[Snyk] Fix for 2 vulnerabilities

[ekmixon]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • community-modules/react/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	698/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.1	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-6147607	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: jest-circus

The new version differs by 250 commits.

• be16e47 v27.0.0
• 63102ec chore: update changelog for release
• 564694a docs(blog): Jest 27 blog post (#11131)
• b68d91b feat(pretty-print): add option `printBasicPrototype` (#11441)
• 2226742 chore: minor simplify format results error (#11432)
• 78eb25d chore: remove needless assign (#11433)
• 696c455 chore: update lockfile after publish
• e2eb9ae v27.0.0-next.11
• 3b253f8 Wait for closed resources to actually close before detecting open handles (#11429)
• 27bee72 fix: run GC before collecting open handles (#11278)
• 50451df feat: use fallback if prettier not found (#11400)
• 150dbd8 chore: update lockfile after publish
• 6f44529 v27.0.0-next.10
• cbcec7d Upgrade fsevents in jest-haste-map (#11428)
• 9633a26 feat: support reporters written in ESM (#11427)
• 59f42d8 fix: do not cache modules that throw during evaluation (#11263)
• 57e32e9 Detect open handles with done callbacks (#11382)
• a397607 Document and test dontThrow for custom inline snapshot matchers (#10995)
• 4fa3a0b feat: custom haste (#11107)
• 2047a36 chore: bump deps (#11419)
• a4358d6 chore: run prettier on changelog
• bdd6282 Move all default values into `jest-config` (#9924)
• db643a1 Link to Jest config (#11106)
• b16082c Fix locale issue #10014 (#11412)

See the full diff

Package name: serialize-javascript

The new version differs by 86 commits.

• b71ec23 6.0.2
• f27d65d fix: serialize URL string contents to prevent XSS ([Snyk] Security upgrade node-sass from 6.0.0 to 7.0.2 #173)
• 02499c0 Bump @ babel/traverse from 7.10.1 to 7.23.7 ([Snyk] Fix for 2 vulnerabilities #171)
• 0d88527 docs: update readme with URL support ([Snyk] Fix for 1 vulnerabilities #146)
• e2a3a91 chore: update node version and lock file
• 5a1fa64 fix typo ([Snyk] Upgrade @ag-grid-enterprise/core from 25.3.0 to 28.0.2 #164)
• 7139f92 Release v6.0.1 ([Snyk] Security upgrade @angular-devkit/build-angular from 0.900.7 to 13.3.9 #157)
• 7e23ae8 Fix serialization issue for 0n. ([Snyk] Security upgrade @angular-devkit/build-angular from 0.803.29 to 13.3.9 #156)
• 343abd9 Bump json5 from 2.1.3 to 2.2.3 ([Snyk] Security upgrade moment from 2.22.2 to 2.29.4 #155)
• 38d0e70 Bump mocha from 10.1.0 to 10.2.0 ([Snyk] Security upgrade ng-packagr from 9.1.5 to 10.1.0 #153)
• a472d9d Bump minimatch from 3.0.4 to 3.1.2 ([Snyk] Security upgrade ng-packagr from 9.1.5 to 10.1.0 #152)
• d9ad87c ci: bump GitHub Actions
• 07e8205 Bump chai from 4.3.6 to 4.3.7 ([Snyk] Fix for 16 vulnerabilities #150)
• 0cbf6ae Bump mocha from 10.0.0 to 10.1.0 ([Snyk] Fix for 1 vulnerabilities #149)
• c68e16a Bump mocha from 9.2.2 to 10.0.0 ([Snyk] Fix for 1 vulnerabilities #145)
• 8097fe2 Bump minimist from 1.2.5 to 1.2.6 ([Snyk] Security upgrade webpack-dev-server from 3.1.8 to 3.1.10 #144)
• 5fbddae Bump mocha from 9.2.0 to 9.2.2 ([Snyk] Fix for 1 vulnerabilities #143)
• 183c18a Bump ansi-regex from 5.0.0 to 5.0.1 ([Snyk] Fix for 1 vulnerabilities #141)
• 3a88913 Bump chai from 4.3.4 to 4.3.6 ([Snyk] Fix for 1 vulnerabilities #140)
• 8984bbb Bump mocha from 9.1.4 to 9.2.0 ([Snyk] Fix for 1 vulnerabilities #138)
• 2b4f837 Bump mocha from 9.1.3 to 9.1.4 ([Snyk] Fix for 1 vulnerabilities #137)
• f60bab5 Bump mocha from 9.1.2 to 9.1.3 ([Snyk] Fix for 1 vulnerabilities #133)
• 9da6d14 Bump mocha from 9.1.1 to 9.1.2 ([Snyk] Fix for 1 vulnerabilities #132)
• da9210e Bump mocha from 9.1.0 to 9.1.1 ([Snyk] Fix for 1 vulnerabilities #131)

See the full diff

Package name: terser-webpack-plugin

The new version differs by 41 commits.

• 491b2fd chore(release): 5.1.4
• bc7580b chore(deps): serialize-javascript and deps updated ([Snyk] Fix for 5 vulnerabilities #408)
• ec65531 ci: update nodejs.yml ([Snyk] Security upgrade jest from 25.5.4 to 26.0.0 #407)
• f8ce3bc chore: update deps ([Snyk] Security upgrade serialize-javascript from 2.1.0 to 2.1.1 #404)
• 7fb9f43 chore: fix typo ([Snyk] Security upgrade karma from 4.3.0 to 5.0.8 #401)
• b44a447 chore(release): 5.1.3
• 55adbdb chore(deps): update ([Snyk] Security upgrade @vue/cli-service from 3.12.1 to 4.0.0 #400)
• 772584a chore: update `jest-worker` ([Snyk] Security upgrade serialize-javascript from 2.1.0 to 2.1.1 #399)
• da8e166 chore: fix prepare ([Snyk] Security upgrade @vue/cli-service from 3.12.1 to 4.0.0 #396)
• 0babc1b chore(release): 5.1.2
• a177425 fix: don't crash in non-parallel mode ([Snyk] Security upgrade jest from 25.5.4 to 26.0.0 #395)
• bfbb68a chore(deps): update ([Snyk] Fix for 1 vulnerabilities #387)
• ee1d938 chore: update deps ([Snyk] Fix for 1 vulnerabilities #381)
• 727ee60 docs: update usage for webpack v4 ([Snyk] Fix for 1 vulnerabilities #378)
• 4320006 chore(release): 5.1.1
• 3a3fe51 fix: remove verbose console log ([Snyk] Security upgrade cypress from 5.6.0 to 13.0.0 #374)
• 1859a92 chore(release): 5.1.0
• fea6f20 feat: optimize JS assets added later by plugins ([Snyk] Security upgrade cypress from 5.6.0 to 13.0.0 #373)
• e10b8b4 test: source maps ([Snyk] Security upgrade cypress from 4.12.1 to 13.0.0 #372)
• 0633c9d chore(deps): update ([Snyk] Security upgrade @angular-devkit/build-angular from 0.900.7 to 0.901.9 #371)
• 809ef42 chore(deps): update ([Snyk] Security upgrade eslint-plugin-compat from 3.13.0 to 4.2.0 #368)
• 562d121 style: default prettier
• 8ef95a6 test: updated ([Snyk] Security upgrade jest from 25.5.4 to 26.0.0 #355)
• 661d1f8 docs: no need to install it if you use webpack v5+ ([Snyk] Security upgrade jest from 25.5.4 to 26.0.0 #353)

See the full diff

Package name: webpack

The new version differs by 250 commits.

• f2f998b 5.1.1
• bcd6190 Merge pull request #11704 from webpack/bugfix/delete-asset
• 11935a9 Merge pull request #11703 from webpack/bugfix/11678
• 63ba54c update chunk to files mapping when deleting assets
• 4669600 Merge pull request #11690 from webpack/bugfix/11673
• 234373e Merge pull request #11702 from webpack/deps/terser
• b6bc273 fix infinite loop in inner graph optimization
• 50c3a83 fix unused modules in chunk when optimizing runtime-specific
• 5d9d9b9 fix runtime-specific handling in concatenated modules
• 250e37c add test case
• 7925652 upgrade terser-webpack-plugin
• 27796db Merge pull request #11669 from webpack/dependabot/npm_and_yarn/ts-loader-8.0.5
• bd5aab8 Merge pull request #11692 from webpack/dependabot/npm_and_yarn/babel/core-7.12.0
• 886bbd5 Merge pull request #11693 from webpack/dependabot/npm_and_yarn/react-dom-16.14.0
• 3a14b3d Merge pull request #11694 from webpack/dependabot/npm_and_yarn/react-16.14.0
• ddf9936 chore(deps-dev): bump react from 16.13.1 to 16.14.0
• dc6e69a chore(deps-dev): bump react-dom from 16.13.1 to 16.14.0
• 8f18de9 chore(deps-dev): bump @ babel/core from 7.11.6 to 7.12.0
• c0410e8 Merge pull request #11686 from webpack/bugfix/11677
• 4504046 order runtime chunks correctly when they depend on each other
• 74a44cd add comment to help tagging for the bot
• e97efb7 chore(deps-dev): bump ts-loader from 8.0.4 to 8.0.5
• 77329b4 5.1.0
• 48c10f3 Merge pull request #11653 from log2-hwan/fix-moduletemplate-deprecation

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)
🦉 Prototype Pollution

[secure-code-warrior-for-github]

Micro-Learning Topic: Cross-site scripting (Detected by phrase)

Matched on "Cross-site Scripting"

What is this? (2min video)

Cross-site scripting vulnerabilities occur when unescaped input is rendered into a page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.

Try a challenge in Secure Code Warrior

Helpful references

• Prevent Cross-Site Scripting (XSS) in ASP.NET Core - A detailed Microsoft article on how to prevent cross-site scripting in ASP.NET Core.
• OWASP Cross Site Scripting (XSS) Software Attack - OWASP community page with comprehensive information about cross site scripting, and links to various OWASP resources to help detect or prevent it.
• OWASP Cross Site Scripting Prevention Cheat Sheet - This article provides a simple positive model for preventing XSS using output encoding properly.

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior