[Snyk] Fix for 35 vulnerabilities

[SaFiSec]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-BOOTSTRAP-173700	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-D3COLOR-1076592	Yes	Proof of Concept
	504/1000 Why? Has a fix available, CVSS 5.8	Prototype Pollution SNYK-JS-HIGHLIGHTJS-1045326	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HIGHLIGHTJS-1048676	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-JPEGJS-2859218	No	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-JPEGJS-570039	No	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-JQUERY-174006	No	Proof of Concept
	701/1000 Why? Mature exploit, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	No	Mature
	711/1000 Why? Mature exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-JQUERY-567880	No	Mature
	509/1000 Why? Has a fix available, CVSS 5.9	Cryptographic Weakness SNYK-JS-JSRSASIGN-1244072	Yes	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Improper Verification of Cryptographic Signature SNYK-JS-JSRSASIGN-2869122	Yes	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Timing Attack SNYK-JS-JSRSASIGN-561755	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Signature Bypass SNYK-JS-JSRSASIGN-572936	No	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Memory Corruption SNYK-JS-JSRSASIGN-572937	No	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Remote Code Execution (RCE) SNYK-JS-JSRSASIGN-572938	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-NODEFORGE-2330875	Yes	Proof of Concept
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-NODEFORGE-2331908	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430337	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430339	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430341	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-NODEFORGE-598677	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-1023599	No	Proof of Concept
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-1072471	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-610226	No	Proof of Concept
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	XML External Entity (XXE) Injection SNYK-JS-XMLDOM-1084960	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: bootstrap

The new version differs by 192 commits.

• 8fa0d30 Release v4.3.1. (#28252)
• dae20da Remove unneeded glob. (#28249)
• 10b97f6 Fix npm package contents
• 7bc4d2e Add sanitize template option for tooltip/popover plugins.
• bf2515a Update RFS to v8.0.1 (#28245)
• 45ced60 Update font size (#28232)
• 1ded0d6 Release v4.3.0 (#28228)
• 3aa0770 docs snippets: a few more minor tweaks (#28225)
• adf16da toasts.md: Remove useless `div`s.
• 2bfe581 Remove stray parameter from capture.
• bbf8b76 Cosmetic changes in snippets.
• 7a9a8db docs: remove `-ms-overflow-style: -ms-autohiding-scrollbar` (#28220)
• 24253b1 migration.md: use https. (#28221)
• 545f3fa Prevent text selection in placeholder images (#28218)
• 94acdee Revert "Silence mkdir. (#28184)" (#28209)
• 6c7dcc6 placeholder.svg: Partially revert the changes from c0e42cb. (#28216)
• 1145365 Reword footer text.
• bd328bf Use the `site.repo` variable.
• a920429 Change footer link to point to the docs team page
• c56b10c Offcanvas example: transition the transform (#28203)
• 52e6ce4 Update devDependencies. (#28175)
• 93dec4c Fix scrollable modal snippet
• 51375ab Responsive font size implementation (#23816)
• d250567 Remove `-ms-autohiding-scrollbar` to prevent overlapping the table content (#28153)

See the full diff

Package name: d3

The new version differs by 189 commits.

• 1b8bada 7.0.0
• b98d63a update API
• 23b0212 Adopt type: module. (#3506)
• 0f01226 Fix broken markdown for link
• 5149a2f 6.7.0
• a8ebbc5 update d3-time, d3-scale
• 31d73d1 6.6.2
• 1836b64 update d3-scale
• 76c92ca 6.6.1
• ff34b4c d3-array 2.12.1
• cff66a4 add space
• b62d444 fix a typo in API.md
• 607a60f 6.6.0
• 11aa552 update dependencies
• 37cd9bf 6.5.0
• 73110b9 d3-array 2.11
• 12336e3 6.4.0
• afd34bb update dependencies
• e9fee2c 6.3.1
• ec388d8 Update d3-array.
• a8baadf 6.3.0
• 4d3baf7 Update d3-array.
• 3c63660 6.2.0
• ffb43e6 Update d3-array, d3-scale.

See the full diff

Package name: jimp

The new version differs by 114 commits.

• 2b3413a Bump version to: v0.12.0 [skip ci]
• 0bd02d5 Update CHANGELOG.md [skip ci]
• 651de24 Fix package.json
• a2b44a1 Add readme description
• 697f2a6 Remove compiling polyfills into published code (Delete file-32x32.png gchq/CyberChef#891)
• ec736c9 Bump version to: v0.11.0 [skip ci]
• a52b096 Update CHANGELOG.md [skip ci]
• 2f99663 Make callback optional for Jimp.rgbaToInt (Delete favicon.ico gchq/CyberChef#889)
• 585c1ab Removed Core-JS as a dependency. (Delete cook_female-32x32.png gchq/CyberChef#882)
• 3719710 Bump version to: v0.10.3 [skip ci]
• 30f04f7 Update CHANGELOG.md [skip ci]
• e93497a Simplify and fix flip (Made GIF extractor more robust. gchq/CyberChef#879)
• dd7a6ba Bump version to: v0.10.2 [skip ci]
• baf756c Update CHANGELOG.md [skip ci]
• b038cba Rewrite handling EXIF orientation — add tests, make it plugin-independent (Feature request: remember scroll position after tab change gchq/CyberChef#875)
• 44ce60b Bump version to: v0.10.1 [skip ci]
• da6bf75 Update CHANGELOG.md [skip ci]
• bd5ba89 Update package.json (Bug report: Gzip comment not working gchq/CyberChef#870)
• 3cc4a4c Fix a `loadFont` and case inconsistency of `jimp` (Update .editorconfig aling with the navbar code in between gchq/CyberChef#868)
• c23237b Bump version to: v0.10.0 [skip ci]
• 1add0ba Update CHANGELOG.md [skip ci]
• e1d05da Properly split constructor and instance types (AES encrypt/decrypt padding option gchq/CyberChef#867)
• 3a3df33 Bump version to: v0.9.8 [skip ci]
• df1fd79 Update CHANGELOG.md [skip ci]

See the full diff

Package name: jsonpath

The new version differs by 7 commits.

• c1dd8ec version 1.1.1
• 1303356 upgrade underscore dependency version
• eafa80c version 1.1.0
• c125a0c Merge pull request Feature: 'Comment' operation gchq/CyberChef#123 from chris-branch/master
• 778bc1e version 1.0.2
• 7fbf022 make jison a dev dependency and better support imports
• 9fec3fa Bug fix for permissions issue during global installs

See the full diff

Package name: node-forge

The new version differs by 128 commits.

• 6c5b901 Release 1.3.0.
• 0f3972a Update changelog.
• dc77b39 Fix error checking.
• bb822c0 Add advisory links.
• d4395fe Update changelog.
• a4405bb Improve signature verification tests.
• aa9372d Add missing RFC 8017 algorithm identifiers.
• 3f0b49a Fix signature verification issues.
• c20f309 Adjust remaining length.
• e27f612 Remove unused option.
• 2b1f368 Add fallback to pretty print invalid UTF8 data.
• 7928551 Start 1.2.2-0.
• 2162bfc Release 1.2.1.
• 43a456e Update changelog.
• 2f3820a Refactor logging to avoid use of URLSearchParams.
• 50a20ec Load entire module while testing.
• 1545316 Start 1.2.1-0.
• 866ed40 Release 1.2.0.
• a9f013a Update changelog.
• f8e498a Fix typos.
• 9d8b0ee Add verification helper.
• 2fb9995 Add helper to create signature digest.
• 03d3ed7 Added alternate OID 1.3.14.3.2.29 for sha1 with RSA
• 874cef8 Update changelog.

See the full diff

Package name: ua-parser-js

The new version differs by 127 commits.

• 9999815 Update version number to 0.7.24
• 809439e Fix potential ReDoS vulnerability as reported by Doyensec
• 5b83893 Merge pull request Bug Fix: Fix conversion when using compass directions as input delimiters gchq/CyberChef#479 from joeyparrish/develop
• 9d154cc chore: Update build
• 7679003 fix: Xbox OS detection
• 45bf76a Merge pull request simple docker for dev gchq/CyberChef#474 from dust-off/master
• f543c5a facebook movile app with no browser info
• 89a72c2 Merge pull request bugfix for UTF16 vs UTF8 problems gchq/CyberChef#471 from jishidaaaaa/fix-firetv-detection
• 314131d Merge pull request Bug report: ToBase64 description is incorrect gchq/CyberChef#472 from GeraldHost/master
• 386ebc2 feat: update readme playstation
• b0f14de Fix Detection Rule For Amazon Fire TV
• fd8a583 Merge pull request Bug Report: aes encryption in GCM mode is incorrect gchq/CyberChef#469 from bynice/patch-1
• cc2da93 Merge pull request Allow alternatives to viewing URLs "on Wikipedia" gchq/CyberChef#368 from Deliaz/master
• 34e2e80 Update ua-parser.js
• 26c74ef Merge branch 'develop' into master
• e4b3029 Merge pull request Operation request: Extract Hash Values gchq/CyberChef#466 from yoyo837/patch-1
• b7d4865 Update homepage
• d5ab75a Merge branch 'master' of github.com:faisalman/ua-parser-js
• c7475db 0.7.23
• 83d37b4 Merge pull request Operation request: Image manipulation operations from Jimp gchq/CyberChef#451 from dineshks1/master
• 2d53ceb Merge branch 'develop' of github.com:faisalman/ua-parser-js into develop
• d107155 Merge pull request Operation Request - de bruijn sequence generator gchq/CyberChef#463 from vinyldarkscratch/bump-deps
• 43fb4d1 Merge pull request Improve Date format in 'Parse X.509 certificate' gchq/CyberChef#459 from WizKid/master
• 6d1f26d Fix ReDoS vulnerabilities reported by Snyk

See the full diff

Package name: xmldom

The new version differs by 160 commits.

• f763b00 xmldom version 0.5.0
• d4201b9 Merge pull request from GHSA-h6q6-9hqw-rwfv
• a4d717c Update MDN links in readme.md (OTP operations gchq/CyberChef#188)
• e984b3f Update @ stryker-mutator/core -> ^4.4.1 - devDependencies (Bug report: Save to file not working in Edge browser gchq/CyberChef#184)
• c762161 Update stryker monorepo (major) (Fix bug with UTF16LE in Encode/Decode ops gchq/CyberChef#140)
• fd47c51 Fix breaking preprocessors' directives when parsing attributes (Added JPath expression operation gchq/CyberChef#171)
• baa67f5 Update xmltest -> ^1.5.0 - devDependencies (Bug fix: Substitute commas gchq/CyberChef#182)
• 64c7388 fix(dom): Escape `]]>` when serializing CharData (Misc: Mobile UI gchq/CyberChef#181)
• b73a965 Update eslint-config-prettier -> ^7.2.0 - devDependencies (New 'pretty' recipe format gchq/CyberChef#179)
• 21bc17e Switch to (only) MIT license (Adds support to build/run CyberChef in a Docker container. gchq/CyberChef#178)
• ad773c9 test: Use toBe/toStrictEqual instead of toEqual ([Operation] String escape/unescape functions gchq/CyberChef#175)
• 23608d9 chore: Add karfau as contributor (Added a GeoCities theme gchq/CyberChef#177)
• dbd2171 Export DOMException; remove custom assertions; etc. (Bug report: Downloadable version not working on Safari due to unavailable localStorage gchq/CyberChef#174)
• 8698e6b Update eslint-config-prettier -> 7 - devDependencies (Feature Request: Jscript.Encode Decoder gchq/CyberChef#165)
• 7aa75c7 Update nodemon -> ^2.0.7 - devDependencies ([Fix] Adds scrolling to description popover gchq/CyberChef#170)
• 8236db1 build(deps): bump node-notifier from 8.0.0 to 8.0.1 (Updated dependencies and linted gchq/CyberChef#169)
• 484005e Update eslint -> ^7.18.0 - devDependencies (Windows Filetime mod gchq/CyberChef#162)
• c33b2f5 Update eslint-plugin-prettier -> ^3.3.1 - devDependencies (Feature request: Addition of Chi-Squared Entropy Algorithm gchq/CyberChef#164)
• 5d13108 Update actions/setup-node action -> 2 - action (Binary-Coded Decimal operations gchq/CyberChef#167)
• 7f32da6 Update prettier -> ^2.2.1 - devDependencies ([Feature] HTTP Gzip payload decryption gchq/CyberChef#163)
• d4040a7 build(deps): bump ini from 1.3.5 to 1.3.8 (Differential schemes to 'XOR Brute Force' operation gchq/CyberChef#166)
• f7b44d9 Update eslint -> ^7.12.1 - devDependencies (Bug report: Image display issue in dev and prod gchq/CyberChef#157)
• 7493052 Update jest -> ^26.6.3 - devDependencies (Send File Data To Input gchq/CyberChef#161)
• 2107a91 Update jest -> ^26.6.2 - devDependencies (Remove preloader ring overlap gchq/CyberChef#159)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 XML External Entity (XXE) Injection
🦉 Arbitrary Code Injection
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn