[Snyk] Fix for 63 vulnerabilities

[ekmixon]

Snyk has created this PR to fix 63 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Server-side Request Forgery (SSRF) SNYK-JS-PARSEURL-2936249	791
	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	786
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	756
	Denial of Service (DoS) SNYK-JS-HTTPPROXYMIDDLEWARE-8229906	756
	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	751
	Prototype Pollution SNYK-JS-PROTOBUFJS-5756498	751
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-8482416	738
	Prototype Pollution SNYK-JS-PROTOBUFJS-2441248	731
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIHTML-1296849	696
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	696
	Prototype Pollution SNYK-JS-ASYNC-2441827	696
	Uncontrolled resource consumption SNYK-JS-BRACES-6838727	696
	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	696
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	696
	Regular Expression Denial of Service (ReDoS) SNYK-JS-NTHCHECK-1586032	696
	Prototype Poisoning SNYK-JS-QS-3153490	696
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	696
	Denial of Service (DoS) SNYK-JS-WS-7266574	696
	Path Traversal SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555	691
	Authorization Bypass Through User-Controlled Key SNYK-JS-PARSEPATH-2936439	686
	Code Injection SNYK-JS-LODASHTEMPLATE-1088054	681
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	666
	Server-Side Request Forgery (SSRF) SNYK-JS-IP-7148531	646
	Server-side Request Forgery (SSRF) SNYK-JS-PARSEURL-3023021	646
	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	646
	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	646
	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	646
	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	644
	Prototype Pollution SNYK-JS-JSON5-3182856	641
	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	631
	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-6147607	626
	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	624
	Prototype Pollution SNYK-JS-YARGSPARSER-560381	601
	Cross-site Scripting (XSS) SNYK-JS-PARSEURL-2935944	591
	Cross-site Scripting (XSS) SNYK-JS-PARSEURL-2942134	591
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	589
	Directory Traversal SNYK-JS-MOMENT-2440688	589
	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	589
	Regular Expression Denial of Service (ReDoS) SNYK-JS-D3COLOR-1076592	586
	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	586
	Open Redirect SNYK-JS-NODEFORGE-2330875	586
	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIMOFFNEWLINES-1296850	586
	Improper Input Validation SNYK-JS-PARSEURL-3024398	571
	Information Exposure SNYK-JS-PARSEURL-2935947	561
	Information Exposure SNYK-JS-NODEFETCH-2342118	539
	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	529
	Prototype Pollution SNYK-JS-NODEFORGE-2331908	529
	Information Exposure SNYK-JS-NANOID-2332193	521
	Open Redirect SNYK-JS-EXPRESS-6474509	519
	Prototype Pollution SNYK-JS-MINIMIST-2429795	506
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WORDWRAP-3149973	506
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	506
	Open Redirect SNYK-JS-GOT-2932019	484
	Cross-site Scripting (XSS) SNYK-JS-PRISMJS-2404333	484
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CONVENTIONALCOMMITSPARSER-1766960	479
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	479
	Improper Input Validation SNYK-JS-POSTCSS-5926692	479
	Regular Expression Denial of Service (ReDoS) SNYK-JS-TERSER-2806366	479
	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	479
	Cross-site Scripting SNYK-JS-EXPRESS-7926867	469
	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	429
	Cross-site Scripting SNYK-JS-SEND-7926862	319
	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	319

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Cross-site Scripting (XSS)
🦉 More lessons are available in Snyk Learn

Summary by Sourcery

Upgrade multiple dependencies in package.json to address 63 vulnerabilities identified by Snyk, including critical and high severity issues. This update involves upgrading various packages to their latest versions to enhance security and stability.

Bug Fixes:

• Fix 63 vulnerabilities in yarn dependencies by upgrading various packages in package.json.

Chores:

• Update package.json to upgrade multiple dependencies to their latest versions.

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request updates multiple dependencies in the project's package.json to fix 63 security vulnerabilities. The changes involve upgrading various packages to their newer, more secure versions while maintaining compatibility with the project's requirements.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change	Details	Files
Major framework and build tool updates	Updated Babel core and preset-env to version 7.23.2 Upgraded webpack and related plugins to more secure versions Updated ESLint to version 9.0.0 Upgraded Jest testing framework to version 27.4.6	package.json
UI and visualization library updates	Upgraded React Router DOM to version 6.0.0 Updated Visx visualization packages to version 3.2.0 Upgraded Prismjs to version 1.27.0 Updated testing-library packages to newer versions	package.json
Development tooling and utility updates	Updated development server packages (http-server, webpack-dev-server) Upgraded build optimization tools (css-minimizer-webpack-plugin, terser-webpack-plugin) Updated code formatting and linting tools Upgraded test runners and related utilities	package.json
Date and time handling library updates	Upgraded Moment.js to version 2.29.4 Updated Moment-timezone to version 0.5.41	package.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[secure-code-warrior-for-github]

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Weak input validation (Detected by phrase)

Matched on "Improper Input Validation"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Top Ten 2021 A03: Injection - OWASP Top Ten articles provide basic techniques to protect against these high risk problem areas, and guidance on where to go next.
• OWASP Injection Prevention Cheat Sheet in Java - This article is focused on providing clear, simple, actionable guidance for preventing injection flaws in your Java applications.
• OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications.
• OWASP Injection Prevention Cheat Sheet - This article is focused on providing clear, simple, actionable guidance for preventing injection flaws in your applications.
• OWASP Top Ten Proactive Controls 2018 C5: Validate All Inputs - Detailed article on input validation as a programming technique for ensuring that only properly formatted data may enter a software system component.

Micro-Learning Topic: Code injection (Detected by phrase)

Matched on "Code Injection"

What is this? (2min video)

Code injection happens when an application insecurely accepts input that is subsequently used in a dynamic code evaluation call. If insufficient validation or sanitisation is performed on the input, specially crafted inputs may be able to alter the syntax of the evaluated code and thus alter execution. In a worst case scenario, an attacker could run arbitrary code in the server context and thus perform almost any action on the application server.

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Command Injection - OWASP community page with comprehensive information about Code Injection, and links to various OWASP resources to help detect or prevent it.
• SEI CERT Oracle Coding Standard for Java - Prevent Code Injection - Carnegie Mellon University Software Engineering Institute guidance on preventing code injection vulnerabilities in Java.

Micro-Learning Topic: Cross-site scripting (Detected by phrase)

Matched on "Cross-site Scripting"

What is this? (2min video)

Cross-site scripting vulnerabilities occur when unescaped input is rendered into a page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.

Try a challenge in Secure Code Warrior

Helpful references

• Prevent Cross-Site Scripting (XSS) in ASP.NET Core - A detailed Microsoft article on how to prevent cross-site scripting in ASP.NET Core.
• OWASP Cross Site Scripting (XSS) Software Attack - OWASP community page with comprehensive information about cross site scripting, and links to various OWASP resources to help detect or prevent it.
• OWASP Cross Site Scripting Prevention Cheat Sheet - This article provides a simple positive model for preventing XSS using output encoding properly.

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Directory traversal (Detected by phrase)

Matched on "Directory Traversal"

What is this? (2min video)

Path traversal vulnerabilities occur when inputs that have not been sufficiently validated or sanitised are used to build directory or file paths. If an attacker can influence the path being accessed by the server, they may be able to gain unauthorised access to files or even execute arbitrary code on the server (when coupled with file upload functionality).

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications, including defence against path traversal.
• OWASP Path Traversal - OWASP community page with comprehensive information about path traversal, and links to various OWASP resources to help detect or prevent it.

Micro-Learning Topic: Inefficient regular expression (Detected by phrase)

Matched on "Inefficient Regular Expression"

What is this? (2min video)

A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Information disclosure (Detected by phrase)

Matched on "Information Exposure"

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Open redirect (Detected by phrase)

Matched on "Open Redirect"

What is this? (2min video)

This vulnerability refers to the ability of an attacker to arbitrarily perform a redirection (external) or forward (internal) against the system. It arises due to insufficient validation or sanitisation of inputs used to perform a redirect or forward and may result in privilege escalation (in the case of a forward) or may be used to launch phishing attacks against users (in the case of redirects).

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Unvalidated Redirects and Forwards Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing redirection and forwarding flaws in your applications.
• Preventing Open Redirection Attacks (C#) - A detailed Microsoft article on how to prevent open redirection vulnerabilities in ASP.NET MVC.

Micro-Learning Topic: Path traversal (Detected by phrase)

Matched on "Path Traversal"

What is this? (2min video)

Path traversal vulnerabilities occur when inputs that have not been sufficiently validated or sanitised are used to build directory or file paths. If an attacker can influence the path being accessed by the server, they may be able to gain unauthorised access to files or even execute arbitrary code on the server (when coupled with file upload functionality).

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications, including defence against path traversal.
• OWASP Path Traversal - OWASP community page with comprehensive information about path traversal, and links to various OWASP resources to help detect or prevent it.

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Resource exhaustion (Detected by phrase)

Matched on "Resource Exhaustion"

What is this? (2min video)

Allocating objects or timers with user-controlled sizes or durations can cause resource exhaustion.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Server-side request forgery (Detected by phrase)

Matched on "Server-side Request Forgery"

What is this? (2min video)

Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL, when this request reaches the server, the server-side code executes the exploit URL causing the attacker to be able to read data from services that shouldn't be exposed.

Try a challenge in Secure Code Warrior

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.