[Snyk] Fix for 13 vulnerabilities

[qmutz]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-D3COLOR-1076592	No	Proof of Concept
	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-DICER-2311764	Yes	Mature
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	Yes	Proof of Concept
	344/1000 Why? Has a fix available, CVSS 2.6	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-NTHCHECK-1586032	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Improper Input Validation SNYK-JS-XMLDOM-1534562	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Prototype Pollution SNYK-JS-XMLDOM-3042242	Yes	No Known Exploit
	811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-XMLDOM-3092935	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @nivo/line

The new version differs by 250 commits.

• 2675b60 v0.69.0
• e9360be fix(build): include latest changelog when publishing
• 93943b8 refactor(axes): rename AxisProp to SingleAxisProp
• b5d5f0f fix(axes): update some types
• 934a299 refactor(axes): respond to pr feedback
• f11d034 fix(axes): create alias for axis value
• 828656f chore(axes): exclude tsbuildinfo from package
• 6b9af77 chore(build): update messaging in makefile
• dfd3ef0 chore(axes): changes to support react-spring v9.1.2
• f7fcc75 fix(axes): improve package types
• 7d01a53 refactor(axes): convert tests to typescript
• eb969df fix(axes): remove undefined cursor style prop from AxisTick
• b4372cf fix(bullet): remove some ts-ignore comments
• e706d48 feat(build): add test watch commands to makefile
• 73f9803 feat(axes): init migration to typescript
• 46d2ae0 feat(generators): migrate package to typescript (Add notes in settings that require a restart RocketChat/Rocket.Chat#1492)
• 53b9c1c fix(deps): remove recompose
• 97b7fc8 feat(voronoi): fix storybook
• 9796f3f feat(voronoi): migrate package to TypeScript and remove recompose
• c976d66 feat(d3-scale): upgrade d3-scale package
• f69c799 feat(voronoi): remove license headers
• 74621c0 feat(voronoi): init TypeScript setup
• a00ef4a fix(legends): Add missing symbolBorderWidth to typings (customizable url paths(permalink). RocketChat/Rocket.Chat#1431)
• 89109d9 chore(circle-packing): fixes after rebase to master

See the full diff

Package name: @nivo/pie

The new version differs by 146 commits.

• dfa6378 v0.63.1
• 9e230ce fix(storybook): always pull latest version of generators package (Github integration RocketChat/Rocket.Chat#1176)
• e799128 fix(radar): switch to useAnimatedPath hook
• d983b19 fix(stream): switch to useAnimatedPath hook
• a5cdf26 fix(sankey): switch to useAnimatedPath hook
• d755a11 fix(parallel-coordinates): switch to useAnimatedPath hook
• d457841 fix(funnel): switch to useAnimatedPath hook
• 5ddb2ec fix(bump): switch to useAnimatedPath hook
• 6c8b767 fix(annotations): switch to useAnimatedPath hook
• 6d2cd27 fix(line): animate paths properly
• 0affed6 fix(ci): switch to GitHub actions (Slack like integrations RocketChat/Rocket.Chat#1175)
• 7f19561 fix(bar): Fix BarItemProps types (Is there a coding standards doc for Rocket.Chat? RocketChat/Rocket.Chat#1163)
• 259e037 fix(bump): update input datum types for undefined/null (How to configure GCM push notifications? RocketChat/Rocket.Chat#1096)
• 65bc707 build(lodash): add back babel lodash plugin
• 5595482 chore(changelog): update changelog (Alerting of past channel joins / user mentions RocketChat/Rocket.Chat#1166)
• 8ccf936 refactor(pie): remove recompose and convert to hooks (The new message bar doesn't disappear after you've seen the messages RocketChat/Rocket.Chat#1143)
• defc453 v0.63.0
• e370ea8 fix(core / swarmplot): Improve core and swarmplot typedefs (Update README for v0.7  RocketChat/Rocket.Chat#1151)
• 42adacd fix(scatterplot): Support DerivedNodeProp for nodeSize prop (Add back sideNav animations RocketChat/Rocket.Chat#1134)
• 861000f fix(core): Add missing Theme types to match default theme object (Meteor update RocketChat/Rocket.Chat#1135)
• 56f0e44 fix(sankey): Fix issue with gradient and parentheses in IDs (Added settings for file upload type and size limit RocketChat/Rocket.Chat#1152)
• 52c1bc1 fix(scatterplot): adjust type/proptype of `data[].id` prop (Rename History RocketChat/Rocket.Chat#1147)
• 99b520e fix(core): add Defs types and export for typescript (Browser Console Errors Regarding Websocket RocketChat/Rocket.Chat#1146)
• 7d52c07 feat(a11y): add ability to set `role` prop on all charts (Buddy List  RocketChat/Rocket.Chat#1128)

See the full diff

Package name: @slack/client

The new version differs by 250 commits.

• 891307e Publish
• 55624fd lerna generated SHAs
• a76b3ee Merge pull request Set Max upload size in Settings under Administrator Account RocketChat/Rocket.Chat#756 from slackapi/dev-v5
• 09d6d6f fix a typescript issue from changing from type aliases to interfaces
• 4d3133c remove package locks from examples
• c3e5c8b update examples for testing
• d40c883 remove file accidentally added in merge
• 0d1cd79 Merge branch 'master' into dev-v5
• b6dc555 Merge pull request Allowing the rejecting/allowing of ssl certs to be configurable by the admin RocketChat/Rocket.Chat#755 from aoberoi/find-and-replace
• 65788d2 Merge pull request Add Admin Option to Enable/Disable Trusting Self Signed SSL Certs RocketChat/Rocket.Chat#754 from shanedewael/local-development-tutorial
• 81be95b its amazing what you can find with a little find and replace
• 8c98232 Consolidate cta
• 53861c9 Update docs/_tutorials/local_development.md
• 74b8e77 Update docs/_tutorials/local_development.md
• 200a430 Update docs/_tutorials/local_development.md
• 95cd749 Changes
• 2ee0224 Merge pull request Archive + Freeze Channel RocketChat/Rocket.Chat#752 from aoberoi/scheduled-messages-v5
• 695984a Merge pull request Admin can delete messages (Issue #739) RocketChat/Rocket.Chat#753 from aoberoi/issue-templates-v5
• aa126f0 Merge pull request Server crashes in development mode when statistics cron job fails RocketChat/Rocket.Chat#751 from aoberoi/reference-examples
• 5f7a654 Add table of contents
• e73ad7d Fix links on READMEs
• d1eb873 Local development tutorial
• 17318b2 add warning to maintainers guide
• dd84a72 update issue template to ask for relevant packages

See the full diff

Package name: bcrypt

The new version differs by 19 commits.

• 2f124bd Fix artifact upload path
• 10eacf5 Prepare v5.0.1
• 6eacfe1 Merge pull request joinRoom returns if room is already added RocketChat/Rocket.Chat#856 from kelektiv/update-deps
• feb477c Update node-pre-gyp to 1.0.0
• 42c8b0c Merge pull request Meteor 1.2 (HELP TO TEST) RocketChat/Rocket.Chat#852 from kelektiv/update-deps
• bafefc3 Update packages
• 7c5d8df Merge pull request Image autoloading does not work behind proxy RocketChat/Rocket.Chat#851 from recrsn/node-15-ci
• 1ba55f9 Add Node 15 to CI
• 19c06c1 Update Node version compatibility info
• 09cb4fc Merge pull request Create room permissions for read-only / speak RocketChat/Rocket.Chat#825 from dogon11/patch-1
• 2821c03 Merge pull request number of unread messages indicator misbehavior RocketChat/Rocket.Chat#811 from techhead/use_buffers
• 63c8403 Merge pull request Create Channel button hidden RocketChat/Rocket.Chat#838 from alete89/docs/improve-hash-info
• 984ef18 remove reference to $2y$ algo identifier
• 630c897 fixes: Create a cog or other icon for dropdown actions on message RocketChat/Rocket.Chat#828
• 0f93284 README.md typo fix
• 4125ebc Update README.md
• f503e57 Create SECURITY.md
• f158e6e Allow optional use of Node Buffers.
• 8866277 Deploy on any travis tag

See the full diff

Package name: blockstack

The new version differs by 219 commits.

• c21cae1 release: v21.0.0
• 2a34a2d Merge pull request Adding support for private groups reopening and fixing room subscription state RocketChat/Rocket.Chat#765 from blockstack/develop
• 3e5a317 remove beta and add date
• 8cd8e83 add version to changelog
• 52420a4 Merge pull request Route follow through on login / register RocketChat/Rocket.Chat#764 from blockstack/develop
• c7b1704 Merge branch 'release/v21.0.0-beta.1' into develop
• fbe0b24 v21.0.0 beta release
• 4a04177 Merge pull request Auto Load Images is no longer working RocketChat/Rocket.Chat#763 from blockstack/changelog
• dd1c803 fix
• 7513ae4 elaborate on putFile changes
• 767405c update changelog for concurrency changes
• 30dc53d Merge pull request Merge pull request #1 from RocketChat/master RocketChat/Rocket.Chat#743 from blockstack/etags
• 0728e0f Merge pull request Admin can delete messages (Issue #739) RocketChat/Rocket.Chat#753 from blockstack/feature/bn-fixes
• 6e79a13 file creation test
• b095f09 attempt to create new file if client doesn't have etag
• b274f2a add flag for creating new file to `uploadToGaiaHub` method and set If-None-Match header
• b4524d1 add error test and refactor etag test
• 71243ff etag unit test
• af54f80 Merge pull request Archive + Freeze Channel RocketChat/Rocket.Chat#752 from blockstack/dependabot/npm_and_yarn/handlebars-4.5.3
• cefff5c Add encryption files to prettierignore.
• 56951a3 Merge branch 'master' into develop
• 14422c7 Merge branch 'develop' into etags
• 7a1c537 Merge pull request Protect Uploads - download should not be possible without logging in RocketChat/Rocket.Chat#724 from blockstack/feature/content-length-checking
• 376e320 fix tests that mock uploadToGaiaHub method

See the full diff

Package name: googleapis

The new version differs by 250 commits.

• 7e3d978 Release v37.0.0 (favico.js update RocketChat/Rocket.Chat#1568)
• ecb2c28 build: check for 404s in the docs (Distinguish Deployment from Development Install RocketChat/Rocket.Chat#1562)
• d49aa49 docs: run the docs command (Unicode regex support RocketChat/Rocket.Chat#1566)
• d1af168 feat: run the generator (Added toAll mentions for yall, everyone, channel, and here RocketChat/Rocket.Chat#1564)
• 9ccda50 chore(deps): update dependency eslint-config-prettier to v4 (Functions rate limiter RocketChat/Rocket.Chat#1565)
• 73f8f9c docs: specify gaxios over axios (Rocket Chat fails to load channels in IE10 RocketChat/Rocket.Chat#1558)
• 7f7f3cf fix(deps): update dependency googleapis-common to ^0.7.0 (Many fixes for RTL RocketChat/Rocket.Chat#1560)
• c62efb1 docs(samples): add people samples for get & create contacts (Too easy to accidentally leave channels RocketChat/Rocket.Chat#1543)
• 2ad63f6 feat: webpack support for all APIs (When User Joins a Call, Mark Them as Busy RocketChat/Rocket.Chat#1554)
• d8ba2ac fix(deps): update googleapis-common and google-auth-library (Add hubot config to docker-compose.yml RocketChat/Rocket.Chat#1556)
• 9742db3 feat: generating webpackable packages (Reset avatar before uploading to prevent caching issues RocketChat/Rocket.Chat#1547)
• e70272c fix(generator): convert method names to camelCase (rocketchat_1 | private group user statistic not found RocketChat/Rocket.Chat#1552)
• 8d9c5d9 docs: fix typo in README.md (Mentioned non-English user names do not get linked RocketChat/Rocket.Chat#1549)
• de464c0 feat: run the generator (Unified channel creation? RocketChat/Rocket.Chat#1541)
• 7e07d11 docs: improve the compute sample in the README (Improvements/performance RocketChat/Rocket.Chat#1537)
• 47056e9 docs(samples): rework the compute list vms sample (Permissions renaming RocketChat/Rocket.Chat#1534)
• 3b612fc fix(test): fix the revoke token test (Secret URL registration. Closes #1507 RocketChat/Rocket.Chat#1532)
• 4115c0f chore(deps): update dependency typedoc to ^0.14.0 ([sandstorm] Cull administrator options RocketChat/Rocket.Chat#1527)
• c61e14d docs: correct the README (FileReader function ignores orientation of images uploaded from mobile. RocketChat/Rocket.Chat#1522)
• 438979a docs: use blogger to demonstrate key authentication (File upload too slow / eating too much resources RocketChat/Rocket.Chat#1519)
• f6edb8e chore: update license file and metadata (Account box customizable items RocketChat/Rocket.Chat#1504)
• 230bb64 chore(build): inject yoshi automation key (Multiple file upload support RocketChat/Rocket.Chat#1503)
• 443662e chore: update nyc and eslint configs (Password reset / recovery is broken RocketChat/Rocket.Chat#1502)
• 413d9ca chore: fix publish.sh permission +x (Update README.md RocketChat/Rocket.Chat#1499)

See the full diff

Package name: juice

The new version differs by 37 commits.

• a628051 v7.0.0
• 5d89c6e Merge pull request Migrating flow-router into 2.0 RocketChat/Rocket.Chat#368 from TrySound/upgrade-web-resource-inliner
• ef3a266 Merge pull request Scalable File Sharing RocketChat/Rocket.Chat#369 from TrySound/published-files
• 335ed19 Publish only necessary files in package
• 3ec34d3 Upgrade web-resource-inliner
• 56e8fbc Merge pull request Images are not showing in lan RocketChat/Rocket.Chat#367 from TrySound/upgrade-commander
• 1dac1f4 Upgrade commander
• 1f82379 Merge pull request Latest code is not working with IE 11 RocketChat/Rocket.Chat#366 from TrySound/upgrade-cheerio
• 4178da6 Upgrade typescript
• 0ea9842 Upgrade to cheerio v1
• ec41c65 Merge pull request Verify Account with phone number RocketChat/Rocket.Chat#352 from hansottowirtz/support-htmlparser2
• f55f820 Merge pull request Sort of users in view RocketChat/Rocket.Chat#364 from TrySound/drop-deep-extend
• 7116879 Replace deep-extend with nested Object.assign
• 879e34c Merge pull request Add External Chat Window RocketChat/Rocket.Chat#363 from TrySound/unused-inliner-options
• 8899cd7 Merge pull request Allow to paste images from clipboard RocketChat/Rocket.Chat#365 from TrySound/object-assign
• 0765875 Merge pull request Upload RocketChat/Rocket.Chat#362 from TrySound/cross-spawn-dev
• d08b1ed Replace custom extend utility with native Object.assign
• fb22fc0 Drop unused cssmin and uglify options from cli
• f3307de Move cross-spawn to dev dependencies
• 49b5412 Merge pull request Implement REST-full API RocketChat/Rocket.Chat#349 from ArsenyYankovsky/master
• 0ce3da7 Merge pull request fix prob when room id is not valid RocketChat/Rocket.Chat#360 from nekocode/fix-empty-tag
• 990f0dd Merge pull request Room isolation RocketChat/Rocket.Chat#353 from asztal/patch-1
• 35d9a9d fix Fix message deletion and fix render of previous message RocketChat/Rocket.Chat#359
• 6963fe6 Add changelog entry for v6.0.0

See the full diff

Package name: turndown

The new version differs by 15 commits.

• 4e36b45 6.0.0
• 9026414 5.1.0
• bc23db7 Update acorn for https://npmjs.com/advisories/1488
• b9898b7 Update travis node version
• 1559f32 Update to latest rollup (+ plugins) versions
• 73a7539 Target new versions of node
• 166a41a Update jsdom to v16 to fix potential security vulnerabilities
• 0b5d4d5 Merge pull request Fix minor bugs in irc plugin. RocketChat/Rocket.Chat#302 from fredck/t/domchristie/turndown/300
• e5bd9f8 Use the repeat utility function for consistency.
• d1ee0ac Simplified the fence character sniffing.
• 99b0516 Minor stylistic fixes.
• 8e072d2 Fixed the wrong trimming of line break at at the start of code blocks.
• a24c58b Fixed multiple ticks/tildes inside code blocks.
• cae7098 Merge pull request add Video Chat HD and fullscreen modes for web-rtc #115 RocketChat/Rocket.Chat#281 from kevindew/vanishing-or-duplicating-spacing
• b73068c Consistently handle inline elements with spaces

See the full diff

Package name: xml-crypto

The new version differs by 5 commits.

• 62fb8fa 1.5.6
• 69abad6 Update xmldom to 0.7.0 (Fix! RocketChat/Rocket.Chat#236)
• 6f63436 1.5.5
• 6af1bc5 1.5.4
• 06831c5 build(deps): update xmldom

See the full diff

Package name: xml-encryption

The new version differs by 49 commits.

• f5f6532 Merge pull request Use named parameters in translations RocketChat/Rocket.Chat#89 from auth0/1.3.0
• 3c742bf release 1.3.0
• 7b360cd Update xmldom to 0.7.0 (Sound synchronization RocketChat/Rocket.Chat#88)
• e89e7fc Merge pull request Features/avatar RocketChat/Rocket.Chat#85 from gkwang/1.2.4
• 93937fd release 1.2.4
• 1688a90 Update xpath, xmldom, y18n, lodash (Features/prevent messages removal RocketChat/Rocket.Chat#84)
• ca3796b chore: Release version 1.2.3 (Features/avatar RocketChat/Rocket.Chat#83)
• 1996dd7 fix: package.json & package-lock.json to reduce vulnerabilities (Ability to clear current window messages up to "Load more" button RocketChat/Rocket.Chat#81)
• 435b1d0 dont pull in tests (Replace the alert for email verification  RocketChat/Rocket.Chat#80)
• 4fa183c chore: remove codeql analysis (Page to configure many things of the chat, like external login services, SMTP address, etc. RocketChat/Rocket.Chat#78)
• f412aac Merge pull request Inform user of email validation after account register RocketChat/Rocket.Chat#76 from auth0/update_forge
• 9b6df94 Bumps a new patch version
• cd9c41d Update node-forge to the latest version
• 52183cb Merge pull request Turn "LOAD MORE" automatic when it comes into view, with loader. RocketChat/Rocket.Chat#73 from auth0/esarafianou-codeql-scan
• 62abb0f Create codeql-analysis.yml to trigger scans
• 1f013c5 release 1.2.0 (Remove flexbar in Home screen (click on Rocket.Chat logo) RocketChat/Rocket.Chat#72)
• b5a912b feat: sinon is a dev dependency (Improve sound of new direct message RocketChat/Rocket.Chat#71)
• 30edc80 fix(utils): fix accidental duplicate export. (Improve alerts of password reset RocketChat/Rocket.Chat#70)
• 77efd10 chore: release 1.1.0 (Create option to turn the profile information private RocketChat/Rocket.Chat#69)
• 25d22fd feat: Add warning when insecure algorithm is used. (Fix day change break RocketChat/Rocket.Chat#68)
• f5651cc feat: Add support for AES-GCM family (Improve error when user login with GitHub but don't have email as public RocketChat/Rocket.Chat#67)
• e711f7b v1.0.0 release (Password recover RocketChat/Rocket.Chat#65)
• 9459c5a Fix a missing check in encryption for encrypt call (Login user after email validation RocketChat/Rocket.Chat#64)
• 4625cc3 Merge pull request [Snyk] Fix for 4 vulnerabilities #62 from auth0/jenkins

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-side Request Forgery (SSRF)
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn