[Snyk] Security upgrade react-flow-renderer from 5.11.1 to 10.3.17

[ekmixon]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • src/fireedge/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-D3COLOR-1076592	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: react-flow-renderer

The new version differs by 250 commits.

• 4e9cc37 chore(node-edges): add data-testid
• 23d1dd0 fix(edge-renderer): fallback to default edge if type is invalid
• 0891b83 chore(isInputDOMNode): add event.target as fallback
• d22bf9e Merge pull request onevcenter improvements and errors OpenNebula/one#2416 from jwm0/main
• ceced01 Merge pull request VM autorefresh OpenNebula/one#2410 from wardoost/node-snap-relative-to-center
• a766ba3 Use event.composedPath for getting event target
• ac11a18 Snap node to grid relative to 0,0 instead of relative to starting point of node
• 147656b chore: release v10.3.16
• e0751cb fix(deps): put react types in devDependencies closes B #2140: reducing useless code on vcenter virtual machine (sunstone r… OpenNebula/one#2368
• 2ca2996 chore: release v10.3.15
• d074cba chore(deps): add types to dependencies closes add possibility to comment on actions OpenNebula/one#1015, closes F #2341 Add debug information to vCenter drivers (stacktrace) OpenNebula/one#2362
• cb69897 refactor(useUpdateNodeInternals): make it easier to use F #1913: setuid/setgid for VM Templates OpenNebula/one#2008
• bb00e87 fix(useReactFlow): prevent unnecessary re-renderings
• 196f225 chore(issue-templates): always use title case
• 8bbead4 Merge pull request LVM cleanup executes on master instead storage node OpenNebula/one#2352 from wbkd/chrtze-patch-1
• df5929f Update and rename feature_request.md to feature_request.yml
• d21815d Update feature_request.md
• ba64946 Merge pull request F #2341 Add debug information to vCenter drivers (stacktrace) OpenNebula/one#2350 from wbkd/chrtze-patch-1
• 5ff801b Update issue templates
• e93db69 chore: release v10.3.14
• daf677d fix(store): set domNode
• 46ba0de chore: release v10.3.13
• d07e760 fix(minZoom,maxZoom): pass min- maxZoom for initial view closes Fix wording in console help OpenNebula/one#2343
• 9f5d610 Merge pull request ONE_MANAGED should be renamed to VCENTER_IMPORTED OpenNebula/one#2324 from fbieler/main

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Command Injection

[secure-code-warrior-for-github]

Micro-Learning Topic: OS command injection (Detected by phrase)

Matched on "Command Injection"

What is this? (2min video)

In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server.

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Command Injection - OWASP community page with comprehensive information about command injection, and links to various OWASP resources to help detect or prevent it.
• OWASP testing for Command Injection - This article is focused on providing testing techniques for identifying command injection flaws in your applications

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

[sourcery-ai]

PR Type: Enhancement

PR Summary: The pull request upgrades the 'react-flow-renderer' package to resolve multiple security vulnerabilities associated with the previous version. It is an automated dependency update to mitigate known issues without altering the functionality of the project.

Decision: Comment

📝 Type: 'Enhancement' - not supported yet.

• Sourcery currently only approves 'Typo fix' PRs.

✅ Issue addressed: this change correctly addresses the issue or implements the desired feature.

No details provided.

✅ Small diff: the diff is small enough to approve with confidence.

No details provided.

General suggestions:

• Verify that the major version upgrade of 'react-flow-renderer' does not introduce any breaking changes that might affect the current implementation.
• Ensure that all functionalities that rely on 'react-flow-renderer' are tested to confirm that they operate as expected after the upgrade.
• Review the release notes and commit history of 'react-flow-renderer' to understand the changes between the old and new versions.

Thanks for using Sourcery. We offer it for free for open source projects and would be very grateful if you could help us grow. If you like it, would you consider sharing Sourcery on your favourite social media? ✨

Share Sourcery

• X
• Mastodon
• LinkedIn
• Facebook

---

Help me be more useful! Please click 👍 or 👎 on each comment to tell me if it was helpful.