[Snyk] Fix for 30 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	504/1000 Why? Has a fix available, CVSS 5.8	Prototype Pollution SNYK-JS-HIGHLIGHTJS-1045326	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HIGHLIGHTJS-1048676	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-IMMER-1019369	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451341	Yes	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-584281	Yes	No Known Exploit
	434/1000 Why? Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-73637	Yes	No Known Exploit
	715/1000 Why? Has a fix available, CVSS 9.8	Use After Free SNYK-JS-NODESASS-535497	No	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-NODESASS-542662	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-PRISMJS-1076581	Yes	Proof of Concept
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-PRISMJS-1314893	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-PRISMJS-1585202	Yes	Proof of Concept
	629/1000 Why? Has a fix available, CVSS 8.3	Cross-site Scripting (XSS) SNYK-JS-PRISMJS-597628	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Command Injection SNYK-JS-REACTDEVUTILS-1083268	Yes	Proof of Concept
	619/1000 Why? Has a fix available, CVSS 8.1	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-536840	Yes	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Arbitrary Code Injection SNYK-JS-SERIALIZEJAVASCRIPT-570062	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SSRI-1246392	Yes	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @storybook/addon-notes

The new version differs by 250 commits.

• 670a682 v5.0.0
• 4bfcf03 5.0.0 changelog
• caf9630 Update frontpage build trigger to master
• 345bc9c Hardcode header link
• 80a8fee Fix typo
• ba0e8ab Fix indentatation
• 5d986a7 Update storyshots
• 1c659a5 Test docs update
• cd35663 Merge pull request #5633 from storybooks/shilman/frontpage-build-hook
• f0e4b1d 5.0.0-rc.11 versions.json
• 2724eb7 v5.0.0-rc.11
• cf9a855 5.0.0-rc.11 changelog
• bced5bf Theming mgiration placeholder
• ced6d40 Merge pull request #5843 from storybooks/tech/improve-theme-creating
• f9343ee Merge pull request #5850 from storybooks/laggy-sidebaritem-active
• 619ae85 Merge pull request #5845 from huntie/addon-cssresources-migration-docs
• 4cf9204 Merge pull request #5846 from storybooks/5833-deprecate-withA11Y
• eaa6da2 Merge pull request #5842 from storybooks/shilman/misc-migration-notes
• b710aef 5.0.0-rc.10 versions.json
• a464c6b v5.0.0-rc.10
• 9bf2eb6 5.0.0-rc.10 additions
• b5451c6 Merge pull request #5833 from storybooks/5832-a11y-migration
• 83bb311 5.0.0-rc.10 changelog
• bceef46 Merge pull request #5828 from storybooks/5818-cleanup-backgrounds

See the full diff

Package name: @storybook/addon-storysource

The new version differs by 250 commits.

• e89e51a v6.1.0
• d004d19 Update root, peer deps, version.ts/json to 6.1.0
• 1d07f01 6.1.0 changelog
• 178e9bd 6.1.0-rc.6 next.json version file
• 971eccd Update git head to 6.1.0-rc.6
• 9009e53 v6.1.0-rc.6
• eaceece Update root, peer deps, version.ts/json to 6.1.0-rc.6
• 5c0049b 6.1.0-rc.6 changelog
• 76d53b5 Merge pull request #13165 from storybookjs/13156-fix-cached-manager
• 4747fea Merge pull request #12845 from Tomastomaslol/12324_zoom_buttons_in_docs_do_not_work
• 74693f4 Drop the cache prop from managerConfig to make caching work on the 2nd run.
• 428b6e0 6.1.0-rc.5 next.json version file
• a72852d Update git head to 6.1.0-rc.5
• a8822ed v6.1.0-rc.5
• 6deb946 Update root, peer deps, version.ts/json to 6.1.0-rc.5
• 06b55c8 update 6.1-rc.5
• 875b933 Merge branch 'next' of github.com:storybookjs/storybook into next
• f701930 Merge pull request #13141 from ThibaudAV/update-angular-ex
• c8a819d Merge pull request #13162 from S1ngS1ng/patch-1
• cd7766e 6.1.0-rc.5 changelog addition
• 45ddc0c Merge pull request #13159 from storybookjs/12386-ie11-layout-centered
• f2123da 6.1.0-rc.5 changelog
• 30c5e98 fix incorrect component reference
• f6d4f0a Merge pull request #13155 from storybookjs/feature/sidebarClassNames

See the full diff

Package name: @storybook/vue

The new version differs by 250 commits.

• 829c72e v6.2.0
• f8bfee0 Update root, peer deps, version.ts/json to 6.2.0
• 2814acc CLI: Don't update versions.json on CLI prepare
• 637daa1 Update 6.2 changelog
• c760793 6.2 release
• 5595b1e Merge pull request #14348 from gabiseabra/fix/issue_13771
• a686a99 6.2.0-rc.13 next.json version file
• 6be8b92 Update git head to 6.2.0-rc.13
• c1dfd5b v6.2.0-rc.13
• 4ef7b5a Update root, peer deps, version.ts/json to 6.2.0-rc.13
• d954d50 6.2.0-rc.13 changelog
• 1913c92 Merge pull request #14390 from YozhEzhi/patch-1
• ee98e0e Merge branch 'next' of github.com:storybookjs/storybook into next
• a8aadc4 Update CHANGELOG.md
• 44eca58 Merge pull request #14392 from storybookjs/fix-raw-toggle
• f10ef90 Merge pull request #14391 from YozhEzhi/patch-3
• b1ee5e9 Prevent invalid initial color to be accepted as preset
• 2c6b796 Color picker can't deal with 'transparent' keyword
• 6951762 Don't show RAW toggle when data isn't representable by REJT
• 259b12a Update my-component-story-use-globaltype.js.mdx
• a8a846b Update my-component-story-use-globaltype.mdx.mdx
• 57fc3cd 6.2.0-rc.12 next.json version file
• ba0f535 Fix changelog
• 6ec5750 Update git head to 6.2.0-rc.12

See the full diff

Package name: @vue/cli-plugin-eslint

The new version differs by 250 commits.

• 81f8457 v4.0.0
• 0603f1e chore: pre release sync
• 15c86f0 docs: preparing v4 stable release [ci skip]
• c80fb6a fix: pin typescript version to 3.5 until we support typescript-eslint 2
• 4de59d0 fix(types): update css options interface to reflect v4 changes
• 2601fec docs: add notes about `vue --version` output format [ci skip]
• 28fd1db chore: merge branch 'next' into dev
• d72b453 fix: fix afterAnyInvoke hook compatibility with pnpm 4
• 953a080 fix: update `.npmrc` for pnpm 4
• 5d2c8da refactor: replace --disturl option with NODEJS_ORG_MIRROR env variable
• badf63d fix: add pnpm v4 support (#4677)
• b65b24e fix: correct typo in babel migrator (#4683)
• 3677493 chore!: add `@ vue/cli` in `--version` output, to avoid confusion (#4681)
• 469d3d8 docs: migration guide from v3 to v4 (#4552) [ci skip]
• c760910 missing documentation for building with vuex (#2319)
• 3aa513a Add a variant for `config get registry` (#4530)
• 5cce80c v4.0.0-rc.8
• 3fcff02 chore: pre release sync
• 0ddad86 chore: lockfile maintenance
• 81d0245 chore: better upgrade messages (#3926)
• 08d7761 chore!: upgrade terser-webpack-plugin to 2.x (#4676)
• 01e36f3 refactor!: use DefinePlugin (again) instead of EnvironmentPlugin (#4673)
• 5c2d0ba fix: fix dependency issue
• eabdaf1 fix: update command names, per https://github.com/feat: New Schema and Engine features Akryum/vue-cli-plugin-apollo#158

See the full diff

Package name: @vue/cli-service

The new version differs by 250 commits.

• 079a451 v4.2.0
• d493491 chore: pre release sync
• 6d680bc fix(migrator): correctly extract config fields to files
• 246c197 fix: clear require cache after `upgrade`, before `migrate`
• ef15316 fix: preserve the tilde version range after `vue upgrade`
• 51a4da7 fix: should infer package manager from config if there's no lockfile in the project (#5150)
• f5f4de0 feat(GeneratorAPI): allow passing options to `api.extendPackage` (#5149)
• 9a1d52e feat: create projects with @ vue/test-utils beta 31 (#5147)
• adef4c9 fix(e2e-nightwatch): fix eslint config generation (#5148)
• c5bf5b1 chore: update chromedriver version to 80
• e6d7bbd feat: implement a migrator that updates the project's ts version
• 82bd074 refactor: use dep versions from plugin package.json
• 1b64ff8 fix: fix eslint errors for typescript + e2e-nightwatch setup
• e4410b8 fixup! fix: fix duplicate slash in metadata url
• 813680e fix: should use the local version number if the cache falls behind
• e1b8519 fix: fix duplicate slash in metadata url
• 02a4799 chore: update vue & vue-template-compiler to 2.6.11
• ce64455 fix(cors): fixup #4985, allow same-origin ws requests of any domain (#5142)
• 3ee096e fix: don't output warning message on eslint deps upgrade
• 45d4969 ci: no need to include branch in the cache key
• 4501390 test: uncomment the airbnb eslint migrator test
• 773f8a4 feat: lock minor versions when creating projects / adding plugins (#5134)
• c8cecff refactor: remove usage of deprecated babel functions, preparing for babel 8 (#5133)
• da43343 fix(CORS): only allow connections from the designated host (#4985)

See the full diff

Package name: node-sass

The new version differs by 88 commits.

• c167004 6.0.1
• 911d4db remove mkdirp dep (#3108)
• 30a52f7 build(deps): bump meow from 3.7.0 to 9.0.0
• 7e08463 build(deps-dev): bump mocha from 8.4.0 to 9.0.1
• cfcbb2c chore: Use default Apline version from docker-node (#3121)
• 886319b chore: Drop Node 10 support
• c908f4f fix: Bump OSX minimum to 10.11
• 8ab02da fix: Remove old compiler gyp settings
• 3d7b9d0 chore: Add Node 16 support
• 4115e9d build(deps): bump actions/setup-node from v2.1.4 to v2.1.5
• 06f3ab4 Update TROUBLESHOOTING.md
• c1cb367 build(deps): bump actions/setup-node from v2.1.3 to v2.1.4
• 769f3a6 build(deps): bump actions/setup-node from v2.1.2 to v2.1.3
• a2a3a78 chore: Bump dependabot limit
• 7105b0a 5.0.0 (#3015)
• 0648b5a chore: Add Node 15 support (#2983)
• e2391c2 Add a deprecation message to the readme (#3011)
• 6a33e53 chore: Don't upload artifacts on PRs
• d763506 chore: Only run coverage on main repo
• d4ebe72 build(deps): update actions/setup-node requirement to v2.1.2
• 2bebe05 build(deps-dev): bump rimraf from 2.7.1 to 3.0.2
• f877689 chore: Don't double build DependaBot PRs
• b48fac4 chore: Add weekly DependaBot updates
• 91c40a0 Remove deprecated process.sass API

See the full diff

Package name: serialize-javascript

The new version differs by 20 commits.

• b54341e v3.1.0
• 7cee7e4 Revert "support for bigint (#80)"
• 026a445 Bump mocha from 7.1.2 to 7.2.0 (#83)
• 5130a71 support for bigint (#80)
• ea76b23 Bump mocha from 7.1.1 to 7.1.2 (#82)
• 073c8d8 Bump nyc from 15.0.0 to 15.0.1 (#81)
• f21a6fb Don't replace regex / function placeholders within string literals (#79)
• 1ac487e [Security] Bump minimist from 1.2.0 to 1.2.5 (#78)
• c795cef Bump mocha from 7.1.0 to 7.1.1 (#77)
• 3064431 Bump mocha from 7.0.1 to 7.1.0 (#74)
• 9dbe8f6 Update example in README (#73)
• f5957ee v3.0.0
• eed510c Introduce support for Infinity (#72)
• 82bb2d2 Bump mocha from 7.0.0 to 7.0.1 (#71)
• fdfb10a Test on Node.js v12 (#70)
• 2f5f126 Bump mocha from 6.2.2 to 7.0.0 (#69)
• 35062c0 Bump nyc from 14.1.1 to 15.0.0 (#68)
• 6c43b02 v2.1.2
• 3e05a3f Ignore .nyc_output (#64)
• 3c46e8e Bump mocha from 6.2.0 to 6.2.2 (#62)

See the full diff

Package name: tailwindcss

The new version differs by 250 commits.

• 0bc3eeb 2.2.0
• 729b09a Update CHANGELOG
• 674d79d move cssnano to devDependencies
• f63b453 Add `tailwindcss/nesting` plugin (#4673)
• 243e881 Resolve purge paths relative to the current working directory (#4655)
• 38a71d8 Use `tmp` file as a touch file (#4650)
• af4a77a Remove unused import
• 81816df Support arbitrary values for object-position
• 0d47ffd Fix cloning issues (#4646)
• 03eab31 Update prettier to version 2.3.1
• 7f564d2 Update eslint to version 7.28.0
• 546cff8 Allow quotes in arbitrary value blocks (#4625)
• cb2598c Add support for transform, filter, backdrop-filter, box-shadow and ring to pseudo-elements (#4624)
• d6da12f Update CHANGELOG
• ff64417 Add `blur-none` with intent to deprecate `blur-0` (#4614)
• 34d0551 Remove need for `filter` and `backdrop-filter` toggles (#4611)
• f4799a3 add tests for the `--postcss` option in the new CLI (#4607)
• b86aa5c Remove need for `transform` toggle (#4604)
• 6f1d5f0 prefer local plugins (#4598)
• 976acb4 Update changelog
• 8518fee implement purge safelist (#4580)
• 3569d49 fix cli purge option when using commas (#4578)
• 40645d7 Rename `--files` option in CLI to `--purge`
• 63a67cb improve integration tests (#4572)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic