[Snyk] Fix for 15 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Cross-site Scripting (XSS) SNYK-JS-DOMPURIFY-1016634	No	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-DOMPURIFY-1035544	No	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-JQUERY-174006	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-JQUERY-567880	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-1070800	Yes	No Known Exploit
	444/1000 Why? Has a fix available, CVSS 4.6	Cross-site Scripting (XSS) SNYK-JS-NEXTCLOUDDIALOGS-1245465	Yes	No Known Exploit
	519/1000 Why? Has a fix available, CVSS 6.1	Cross-site Scripting (XSS) SNYK-JS-SELECT2-456562	Yes	No Known Exploit
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) npm:jquery:20150627	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @nextcloud/axios

The new version differs by 34 commits.

• 24c2a12 1.5.0
• b6b8003 Update changelog
• 17a67a8 Merge pull request Show error message if config file is not readable nextcloud/server#185 from nextcloud/dependabot/npm_and_yarn/axios-0.21.0
• c5444bc Merge pull request Version on download.nextcloud.com is 9.0.51 nextcloud/server#184 from nextcloud/dependabot/npm_and_yarn/babel-jest-26.6.1
• 446edae Bump axios from 0.20.0 to 0.21.0
• 5c51964 Bump babel-jest from 26.5.2 to 26.6.1
• 01f61ac Merge pull request Recommendations for Configuring Memory Caching nextcloud/server#183 from nextcloud/dependabot/npm_and_yarn/jest-26.6.1
• 0c095da Bump jest from 26.5.3 to 26.6.1
• 0bdf5f6 Merge pull request white screen if webserver has no read access to config.php nextcloud/server#180 from nextcloud/dependabot/npm_and_yarn/jest-26.5.3
• eb0f642 Merge pull request Right Click Custom Context nextcloud/server#182 from nextcloud/dependabot/npm_and_yarn/babel/preset-env-7.12.1
• c5584ba Merge pull request Adjust message "This server has no working Internet connection" nextcloud/server#181 from nextcloud/dependabot/npm_and_yarn/babel/core-7.12.3
• 96e9931 Merge pull request The ability to FTP/FTPS/SFTP Files & Folders DIRECTLY into the Nextcloud Data Store. nextcloud/server#179 from nextcloud/dependabot/npm_and_yarn/babel/preset-typescript-7.12.1
• 078b015 Bump jest from 26.5.2 to 26.5.3
• 9dcd541 Bump @ babel/preset-env from 7.11.5 to 7.12.1
• 5fd9000 Bump @ babel/core from 7.11.6 to 7.12.3
• 6c173f3 Merge pull request [stable9] Branding nextcloud/server#178 from nextcloud/dependabot/npm_and_yarn/babel/cli-7.12.1
• cfee66e Bump @ babel/preset-typescript from 7.10.4 to 7.12.1
• d0a2aaa Bump @ babel/cli from 7.11.6 to 7.12.1
• 6ca1093 Merge pull request v9.0.51 nextcloud/server#177 from nextcloud/dependabot/npm_and_yarn/babel-jest-26.5.2
• b58f984 Bump babel-jest from 26.3.0 to 26.5.2
• e4d2321 Merge pull request replaced ownCloud by Nextcloud in config sample nextcloud/server#176 from nextcloud/dependabot/npm_and_yarn/jest-26.5.2
• 6ee239a Bump jest from 26.4.2 to 26.5.2
• 36eb1fa Merge pull request Port WND nextcloud/server#175 from nextcloud/dependabot/npm_and_yarn/typedoc-0.19.2
• 0a857a1 Bump typedoc from 0.19.1 to 0.19.2

See the full diff

Package name: @nextcloud/dialogs

The new version differs by 213 commits.

• 9e4acef 3.1.2
• b41ec38 Prepare changelog for v3.1.2
• 66922d9 Add releasing info to README
• 7ae200f Merge pull request Tuning of Theming (color) options  nextcloud/server#328 from nextcloud/bump-toastify-js
• e0dc11d Run l10n:extract
• 441785f Define as nullable
• da92227 Bump ToastifyJS to 1.10.0
• 770eed0 Merge pull request Fix config sample text nextcloud/server#319 from nextcloud/dependabot/npm_and_yarn/rollup/plugin-node-resolve-11.2.1
• 5674ac9 Merge pull request Cloud Sync to Backblaze B2 nextcloud/server#288 from nextcloud/dependabot/npm_and_yarn/babel-loader-exclude-node-modules-except-1.1.2
• 47770b4 Merge pull request [stable9] Use paramterized parameter for \OC\SystemTag\SystemTagManager nextcloud/server#298 from nextcloud/dependabot/npm_and_yarn/rollup/plugin-babel-5.3.0
• 621eb38 Merge pull request Add "goto" links for files in non-default file lists nextcloud/server#312 from nextcloud/dependabot/npm_and_yarn/typescript-4.0.7
• 00ed6ac Merge pull request Added occ install option for database-port nextcloud/server#323 from nextcloud/dependabot/npm_and_yarn/rollup/plugin-commonjs-18.0.0
• e05efd7 Merge pull request max upload size can't be saved nextcloud/server#322 from nextcloud/dependabot/npm_and_yarn/rollup-plugin-typescript2-0.30.0
• 1c6653c Merge pull request Fix docker image naming issue for CI nextcloud/server#324 from nextcloud/dependabot/npm_and_yarn/babel/preset-env-7.13.12
• 89a0692 Merge pull request [stable9] Fix docker image naming issue for CI nextcloud/server#325 from nextcloud/dependabot/npm_and_yarn/babel/cli-7.13.14
• 58ff492 Merge pull request Use the search bar to search for files by tag nextcloud/server#326 from nextcloud/dependabot/npm_and_yarn/babel/core-7.13.14
• 2b3f05c Bump @ babel/core from 7.12.13 to 7.13.14
• 1a2b4ba Bump @ babel/cli from 7.12.13 to 7.13.14
• 2db64ff Bump @ babel/preset-env from 7.13.9 to 7.13.12
• 8a10a57 Bump @ rollup/plugin-commonjs from 17.0.0 to 18.0.0
• a9cb557 Bump rollup-plugin-typescript2 from 0.29.0 to 0.30.0
• ec96fd3 Bump @ rollup/plugin-node-resolve from 11.0.1 to 11.2.1
• 244b42d Merge pull request Public links for calendar nextcloud/server#318 from nextcloud/dependabot/npm_and_yarn/rollup-2.42.0
• aa11a0e Bump rollup from 2.38.5 to 2.42.0

See the full diff

Package name: @nextcloud/vue

The new version differs by 108 commits.

• 06f5ad8 2.8.0
• 6171d6a Merge pull request API getRemoteThumbnailByServer nextcloud/server#1490 from nextcloud/fix/rich-content-multiline
• 6ee899e Fix multiLine prop
• 1283661 Merge pull request Return 404 on v2.php when the app is disabled nextcloud/server#1489 from nextcloud/fix/avatar-cleanup
• 988eb3e Cleanup avatar fetching methods
• 141a716 Merge pull request [Upstream] fix birthday calendar component nextcloud/server#1457 from nextcloud/poc-cache-hasavatar
• 8c7576c Merge pull request Reduce server requirements by redirecting webdav-transfer directly to object storage nextcloud/server#1486 from nextcloud/dependabot/npm_and_yarn/babel/core-7.12.3
• b2640ac Merge pull request Move integration tests to single execution containers in .drone.yml nextcloud/server#1487 from nextcloud/dependabot/npm_and_yarn/vue2-datepicker-3.6.3
• 8c87d6d Bump vue2-datepicker from 3.6.2 to 3.6.3
• b6009b9 Bump @ babel/core from 7.12.1 to 7.12.3
• 93dd0f7 Merge pull request Hide collaborative tag input when empty nextcloud/server#1469 from nextcloud/translations_l10n-messages-pot--master_gl
• 734fc0b Merge pull request Autocomplete for occ app commands nextcloud/server#1476 from nextcloud/translations_l10n-messages-pot--master_de_DE
• becc663 Merge pull request Fix the font in the select2 placeholders nextcloud/server#1473 from nextcloud/translations_l10n-messages-pot--master_it
• 76ec8fc Merge pull request Invitations not sent when added meetings from Android and Gnome nextcloud/server#1482 from nextcloud/translations_l10n-messages-pot--master_pl
• 20e6377 Merge pull request [stable10] add audio and video icons nextcloud/server#1484 from nextcloud/translations_l10n-messages-pot--master_cs_CZ
• 4b83bc2 Merge pull request deleted files, fix mimetype detection nextcloud/server#1346 from nextcloud/tests/noid/color-snapshot
• 1ea8340 Merge pull request Add Developer Certificate of Origin (DCO) nextcloud/server#1481 from nextcloud/fix/tribute-popup
• 39e925d Translate /l10n/messages.pot in cs_CZ
• 508833d Merge pull request Hide the tags input field when it's empty nextcloud/server#1478 from nextcloud/dependabot/npm_and_yarn/babel/core-7.12.1
• 161a470 Merge pull request fix sidebar tab headers margin nextcloud/server#1477 from nextcloud/dependabot/npm_and_yarn/stylelint-webpack-plugin-2.1.1
• ea34a86 Translate /l10n/messages.pot in pl
• 7613d44 Use browser storage for storaing hasAvatar state
• 97bcf17 Fix autocomplete popup size and shadow
• 4c91063 Merge pull request [stable10] redirect to default app after solving the 2FA challenge nextcloud/server#1479 from nextcloud/dependabot/npm_and_yarn/babel/preset-env-7.12.1

See the full diff

Package name: dompurify

The new version differs by 75 commits.

• 7923e10 chore: Preparing 2.2.2 release
• 7719c5b test: Added test cases for reported bypasses
• e43de71 fix: squished another variation of the mXSS
• 0771f47 chore: Preparing 2.2.1 release
• ee33fae fix: Fixed a mXSS bypass reported in PostgreSQL: faulty database connection upon completing installation wizard nextcloud/server#482
• e95b0de see AppFramework default response for OCS is xml nextcloud/server#480
• 83b7acb See Implement brute force protection nextcloud/server#479
• 0e31dce chore: preparing 2.2.0 release
• 307c7d0 test: added tests to cover new RETURN_DOM_IMPORT default being true
• 5aab0bb fix: fixed a typo in the config option logic for DOM_RETURN_IMPORT
• 8f15cd1 fix: changed RETURN_DOM_IMPORT flag to true in config block
• 1aecfe7 fix: xExperimentally set RETURN_DOM_IMPORT to true by default
• 02ae0af Merge pull request Group shares with same source and target  nextcloud/server#474 from MatmaRex/patch-1
• 89a0539 Remove mention of the removed SAFE_FOR_JQUERY flag in README
• 461589a chore: prepared 2.1.1 release
• 32b3241 chore: preparing 2.1.1 release
• daf4c05 docs: updated acknowledgements on README
• b552659 fix: re-enabled the mXSS check for old Chrome at the right place
• aec12c4 fix: Re-added an mXSS check for old Chrome
• 4586294 test: removed Node 15 again from test matrix
• 495c948 test: Added Node 14.x and 15.x to test jobs
• 075e58a fix: changed short comment to long to avoid micro-mutations
• 0228425 test: stripped SAFE_FOR_JQUERY from several tests
• 4eb5d93 test: removed a Safari 8 specific test

See the full diff

Package name: handlebars

The new version differs by 8 commits.

• a9a8e40 v4.7.7
• e66aed5 Update release notes
• 7d4d170 disable IE in Saucelabs tests
• eb860c0 fix weird error in integration tests
• b6d3de7 fix: check prototype property access in strict-mode (Read-only mode (for backups) nextcloud/server#1736)
• f058970 fix: escape property names in compat mode (Read-only mode (for backups) nextcloud/server#1736)
• 77825f8 refator: In spec tests, use expectTemplate over equals and shouldThrow (Add app name to the call nextcloud/server#1683)
• 3789a30 chore: start testing on Node.js 12 and 13

See the full diff

Package name: lodash

The new version differs by 1 commits.

• c6e281b Bump to v4.17.21

See the full diff

Package name: marked

The new version differs by 121 commits.

• 8a7502f chore(release): 2.0.0 [skip ci]
• 9d3a781 🗜️ build [skip ci]
• 7293251 fix: Total rework of Emphasis/Strong (File replacement modal too wide on mobile nextcloud/server#1864)
• f848e77 fix: Join adjacent inlineText tokens (Fix comment mentions in activities nextcloud/server#1926)
• f2535f1 chore(release): 1.2.9 [skip ci]
• f0dc8a2 🗜️ build [skip ci]
• 1e36afd fix: allow sublist to be single space in pedantic (Server info App dont work after upgraded to 10.0.1 nextcloud/server#1924)
• b97b802 chore(deps-dev): Bump rollup from 2.38.0 to 2.38.3 (External storrage: Not enough free space or just hangs nextcloud/server#1922)
• 409ef11 chore(deps-dev): Bump @ rollup/plugin-babel from 5.2.2 to 5.2.3 (Inline oc.js when possible! nextcloud/server#1917)
• f86549d chore(deps-dev): Bump rollup from 2.38.0 to 2.38.2 (discussion: remove "send email" option for public links nextcloud/server#1916)
• b2fe7c1 chore(deps-dev): Bump uglify-js from 3.12.5 to 3.12.6 (WebDAV doesn't work when migrating from ownCloud nextcloud/server#1919)
• aec6b9d chore(deps-dev): Bump @ rollup/plugin-commonjs from 17.0.0 to 17.1.0 (Problem Sharing: Automatic Reply Problem nextcloud/server#1918)
• afb285d chore(deps-dev): Bump eslint from 7.18.0 to 7.19.0 (Add nonce also to legacy CSP nextcloud/server#1920)
• 57d41b8 chore(release): 1.2.8 [skip ci]
• 608ba7c 🗜️ build [skip ci]
• 53c79ee fix: leave whitespace only lines alone (Use callForSeenUsers where possible nextcloud/server#1889)
• 42a18f1 chore(deps-dev): Bump rollup from 2.36.2 to 2.38.0 (Add build/bin to gitignore nextcloud/server#1910)
• be27b84 chore(deps-dev): Bump uglify-js from 3.12.4 to 3.12.5 (Fix malformed attribute in files app nextcloud/server#1911)
• 5f4a931 chore(deps-dev): Bump jasmine from 3.6.3 to 3.6.4 ([stable10] Fix malformed attribute in files app nextcloud/server#1912)
• c457c53 chore(deps-dev): Bump semantic-release from 17.3.3 to 17.3.7 (Require to use at least desktop client 2.0 by default nextcloud/server#1913)
• e1392c2 chore(deps-dev): Bump rollup from 2.36.1 to 2.36.2 (Allow SelfSigned/Untrusted certificates for outgoing mail servers nextcloud/server#1901)
• e9ce0ee chore(deps-dev): Bump eslint from 7.17.0 to 7.18.0 (Remove not existent function call nextcloud/server#1902)
• e3e33ee chore(deps-dev): Bump semantic-release from 17.3.1 to 17.3.3 (remove slight transparency of primary action button, ref #1615 nextcloud/server#1903)
• 659e558 chore(deps-dev): Bump @ semantic-release/npm from 7.0.9 to 7.0.10 (New folder: icon-confirm button for mouse users nextcloud/server#1904)

See the full diff

Package name: select2

The new version differs by 250 commits.

• a389a6d Merge pull request Integrity check false alert on fresh installation nextcloud/server#5578 from select2/develop
• eeefa1e Merge pull request Cannot delete User which is deleted in LDAP nextcloud/server#5577 from select2/release/4.0.8
• 5005c56 Update changelog for 4.0.8
• 8b55e47 Recompile dist for 4.0.8
• 6fbe132 Bump versions for 4.0.8 release
• bbd320d Convert source and tests to unix newlines
• 1b5a962 Revert change to focusing behaviour in 4.0.6 (URL rewrite to lose index.php with Apache & fastcgi ? nextcloud/server#5576)
• d926025 Fix infinite scroll when the scrollbar is not visible (allow to disable upload to lookup server, by default it is enabled nextcloud/server#5575)
• 8a5aeab Remove deprecated jQuery shorthand (No login image and logo on NC accessed using web nextcloud/server#5564)
• 9c4f0c8 Fix typos (It takes forever to upload in web UI nextcloud/server#5574)
• bd7ac9d Results respect disabled state of `<option>` (Sharing password input for visitors is wrongly styled nextcloud/server#5560)
• b5f136f Add `computedstyle` option for calculating the width (Overview of all shared files nextcloud/server#5559)
• f9decd6 Fix tag creation being broken in 4.0.7 (After deleting an (image) file, the preview files remain forever nextcloud/server#5558)
• 9491e1a Test against jQuery 3.4.1 (Upgrade fails from NC11-12 nextcloud/server#5531)
• d66e55d removed select2-selection__placeholder from _multiple.scss (Don't create activities for email and password change before login nextcloud/server#5508)
• 5d2fdd7 Update grunt-contrib-qunit to latest version (/dev/urandom warning seems unnecessary  nextcloud/server#5530)
• 70ca392 Update dev dependencies (Optimize performance / Load CSS and JS in parallel on firefox nextcloud/server#5529)
• 36b226d Improve French Translation ([stable12] Don't create activities for email and password change before login nextcloud/server#5521)
• d53958a Clean up docs (Plural missing on CalDAV Activity when creating multiple Calendar events nextcloud/server#5528)
• 0a612f9 Automatically deploy to NPM (Reverse Proxy, PHP cache, custom logo, CSS bug (does http instead of https) nextcloud/server#5527)
• 04fce55 Merge pull request [stable12] Use realpath to obtain the webroot nextcloud/server#5507 from select2/develop
• f8193c6 Merge pull request Use realpath to obtain the webroot nextcloud/server#5506 from select2/release/4.0.7
• 5285eef Recompile dist for 4.0.7
• 20ffd12 Bump versions for 4.0.7 release

See the full diff

Package name: underscore

The new version differs by 76 commits.

• bf5a0ed Merge branch 'template-variable-parameter'
• 7e3d404 Update annotated sources and minified bundles for 1.12.1
• 5343fbc Add version 1.12.1 to the documentation
• 44df929 Bump the version to 1.12.1
• 7e89b79 Un-document the fix for Rebrand to "Nextcloud" and add 100% coverage nextcloud/server#2911 for the time being
• 4c73526 Fix Rebrand to "Nextcloud" and add 100% coverage nextcloud/server#2911
• ef646cc Reflect real issue of Rebrand to "Nextcloud" and add 100% coverage nextcloud/server#2911 in test from Add 100% coverage for response.php nextcloud/server#2912
• a6159ff Fix indentation in the test from Add 100% coverage for response.php nextcloud/server#2912
• 798eafa Update the link to the preview release (bugfix)
• 07cc415 Convert all RawGit links to Statically
• db7fb6a Add temporary note about preview release to index.html
• 548fa01 Merge pull request Update bundled CA Certificates nextcloud/server#2913 from ognjenjevremovic/test/time-tampering-tests
• 3a5c878 test: Assertion comment updates; `_.throttle` and `_.debounce`.
• 4d5d198 test: 💍 Time tampering tests for _.throttle and _.deobounce
• a4cc7c0 Add a test to confirm we are not vulnerable to CVE-2021-23337 (Rebrand to "Nextcloud" and add 100% coverage nextcloud/server#2911)
• 745e9b7 Merge pull request Point 3rdparty to master nextcloud/server#2896 from anderlaw/master
• af2f919 Correct "Non-numerical values in list will be ignored"
• c9b4b63 Put back test/vendor/qunit.* static files to fix live website tests
• 311b04e Merge pull request Adds user controller tests nextcloud/server#2892 from kritollm/master
• 6568211 Make a comment render more nicely
• 0b93f06 Fixed a few more details
• 913bcf2 Resolved changes requested.
• 769a494 throttle cleanup
• 03f9781 Reimplementing timer optimization Deprecate OCSRespone nextcloud/server#1269

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic