[Snyk] Fix for 9 vulnerabilities

[snyk-io]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • node_modules/exponential-backoff/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	159/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00396, Social Trends: No, Days since published: 1137, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.65, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	169/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00045, Social Trends: No, Days since published: 163, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.81, Score Version: V5	Uncontrolled resource consumption SNYK-JS-BRACES-6838727	Yes	Proof of Concept
	141/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Local, EPSS: 0.01055, Social Trends: No, Days since published: 328, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.35, Score Version: V5	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	35/1000 Why? Confidentiality impact: Low, Integrity impact: None, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1027, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.47, Score Version: V5	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	Yes	No Known Exploit
	124/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00045, Social Trends: No, Days since published: 163, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.06, Score Version: V5	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	Yes	No Known Exploit
	111/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00111, Social Trends: No, Days since published: 586, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 2.64, Score Version: V5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	111/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00213, Social Trends: No, Days since published: 481, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 2.65, Score Version: V5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	115/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 983, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.92, Score Version: V5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	137/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00044, Social Trends: No, Days since published: 1681, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.42, Score Version: V5	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: jest

The new version differs by 250 commits.

• 75006e4 v29.0.0
• 7c82a9f chore: update jest-watch-typeahead again
• 352ff29 chore: update changelog for release
• 33ad8c3 docs: Jest 29 blog post (#13103)
• dda77e5 docs: collapse 28.0 and 28.1 docs (#13104)
• c0dc84c chore: update jest-watch-typeahead
• 05f6217 fix: support deep CJS re-exports when using ESM (#13170)
• 490fd88 chore: update yarn (#13169)
• 98936a2 docs: Update Enzyme links to use new URL (#13166)
• 187566a feat(pretty-format): allow to opt out from sorting object keys with `compareKeys: null` (#12443)
• ae2bed7 chore: tweak regex used in e2e tests (#13129)
• 8c56d74 docs: Update Configuration.md for added special notes on usage scenarios for pnpm. (#13115)
• fb1c53d feat(jest-config)!: remove undocumented `collectCoverageOnlyFrom` option (#13156)
• 075b489 fix: ignore `EISDIR` when resolving symlinks (#13157)
• 3bef02e feat(@ jest/test-result, @ jest/types)!: replace `Bytes` and `Milliseconds` types with `number` (#13155)
• 4def94b v29.0.0-alpha.6
• 0f00d4e fix: replace non-CLI `rimraf` usage (#13151)
• 6a90a2c fix: Allow updating inline snapshots when test includes JSX (#12760)
• 983274a feat: Let `babel` find config when updating inline snapshots (#13150)
• d2ff18a chore: make prettierPath optional in `SnapshotState` (#13149)
• 7d8d01c feat(circus): added each to failing tests (#13142)
• a5b52a5 chore(types): separate MatcherContext, MatcherUtils and MatcherState (#13141)
• 79b5e41 chore: get rid of peer dep warning in website
• 812763d chore: enable 'no-duplicate-imports' (#13138)

See the full diff

Package name: lint-staged

The new version differs by 146 commits.

• 885a644 Merge pull request [Snyk] Security upgrade mocha from 3.5.3 to 11.0.1 #852 from okonet/listr2
• aba3421 fix: all lint-staged output respects the `quiet` option
• b8df31a fix: do not show incorrect error when verbose and no output
• eed6198 style: simplify eslint and prettier config
• b746290 ci: replace Node.js 13 with 14, since 14 will be next LTS
• 2c6f3ad docs: improve `verbose` description
• e749a0b test: remove redundant, misbehaving test
• 16848d8 fix: use test renderer during tests and when TERM=dumb
• efffa22 test: cover `--verbose` option usage
• 1b18550 test: restore variable in test output
• 6aede38 test: add test for error during merge state restoration
• b565481 test: integration test targets the full Node.js API instead of just `runAll`
• a3bd9d7 feat: allow specifying `cwd` using the Node.js API
• 85de3a3 feat: add `--verbose` to show output even when tasks succeed
• d69c65b fix: log task output after running listr to keep everything
• e95d1b0 refactor: move skip and enable cheks of listr tasks to separate file
• 6da7667 refactor: move messages to separate file
• 6392480 refactor: use symbols for errors
• 8f32a3e feat: replace listr with listr2 and print errors inline
• c9adca5 fix: use stash create/store to prevent files from disappearing from disk
• e093b1d fix(deps): update dependencies
• 6066b07 fix: pass correct path to unstaged patch during cleanup
• 0bf1fb0 fix: allow lint-staged to run on empty git repo by disabling backup
• 1ac6863 Merge pull request [Snyk] Security upgrade mocha from 6.2.3 to 11.0.1 #837 from okonet/serial-git-add

See the full diff

Package name: ts-jest

The new version differs by 165 commits.

• ad58c9b chore(release): 25.3.0
• 949e3e1 chore: update package-lock.json
• b8ebf36 docs: add Troubleshoting section ([BUG] npm install -g npm inside create-react-app caused npm to uninstall off of root directory of machine (mac)? npm/cli#1463)
• 8b5325e chore(transformer): only do type checking for js/jsx/ts/tsx file ([BUG] cb() never called! npm/cli#1464)
• 58b05b1 chore: replace travis-ci.org with travis-ci.com ([BUG] npm unpublish returns error 404 and not error printed unless verbose loglevel is used npm/cli#1469)
• 79e8fdf build(deps-dev): bump jest from 25.2.3 to 25.2.4 (Stripe transfer insufficient funds, used together with stripe checkout npm/cli#1468)
• dddce1c build(deps-dev): bump @ jest/transform from 25.2.3 to 25.2.4 ([BUG] discord.js npm/cli#1467)
• d811bae build(deps-dev): bump lint-staged from 10.0.9 to 10.0.10 ([BUG] <cb() never called> npm/cli#1466)
• ecc8312 build(deps-dev): bump @ types/react from 16.9.26 to 16.9.27 ([FEATURE] <title> npm/cli#1462)
• c10ad4a chore(compiler): improve performance for language service ([BUG] <title> npm/cli#1461)
• 455ee5b build(deps-dev): bump @ jest/transform from 25.2.1 to 25.2.3 (chore(docs): fixed links to cli commands npm/cli#1459)
• 1641cfb build(deps-dev): bump jest from 25.2.2 to 25.2.3 ([BUG] npm install --no-save removes other dependencies npm/cli#1460)
• 3010ec8 build(deps-dev): bump @ jest/types from 25.2.1 to 25.2.3 ([BUG] npm i -g fails with "This is related to npm not being able to find a file." npm/cli#1458)
• 26a81f0 build(deps-dev): bump @ types/react from 16.9.25 to 16.9.26 (Avoid blowing stack when checking if a failed dependency is required or optional npm/cli#1457)
• 99c552d build(deps-dev): bump jest from 25.2.1 to 25.2.2 ([BUG] Add s390x arch support npm/cli#1455)
• 5214f1b build(deps): bump yargs-parser from 18.1.1 to 18.1.2 ([BUG] Error: Missing required argument #1 on Linux Mint, 5.3.0-59-generic Kernal npm/cli#1456)
• 79478ae build(deps-dev): bump tslint-plugin-prettier from 2.2.0 to 2.3.0 (test: increase whoami with bearer auth timeout npm/cli#1454)
• 107e062 fix: always do type check for all files provided to ts-jest transformer ([BUG] npm install / missing required argument #1 npm/cli#1450)
• 1e34075 build(deps-dev): bump @ jest/types from 25.2.0 to 25.2.1 ([BUG] 502 Bad Gateway npm/cli#1452)
• ba5a6c4 build(deps-dev): bump @ jest/transform from 25.2.0 to 25.2.1 ([BUG] npm creates its cache directory in my $HOME npm/cli#1451)
• e857f5b build(deps-dev): bump jest from 25.2.0 to 25.2.1 ([QUESTION] npm ERR! code EINTEGRITY npm/cli#1453)
• 4981da8 Merge pull request [BUG] <title> npm/cli#1447 from kulshekhar/dependabot/npm_and_yarn/jest/types-25.2.0
• ea8240a Merge pull request npm outdated does not seem to check devDependecies like it used to npm/cli#1448 from kulshekhar/dependabot/npm_and_yarn/jest/transform-25.2.0
• e50db11 build(deps-dev): bump @ jest/types from 25.1.0 to 25.2.0

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-side Request Forgery (SSRF)
🦉 Prototype Pollution

[sourcery-ai]

🧙 Sourcery has finished reviewing your pull request!

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot (hey, snyk-io[bot]!). We assume it knows what it's doing!
• It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.