[Snyk] Fix for 10 vulnerabilities

[cmlsn]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIHTML-1296849	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-D3COLOR-1076592	Yes	No Known Exploit
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	Yes	Proof of Concept
	520/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-584281	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-PAPAPARSE-564258	Yes	Proof of Concept
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Arbitrary Code Injection SNYK-JS-SERIALIZEJAVASCRIPT-570062	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: compression-webpack-plugin

The new version differs by 10 commits.

• 6cf83aa chore(release): 4.0.0
• ea33463 feat: enable cache by default for webpack@4 (Fix color by genotype after entropy click nextstrain/auspice#164)
• d07d854 refactor: improve validation for options and docs
• 778e866 refactor: code
• cff32d7 test: rephrase description (Move dataset path to redux / react-router nextstrain/auspice#161)
• 2f5ccaa chore(deps): update (Move filter query params to redux nextstrain/auspice#160)
• e222c4e fix: behaviour in watch mode
• 23dd998 docs: update (Compress aspect ratio of tree / map and show entropy nextstrain/auspice#157)
• 1a0a4ad chore: update
• 2fa1ef6 docs: remove wrong information about versions (Tree Confidence Interval d3 errors nextstrain/auspice#151)

See the full diff

Package name: d3-color

The new version differs by 21 commits.

• 7a1573e 3.1.0
• 75c19c4 update LICENSE
• ef94e01 update dependencies
• 5e9f757 method shorthand
• e4bc34e formatHex8 (Search by name nextstrain/auspice#103)
• ac660c6 {rgb,hsl}.clamp() (selections and zoom in query params nextstrain/auspice#102)
• 70e3a04 clamp HSL format (Pixel based responsive panel layout nextstrain/auspice#101)
• 994d8fd avoid backtracking (Zoom map in when browser width gets past a certain point nextstrain/auspice#100)
• 7d61bbe 3.0.1
• 93bc4ff related Generate copyright from LICENSE. d3/d3#3502; extract copyrights from LICENSE
• 611e1c3 3.0.0
• 4c2be7e Adopt type=module (Unrooted layout & infopanel nextstrain/auspice#90)
• 017a463 v2.0.0
• 7de7354 Merge pull request [Snyk] Fix for 1 vulnerabilities #75 from d3/two
• 0ecd740 v2.0.0-rc.1
• 0eb9594 Merge pull request [Snyk] Security upgrade webpack-dev-middleware from 3.7.3 to 5.3.4 #76 from d3/radians
• cc0a51b Merge pull request [Snyk] Security upgrade express from 4.17.1 to 4.19.2 #77 from d3/document-extensions
• fd23843 document extensions
• d86e36b link to https://d3js.org/d3-color.v2.min.js
• c1b93f1 normalize "degrees" and "radians" for deg2rad conversions
• 693572b deliberate ES6 syntax

See the full diff

Package name: d3-interpolate

The new version differs by 28 commits.

• 38346a4 3.0.0
• 47f9564 Adopt type=module (Redraw tree on resize nextstrain/auspice#93)
• e8cddfd Update README.
• df0475a v2.0.1
• 0ef66dc Merge pull request [Snyk] Fix for 2 vulnerabilities #88 from d3/two
• 1d48123 v2.0.0-rc.1
• 2db2773 avoid CIRCULAR_DEPENDENCY warning
• 17d8bcb Merge pull request Unrooted layout & infopanel nextstrain/auspice#90 from d3/piecewise-default-interpolator-80
• 0c80cbc piecewise(values) defaults to d3.interpolate
• 57e87dc deliberate ES6 syntax
• 2b9596c version numbers
• 77b7f74 Merge branch 'zoom-rho' into two
• 4b1156f Merge branch 'DOMMatrix' into two
• 1954d05 zoomInterpolate.rho() has no getter
• b1074db Merge branch 'master' of https://github.com/d3/d3-interpolate
• a044425 url for "Gamma error in picture scaling"
• 794ce05 document interpolateZoom.rho
• 8b3594e unit tests
• aa991e4 rho getter
• a4dd859 the movement’s duration should not explode for small curvatures, and should be longer when the curvature is important
• 098c2ed avoid crashing on low curvatures (rho=1e-3 gives a good approximation of a linear transform)
• abfc0ae Merge branch 'master' into zoom-rho
• 6c8db19 disable eslint error on undefined DOMMatrix and WebKitCSSMatrix
• 975936b Merge branch 'master' into DOMMatrix

See the full diff

Package name: d3-scale

The new version differs by 168 commits.

• f7cb35b 4.0.0
• 120ad7a adopt InternMap for ordinal scales (Dynamically add tip labels nextstrain/auspice#237)
• ac30873 Adopt type=module (Color reload bug nextstrain/auspice#246)
• 2b7db62 3.3.0
• f3cfd2c update dependencies
• 80ff9b2 adopt d3-time’s ticks
• 8afe6bd 3.2.4
• 60e10c4 update dependencies
• 116ac06 Treat null as undefined. (Revert "hide scrollbar in sidebar (webkit only)" nextstrain/auspice#241)
• c7efc99 3.2.3
• 5d3e9c3 Update d3-array.
• 1ff6522 yarn
• 957482b Update tickFormat.js
• 42d546e scaleQuantile performance fixup
• 0a427eb time_copy is part of the API but was missing from the README
• 1dd3f5a Merge pull request Link to division-level Ebola nextstrain/auspice#219 from d3/links-v6
• 8460207 v3.2.2
• 6169111 d3 dependencies
• 0a55cc8 Merge pull request Throttle date slider nextstrain/auspice#210 from domoritz/fix-nice
• 5046251 links to d3@6 versions
• d0a2fe4 fix documentation: the diverging scale's default domain is [0, 0.5, 1]
• da99948 Use var
• 0932d15 Merge pull request Tree card is no longer responsive nextstrain/auspice#211 from oluckyman/patch-1
• 2751067 Fix a typo

See the full diff

Package name: d3-transition

The new version differs by 39 commits.

• 98e84f0 3.0.0
• aa44264 Update README
• 692f025 fix make titlebar component nextstrain/auspice#121; add transition.selectChild[ren]
• 1ac7984 Precise sideEffects. (Ebola dataset broken nextstrain/auspice#115)
• d1a518c Adopt type=module (Fetch data from data.nextstrain.org nextstrain/auspice#123)
• abe6511 Merge pull request make titlebar component responsive nextstrain/auspice#122 from inokawa/patch-1
• a71a58d Fix typo in README.md
• 40d5865 d3 dependencies
• 2fa17ff v2.0.0
• 611e427 Merge pull request Properly calculate horizontal and vertical padding nextstrain/auspice#94 from d3/two
• df65078 v2.0.0-rc.6
• 1fe858c v2.0.0-rc.5
• 6635117 test transition.each
• 9485837 revert 91990a1e5959c107319a4b59bfcc8f203f2a944b
• 2f6c57d transitions are iterable
• 46027fa Test transition.size.
• ca5ae84 Symbol.iterator
• 91990a1 fix crash on transition.size()
• 956f0ae v2.0.0-rc.3
• f49b6dd v2.0.0-rc.2
• 2f03929 v2.0.0-rc.1
• 6fa3c5c v2.0.0-rc1
• fcdbb3a easeVarying
• 70abf61 links

See the full diff

Package name: d3-zoom

The new version differs by 36 commits.

• debbe3d 3.0.0
• 3419879 Expose ZoomTransform constructor. (Static divs on screen resolutions close to 780px nextstrain/auspice#191)
• e2f0e73 fix release script nextstrain/auspice#235; currentTarget initialization
• c774f9e Adopt type=module (Grey line on clock improvements nextstrain/auspice#234)
• e9aa6cb Merge pull request Remove tip and branch labels nextstrain/auspice#236 from fidelthomet/patch-1
• 506ccf3 Docs: Update default value for zoom.filter
• 84a5e7b adding passive flag to wheel zoom event listener to remove google's warning
• db169ea v2.0.0
• 8f81ee7 d3 dependencies
• c2fa604 Merge pull request Collapse overly long legends nextstrain/auspice#205 from d3/two
• 28bb791 v2.0.0-rc.1
• 0fa9a21 Merge pull request Experimental merge nextstrain/auspice#214 from d3/document-translate-tk-192
• ab4bc64 pinch-to-zoom
• a710747 Merge branch 'tapDistance-180' into two
• e02e23c Merge branch 'two' into tapDistance-180
• 87c6215 remove touch-action:none
• 96bd44b remove zoomEvent.on for now
• 3318746 introduces tapDistance (default 10 pixels)
• 5ee1a8d x and y are scaled by t_k when calling t.translate(x,y)
• 4d2a5f1 pinch-to-zoom
• 87781b6 d3
• c0fbb0f dbltap results in a touchend event being passed to dblclicked
• 0c6be96 accept subevents
• 82b6e36 in wheeled also, send args

See the full diff

Package name: jest

The new version differs by 49 commits.

• 343532a v26.0.0
• 075854a chore: update changelog for release
• 68b65af v26.0.0-alpha.2
• d30a586 fix: disallow hook definitions in tests (#9957)
• 3375ac3 chore: remove unused prettier uninstall step from CI
• 0a63d40 fix: absolute path moduleNameMapper + jest.mock issue (#8727)
• 03dbb2f chore: fix watch mode test with utimes (#9967)
• 68d12d5 chore: skip broken test on windows (#9966)
• e8e8146 align circus with jasmine's top-to-bottom execution order (#9965)
• 968a301 Fix invalid re-run of tests in watch mode (#7347)
• 5d1be03 chore: fix windows CI (#9964)
• 2bac04f v26.0.0-alpha.1
• c665f22 feat: add `createMockFromModule` to replace `genMockFromModule` (#9962)
• 8147af1 chore: improve error on module not found (#9963)
• 71631f6 feat: add new 'modern' implementation of Fake Timers (#7776)
• d7f3427 chore: rename LolexFakeTimers to ModernFakeTimers (#9960)
• 2c7682c Update index.js (#9095)
• 5a16415 docs: Updated Testing Frameworks guide with React; make it generic (#9106)
• 4216b86 updated docs regarding testSequencer (#9174)
• 2e8f8d5 fix: handle `null` being passed to `createTransformer` (#9955)
• 7a3c997 jest-circus: throw if a test / hook is defined asynchronously (#8096)
• 42f920c chore: update ts-eslint (#9953)
• 3078172 Updated config docs with default transform value (#8583)
• b6052e0 Update jest-phabricator documentation (#8662)

See the full diff

Package name: marked

The new version differs by 250 commits.

• ae01170 chore(release): 4.0.10 [skip ci]
• fceda57 🗜️ build [skip ci]
• 8f80657 fix(security): fix redos vulnerabilities
• c4a3ccd Merge pull request from GHSA-rrrm-qjm4-v8hf
• d7212a6 chore(deps-dev): Bump jasmine from 4.0.0 to 4.0.1 (#2352)
• 5a84db5 chore(deps-dev): Bump rollup from 2.62.0 to 2.63.0 (#2350)
• 2bc67a5 chore(deps-dev): Bump markdown-it from 12.3.0 to 12.3.2 (#2351)
• 98996b8 chore(deps-dev): Bump @ babel/preset-env from 7.16.5 to 7.16.7 (#2353)
• ebc2c95 chore(deps-dev): Bump highlight.js from 11.3.1 to 11.4.0 (#2354)
• e5171a9 chore(release): 4.0.9 [skip ci]
• 41990a5 🗜️ build [skip ci]
• a9696e2 fix: retain line breaks in tokens properly (#2341)
• 6aacd13 chore(deps-dev): Bump jasmine from 3.10.0 to 4.0.0 (#2343)
• 55e5df9 chore(deps-dev): Bump @ babel/core from 7.16.5 to 7.16.7 (#2344)
• 4f4cab4 chore(deps-dev): Bump eslint-plugin-import from 2.25.3 to 2.25.4 (#2345)
• 97ea9f2 chore(deps-dev): Bump eslint from 8.5.0 to 8.6.0 (#2346)
• 4c3b853 chore(deps-dev): Bump rollup-plugin-license from 2.6.0 to 2.6.1 (#2347)
• 9396896 chore(deps-dev): Bump rollup from 2.61.1 to 2.62.0 (#2338)
• 103a56c chore(deps-dev): Bump @ babel/preset-env from 7.16.4 to 7.16.5 (#2333)
• be771c9 chore(deps-dev): Bump eslint from 8.4.1 to 8.5.0 (#2334)
• 67d5a65 chore(deps-dev): Bump @ babel/core from 7.16.0 to 7.16.5 (#2335)
• 991493a chore(deps-dev): Bump eslint-plugin-promise from 5.2.0 to 6.0.0 (#2336)
• 59375fb chore(release): 4.0.8 [skip ci]
• 4734c82 🗜️ build [skip ci]

See the full diff

Package name: node-fetch

The new version differs by 7 commits.

• 1ef4b56 backport of categorise mutations nextstrain/auspice#1449 (Overlapping filter dropdown options nextstrain/auspice#1453)
• 8fe5c4e 2.x: Specify encoding as an optional peer dependency in package.json (Scatterplots nextstrain/auspice#1310)
• f56b0c6 fix(URL): prefer built in URL version when available and fallback to whatwg (Always show regression toggle for clock layout nextstrain/auspice#1352)
• b5417ae fix: import whatwg-url in a way compatible with ESM Node (Allow JSONs to define language nextstrain/auspice#1303)
• 18193c5 fix v2.6.3 that did not sending query params ([frequencies panel] Don't round frequencies below 1% nextstrain/auspice#1301)
• ace7536 fix: properly encode url with unicode characters (better sorting of color by legend nextstrain/auspice#1291)
• 152214c Fix(package.json): Corrected main file path in package.json (#1274)

See the full diff

Package name: papaparse

The new version differs by 72 commits.

• 4b192de Minor version bump
• 235a127 Avoid ReDOS on float dynamic typing (schema updates nextstrain/auspice#779)
• a4cf371 Improve downloadRequestBody documentation
• e934deb Support POST method when download is true
• 7ec146c Using self instead of this to preserve binding. (Top level meta nextstrain/auspice#769)
• 3497ded Patch version bump
• ae73d2a Use chunk size to determine the processed length
• a318396 Reword newline docs
• 47b356d Color gaps, Ns and Xs as gray nextstrain/auspice#727 update delimiter and newline index if they are earlier than the current position before tested. (Dynamically add tip labels nextstrain/auspice#728)
• 7ad8dda Address deepEqual using compare by JSON strings. (Test npm install --global on different setups nextstrain/auspice#724)
• e536351 Refactor substr calls to substring calls. (src/components/tree/phyloTree/grid.js: nextstrain/auspice#725)
• e0b474d Correct small typo (Don't Count X for AA Diversity Chart nextstrain/auspice#723)
• 6f7e43e Fix step callback function when skipping empty lines (Improve offline functionality nextstrain/auspice#714)
• ec26e72 Bump open from 0.0.5 to 7.0.0 (how to develop v2 nextstrain/auspice#721)
• 5219809 Minor version bump
• 9b54b11 Fix Range Header processing logic for NetworkStreamer (Check mutation type against tree nextstrain/auspice#709)
• 94d7bf9 Fix CSV parsing issue when first cell is empty (Allow footer text to derive from meta.json nextstrain/auspice#707)
• bacf4f2 Adds Hua Explore to list of lovers (Sorting of dataset dropdown could be improved nextstrain/auspice#705)
• 45c1455 Fix README typos (Blank nextstrain/auspice#704)
• 80a1044 Implement quotes config optionally as function (404 page preserves URL nextstrain/auspice#703)
• 874161a Fix misplaced quotes parsing (List of performance improvements to be implemented nextstrain/auspice#702)
• 98e3102 Use latest PapaParse version on demo page
• d2206b3 Update download version from webpage
• 788631f Patch version bump

See the full diff

Package name: webpack-bundle-analyzer

The new version differs by 20 commits.

• ee6c7a9 Merge pull request changeDateFilter now dispatches only once. Closes #385 nextstrain/auspice#389 from webpack-contrib/support-webpack-5
• 8d1a752 Update version
• 37ab03e Fix typo
• 2153401 Add `--watch-ignore` flag to `test-dev` npm script
• 35b62db Add `private: true` flag to `package.json` files in `test/webpack-versions`
• ef36924 Add changelog entry
• f819548 Update version
• d8f2dd7 Fix lint issues
• d32cbdb Add changelog for v4.0.0
• 3094dbc Update dependencies
• b85ba7d Add tests for Webpack 5
• c35bda3 Properly parse Webpack 5 entry modules
• 7bbe89f Properly parse Webpack 5 bundle format (except concatenated entry module)
• b34b249 Update package-lock.json
• abc298a Remove Node.js 6 and 8 from .travis.yml
• a81b7b8 - Support multiple Webpack versions in tests
• 591adf1 Add more ignores to .npm-upgrade.json
• d5698f4 Update dependencies
• e4a8974 Merge pull request Dengue is silently defaulting to divergence nextstrain/auspice#382 from wbobeirne/fix-opener-error
• b0f717b Catch uncaught opener errors

See the full diff

Package name: webpack-cli

The new version differs by 250 commits.

• fb50f76 chore(release): publish new version
• 2c75aeb chore: new version of the packages
• 0d05c30 chore(release): publish %s
• 3f9e151 chore: fix lerna config
• 2c1e34c tests(generator): enhance init generator tests (Download Newick labeled by colorBy nextstrain/auspice#1236)
• 6ee61b9 Fix loader-generator and plugin-generator tests (Allow filtering to all samples with a value nextstrain/auspice#1250)
• 52956a2 Fixing the typos and grammatical errors in Readme files (Allow tip labels to be user selected nextstrain/auspice#1246)
• 7faaed2 chore: update Bug_report & Feature_request Templates (Adding Italian language nextstrain/auspice#1256)
• 7a5b33d feat(webpack-cli): added mode argument (test epic nextstrain/auspice#1253)
• 3715756 tests(webpack-cli): add test case for defaults flag (frequencies nextstrain/auspice#1254)
• a7cba2f chore: project maintanance and typescript fix (Bump dompurify from 2.0.7 to 2.0.17 nextstrain/auspice#1247)
• 7748472 chore: ignore package-lock.json and remove its references (test issue nextstrain/auspice#1252)
• a014aa7 docs: fix supported arguments & commands link in README (Drag drop metadata improvements nextstrain/auspice#1244)
• 06129a1 feat(webpack-cli): add progress bar for progress flag (We should not guess divergence unit nextstrain/auspice#1238)
• 6cc6a49 chore: post refactor CLI ([bugfix] handle unknown values in color scales with provided scales nextstrain/auspice#1237)
• 358651e chore: move cli under lerna package (Frequency Panel Shows 'All Equal' Before Estimated Date of Ancestor on Zoomed-in Cluster nextstrain/auspice#1225)
• 2dc495a fix(init): fix webpack config scaffold (Improve appearance of sidebar headers nextstrain/auspice#1231)
• 1ab62d2 tests(generator): add tests for plugin generator (Add "Download Filtered Tree" option nextstrain/auspice#1235)
• d2dd0c1 tests(sourcemap): fix flaky stats statement (Improve performance of sidebar filter UI nextstrain/auspice#1232)
• f6dc680 tests(loader-generator): add tests for loader generator (Add warning to docs fetched by docs.nextstrain.org nextstrain/auspice#1234)
• 35d1381 tests(generator): enable init generator test (Improve matching algorithm of filter UI nextstrain/auspice#1233)
• 66cdcb6 chore(generator): remove transpiled tests (Improve temporal axis labelling nextstrain/auspice#1229)
• f29a170 fix(init): fix the invalid package name ([WIP] Create redirect HTML files for switch to new docs platform nextstrain/auspice#1228)
• 8c3a66d chore(cli): updated changelog of v3 (Normalized Frequency Panel Doesn't Respond to Date Sliders When Zoomed to Clade nextstrain/auspice#1224)

See the full diff

Package name: webpack-hot-middleware

The new version differs by 13 commits.

• e140693 2.25.1
• 3d5018a Merge pull request use react performance tools for animation ticks (dev only) nextstrain/auspice#413 from nttibbetts/replace-ansi-html
• 90551e5 use public npm registry, not private one
• adeeade fix: replace ansi-html with ansi-html-community to fix vulnerability
• f0ffa4c Resolve weird desync in package lock
• 0f5e3e9 Use old-style require syntax to keep the linter happy
• aa38d42 Bump ansi/html encoding deps
• 2c31df1 Bump example dependencies
• d156bbc Simplify CI setup
• 0635d00 Replace istanbul with nyc
• 04fa8c8 Apply prettier formatting updates
• b81cfd5 Update eslint and prettier
• c98216a Upgrade test dependencies

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Arbitrary Code Injection
🦉 Arbitrary Code Injection