[Snyk] Fix for 5 vulnerabilities

[ekmixon]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • grid-packages/ag-grid-react/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: babel-jest

The new version differs by 250 commits.

• be16e47 v27.0.0
• 63102ec chore: update changelog for release
• 564694a docs(blog): Jest 27 blog post (#11131)
• b68d91b feat(pretty-print): add option `printBasicPrototype` (#11441)
• 2226742 chore: minor simplify format results error (#11432)
• 78eb25d chore: remove needless assign (#11433)
• 696c455 chore: update lockfile after publish
• e2eb9ae v27.0.0-next.11
• 3b253f8 Wait for closed resources to actually close before detecting open handles (#11429)
• 27bee72 fix: run GC before collecting open handles (#11278)
• 50451df feat: use fallback if prettier not found (#11400)
• 150dbd8 chore: update lockfile after publish
• 6f44529 v27.0.0-next.10
• cbcec7d Upgrade fsevents in jest-haste-map (#11428)
• 9633a26 feat: support reporters written in ESM (#11427)
• 59f42d8 fix: do not cache modules that throw during evaluation (#11263)
• 57e32e9 Detect open handles with done callbacks (#11382)
• a397607 Document and test dontThrow for custom inline snapshot matchers (#10995)
• 4fa3a0b feat: custom haste (#11107)
• 2047a36 chore: bump deps (#11419)
• a4358d6 chore: run prettier on changelog
• bdd6282 Move all default values into `jest-config` (#9924)
• db643a1 Link to Jest config (#11106)
• b16082c Fix locale issue #10014 (#11412)

See the full diff

Package name: jest

The new version differs by 250 commits.

• be16e47 v27.0.0
• 63102ec chore: update changelog for release
• 564694a docs(blog): Jest 27 blog post (#11131)
• b68d91b feat(pretty-print): add option `printBasicPrototype` (#11441)
• 2226742 chore: minor simplify format results error (#11432)
• 78eb25d chore: remove needless assign (#11433)
• 696c455 chore: update lockfile after publish
• e2eb9ae v27.0.0-next.11
• 3b253f8 Wait for closed resources to actually close before detecting open handles (#11429)
• 27bee72 fix: run GC before collecting open handles (#11278)
• 50451df feat: use fallback if prettier not found (#11400)
• 150dbd8 chore: update lockfile after publish
• 6f44529 v27.0.0-next.10
• cbcec7d Upgrade fsevents in jest-haste-map (#11428)
• 9633a26 feat: support reporters written in ESM (#11427)
• 59f42d8 fix: do not cache modules that throw during evaluation (#11263)
• 57e32e9 Detect open handles with done callbacks (#11382)
• a397607 Document and test dontThrow for custom inline snapshot matchers (#10995)
• 4fa3a0b feat: custom haste (#11107)
• 2047a36 chore: bump deps (#11419)
• a4358d6 chore: run prettier on changelog
• bdd6282 Move all default values into `jest-config` (#9924)
• db643a1 Link to Jest config (#11106)
• b16082c Fix locale issue #10014 (#11412)

See the full diff

Package name: jest-circus

The new version differs by 250 commits.

• be16e47 v27.0.0
• 63102ec chore: update changelog for release
• 564694a docs(blog): Jest 27 blog post (#11131)
• b68d91b feat(pretty-print): add option `printBasicPrototype` (#11441)
• 2226742 chore: minor simplify format results error (#11432)
• 78eb25d chore: remove needless assign (#11433)
• 696c455 chore: update lockfile after publish
• e2eb9ae v27.0.0-next.11
• 3b253f8 Wait for closed resources to actually close before detecting open handles (#11429)
• 27bee72 fix: run GC before collecting open handles (#11278)
• 50451df feat: use fallback if prettier not found (#11400)
• 150dbd8 chore: update lockfile after publish
• 6f44529 v27.0.0-next.10
• cbcec7d Upgrade fsevents in jest-haste-map (#11428)
• 9633a26 feat: support reporters written in ESM (#11427)
• 59f42d8 fix: do not cache modules that throw during evaluation (#11263)
• 57e32e9 Detect open handles with done callbacks (#11382)
• a397607 Document and test dontThrow for custom inline snapshot matchers (#10995)
• 4fa3a0b feat: custom haste (#11107)
• 2047a36 chore: bump deps (#11419)
• a4358d6 chore: run prettier on changelog
• bdd6282 Move all default values into `jest-config` (#9924)
• db643a1 Link to Jest config (#11106)
• b16082c Fix locale issue #10014 (#11412)

See the full diff

Package name: optimize-css-assets-webpack-plugin

The new version differs by 3 commits.

• 09d29b3 5.0.5
• d0a7da7 feat(deps): update dependencies ([Snyk] Security upgrade lerna from 3.22.1 to 5.1.8 #154)
• 41d1e23 Redirect to css-minimizer-webpack-plugin for webpack 5 or above

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 610f368 5.0.0
• 5ce65c1 update examples
• bbe1230 Merge pull request #11628 from webpack/bugfix/real-content-hash
• 75ecff2 5.0.0-rc.6
• bfc35d6 Merge pull request #11603 from MayaWolf/master
• 76e8cbd Merge pull request #11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
• 9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
• 36bcfaa Merge pull request #11621 from webpack/bugfix/11619
• 9130d10 fix called variables with ProvidePlugin
• 3e42105 Merge pull request #11620 from webpack/bugfix/11617
• 4709719 skip connections copied to concatenated module
• 57b493f 5.0.0-rc.5
• 1658e2f Merge pull request #11618 from webpack/bugfix/11615
• a8fb45d fixes crash in SideEffectsFlagPlugin
• 84b196d emit error instead of crashing when unexpected problem occurs
• 5573fed Merge pull request #11601 from Hornwitser/improve-suggested-polyfill-config
• 9b5cce9 Merge pull request #11609 from snitin315/export-types
• 37c495c export type RuleSetUseItem
• 39faf34 export type RuleSetUse
• e5fd246 export type RuleSetConditionAbsolute
• 660baad export RuleSetCondition types
• 13e3ca5 Merge pull request #11602 from webpack/bugfix/shared-runtime-chunk
• 9c0587e Merge pull request #11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
• 502d166 Merge pull request #11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Package name: webpack-dev-server

The new version differs by 250 commits.

• c9271b9 chore(release): 4.0.0
• 18bf369 test: fix stability (Excel Export Line Number and Column Alphabets font size is bigger ag-grid/ag-grid#3676)
• cdcabb2 fix: respect protocol from browser for manual setup (Support Column flex to fill the entire available space even after it was moved or swapped ag-grid/ag-grid#3675)
• 1768d6b fix: initial reloading for lazy compilation (suppressCount does not work when groupUseEntireRow = true ag-grid/ag-grid#3662)
• 4f5bab1 docs: improve examples (ag-grid export as CSV is displaying [object object] in csv file but loads good in table. ag-grid/ag-grid#3672)
• f2d87fb fix: improve https CLI output (ag-grid-angular cell value not binding automatically ag-grid/ag-grid#3673)
• 0277c5e chore: remove redundant console statements (Question: When can we find Ag Grid's Next Release Date? ag-grid/ag-grid#3671)
• 16fcdbc docs: add `ipc` example (Fix NPE when using row group edit ag-grid/ag-grid#3667)
• 8915fb8 test: add e2e tests for built in routes (Column flex issue - jumps/glitches on official examples ag-grid/ag-grid#3669)
• 4d1cbe1 docs: ask `version` information in issue template (Is it possible to style the dragged element of the columns? ag-grid/ag-grid#3668)
• b6c1881 chore(deps-dev): bump core-js from 3.16.1 to 3.16.2 (Some column events can't be bound with column definitions ag-grid/ag-grid#3666)
• ffa8cc5 chore(deps-dev): bump supertest from 6.1.5 to 6.1.6 (tool panel performance issue in IE 11 ag-grid/ag-grid#3665)
• f1fdaa7 chore(release): 4.0.0-rc.1
• c4678bc fix: legacy API (Tree data aggregate column set filter not working ag-grid/ag-grid#3660)
• d8bdd03 test: fix stability (ag-grid-enteprise with noImplicitAny: Could not find a declaration file for module  ag-grid/ag-grid#3661)
• 22b1414 refactor: remove `killable` (Missing exports for /filter/provided ag-grid/ag-grid#3657)
• 75bafbf test: add e2e tests for module federation (Comparator not responding in ag-grid ag-grid/ag-grid#3658)
• 493ccbd chore(deps): update `ws` ("agSetColumnFilter" breaks application  ag-grid/ag-grid#3652)
• ae8c523 test: add e2e test for universal compiler (enableCellTextSelection does not exist on 'GridOptions' ag-grid/ag-grid#3656)
• f94b84f chore(deps): update (Allow navigating to non-editable cell by tab when editing=true ag-grid/ag-grid#3655)
• 1923132 test: fix cli
• 2adfd01 test: fix todo (When switching themes dynamically icons are not displaying ag-grid/ag-grid#3653)
• 6e2cbde fix: proxy logging and allow to pass options without the `target` option (Context menu enhancement ag-grid/ag-grid#3651)
• c9ccc96 fix: respect infastructureLogging.level for client.logging (Export Data As Excel - Turn on Filter in Excel ag-grid/ag-grid#3613)

See the full diff

Package name: workbox-webpack-plugin

The new version differs by 72 commits.

• 9cbed27 v6.0.0
• e2bae90 Misc. webpack changes (Reset Columns doesn't reset sorting  ag-grid/ag-grid#2683)
• f2ef912 Re-enable yarn test
• 1567f16 rc.0
• 43c375f v6.0.0-rc.0
• 5692d74 Update the stage at which the webpack plugin runs (Translate headerName with ngx-translate (angular) ag-grid/ag-grid#2675)
• 666f7e4 Make use of AssetInfo in webpack build (Create finished property on ColumnMovedEvent ag-grid/ag-grid#2673)
• 06e51db Feature/workbox recipes (Using unescaped '#' characters in a data URI body is deprecated ag-grid/ag-grid#2664)
• 57ad215 Add declare to WorkboxPlugin interface (When using Apply button, filter can be applied even when Apply button has not been clicked. ag-grid/ag-grid#2657)
• c2eddf4 Mark BackgroundSyncPlugin options param as optional (#2655 Changed type of ComponentFrameworks to any ag-grid/ag-grid#2656)
• df93286 Don't update data: sourcemaps (ag-grid-community 19.0.0 getDisplayedRowCount wrong value ag-grid/ag-grid#2654)
• ed69eca Updates for html-webpack-plugin and webpack v5 (fixes #2641. ag-grid/ag-grid#2651)
• bf8c949 networkTimeoutSeconds in NetworkOnly (how can i get a row-group-node (not row node) ag-grid/ag-grid#2620)
• d62c185 Version bumps
• f78cfb8 Remove importScriptsViaChunks JSDoc (Utils.isBrowserSafari p undefined issue #2649 ag-grid/ag-grid#2650)
• 00ba074 v6.0.0-alpha.3
• 4669bdc Task needs to be async
• cbb18c8 webpack v5 compatibility (CellRenderer Components Are Not Instantiated With Parent ag-grid/ag-grid#2641)
• ff9d868 Adjust PrecacheEntry type to allow null revisions (Remove debug logs ag-grid/ag-grid#2645)
• ae29e17 Warn when an async matchCallback is used (In getRowStyle and getRowClass, rows that are groups have params.node.isSelected() always returning false ag-grid/ag-grid#2591)
• a6751b9 Precaching updates for v6 ([AngularJS] Tempalted cells don't update when setting new row data ag-grid/ag-grid#2639)
• bb21e82 Add gulp build to hint (how to get dom element ? ag-grid/ag-grid#2629)
• f993ab4 Add missing spaces in multiline logs (V19 - blank defaultToolPanel yields unexpected warnings in console ag-grid/ag-grid#2627)
• 6d38919 Allow cacheKeyWillBeUsed to influence the request method check (grid does not look into frameworkComponents for named component ag-grid/ag-grid#2616)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Improper Input Validation
🦉 Prototype Pollution

[secure-code-warrior-for-github]

Micro-Learning Topic: OS command injection (Detected by phrase)

Matched on "Command Injection"

What is this? (2min video)

In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server.

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Command Injection - OWASP community page with comprehensive information about command injection, and links to various OWASP resources to help detect or prevent it.
• OWASP testing for Command Injection - This article is focused on providing testing techniques for identifying command injection flaws in your applications

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Weak input validation (Detected by phrase)

Matched on "Improper Input Validation"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Top Ten 2021 A03: Injection - OWASP Top Ten articles provide basic techniques to protect against these high risk problem areas, and guidance on where to go next.
• OWASP Injection Prevention Cheat Sheet in Java - This article is focused on providing clear, simple, actionable guidance for preventing injection flaws in your Java applications.
• OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications.
• OWASP Injection Prevention Cheat Sheet - This article is focused on providing clear, simple, actionable guidance for preventing injection flaws in your applications.
• OWASP Top Ten Proactive Controls 2018 C5: Validate All Inputs - Detailed article on input validation as a programming technique for ensuring that only properly formatted data may enter a software system component.

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior