chore(deps): bump urijs and xss

[villebro]

SUMMARY

Bump a few JS deps:

• xss to latest version 1.0.10
• urijs to latest version 1.19.8

TESTING INSTRUCTIONS

CI + manual testing

ADDITIONAL INFORMATION

• Has associated issue: Superset includes a number of vulnerable 3rd party JS packages #18879 (partially addresses the ticket)
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[etr2460]

looks like the frontend build is failing :'(

[codecov]

Codecov Report

Merging #18922 (62c3cbb) into master (db8f508) will decrease coverage by 0.00%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master   #18922      +/-   ##
==========================================
- Coverage   66.21%   66.20%   -0.01%     
==========================================
  Files        1633     1633              
  Lines       63210    63235      +25     
  Branches     6409     6417       +8     
==========================================
+ Hits        41852    41864      +12     
- Misses      19698    19710      +12     
- Partials     1660     1661       +1     

Flag	Coverage Δ
javascript	51.01% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...perset-frontend/src/views/components/MenuRight.tsx	72.13% <0.00%> (-7.87%)	⬇️
superset-frontend/src/preamble.ts	0.00% <0.00%> (ø)
...erset-frontend/src/profile/components/fixtures.tsx	100.00% <0.00%> (ø)
...d/src/SqlLab/components/TabbedSqlEditors/index.jsx	56.39% <0.00%> (ø)
.../src/dashboard/components/gridComponents/Chart.jsx	57.60% <0.00%> (ø)
...tend/src/SqlLab/components/ColumnElement/index.tsx	93.75% <0.00%> (+0.41%)	⬆️
superset-frontend/src/views/CRUD/utils.tsx	65.25% <0.00%> (+1.53%)	⬆️
superset-frontend/src/chart/Chart.jsx	53.44% <0.00%> (+1.66%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update db8f508...62c3cbb. Read the comment docs.

[villebro]

Unfortunately npm audit fix broke stuff. I reverted that and just bumped those two packages, will look at running npm audit fix in a separate PR.

[etr2460]

Unfortunately npm audit fix broke stuff. I reverted that and just bumped those two packages, will look at running npm audit fix in a separate PR.

not sure if running npm audit fix is worthwhile tbh, see https://overreacted.io/npm-audit-broken-by-design/ and a specific quote:

It doesn’t help that npm audit fix (which the tool suggests using) is buggy. I ran npm audit fix --force today and it downgraded the main dependency to a three-year-old version with actual real vulnerabilities. Thanks, npm, great job.

[etr2460]

lgtm, thanks!