[Snyk] Fix for 1 vulnerabilities

[isp1r0]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • ui/package.json
  • ui/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	713/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: css-loader

The new version differs by 60 commits.

• 7857d8f chore(release): 4.0.0
• 5604205 feat: support `file:` protocol
• 5303db2 chore(deps): update (build(deps): bump lodash from 4.17.15 to 4.17.19 in /ui devspace-sh/devspace#1131)
• 9aa0549 chore(deps): update
• a54c955 test: imports
• 5b45d87 test: support in `@ import` at-rule
• 83515fa refactor: code
• 1c20b1e fix: parsing
• 7f49a0a feat: `@ value` supports importing `url()` (Kaniko doesn't work under loft devspace-sh/devspace#1126)
• 791fff3 refactor: named export (Fix devspace-sh/devspace#1125)
• 01e8c76 refactor: change function arguments of the `import` option (Sync does not work with crash-looping container anymore (since 4.13) devspace-sh/devspace#1124)
• c153fe6 refactor: improve schema options (Fix devspace install from npm on macos devspace-sh/devspace#1123)
• 58b4b98 test: unresolved (Better entrypoint override for interactive mode devspace-sh/devspace#1122)
• d2f6bd2 refactor: getLocalIdent function (docs: add v4.13 devspace-sh/devspace#1121)
• 069dbb0 refactor: the `modules.localsConvention` option was renamed to the `modules.exportLocalsConvention` option (devspace update config substitutes some variable references with their values devspace-sh/devspace#1120)
• fc04401 refactor: the `modules.context` option was renamed to the `modules.localIdentContext` option (Docs v4.13 devspace-sh/devspace#1119)
• 3a96a3d refactor: the `hashPrefix` option was renamed to the `localIdentHashPrefix` option (build(deps): bump websocket-extensions from 0.1.3 to 0.1.4 in /ui devspace-sh/devspace#1118)
• 0080f88 refactor: default values `modules` and `module.auto` are true (build(deps): bump websocket-extensions from 0.1.3 to 0.1.4 in /docs devspace-sh/devspace#1117)
• e1c55e4 refactor: rename the `onlyLocals` option (v4.13.0 devspace-sh/devspace#1116)
• ac5f413 refactor: code
• a5c1b5f test: code coverange (Feature Request: Bash/Zsh Tab Completion devspace-sh/devspace#1114)
• 908ecee refactor: `esModule` option is `true` by default (devspace dev not logging sync events to the console devspace-sh/devspace#1111)
• 7cca035 test: coverange (devspace ui should display logs even if it cannot list namespaces devspace-sh/devspace#1112)
• bc19ddd feat: improve `url()` resolving algorithm

See the full diff

Package name: file-loader

The new version differs by 21 commits.

• e44eb73 chore(release): 6.0.0
• ad39022 chore(deps): update ([Snyk] Fix for 1 vulnerabilities #369)
• e1fe27c docs: update README.md ([Snyk] Security upgrade @docusaurus/core from 2.0.0-alpha.50 to 2.0.0 #368)
• c2aded7 chore(release): 5.1.0
• cd8698b feat: support the `query` template for the `name` option ([Snyk] Security upgrade golang from 1.10.1 to 1.18.8 #366)
• 5703c58 chore(deps): update ([Snyk] Fix for 1 vulnerabilities #365)
• 521bff2 chore: remove duplicate prettier config file ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.18.7-alpine #357)
• 5ffac2e refactor: added description on esModule ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.18.7-alpine #358)
• 190829e docs: fix the description of the `esModule` option ([Snyk] Security upgrade golang from 1.10.1 to 1 #348)
• f1b071c chore(release): 5.0.2
• 6431101 chore: add the `funding` field in `package.json` ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.18.6-alpine #347)
• 90302cd chore(release): 5.0.1
• 31d6589 fix: name of `esModule` option in source code ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.18.6-alpine #346)
• 2a18cba chore(release): 5.0.0
• 98a6c1d refactor: next ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.18.6-alpine #345)
• 0df6c8d chore(release): 4.3.0
• a2f5faf refactor: code ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.18.6-alpine #344)
• 9b9cd8d feat: new options flag to output ES2015 modules ([Snyk] Security upgrade golang from 1.13-alpine to 1.18.6-alpine #340)
• ba0fd4c chore(release): 4.2.0
• 642ee74 docs: improve readme ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.18.6-alpine #341)
• c136f44 feat: `postTransformPublicPath` option ([Snyk] Security upgrade golang from 1.10.1 to 1.18.6 #334)

See the full diff

Package name: html-webpack-plugin

The new version differs by 107 commits.

• 74fae99 chore(release): 5.0.0
• 94a20df chore: update to webpack 5.20.0
• c5c8212 feat: add meta attribute for html tags
• d0ab774 feat: provide public path to the alterAssetTagGroups hook
• 5200ae6 feat: provide public path to the alterAssetTags hook
• ccbe93a chore: update examples to latest webpack version
• 33cbd59 fix: generate html files even if no webpack entry exists
• 826739f feat: allow to use the latest loader-utils and tapable version
• 81d7b2c feat: add typings for options and version
• 8d34b81 fix: use correct casing for webpack type import
• 36f9aca chore: upgrade dev dependencies
• 1755962 chore: fix css-loader for unit testing
• a79ab17 chore: drop support for appcache-webpack-plugin as it is not compatible to webpack 5
• 7c3146d feat: allow to set publicPath to empty string ’’
• b109213 docs: update installation instructions for webpack 4
• 833b46b fix: inject javascripts in the <head> tag for inject:true and scriptLoading:'defer'
• 13af0fb feat: add full support for public paths inside templates
• fd5fe58 refactor: move the publicPath generation into a seperate function
• 60a6ef8 test: add test for experiments: { outputModule: true }
• a43ab72 feat: overrule module output
• 10a0c5e fix: adjust tests as webpack 5 will no longer emit files for builds with errors
• 2975a6a feat: process html during the processAssets stage PROCESS_ASSETS_STAGE_OPTIMIZE_INLINE
• 0f9c239 fix: add support for publicPath: 'auto' in combination with type: 'asset/resource'
• ab8b195 fix: support loaders like raw-loader

See the full diff

Package name: postcss-loader

The new version differs by 39 commits.

• 792e217 chore(release): 4.0.0
• 598f36d docs: improve readme
• cad6f07 fix: avoid mutations of options and config ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.19.10-alpine #470)
• 77449e1 test: union ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.19.10-alpine #469)
• 9b75888 feat: reuse AST from other loaders ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.19.10-alpine #468)
• 5e4a77b fix: resolve `from` and `to` from config and options ([Snyk] Security upgrade golang from 1.13-alpine to 1.19.10-alpine #467)
• 225b2e5 refactor: do not validate `postcss` options ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.19.10-alpine #466)
• 3d32c35 fix: `default` export for plugins ([Snyk] Security upgrade nodemon from 1.18.11 to 3.0.0 #465)
• 38ebe08 refactor: `execute` option ([Snyk] Security upgrade golang from 1.10.1 to 1.21rc2 #464)
• d0ea725 refactor: config loading
• 108d871 test: more
• b4d3bcc chore: remove unnecessary dev deps ([Snyk] Security upgrade nodemon from 1.18.11 to 2.0.17 #460)
• 475278c chore: move `postcss` to `peerDependencies` ([Snyk] Security upgrade nodemon from 1.19.4 to 2.0.17 #459)
• 98441ff fix: respect the `map` option and source maps ([Snyk] Security upgrade alpine from 3.11.6 to 3.16 #458)
• ba88040 refactor: do not pass meta from other loaders ([Snyk] Security upgrade golang from 1.13-alpine to 1.19.8-alpine #457)
• 25a16a0 refactor: source map code
• 677c2fe refactor: removed `inline` value for the `sourceMap` option ([Snyk] Security upgrade golang from 1.10.1 to 1.20 #454)
• d8d84f7 refactor: code ([Snyk] Security upgrade @docusaurus/core from 2.0.0-alpha.50 to 2.0.0 #453)
• 3cd85df refactor: code
• 6eb44ed refactor: code
• 53da71a refactor: sourcemap paths
• d7bc470 feat: array syntax for plugins
• 2cd7614 refactor: code ([Snyk] Security upgrade golang from 1.10.1 to 1.19.8 #451)
• 60e4f12 docs: addDependency ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.19.8-alpine #448)

See the full diff

Package name: source-map-loader

The new version differs by 15 commits.

• e0ec5d9 chore(release): 1.0.0
• 87fa9ae refactor: remove whatwg-encoding ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.18beta2-alpine #115)
• 4d043f0 docs: ignore example
• 1ccc708 test: coverage ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.18beta2-alpine #111)
• 73773e2 test: validate options ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.18beta2-alpine #110)
• 0d77b18 refactor: code
• 2ceba27 test: code ([Snyk] Security upgrade php from 7.1-apache-stretch to 7.3-apache-stretch #108)
• 1e785a1 fix: use webpack fs ([Snyk] Security upgrade golang from 1.10.1 to 1.16 #105)
• 01b3812 refactor: code ([Snyk] Security upgrade golang from 1.10.1 to 1.18beta2 #104)
• 4c39c22 fix: perf and crashing ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.16.13-alpine #101)
• b64f7d8 fix: absolute path for sources and add sources in dependendencies
• c18d1f9 feat: indexed-sourcemap
• 526c229 test: refactor ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.16.13-alpine #97)
• 7f769aa fix: avoid crash on big data URL source maps
• 2da2b2e chore(defaults): update ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.16.13-alpine #95)

See the full diff

Package name: style-loader

The new version differs by 71 commits.

• 171a747 chore(release): 1.1.4
• af1b4a9 chore(deps): update
• a003f05 docs: add links for the options table ([Snyk] Security upgrade nodemon from 1.18.11 to 2.0.17 #460)
• 2756e03 chore(release): 1.1.3
• 236b243 fix: injection algorithm ([Snyk] Security upgrade golang from 1.10.1 to 1.19.8 #456)
• 36bd8f1 docs: fix typos ([Snyk] Security upgrade @docusaurus/core from 2.0.0-alpha.50 to 2.0.0 #453)
• de38c39 chore(release): 1.1.2
• 91ceaf2 fix: algorithm for importing modules ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.19.8-alpine #449)
• 1138ed7 fix: checking that the list of modules is an array ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.19.8-alpine #448)
• aa418dd chore(release): 1.1.1
• 7ee8b04 fix: add empty default export for `linkTag` value
• c69ea6c chore(release): 1.1.0
• c7d6e3a fix: order of imported styles ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.19.8-alpine #443)
• a283b30 test: more manual test ([Snyk] Security upgrade golang from 1.13-alpine to 1.20.3-alpine #442)
• 3415266 feat: `esModule` option ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.20.3-alpine #441)
• 907aed8 test: refactor ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.20.3-alpine #440)
• 28e1628 refactor: code ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.20.3-alpine #438)
• 5c51b90 refactor: cjs ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.20.3-alpine #437)
• 609263a test: refactor
• 7768fce chore(release): 1.0.2
• dcbfadb fix: support ES module syntax ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.20.3-alpine #435)
• d515edc chore(deps): update ([Snyk] Security upgrade alpine from 3.11.6 to 3.14 #434)
• 4c1e3f3 docs: fixed typo 'doom' to 'DOM' in README.md ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.19-alpine #432)
• c6164d5 chore(release): 1.0.1

See the full diff

Package name: ts-loader

The new version differs by 104 commits.

• 268bc69 chore(deps): upgrade most production deps (cloud/devspace devspace-sh/devspace#1237)
• e160564 Add a cache to file path mapping (fix: dependency local paths are relative to config devspace-sh/devspace#1228)
• 14fa3f8 Add documentation about performance profiling (add env source command devspace-sh/devspace#1230)
• 3cc78b8 Fix typo in README.md (warn if minikube client creation fails devspace-sh/devspace#1229)
• 8f2a509 Add documentation for the useCaseSensitiveFileNames option (chore: improve message for restart helper error devspace-sh/devspace#1227)
• 566e6ce Instead of checking date, check time thats more accurate to see if something has changed (Fix patches.mdx devspace-sh/devspace#1217)
• 172ebeb Feature/typescript 4 1 (docs: generate docs v5.2 devspace-sh/devspace#1213)
• 0816fe9 Add peer dependencies for Yarn PnP (devspace is replacing container environment variables in unpleasant way devspace-sh/devspace#1209)
• 4909d99 Fixed missing errors in watch mode in webpack5 (Updated caching explanation devspace-sh/devspace#1208)
• 3f73e98 Fix failed builds when using thread-loader (Allow initContainer configs to set imagePullPolicy  devspace-sh/devspace#1207)
• e90f8ad Fix memory leak when using multiple webpack instances (devspace use the in-cluster config if no kube-config exists devspace-sh/devspace#1205)
• 95050eb Speeds up project reference build and doesnt store the result in memory (multiple profile parents & profile sources devspace-sh/devspace#1202)
• f99c7c4 doc: escape pipe in table (Adding helm --history-max support devspace-sh/devspace#1201)
• 0b4a86d Replace afterCompile to stop webpack 5 warning (Load profile from file devspace-sh/devspace#1200)
• 6d8d601 Fixed deprecation warnings on webpack@5. (fix(ui): fxies an issue where the ui would display 404 devspace-sh/devspace#1195)
• cafc933 Fix installation link on README.md (Ability to pass custom args to helm in deployments devspace-sh/devspace#1192)
• f5e901e Bump http-proxy in /examples/react-babel-karma-gulp (passing user credentials to private helm repo devspace-sh/devspace#1182)
• 0767bce add github action status badge (Devspace UI Terminal Column Width devspace-sh/devspace#1190)
• db5ea55 Feature/upgrade testpack to ts4 (fix: fixes an issue with large files in remote port forwarding devspace-sh/devspace#1189)
• 95b6fe8 Uses existing instance if config file is same as already built solution (devspace sync uploads unmodified files devspace-sh/devspace#1177)
• b38678a Update minimum compiler version to 3.6.3 (Images always rebuild due to use of DEVSPACE_RANDOM in image tag devspace-sh/devspace#1188)
• f8eba53 Add documentation and example code for projectReferences (sync ignore uploadExcludePaths and excludePaths dir devspace-sh/devspace#1184)
• 46d9761 Update docs to show transpileOnly does not affect project references (devspace How to change Deployment CMD? devspace-sh/devspace#1175)
• 0e64ceb Fix getOptionsHash when two options has different props but same values. (build(deps): bump http-proxy from 1.18.0 to 1.18.1 in /ui devspace-sh/devspace#1170)

See the full diff

Package name: url-loader

The new version differs by 13 commits.

• 8828d64 chore(release): 4.0.0
• fc8721f chore(deps): migrate on `mime-types` package ([Snyk] Security upgrade golang from 1.10.1 to 1.17.8 #209)
• f13757a chore(deps): update ([Snyk] Security upgrade golang from 1.10.1 to 1.17.8 #208)
• a2f127d fix: description on the `esModule` option ([Snyk] Security upgrade php from 7.1-apache-stretch to 7.3.29-apache-stretch #204)
• 4301f87 chore(release): 3.0.0
• 3f0bbc5 refactor: next ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.17.8-alpine #198)
• 2451157 chore(release): 2.3.0
• 0ee2b99 feat: new `esModules` option to output ES modules
• cbd1950 chore(release): 2.2.0
• 196110e fix: yarn pnp support ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.17.8-alpine #195)
• 9431124 docs: improve documentation about `fallback` ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.17.8-alpine #194)
• a251a23 chore(deps): update ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.17.8-alpine #193)
• 2bffcfd fix: limit must allow infinity and max value ([Snyk] Security upgrade golang from 1.13.0-alpine to 1.17.8-alpine #192)

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 610f368 5.0.0
• 5ce65c1 update examples
• bbe1230 Merge pull request #11628 from webpack/bugfix/real-content-hash
• 75ecff2 5.0.0-rc.6
• bfc35d6 Merge pull request #11603 from MayaWolf/master
• 76e8cbd Merge pull request #11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
• 9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
• 36bcfaa Merge pull request #11621 from webpack/bugfix/11619
• 9130d10 fix called variables with ProvidePlugin
• 3e42105 Merge pull request #11620 from webpack/bugfix/11617
• 4709719 skip connections copied to concatenated module
• 57b493f 5.0.0-rc.5
• 1658e2f Merge pull request #11618 from webpack/bugfix/11615
• a8fb45d fixes crash in SideEffectsFlagPlugin
• 84b196d emit error instead of crashing when unexpected problem occurs
• 5573fed Merge pull request #11601 from Hornwitser/improve-suggested-polyfill-config
• 9b5cce9 Merge pull request #11609 from snitin315/export-types
• 37c495c export type RuleSetUseItem
• 39faf34 export type RuleSetUse
• e5fd246 export type RuleSetConditionAbsolute
• 660baad export RuleSetCondition types
• 13e3ca5 Merge pull request #11602 from webpack/bugfix/shared-runtime-chunk
• 9c0587e Merge pull request #11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
• 502d166 Merge pull request #11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution