[Snyk] Fix for 2 vulnerabilities

[abood640]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Uncontrolled resource consumption SNYK-JS-BRACES-6838727	Yes	No Known Exploit
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: webpack

The new version differs by 250 commits.

• 610f368 5.0.0
• 5ce65c1 update examples
• bbe1230 Merge pull request repo sync github/docs#11628 from webpack/bugfix/real-content-hash
• 75ecff2 5.0.0-rc.6
• bfc35d6 Merge pull request Additional TOTP options github/docs#11603 from MayaWolf/master
• 76e8cbd Merge pull request repo sync github/docs#11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
• 9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
• 36bcfaa Merge pull request Tweak AWS OIDC instructions github/docs#11621 from webpack/bugfix/11619
• 9130d10 fix called variables with ProvidePlugin
• 3e42105 Merge pull request OIDC cloud-specific docs are missing environment variables github/docs#11620 from webpack/bugfix/11617
• 4709719 skip connections copied to concatenated module
• 57b493f 5.0.0-rc.5
• 1658e2f Merge pull request repo sync github/docs#11618 from webpack/bugfix/11615
• a8fb45d fixes crash in SideEffectsFlagPlugin
• 84b196d emit error instead of crashing when unexpected problem occurs
• 5573fed Merge pull request Patch 2 github/docs#11601 from Hornwitser/improve-suggested-polyfill-config
• 9b5cce9 Merge pull request repo sync github/docs#11609 from snitin315/export-types
• 37c495c export type RuleSetUseItem
• 39faf34 export type RuleSetUse
• e5fd246 export type RuleSetConditionAbsolute
• 660baad export RuleSetCondition types
• 13e3ca5 Merge pull request Beaconcha.in ETH2 API 1.0 github/docs#11602 from webpack/bugfix/shared-runtime-chunk
• 9c0587e Merge pull request Index.Md github/docs#11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
• 502d166 Merge pull request https://maps.app.goo.gl/?link=https://www.google.com/maps/dir///@35.7…https://maps.app.goo.gl/?link=https://www.google.com/maps/dir///@35.7761024,50.970624,10z/data%3D!4m5!4m4!1m1!4e2!1m0!3e2?entry%3Dml&apn=com.google.android.apps.maps&amv=914018424&isi=585027354&ibi=com.google.Maps&ius=comgooglemapsurl&utm_campaign=ml_promo&ct=ml-nonlu-md-dc-en&mt=8&pt=9008&cid=5697265834171445826&_fpb=CLgEEMACGgVlbi1VUw==&_cpt=cpit&_iumenbl=1&_iumchkactval=1&_plt=3691&_uit=2653&_cpb=1&_icp=1 github/docs#11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Package name: webpack-cli

The new version differs by 250 commits.

• fb50f76 chore(release): publish new version
• 2c75aeb chore: new version of the packages
• 0d05c30 chore(release): publish %s
• 3f9e151 chore: fix lerna config
• 2c1e34c tests(generator): enhance init generator tests (Is it possible to migrate an OAuth app to Github app without asking users to re-authenticate? github/docs#1236)
• 6ee61b9 Fix loader-generator and plugin-generator tests ($fuckchrisknight 041215663 1318664565848 github/docs#1250)
• 52956a2 Fixing the typos and grammatical errors in Readme files (content/rest/index.mdUpdate index.md github/docs#1246)
• 7faaed2 chore: update Bug_report & Feature_request Templates (Improve docs to be more explanatory github/docs#1256)
• 7a5b33d feat(webpack-cli): added mode argument (Explain how to use environment variables in a test matrix github/docs#1253)
• 3715756 tests(webpack-cli): add test case for defaults flag (Explain how to use environment variables in a test matrix github/docs#1254)
• a7cba2f chore: project maintanance and typescript fix (repo sync github/docs#1247)
• 7748472 chore: ignore package-lock.json and remove its references (Remove extraneous grammar period which breaks the compare URL github/docs#1252)
• a014aa7 docs: fix supported arguments & commands link in README (Dashboard github/docs#1244)
• 06129a1 feat(webpack-cli): add progress bar for progress flag (repo sync github/docs#1238)
• 6cc6a49 chore: post refactor CLI (Update restriction github/docs#1237)
• 358651e chore: move cli under lerna package (Update about-the-dependency-graph.md github/docs#1225)
• 2dc495a fix(init): fix webpack config scaffold (Avoid use branch for example workflows github/docs#1231)
• 1ab62d2 tests(generator): add tests for plugin generator (repo sync github/docs#1235)
• d2dd0c1 tests(sourcemap): fix flaky stats statement (SystemformNuch1991 github/docs#1232)
• f6dc680 tests(loader-generator): add tests for loader generator (Fix the table overflowing sidebar github/docs#1234)
• 35d1381 tests(generator): enable init generator test (index.md github/docs#1233)
• 66cdcb6 chore(generator): remove transpiled tests (Fixes #1190 github/docs#1229)
• f29a170 fix(init): fix the invalid package name (Issue: Improve existing docs github/docs#1228)
• 8c3a66d chore(cli): updated changelog of v3 (Add note that secret scanning endpoints should be able to handle larg… github/docs#1224)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Uncontrolled resource consumption

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@babel/code-frame@7.24.2	environment	0	24.1 kB	nicolo-ribaudo
npm/@babel/helper-annotate-as-pure@7.22.5	None	0	4.02 kB	nicolo-ribaudo
npm/@babel/helper-create-class-features-plugin@7.24.5	None	0	502 kB	nicolo-ribaudo
npm/@babel/helper-environment-visitor@7.22.20	None	0	6.56 kB	nicolo-ribaudo
npm/@babel/helper-function-name@7.23.0	None	0	21.6 kB	nicolo-ribaudo
npm/@babel/helper-member-expression-to-functions@7.24.5	None	0	107 kB	nicolo-ribaudo
npm/@babel/helper-module-imports@7.24.3	None	0	63.8 kB	nicolo-ribaudo
npm/@babel/helper-module-transforms@7.24.5	None	0	158 kB	nicolo-ribaudo
npm/@babel/helper-optimise-call-expression@7.22.5	None	0	6.66 kB	nicolo-ribaudo
npm/@babel/helper-plugin-utils@7.24.5	None	0	130 kB	nicolo-ribaudo
npm/@babel/helper-replace-supers@7.24.1	None	0	32.2 kB	nicolo-ribaudo
npm/@babel/helper-simple-access@7.24.5	None	0	14.1 kB	nicolo-ribaudo
npm/@babel/helper-skip-transparent-expression-wrappers@7.22.5	None	0	5.96 kB	nicolo-ribaudo
npm/@babel/helper-split-export-declaration@7.24.5	None	0	10.7 kB	nicolo-ribaudo
npm/@babel/helper-string-parser@7.24.1	None	0	31.7 kB	nicolo-ribaudo
npm/@babel/helper-validator-identifier@7.24.5	None	0	49.2 kB	nicolo-ribaudo
npm/@babel/helper-validator-option@7.23.5	None	0	11.7 kB	nicolo-ribaudo
npm/@babel/highlight@7.24.5	environment	0	20.3 kB	nicolo-ribaudo
npm/@babel/parser@7.24.5	None	0	1.89 MB	nicolo-ribaudo
npm/@babel/plugin-syntax-flow@7.24.1	None	0	5.42 kB	nicolo-ribaudo
npm/@babel/plugin-syntax-jsx@7.24.1	None	0	4.14 kB	nicolo-ribaudo
npm/@babel/plugin-syntax-typescript@7.24.1	None	0	6.87 kB	nicolo-ribaudo
npm/@babel/plugin-transform-flow-strip-types@7.24.1	None	0	17.7 kB	nicolo-ribaudo
npm/@babel/plugin-transform-modules-commonjs@7.24.1	None	0	42.4 kB	nicolo-ribaudo
npm/@babel/plugin-transform-typescript@7.24.5	None	0	201 kB	nicolo-ribaudo
npm/@babel/preset-flow@7.24.1	None	0	9.08 kB	nicolo-ribaudo
npm/@babel/preset-typescript@7.24.1	None	0	21.5 kB	nicolo-ribaudo
npm/@babel/register@7.23.7	environment, filesystem, unsafe	0	62 kB	nicolo-ribaudo
npm/@babel/template@7.24.0	None	0	68.9 kB	nicolo-ribaudo
npm/@babel/types@7.24.5	environment	0	2.41 MB	nicolo-ribaudo
npm/@gar/promisify@1.1.3	None	0	4.2 kB	gar
npm/@graphql-tools/load@7.0.0	environment	0	125 kB	ardatan
npm/@graphql-tools/merge@6.2.17	None	0	267 kB	ardatan
npm/@graphql-tools/schema@8.5.1	None	0	64.8 kB	ardatan
npm/@graphql-tools/utils@8.13.1	None	0	483 kB	ardatan
npm/@jridgewell/gen-mapping@0.3.5	None	0	81.6 kB	jridgewell
npm/@jridgewell/resolve-uri@3.1.2	None	0	53.2 kB	jridgewell
npm/@jridgewell/set-array@1.2.1	None	0	17.9 kB	jridgewell
npm/@jridgewell/source-map@0.3.6	None	0	177 kB	jridgewell
npm/@jridgewell/sourcemap-codec@1.4.15	None	0	45.9 kB	jridgewell
npm/@jridgewell/trace-mapping@0.3.25	None	0	169 kB	jridgewell
npm/@mrmlnc/readdir-enhanced@2.2.1	filesystem	0	53.9 kB	mrmlnc
npm/@npmcli/fs@1.1.1	filesystem	0	41.9 kB	nlf
npm/@types/eslint-scope@3.7.7	None	0	6.27 kB	types
npm/@types/eslint@8.56.10	None	0	192 kB	types
npm/@types/estree@0.0.45	None	0	22.6 kB	types
npm/@types/json-schema@7.0.15	None	0	31.7 kB	types
npm/@webpack-cli/generators@1.3.1	filesystem	0	159 kB	evilebottnawi
npm/@webpack-cli/info@1.5.0	None	0	6.38 kB	evilebottnawi
npm/@webpack-cli/init@1.1.3	None	0	7.32 kB	evilebottnawi
npm/@webpack-cli/serve@1.7.0	environment	0	17.4 kB	evilebottnawi
npm/aggregate-error@3.1.0	None	0	6.69 kB	sindresorhus
npm/ajv@6.12.6	eval	0	929 kB	esp
npm/ansi-escapes@4.3.2	None	0	16.4 kB	sindresorhus
npm/array-back@4.0.2	None	0	8.94 kB	75lb
npm/array-differ@3.0.0	None	0	3.06 kB	sindresorhus
npm/ast-types@0.14.2	None	0	484 kB	benjamn
npm/async@3.2.5	None	0	808 kB	aearly
npm/babel-core@7.0.0-bridge.0	None	0	1.53 kB	loganfsmyth
npm/binaryextensions@2.3.0	None	0	15.3 kB	bevryme
npm/cacache@15.3.0	filesystem	0	76.3 kB	nlf
npm/call-me-maybe@1.0.2	None	0	3.79 kB	limulus
npm/capture-stack-trace@1.0.2	None	0	2.5 kB	sindresorhus
npm/chardet@0.7.0	filesystem	0	74.8 kB	runk
npm/cli-cursor@3.1.0	None	0	4.37 kB	sindresorhus
npm/cli-table@0.3.11	None	0	17.3 kB	quasistar
npm/cli-width@3.0.0	environment	0	11.5 kB	knownasilya
npm/clone-buffer@1.0.0	None	0	4.28 kB	phated
npm/clone-stats@1.0.0	filesystem	0	3.71 kB	hughsk
npm/cloneable-readable@1.1.3	None	0	21.8 kB	matteo.collina
npm/colors@1.4.0	environment	0	39.5 kB	dabh
npm/command-line-usage@6.1.3	None	0	19.7 kB	75lb
npm/create-error-class@3.0.2	None	0	3.72 kB	floatdrop
npm/cross-spawn@7.0.3	environment, filesystem, shell	0	21.2 kB	satazor
npm/dargs@6.1.0	None	0	10.6 kB	sindresorhus
npm/dateformat@3.0.3	None	0	15 kB	doowb
npm/diff@3.5.0	None	0	622 kB	kpdecker
npm/download-stats@0.3.4	network	0	31.4 kB	doowb
npm/editions@2.3.1	environment	0	59.4 kB	bevryme
npm/ejs@2.7.4	eval, filesystem	0	129 kB	mde
npm/enhanced-resolve@5.16.1	unsafe	0	210 kB	evilebottnawi
npm/envinfo@7.13.0	environment, eval, filesystem, shell	0	162 kB	tabrindle
npm/errlop@2.2.0	None	0	33.6 kB	bevryme
npm/error@7.2.1	None	0	20 kB	raynos
npm/external-editor@3.1.0	environment, filesystem, shell	0	27 kB	mrkmg
npm/figures@3.2.0	None	0	12.1 kB	sindresorhus
npm/filelist@1.0.4	filesystem	0	18.6 kB	mde
npm/findup-sync@4.0.0	filesystem	0	7.12 kB	phated
npm/first-chunk-stream@2.0.0	None	0	8.01 kB	sindresorhus
npm/flow-parser@0.236.0	None	0	727 kB	flowtype
npm/function-bind@1.1.2	None	0	31.4 kB	ljharb
npm/gh-got@5.0.0	environment	0	5.26 kB	sindresorhus
npm/github-username@3.0.0	None	0	3.31 kB	sindresorhus
npm/glob-to-regexp@0.4.1	None	0	18.1 kB	nickfitzgerald
npm/glob@7.2.3	filesystem	0	55.1 kB	isaacs
npm/graceful-fs@4.2.11	environment, filesystem	0	32.5 kB	isaacs
npm/grouped-queue@1.1.0	None	0	7.58 kB	sboudrias
npm/hasown@2.0.2	None	0	8.77 kB	ljharb
npm/http2-wrapper@1.0.3	network	0	53.1 kB	szmarczak
npm/import-from@4.0.0	unsafe	0	4.91 kB	sindresorhus
npm/inquirer@7.3.3	None	0	84.5 kB	sboudrias
npm/interpret@2.2.0	None	0	17.2 kB	phated
npm/is-core-module@2.13.1	None	0	30.2 kB	ljharb
npm/is-glob@4.0.3	None	0	13.6 kB	phated
npm/is-redirect@1.0.0	None	0	2.47 kB	sindresorhus
npm/is-scoped@1.0.0	None	0	2.51 kB	sindresorhus
npm/is-unicode-supported@0.1.0	None	0	3.54 kB	sindresorhus
npm/is-utf8@0.2.1	None	0	4.34 kB	wayfind
npm/isbinaryfile@4.0.10	filesystem	0	12.5 kB	gjtorikian
npm/istextorbinary@2.6.0	None	0	57.3 kB	bevryme
npm/jake@10.9.1	environment, filesystem, shell	0	175 kB	mde
npm/jest-worker@26.6.2	environment, shell	0	66.9 kB	simenb
npm/jscodeshift@0.11.0	None	0	170 kB	flowtype
npm/jsonparse@1.3.1	None	0	36.8 kB	creationix
npm/jsonstream@1.3.5	None	0	0 B
npm/loader-runner@4.3.0	eval, filesystem	0	18.4 kB	sokra
npm/log-symbols@4.1.0	None	0	4.58 kB	sindresorhus
npm/mem-fs-editor@6.0.0	filesystem	0	17 kB	sboudrias
npm/mem-fs@1.2.0	None	0	2.83 kB	sboudrias

🚮 Removed packages: npm/@ardatan/aggregate-error@0.0.6, npm/@babel/code-frame@7.0.0, npm/@babel/helper-annotate-as-pure@7.12.13, npm/@babel/helper-create-class-features-plugin@7.12.13, npm/@babel/helper-function-name@7.8.3, npm/@babel/helper-get-function-arity@7.8.3, npm/@babel/helper-member-expression-to-functions@7.12.13, npm/@babel/helper-module-imports@7.12.13, npm/@babel/helper-module-transforms@7.12.13, npm/@babel/helper-optimise-call-expression@7.12.13, npm/@babel/helper-plugin-utils@7.8.3, npm/@babel/helper-replace-supers@7.12.13, npm/@babel/helper-simple-access@7.12.13, npm/@babel/helper-skip-transparent-expression-wrappers@7.12.1, npm/@babel/helper-split-export-declaration@7.8.3, npm/@babel/helper-validator-identifier@7.10.4, npm/@babel/helper-validator-option@7.12.11, npm/@babel/highlight@7.0.0, npm/@babel/parser@7.8.3, npm/@babel/plugin-syntax-jsx@7.12.13, npm/@babel/plugin-transform-modules-commonjs@7.12.13, npm/@babel/template@7.8.3, npm/@babel/types@7.8.3, npm/@graphql-tools/load@6.2.5, npm/@graphql-tools/merge@6.2.5, npm/@graphql-tools/schema@7.0.0, npm/@graphql-tools/utils@7.0.2, npm/@types/json-schema@7.0.5, npm/aggregate-error@3.0.1, npm/ajv@6.11.0, npm/aproba@1.2.0, npm/asn1.js@4.10.1, npm/assert@1.4.1, npm/async-each@1.0.3, npm/async@3.2.0, npm/binary-extensions@1.13.1, npm/bn.js@5.1.2, npm/brorand@1.1.0, npm/browserify-aes@1.2.0, npm/browserify-cipher@1.0.1, npm/browserify-des@1.0.2, npm/browserify-rsa@4.0.1, npm/browserify-sign@4.2.0, npm/browserify-zlib@0.2.0, npm/buffer-xor@1.0.3, npm/buffer@4.9.2, npm/builtin-status-codes@3.0.0, npm/cacache@12.0.4, npm/cipher-base@1.0.4, npm/console-browserify@1.2.0, npm/constants-browserify@1.0.0, npm/copy-concurrently@1.0.5, npm/create-ecdh@4.0.3, npm/create-hash@1.2.0, npm/create-hmac@1.1.7, npm/cross-spawn@7.0.2, npm/crypto-browserify@3.12.0, npm/cyclist@1.0.1, npm/des.js@1.0.1, npm/diffie-hellman@5.0.3, npm/domain-browser@1.2.0, npm/duplexify@3.7.1, npm/elliptic@6.5.3, npm/enhanced-resolve@4.3.0, npm/esrecurse@4.2.1, npm/evp_bytestokey@1.0.3, npm/figgy-pudding@3.5.2, npm/findup-sync@3.0.0, npm/flush-write-stream@1.1.1, npm/from2@2.3.0, npm/fs-write-stream-atomic@1.0.10, npm/fsevents@1.2.11, npm/function-bind@1.1.1, npm/glob@7.1.3, npm/graceful-fs@4.1.11, npm/hash-base@3.1.0, npm/hash.js@1.1.7, npm/hmac-drbg@1.0.1, npm/https-browserify@1.0.0, npm/iferr@0.1.5, npm/import-from@3.0.0, npm/interpret@1.4.0, npm/is-binary-path@1.0.1, npm/is-core-module@2.1.0, npm/is-glob@3.1.0, npm/jest-worker@26.0.0, npm/loader-runner@2.4.0, npm/md5.js@1.3.5, npm/miller-rabin@4.0.1, npm/mime-db@1.38.0, npm/mime-types@2.1.22, npm/mime@2.4.4, npm/mimic-fn@2.1.0, npm/mimic-response@1.0.1, npm/min-document@2.19.0, npm/min-indent@1.0.1, npm/mini-css-extract-plugin@0.9.0, npm/minimalistic-assert@1.0.1, npm/minimalistic-crypto-utils@1.0.1, npm/minimatch@3.0.4, npm/minimist-options@4.1.0, npm/minimist@1.2.6, npm/minipass-collect@1.0.2, npm/minipass-flush@1.0.5, npm/minipass-pipeline@1.2.4, npm/minipass@3.1.3, npm/minizlib@2.1.2, npm/mississippi@3.0.0, npm/mixin-deep@1.3.2, npm/mixin-object@2.0.1, npm/mkdirp-classic@0.5.3, npm/mkdirp@1.0.3, npm/mock-express-request@0.2.2, npm/mock-express-response@0.2.2, npm/mock-req@0.2.0, npm/mock-res@0.5.0, npm/mockdate@3.0.2, npm/morgan@1.9.1, npm/move-concurrently@1.0.1

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Install scripts	npm/ejs@2.7.4	Install script: postinstall Source: node ./postinstall.js	package-lock.json

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/ejs@2.7.4