[Snyk] Fix for 10 vulnerabilities

[awaisab172]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ACORN-559469	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-CHRONONODE-1083228	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-D3COLOR-1076592	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Cross-site Scripting (XSS) SNYK-JS-DOMPURIFY-1016634	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-DOMPURIFY-1035544	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-DOMPURIFY-2863266	Yes	Proof of Concept
	669/1000 Why? Has a fix available, CVSS 9.1	Cross-site Scripting (XSS) SNYK-JS-DOMPURIFY-468981	Yes	No Known Exploit
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: chrono-node

The new version differs by 250 commits.

• 4350642 2.2.4
• 036f7aa New: improve parsing performance by caching complied regex
• 98815b5 Fix: unblounded regex backtracking in timeunit parsing
• 3f294e0 2.2.3
• 16737f5 Fix: Remove internal annotation on the debugging
• 5e9456d 2.2.2
• f9cd773 Update readme document
• 8f395f2 refactor: exclude documentation in master
• ac27496 New: Add typedoc setting
• e047e2e Documentation: Update
• b582ae7 Fix: vague time parsing in strict mode
• f60807e 2.2.1
• bf2ae34 Fix: time expression endding with numbers only
• 3d044ee Add init Typedoc integration
• fbbd996 Merge pull request Site Settings: move primary button to <SectionHeader>. Automattic/wp-calypso#373 from JeroenVdb/master
• 911588c Merge pull request Plugins: Fix Plugin Banner to be more responsive and work better on desktop Automattic/wp-calypso#372 from flpvsk/feature/fuzzy-forward-date
• 4f264a9 Make "in|within|for" optional if forwardDate=true
• f47c32c 2.2.0
• 1d949a2 Fix: stop guessing single digit after dot as minute
• 269fa37 remove unsupported
• 5c98948 tests for time units
• a4cedba copy from EN
• da3def8 readd morgend so we dont break
• b0af06f readd morgend so we dont break

See the full diff

Package name: d3-scale

The new version differs by 85 commits.

• f7cb35b 4.0.0
• 120ad7a adopt InternMap for ordinal scales ([Snyk] Security upgrade express from 4.16.4 to 4.21.2 #237)
• ac30873 Adopt type=module (Signup: HTML visible in error message for suspended users Automattic/wp-calypso#246)
• 2b7db62 3.3.0
• f3cfd2c update dependencies
• 80ff9b2 adopt d3-time’s ticks
• 8afe6bd 3.2.4
• 60e10c4 update dependencies
• 116ac06 Treat null as undefined. (Purchases: Add cancel/remove option for expired domain registrations and mappings Automattic/wp-calypso#241)
• c7efc99 3.2.3
• 5d3e9c3 Update d3-array.
• 1ff6522 yarn
• 957482b Update tickFormat.js
• 42d546e scaleQuantile performance fixup
• 0a427eb time_copy is part of the API but was missing from the README
• 1dd3f5a Merge pull request [Snyk] Security upgrade xunit-viewer from 5.1.8 to 6.0.0 #219 from d3/links-v6
• 8460207 v3.2.2
• 6169111 d3 dependencies
• 0a55cc8 Merge pull request [Snyk] Security upgrade @wordpress/editor from 9.0.11 to 9.1.0 #210 from domoritz/fix-nice
• 5046251 links to d3@6 versions
• d0a2fe4 fix documentation: the diverging scale's default domain is [0, 0.5, 1]
• da99948 Use var
• 0932d15 Merge pull request [Snyk] Security upgrade tinymce from 4.8.5 to 6.8.4 #211 from oluckyman/patch-1
• 2751067 Fix a typo

See the full diff

Package name: dompurify

The new version differs by 250 commits.

• e7086f7 chore: prepared 2.2.3 release
• 0c2edea fix: addressed an mXSS problem caused by nested headlines
• 2c0017c see Me: add README.md for client/lib/security-checkup Automattic/wp-calypso#490
• feeeaa9 docs: Changed granlem's URL
• 042dac1 docs: added a fellow sponsor to the README
• 89fee39 Fix Update wpcom-proxy-request to 1.0.5 Automattic/wp-calypso#489
• 66de7be Merge branch 'main' of git@github.com:cure53/DOMPurify.git into main
• 185abbb Merge pull request Update wpcom-xhr-request to 0.3.3 Automattic/wp-calypso#488 from jochenberger/patch-2
• 9dd85f4 Fix multi-license declaration
• 77d1281 Merge branch 'main' of git@github.com:cure53/DOMPurify.git into main
• 4aacbcd Merge pull request Add site names on sites-list error notices Automattic/wp-calypso#483 from yejiel/patch-1
• 25b269f Update license Header to match current Version
• b84f6ba fix: oh dear, reverted the code removal
• 4c8a84c chore: experimentally removed some possibly redundant mXSS check
• 7923e10 chore: Preparing 2.2.2 release
• 7719c5b test: Added test cases for reported bypasses
• e43de71 fix: squished another variation of the mXSS
• 0771f47 chore: Preparing 2.2.1 release
• ee33fae fix: Fixed a mXSS bypass reported in Devdocs: update layout to use new sidebar Automattic/wp-calypso#482
• e95b0de see Purchases: Add analytics to the purchase confirm cancellation submit button Automattic/wp-calypso#480
• 83b7acb See Purchases: Add analytics to the contact support links  Automattic/wp-calypso#479
• 0e31dce chore: preparing 2.2.0 release
• 307c7d0 test: added tests to cover new RETURN_DOM_IMPORT default being true
• 5aab0bb fix: fixed a typo in the config option logic for DOM_RETURN_IMPORT

See the full diff

Package name: html-webpack-plugin

The new version differs by 250 commits.

• 873d75b chore(release): 5.5.0
• ddeb774 chore: update examples
• 1e42625 feat: Support type=module via scriptLoading option
• 7d3645b Bump pretty-error to 4.0.0 to fix transitive vuln for ansi-regex CVE-2021-3807
• 79be779 [chore] changes actions to run on pull_requests
• b7e5859 [chore] fixes CI to avoid race conditions
• 48131d3 chore(release): 5.4.0
• 16a841a [chore] rebuild examples
• 3bb7c17 Update index.js
• e38ac97 Update index.js
• f08bd02 [chore] updates fixtures
• d62a10f [chore] upgrades html-minifier-terser@5.0.0 -> 6.0.2
• 2f5de7a Remove archived plugin
• 8f8f7c5 chore(release): 5.3.2
• 053c6e6 chore: update snapshot tests for webpack 5.4.0
• 9c7fba0 Fix security vulnerabilities
• b98fbeb Fix security vulnerabilities
• 25cdfc7 Added inject-body-webpack-plugin to readme
• 0e4c1fb Update README to document actual behavior
• 0a6568d chore(release): 5.3.1
• 82d0ee8 fix: remove loader-utils from plugin core
• 6f39192 chore(release): 5.3.0
• d654f5b feat: allow to modify the interpolation options in webpack config
• 41d7a50 feat: drop loader-utils dependency

See the full diff

Package name: lerna

The new version differs by 250 commits.

• 45ff346 chore(release): v5.1.2
• e519f43 fix(conventional-commits): remove pinned lodash.template (People: First pass at disabling the invite form until invitee added Automattic/wp-calypso#3172)
• d242b06 chore(e2e): Add e2e tests for lerna init options (Themes: Sheet live preview Automattic/wp-calypso#3162)
• 56eaa15 fix: update all transitive inclusions of ansi-regex (Remove Plugins page for non-Jetpack sites (cleanup of #3079) Automattic/wp-calypso#3166)
• cb47e7a chore: switch readme image based on dark mode and pin node version (Themes: Related themes Automattic/wp-calypso#3164)
• eb7da85 chore(release): v5.1.1
• 21ce2bf chore: remove broken postversion in root package.json
• 72305e4 fix: allow maintenance LTS node 14 engines starting at 14.15.0 (Themes: Sheet details view Automattic/wp-calypso#3161)
• 6cf9be8 chore: initial e2e spec for lerna init (Export: Automatically fetch advanced settings when switching to exporter Automattic/wp-calypso#3158)
• 479bf4c chore: update CHANGELOG.md
• 6b9c375 chore(release): v5.1.0
• 7e69e9e fix(utils): orphaned child process on Windows (Domain Management: add unlimited email forwarding Automattic/wp-calypso#3156)
• 897caee chore: fix typos (Domains: Purchases: Refactor domains and purchases tests Automattic/wp-calypso#2732)
• c6808fc feat: handle the edge cases in the lerna-nx integration
• ff27ccb chore(release): v5.1.0-alpha.0
• bf7daa6 chore: remove references to git.io (Purchases: No way to re-enable Auto Renew Automattic/wp-calypso#3153)
• c363ec4 chore: restore CI workflow
• 4464787 chore: remove update-historical workflow as no longer needed
• 7caf43b chore: update historical (Domains: Site Redirect: Add placeholder Automattic/wp-calypso#3148)
• 1022919 chore: update historical
• a9f3ba4 chore: update historical (Domains: Add notice for changing contact information prevents transfers for 60 days Automattic/wp-calypso#3147)
• 780cc89 chore: update contributing notes
• 9f32d4e chore: update issue templates and contributing notes
• 1c35828 feat: add experimental support to run tasks via Nx

See the full diff

Package name: postcss-cli

The new version differs by 20 commits.

• 745ad2c 7.0.0
• cf6ea09 Update eslint config
• ea1cec4 Update eslint-config-problems to version 3.1.0 (Editor: Add spellcheck / proofreading feature Automattic/wp-calypso#306)
• 1519430 Update globby to version 10.0.1 (Editor: Add "link to existing content" feature Automattic/wp-calypso#303)
• 5b47456 Update eslint to version 6.8.0 (Framework: replace wpcom-private by wpcom-unpublished Automattic/wp-calypso#305)
• e241672 Update nyc to version 15.0.0 (Purchases: Deploy /purchases to production Automattic/wp-calypso#297)
• 4a87ff1 Update chalk to version 3.0.0 (Fix typo in the readme Automattic/wp-calypso#294)
• e666505 Update prettier to version 1.19.1 (Plugins: Show disabled autoupdate info Automattic/wp-calypso#304)
• 0d3591a Update ava to version 2.4.0 (Framework: Allow for a sans-sidebar layout and adjust accordingly  Automattic/wp-calypso#302)
• cb9f451 Update fs-extra to version 8.1.0 (Don't allow private registration to be removed from the cart Automattic/wp-calypso#301)
• 4f68a46 Update chokidar to version 3.3.0 (Editor: Add word count Automattic/wp-calypso#300)
• 5c22ddb Update yargs to version 15.0.2 (Editor: Fix iOS 8.4 Focus Issues Automattic/wp-calypso#298)
• 79eb0ac Update get-stdin to version 7.0.0 (Purchases: Domain renewals: Removing private registration Automattic/wp-calypso#273)
• 71384c6 Update Travis config; remove AppVeyor
• 6b92df3 BREAKING: Drop Node 6 & 8; test on new Node versions
• 7091819 6.1.3
• 0de7ccf Fix map file path creation (Purchases: Renewals: Use a temporary cart Automattic/wp-calypso#286)
• f1c7352 Update prettier to version 1.18.0 (Purchases: Manage: Implement Use This Card feature Automattic/wp-calypso#281)
• 035bab8 Update nyc to version 14.0.0 (Server Side Rendering: Bundle localization json files Automattic/wp-calypso#274)
• 541048e Update prettier to version 1.17.0 (Purchases: style issues for PayPal in Edit Payment Method Automattic/wp-calypso#272)

See the full diff

Package name: webpack-bundle-analyzer

The new version differs by 83 commits.

• ee6c7a9 Merge pull request Me: Settings: validate email address before letting user submit & show better errors Automattic/wp-calypso#389 from webpack-contrib/support-webpack-5
• 8d1a752 Update version
• 37ab03e Fix typo
• 2153401 Add `--watch-ignore` flag to `test-dev` npm script
• 35b62db Add `private: true` flag to `package.json` files in `test/webpack-versions`
• ef36924 Add changelog entry
• f819548 Update version
• d8f2dd7 Fix lint issues
• d32cbdb Add changelog for v4.0.0
• 3094dbc Update dependencies
• b85ba7d Add tests for Webpack 5
• c35bda3 Properly parse Webpack 5 entry modules
• 7bbe89f Properly parse Webpack 5 bundle format (except concatenated entry module)
• b34b249 Update package-lock.json
• abc298a Remove Node.js 6 and 8 from .travis.yml
• a81b7b8 - Support multiple Webpack versions in tests
• 591adf1 Add more ignores to .npm-upgrade.json
• d5698f4 Update dependencies
• e4a8974 Merge pull request Billing History: Redundant navigation on mobile Automattic/wp-calypso#382 from wbobeirne/fix-opener-error
• b0f717b Catch uncaught opener errors
• e4b2677 v3.9.0
• afde5a8 Merge pull request Framework: <App> component Automattic/wp-calypso#378 from dabbott/fix-missing-child-bundles
• 0ddc92d Add test for dynamic imports in worker bundles
• b39594c Fix missing child bundles throwing an error

See the full diff

Package name: yargs

The new version differs by 14 commits.

• a6e67f1 chore(release): 13.2.4
• fc13476 chore: update standard-verison dependency
• bf46813 fix(i18n): rename unclear 'implication failed' to 'missing dependent arguments' (Reader: highlighting text in Reader post's content area results in a click Automattic/wp-calypso#1317)
• a3a5d05 docs: fix a broken link to MS Terminology Search (Help: Ending a chat while a user is on /help/contact is a jarring experience. Automattic/wp-calypso#1341)
• b4f8018 build: add .versionrc that hides test/build
• 0c39183 chore(release): 13.2.3
• 08e0746 chore: update deps (Help: Ending a chat results in the "leave a message" chat box Automattic/wp-calypso#1340)
• 843e939 docs: make `--no-` boolean prefix easier to find in the docs (Help: Form validation needs improving Automattic/wp-calypso#1338)
• 84cac07 docs: restore removed changelog of v13.2.0 (Help: Make the "HEs have returned" notice dismissable Automattic/wp-calypso#1337)
• b20db65 fix(deps): upgrade cliui for compatibility with latest chalk. (Themes: Determine if server side i18n is necessary for the Masterbar  Automattic/wp-calypso#1330)
• c294d1b test: accept differently formatted output (Themes: Render the Masterbar for /design on the server Automattic/wp-calypso#1327)
• ac3f10c chore: move .hbs templates into .js to facilitate webpacking (Reader: Fix import statement for reader/stats Automattic/wp-calypso#1320)
• 0295132 fix: address issues with dutch translation (Desktop App: Fix broken oauth token access when booting Desktop App Automattic/wp-calypso#1316)
• 9f2468e doc: clarify parserConfiguration object structure (Domains: Update back link to redirect to previous page instead of parent page Automattic/wp-calypso#1309)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Cross-site Scripting (XSS)
🦉 Arbitrary Code Injection