[Snyk] Fix for 9 vulnerabilities

[m-ajay]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • superset-frontend/temporary_superset_ui/superset-ui/package.json
  • superset-frontend/temporary_superset_ui/superset-ui/package-lock.json
  • superset-frontend/temporary_superset_ui/superset-ui/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIHTML-1296849	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	718/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-PARSEURL-3023021	Yes	Proof of Concept
	643/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5	Improper Input Validation SNYK-JS-PARSEURL-3024398	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: lerna

The new version differs by 250 commits.

• 6a0c3fb chore(release): v5.5.2
• ebf6542 fix(run): warn on incompatible arguments with useNx (Inconsistency with the timezone in time graphs versus calendar apache/superset#3326)
• 068830e fix(run): missing `fs-extra` dependency declaration ([nvd3] fix bubble axis apache/superset#3332)
• 7971a60 chore(deps): bump parse-url and git-url-parse ([hotfix] dashboard widget resize is broken apache/superset#3330)
• 96b6f04 chore: fix formatting after release
• 9f119b0 chore(release): v5.5.1
• 99a13a9 fix(run): exclude dependencies with --scope when nx.json is not present (How to create slices using Redshift Spectrum? apache/superset#3316)
• 1343b9f chore: update cache-tasks.md ([bugfix] Presto KeyError 'errorLocation' apache/superset#3291)
• 4cb2ac9 chore: update getting-started.md ([mapbox] fix viewport alterations apache/superset#3293)
• f6717ea chore(run): Update deprecated nx arg _ to __overrides__ (Use react-alert for backend message flashing apache/superset#3315)
• 036b984 chore(version): add GH_TOKEN scope requirements for --create-release option (the setup.py file need to fix.  apache/superset#3318)
• f30e550 chore(website): fix typo on configuration page (Already added slice(s) should be available/visible as checked in the 'Add Slices to dashboard' GUI. apache/superset#3319)
• 746ce33 fix(core): prevent validation error in version/publish with `workspace:` prefix (docs: add references to Flask-Appbuilder Security documentation apache/superset#3322)
• 674ffd3 chore: fix formatting
• 5a69ce5 chore: fixes post release
• bc3eb99 chore(release): v5.5.0
• a3165c1 chore: update nx
• 1b18dbe feat: pnpm workspaces support ([dashboard] fix standalone mode that hides the navbar apache/superset#3284)
• 1d6a6f5 chore(deps-dev): bump @ actions/core from 1.8.2 to 1.9.1 (ui datetime covert to utc time? apache/superset#3299)
• d261112 Revert "feat(repair): add lerna repair command" (French translation apache/superset#3313)
• 8fe2220 chore(website): add announcement banner lerna talks
• f5c8480 fix(version): only update existing lockfile deps ([sql lab] improve error messages apache/superset#3308)
• aae1a2b feat(repair): add lerna repair command (Create a PandasDatasource apache/superset#3302)
• a248165 chore: fix typo in how-caching-works.md ([sql lab] add pending to the list of searchable statuses apache/superset#3292)

See the full diff

Package name: webpack-bundle-analyzer

The new version differs by 20 commits.

• ee6c7a9 Merge pull request Exploring table gives IOERROR IOError: [Errno 5] Input/output error apache/superset#389 from webpack-contrib/support-webpack-5
• 8d1a752 Update version
• 37ab03e Fix typo
• 2153401 Add `--watch-ignore` flag to `test-dev` npm script
• 35b62db Add `private: true` flag to `package.json` files in `test/webpack-versions`
• ef36924 Add changelog entry
• f819548 Update version
• d8f2dd7 Fix lint issues
• d32cbdb Add changelog for v4.0.0
• 3094dbc Update dependencies
• b85ba7d Add tests for Webpack 5
• c35bda3 Properly parse Webpack 5 entry modules
• 7bbe89f Properly parse Webpack 5 bundle format (except concatenated entry module)
• b34b249 Update package-lock.json
• abc298a Remove Node.js 6 and 8 from .travis.yml
• a81b7b8 - Support multiple Webpack versions in tests
• 591adf1 Add more ignores to .npm-upgrade.json
• d5698f4 Update dependencies
• e4a8974 Merge pull request Specifying python versions supported in setup.py apache/superset#382 from wbobeirne/fix-opener-error
• b0f717b Catch uncaught opener errors

See the full diff

Package name: webpack-dev-server

The new version differs by 250 commits.

• c9271b9 chore(release): 4.0.0
• 18bf369 test: fix stability ([New Viz] Nightingale Rose Chart apache/superset#3676)
• cdcabb2 fix: respect protocol from browser for manual setup (How can I change the visualization? Changes are not displayed in the browser. apache/superset#3675)
• 1768d6b fix: initial reloading for lazy compilation (Set logging level to debug for DummyStatsLogger apache/superset#3662)
• 4f5bab1 docs: improve examples (URL link to parent or blank does not work within Markup or Separator widget apache/superset#3672)
• f2d87fb fix: improve https CLI output (Sorting slices alphabetically results in 500 - Internal Server Error apache/superset#3673)
• 0277c5e chore: remove redundant console statements (Adding new countries to Map view apache/superset#3671)
• 16fcdbc docs: add `ipc` example (Update 20171013 apache/superset#3667)
• 8915fb8 test: add e2e tests for built in routes ("Time Series Table" is missing hyphen apache/superset#3669)
• 4d1cbe1 docs: ask `version` information in issue template ([Explore] Altered Slice Tag apache/superset#3668)
• b6c1881 chore(deps-dev): bump core-js from 3.16.1 to 3.16.2 (if superset will suport druid lookup or join apache/superset#3666)
• ffa8cc5 chore(deps-dev): bump supertest from 6.1.5 to 6.1.6 (Add description for running specific test apache/superset#3665)
• f1fdaa7 chore(release): 4.0.0-rc.1
• c4678bc fix: legacy API ([stats_logger] entries flooding the console log apache/superset#3660)
• d8bdd03 test: fix stability (Making the sort order for metrics pull from fd for time table viz apache/superset#3661)
• 22b1414 refactor: remove `killable` (Choose language is brocken apache/superset#3657)
• 75bafbf test: add e2e tests for module federation (failed to add oracle view as superset table. apache/superset#3658)
• 493ccbd chore(deps): update `ws` (Authentication: Enable user impersonation for Superset to HiveServer2 using hive.server2.proxy.user (a.fernandez) apache/superset#3652)
• ae8c523 test: add e2e test for universal compiler (Export Dashboard doesn't work apache/superset#3656)
• f94b84f chore(deps): update ([SQLLab] Regression: "share query" is broken behind https-only proxy apache/superset#3655)
• 1923132 test: fix cli
• 2adfd01 test: fix todo (Add a ColorPickerControl apache/superset#3653)
• 6e2cbde fix: proxy logging and allow to pass options without the `target` option (Adding sort time table apache/superset#3651)
• c9ccc96 fix: respect infastructureLogging.level for client.logging (Time Series Table: group-by keys must be strings apache/superset#3613)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
🦉 Server-side Request Forgery (SSRF)
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn