix typo in faq.md (Refactor GitHub to functional component with hooks codesandbox/codesandbox-client#1950)
• 54784ab fix: bump prod dep versions
• 26db983 chore: update supporters
• 61e7abd fix: add windows signals SIGUSR2 & SIGUSR1 to terminate the process (Could not fetch dependencies, please try again in a couple seconds: Something went wrong while packaging the dependency INVALID_VERSION codesandbox/codesandbox-client#1938)
• b449171 docs: Fix typo in faq.md
• 0a3175f chore: update supporters
• 18516d8 chore: add supporter

See the full diff

Package name: replace-in-file

The new version differs by 36 commits.

• 2023fa8 3.4.4
• 179c82e [bump] Update packages
• 6f6cbf8 3.4.3
• f984b38 Update yargs version ([Snyk] Security upgrade next from 8.1.0 to 9.3.4 #66)
• 5d8e7eb TOC
• 261fd5d Add some regex usage instructions
• 54b2dd8 3.4.2
• 93b5315 3.4.1
• 9a2c309 Update dependencies
• 0f6a4bc Add warning note about glob
• 8938687 3.4.0
• 754fd80 [enhance] Allow passing of glob config
• 6ed5456 3.3.0
• 5e64df1 Tweaks to readme
• d94c3aa Callback for `from` ([Snyk] Security upgrade overmind-devtools from 19.0.1 to 29.0.0 #46)
• 015571a Co founder notice
• 8e9d782 3.2.0
• 60e7b82 Add verbose option
• 153dc27 Index added to the readme ([Snyk] Security upgrade overmind-devtools from 19.0.1 to 29.0.0 #43)
• 33dfe50 Document async/await usage
• 0113977 3.1.1
• 7bec36e [bump] Dependencies
• 697ee51 Update dependencies
• 5c59c87 3.1.0

See the full diff

Package name: semantic-release

The new version differs by 45 commits.

• e2a8a5c feat: Refactor CLI to run with one command, improve logs, modularize, add tests
• 1bd095d chore(CODE_OF_CONDUCT): Contributor Covenant
• 16a02e5 fix(package): update github to version 12.0.0
• 51e7579 chore(package): update ava to version 0.23.0
• acddd5a chore(package): update codecov to version 3.0.0
• f6aacd2 fix: Log error messages on reject
• b0bc490 fix: handle errors when verifyConditions and verifyRelease are a pipeline
• 580ad9c feat: Allow to recover from ENOTINHISTORY with a tag and handle detached head repo
• 8e9d9f7 fix: Always pass pluginConfig to plugins as a defined object
• 90417c6 fix: Exit with 1 if unexpected error happens
• 85dd69b feat: Retrieve version gitHead from git tags and unshallow the repo if necessary
• cbb51a4 ci(codecov): Set default branch in codecov.yml
• a58d12d chore: Update badges
• 42b3382 ci(travis): Update .travis.yml
• cc3c8f2 ci: Use codecov for code coverage
• abf92ad refactor: Use ES6, Test with AVA
• 7fe0890 chore: Remove editorconfig
• f10f157 chore: More generic `.gitignore` (Windows, Mac OS, Linux)
• 40e296b chore: Remove lockfiles
• 266a3f7 chore: Add license file
• 42456a3 chore(package): update coveralls to version 3.0.0
• 3a4334f fix(package): update @ semantic-release/error to version 2.0.0
• 41d9b7e docs: fix grammatical error in README
• 9951cf7 fix(package): Set minimum node version to 4 ([Snyk] Security upgrade nginx from 1.16.1-alpine to 1.25.3-alpine #442)

See the full diff

Package name: ts-jest

The new version differs by 165 commits.

• ad58c9b chore(release): 25.3.0
• 949e3e1 chore: update package-lock.json
• b8ebf36 docs: add Troubleshoting section (Anchors in React do not fire onClick handlers in preview if a hash is present in the link codesandbox/codesandbox-client#1463)
• 8b5325e chore(transformer): only do type checking for js/jsx/ts/tsx file (VSCode Explorer is not working codesandbox/codesandbox-client#1464)
• 58b05b1 chore: replace travis-ci.org with travis-ci.com (Ability to specify version of Node in server templates codesandbox/codesandbox-client#1469)
• 79e8fdf build(deps-dev): bump jest from 25.2.3 to 25.2.4 (add bulk delete and add to project to media codesandbox/codesandbox-client#1468)
• dddce1c build(deps-dev): bump @ jest/transform from 25.2.3 to 25.2.4 (CoffeeScript support for vue-cli and parcel templates codesandbox/codesandbox-client#1467)
• d811bae build(deps-dev): bump lint-staged from 10.0.9 to 10.0.10 (How to point dependency to a github branch  codesandbox/codesandbox-client#1466)
• ecc8312 build(deps-dev): bump @ types/react from 16.9.26 to 16.9.27 (Anchors in React do not fire onClick handlers if a hash is present in the link codesandbox/codesandbox-client#1462)
• c10ad4a chore(compiler): improve performance for language service (🌈 Feature: Allow users to Hard Reboot Container Sandboxes codesandbox/codesandbox-client#1461)
• 455ee5b build(deps-dev): bump @ jest/transform from 25.2.1 to 25.2.3 (SVG file served as application/json codesandbox/codesandbox-client#1459)
• 1641cfb build(deps-dev): bump jest from 25.2.2 to 25.2.3 (Option/Alt-click to expand/collapse all child directories codesandbox/codesandbox-client#1460)
• 3010ec8 build(deps-dev): bump @ jest/types from 25.2.1 to 25.2.3 (Problem serving MIME type="module" codesandbox/codesandbox-client#1458)
• 26a81f0 build(deps-dev): bump @ types/react from 16.9.25 to 16.9.26 (Remove event listeners when unmounting codesandbox/codesandbox-client#1457)
• 99c552d build(deps-dev): bump jest from 25.2.1 to 25.2.2 (File Explorer glitch - Duplicate folders codesandbox/codesandbox-client#1455)
• 5214f1b build(deps): bump yargs-parser from 18.1.1 to 18.1.2 (Open previous files on Refresh codesandbox/codesandbox-client#1456)
• 79478ae build(deps-dev): bump tslint-plugin-prettier from 2.2.0 to 2.3.0 (Express deployment to Zeit fails "cd build && serve -s ./" codesandbox/codesandbox-client#1454)
• 107e062 fix: always do type check for all files provided to ts-jest transformer (Not able to submit feedback codesandbox/codesandbox-client#1450)
• 1e34075 build(deps-dev): bump @ jest/types from 25.2.0 to 25.2.1 (Navigate between featured sandboxes using left and right arrow keys codesandbox/codesandbox-client#1452)
• ba5a6c4 build(deps-dev): bump @ jest/transform from 25.2.0 to 25.2.1 (only send email codesandbox/codesandbox-client#1451)
• e857f5b build(deps-dev): bump jest from 25.2.0 to 25.2.1 (Social Facebook Community Homepage! codesandbox/codesandbox-client#1453)
• 4981da8 Merge pull request Enable passing a default Terminal command as a query param to a CSB URL codesandbox/codesandbox-client#1447 from kulshekhar/dependabot/npm_and_yarn/jest/types-25.2.0
• ea8240a Merge pull request Fix mocked paths in manager codesandbox/codesandbox-client#1448 from kulshekhar/dependabot/npm_and_yarn/jest/transform-25.2.0
• e50db11 build(deps-dev): bump @ jest/types from 25.1.0 to 25.2.0

See the full diff

Package name: tsc-watch

The new version differs by 81 commits.

• f3278a3 version 4.2.9
• 0aaaf44 Merge pull request [Snyk] Security upgrade overmind-devtools from 19.0.1 to 29.0.0 #95 from FauxFaux/feat/bump-node-8
• c211f60 fix: upgrade cross-spawn and strip-ansi (node 8+)
• 12155da Version 4.2.8
• 5027aa3 Merge pull request [Snyk] Security upgrade overmind-devtools from 19.0.1 to 29.0.0 #92 from merceyz/pnp
• 7351089 fix: spawn compiler using node
• e91e81a Removed node 6 from travis
• 35b4dee dropped support for node 6, minimum is node 8
• 81a2602 Merge pull request [Snyk] Fix for 1 vulnerabilities #91 from carnun/master
• 2de5bc8 Separated out the signal and updated the package version
• c120b9a Change kill signal and add unit test
• 10554b2 Version 4.2.6
• a5f44b3 version 4.2.5
• ac1e61a lock version update
• 968c03e Version 4.2.4
• ffea707 Version 4.2.3
• b3dbf91 Removed the release script
• eb440e0 Version v4.2.2
• d3f737d Version v4.2.1
• 2724876 Fixed issue [Snyk] Security upgrade rollup-plugin-scss from 0.4.0 to 3.0.0 #81 (No restart)
• c07c75f version 4.2.0
• 8641cc4 working with readline
• 35f011d Merge pull request [Snyk] Security upgrade nginx from 1.16.1-alpine to 1-alpine #77 from yardenshoham/readme-typescript-typo
• c1bab53 Fix typo in readme

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect