[Snyk] Fix for 13 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • pinot-controller/src/main/resources/package.json
  • pinot-controller/src/main/resources/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIHTML-1296849	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	No	Proof of Concept
	344/1000 Why? Has a fix available, CVSS 2.6	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	No	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-SOCKJS-575261	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: axios

The new version differs by 115 commits.

• e367be5 [Releasing] 0.21.3
• 83ae383 Correctly add response interceptors to interceptor chain (Flaky Test List from https://github.com/apache/incubator-pinot/pull/4009#issuecomment-476204196 apache/pinot#4013)
• c0c8761 [Updating] changelog to include links to issues and contributors
• 619bb46 [Releasing] v0.21.2
• 82c9455 Create SECURITY.md ([TE] detection - align metric slices apache/pinot#3981)
• 5b45711 Security fix for ReDoS ([TE] frontend - harleyjj/preview - default preview to 2 days to accom… apache/pinot#3980)
• 5bc9ea2 Update ECOSYSTEM.md ([TE] frontend - harleyjj/yaml-editor - makes yaml autocomplete insert… apache/pinot#3817)
• e72813a Fixing README.md ([TE] frontend - aarouncsd/add debug global flag apache/pinot#3818)
• e10a027 Fix README typo under Request Config (Fix a typo and javadoc in SegmentCreationJob apache/pinot#3825)
• e091491 Update README.md ([TE] backend - add an API to clear cache for DefaultDataProvider apache/pinot#3936)
• b42fbad Removed un-needed bracket
• 520c8dc Updating CI status badge ([TE] detection - default merger gap apache/pinot#3953)
• 4fbeecb Adding CI on Github Actions. ([TE] Yaml - configure moving window detection in detection yaml apache/pinot#3938)
• e9965bf Fixing the sauce labs tests (Refactor Hadoop Jobs apache/pinot#3813)
• dbc634c Remove charset in tests (Reserve version 0.2.0 for the next release apache/pinot#3807)
• 3958e9f Add explanation of cancel token ([TE] Retain status of inactive functions apache/pinot#3803)
• 69949a6 Adding custom return type support to interceptor (Add methods toPrettyJsonString() and toSingleLineJsonString() to Schema apache/pinot#3783)
• 49509f6 Create FUNDING.yml ([PINOT-6] Fix Windows compatibility of a batch of pinot-core tests apache/pinot#3796)
• 199c8aa Adding parseInt to config.timeout (Add license header for codemirror/ruby.js apache/pinot#3781)
• 94fc4ea Adding isAxiosError typeguard documentation ([TE] detection - yaml translation/migration changes apache/pinot#3767)
• 0ece97c Fixing quadratic runtime when setting a maxContentLength (Update Pinot admin webpages with right references apache/pinot#3738)
• a18a0ec Updating `lib/core/README.md` about Dispatching requests (Update pom files for preparing Apache release apache/pinot#3772)
• 59fa614 [Updated] follow-redirects to the latest version (Modify Makefile for docs apache/pinot#3771)
• 7821ed2 Feat/json improvements (Add log for delete table API apache/pinot#3763)

See the full diff

Package name: cross-fetch

The new version differs by 13 commits.

• c6089df chore(release): 3.1.5
• a3b3a94 chore: updated node-fetch version to 2.6.7 ([Snyk] Security upgrade com.fasterxml.jackson.core:jackson-databind from 2.10.0 to 2.13.2.1 #124)
• efed703 chore: updated node-fetch version to 2.6.5
• 694ff77 refactor: removed ora from dependencies
• efc5956 refactor: added .vscode to .gitignore
• da605d5 refactor: renamed test/fetch/ to test/fetch-api/ and test/module/ to test/module-system/
• 0f0d51d chore: updated minor and patch versions of dev dependencies
• c6e34ea refactor: removed sinon.js
• f524a52 fix: yargs was incompatible with node 10
• 7906fcf chore: updated dev dependencies
• 24bc35a chore: added make browser task
• 6baf09d chore: added closeOnExec param to ./bin/server
• 80c46c1 chore: added exec param to ./bin/server

See the full diff

Package name: html-loader

The new version differs by 55 commits.

• d7cccfa chore(release): 1.0.0
• 3c9a1d8 refactor: `attributes` option ([Snyk] Security upgrade com.google.protobuf:protobuf-java from 3.11.4 to 3.16.3 #265)
• 8c73761 feat: `preprocessor` option ([Snyk] Security upgrade com.google.api:gax-httpjson from 0.75.2 to 0.105.0 #263)
• f2ce5b1 feat: improve errors
• 9923244 chore(deps): update ([Snyk] Security upgrade org.testng:testng from 6.11 to 7.0.0 #260)
• 9835bde feat: supports `link:href` attribute for css ([Snyk] Security upgrade org.yaml:snakeyaml from 1.30 to 1.32 #258)
• 7af2eff refactor: improve schema ([Snyk] Security upgrade io.swagger:swagger-jaxrs from 1.5.16 to 1.6.9 #257)
• 98412f9 docs: `filter` sources ([Snyk] Security upgrade com.azure:azure-identity from 1.4.6 to 1.7.0 #256)
• ff0f44c feat: implement the `filter` option for filtering some of sources ([Snyk] Fix for 1 vulnerabilities #255)
• 1c24662 refactor: move the `root` option under the `attributes` option ([Snyk] Security upgrade org.glassfish.jersey.media:jersey-media-json-jackson from 2.35 to 3.0.4 #254)
• 888b8fe docs: add footnote for `-attributes` ([Snyk] Security upgrade org.apache.hadoop:hadoop-common from 2.10.1 to 2.10.2 #252)
• 3d2907e refactor: remove the `interpolate` option
• bd979e2 refactor: remove the `interpolate` option
• fcba4ec fix: handle only valid srcset tags ([Snyk] Fix for 1 vulnerabilities #253)
• 9e5ce56 perf: improve source parse ([Snyk] Security upgrade org.apache.hadoop:hadoop-common from 2.10.1 to 2.10.2 #251)
• c9c8dad refactor: improve source parse ([Snyk] Security upgrade software.amazon.awssdk:s3 from 2.14.28 to 2.17.0 #250)
• 079d623 fix: respect `#hash` in sources
• a17df49 fix: reduce `import`/`require` count
• d0b0150 fix: adding quotes when necessary for unquoted sources ([Snyk] Security upgrade com.fasterxml.jackson.core:jackson-databind from 2.10.0 to 2.12.7.1 #247)
• e3727ab test: minifier
• 0bbe29c feat: migrate on `htmlparse2`
• b7af031 fix: escape `\u2028` and `\u2029` characters ([Snyk] Security upgrade com.google.protobuf:protobuf-java from 3.11.4 to 3.16.3 #244)
• 24b0427 fix: parser tags and attributes according spec ([Snyk] Security upgrade com.google.protobuf:protobuf-java from 3.19.2 to 3.19.6 #243)
• 3df909d feat: support `script:src` attributes

See the full diff

Package name: webpack-dev-server

The new version differs by 250 commits.

• c9271b9 chore(release): 4.0.0
• 18bf369 test: fix stability ([TE] Fix for anomaly legend values for non_additive daily metrics apache/pinot#3676)
• cdcabb2 fix: respect protocol from browser for manual setup (Sslbranch apache/pinot#3675)
• 1768d6b fix: initial reloading for lazy compilation ([TE] yaml - fix detection config DTO revert in yaml alert creation apache/pinot#3662)
• 4f5bab1 docs: improve examples (Change package name from com.linkedin to org.apache apache/pinot#3672)
• f2d87fb fix: improve https CLI output (thirdeye with druid apache/pinot#3673)
• 0277c5e chore: remove redundant console statements ( Make different PinotFS concrete classes have the same behaviors apache/pinot#3671)
• 16fcdbc docs: add `ipc` example (Try fixing flaky tests by adding 0.5s sleep apache/pinot#3667)
• 8915fb8 test: add e2e tests for built in routes (Added a log when access is denied apache/pinot#3669)
• 4d1cbe1 docs: ask `version` information in issue template (Split validation manager tasks into separate periodic tasks apache/pinot#3668)
• b6c1881 chore(deps-dev): bump core-js from 3.16.1 to 3.16.2 ([TE] task - yet another backlog gauge fix apache/pinot#3666)
• ffa8cc5 chore(deps-dev): bump supertest from 6.1.5 to 6.1.6 (Better handle error messages in periodic tasks apache/pinot#3665)
• f1fdaa7 chore(release): 4.0.0-rc.1
• c4678bc fix: legacy API ([TE] Skip scheduling detection task if one is already in the queue apache/pinot#3660)
• d8bdd03 test: fix stability (Add documentation for the new config format apache/pinot#3661)
• 22b1414 refactor: remove `killable` (Your project linkedin/pinot is using buggy third-party libraries [WARNING] apache/pinot#3657)
• 75bafbf test: add e2e tests for module federation (Your project linkedin/pinot is using buggy third-party libraries [WARNING] apache/pinot#3658)
• 493ccbd chore(deps): update `ws` (Your project linkedin/pinot is using buggy third-party libraries [WARNING] apache/pinot#3652)
• ae8c523 test: add e2e test for universal compiler (Your project linkedin/pinot is using buggy third-party libraries [WARNING] apache/pinot#3656)
• f94b84f chore(deps): update (Your project linkedin/pinot is using buggy third-party libraries [WARNING] apache/pinot#3655)
• 1923132 test: fix cli
• 2adfd01 test: fix todo (Your project linkedin/pinot is using buggy third-party libraries [WARNING] apache/pinot#3653)
• 6e2cbde fix: proxy logging and allow to pass options without the `target` option (Your project linkedin/pinot is using buggy third-party libraries [WARNING] apache/pinot#3651)
• c9ccc96 fix: respect infastructureLogging.level for client.logging (Add config to set batchMessageMode on ideal state of new tables apache/pinot#3613)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Denial of Service (DoS)
🦉 More lessons are available in Snyk Learn