[Snyk] Fix for 8 vulnerabilities

[jamijam]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • app/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTMLMINIFIER-3091181	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: fork-ts-checker-webpack-plugin

The new version differs by 37 commits.

• 5ba6839 Release 5.0.0 (Floating label text and label not on input line` quasarframework/quasar#445)
• d056616 feat: remove "incremental: true" from ts default options (Cordova.js Uncaught Error: cordova already defined quasarframework/quasar#444)
• 188d44d feat: add issue.scope option (feat: add typescript definitions quasarframework/quasar#442)
• b865f1d fix: always pass compilation to issues hook (Autocomplete display issue in Chrome quasarframework/quasar#443)
• e812f18 feat: overwrite other fields in tsconfig.json (change primary styles quasarframework/quasar#440)
• 2b72fd0 fix: properly disconnect rpc client to be able to reconnect (component lists rendered with v-for should have explicit keys. quasarframework/quasar#439)
• c4796b2 fix: include files that are outside project context (How to use global stylus variables in vue components' <style> ? quasarframework/quasar#437)
• 1f7ae0d docs: update bug-report template by merging master into alpha branch
• aa8f74d feat: rename tsconfig option to configFile for consistency (<i> tag incompatibility with Medium editor quasarframework/quasar#436)
• 944e0c9 feat: improve overall typescript performance (. quasarframework/quasar#435)
• a430979 feat: add `context` option for typescript reporter (field focus? quasarframework/quasar#430)
• 503a948 fix: support webpack multi-compiler (Header & footer flex-shrink quasarframework/quasar#431)
• 9b3b9dd feat: add "mode" for typescript reporter (Fix problem in Datetime that causes momentjs warning quasarframework/quasar#429)
• 2ba396d fix: respect eslint extensions in incremental check
• 8a10ca9 docs: add babel-loader example
• be9cd64 docs: add ts-loader example
• b5d5977 docs: add vscode-tasks example
• e59a8d2 chore: fix github actions release job
• 37b8944 feat: export `version` const for external tools (Updated height & width variable reference quasarframework/quasar#428)
• 5552f62 docs: update bug template to use eslint, not tslint
• 5665dac feat: change start hook to AsyncSeriesWaterfallHook (q-transition has no support for transition groups quasarframework/quasar#425)
• 8687c63 feat: support @ vue/compiler-sfc in the vue extension (Fixes #420 quasarframework/quasar#423)
• f277444 fix: remove references to external typings (q-layout issue on iOS safari quasarframework/quasar#422)
• cfcc0fe fix: properly handle import modules with .vue suffix (Animate Issue on IE11 quasarframework/quasar#420)

See the full diff

Package name: html-webpack-plugin

The new version differs by 139 commits.

• eb73905 chore(release): 4.0.0
• 42a6d4a Add typing for getHooks
• a1a37cf Release html-webpack-plugin 4.0.0-beta.14
• 97f9fb9 fix: load script files before style files files in defer script loading mode
• e97ce17 Release html-webpack-plugin 4.0.0-beta.13
• e448b5d Release html-webpack-plugin 4.0.0-beta.12
• de315eb feat: Add defer script loading
• 7df269f feat: Provide a verbose error message if html minification failed
• 1d66e53 feat: merge templateParameters with default template parameters
• dfb98e7 Fix typo in template option docts
• 096a760 Fix broken links in examples
• a195c34 docs: Update template-option documentation
• 40b410e docs: Update example for template parameters
• bf017f3 chore: Release 4.0.0-beta.11
• 2549557 test: Don't use minification for speed measurement
• de22fc2 test: Adjust measurment for node 6 on travis
• 24bf1b5 fix: Update references to html-minifier
• f4eafdc chore: Release 4.0.0-beta.10
• a2ad30a refactor: Use getAssetPath instead of calling the hook directly
• 2595a79 chore: Release 4.0.0-beta.9
• c66766c feat: Add support for minifying inline ES6 inside html templates
• 655cbcd Fix README typo
• 6de319b update lodash dependency for prototype polution vulnerability
• 35a1541 Properly encode file names emitted as part of URLs.

See the full diff

Package name: node-sass

The new version differs by 97 commits.

• 3b556c1 7.0.2
• c716359 Bump sass-graph@^4.0.1 (feat(v1 docs): Layout builder notice for components quasarframework/quasar#3292)
• 24741b3 docs(readme): fix docpad plugin link
• 1523330 feat: Drop Node 12
• 365d357 update https://registry.npm.taobao.org to https://registry.npmmirror.com
• 1456114 build(deps): bump actions/upload-artifact from 2 to 3
• b465b69 chore: bump GitHub Actions to Windows 2019 (feat(docs): Splitter Image examples - remove scrollbars quasarframework/quasar#3254)
• e6194b1 build(deps): bump make-fetch-happen from 9.1.0 to 10.0.4
• 4edf594 build(deps): bump node-gyp from 8.4.1 to 9.0.0
• 29e2344 build(deps): bump actions/checkout from 2 to 3
• 85b0d22 build(deps): bump actions/setup-node from 2 to 3
• 3bb51da Use make-fetch-happen instead of request (typo quasarframework/quasar#3193)
• adc2f8b build(deps): bump true-case-path from 1.0.3 to 2.2.1 (feat(docs): QCircularProgress quasarframework/quasar#3000)
• 77d12f0 chore: disable Apline for Node 16/17 builds
• 308d533 ci: use Python 3 for Node 12
• c818907 ci: unpin actions/setup-node to v2
• 99242d7 7.0.1
• 77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 ([v1 docs] looks like just electron nowadays quasarframework/quasar#3224)
• c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 ([v1.0] QBtnGroup in card actions has margin between buttons quasarframework/quasar#3209)
• 918dcb3 Lint fix
• 0a21792 Set rejectUnauthorized to true by default (fix(quasar): Uploader mix-in fix for scoped-slot "list" quasarframework/quasar#3149)
• e80d4af chore: Drop EOL Node 15 ([v1] VTouchHold/Repeat/Pan: allow a 20ms window before aborting for move quasarframework/quasar#3122)
• d753397 feat: Add Node 17 support (Theme Builder not exporting QDrawer unless left drawer selected [v1.0] quasarframework/quasar#3195)
• dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0

See the full diff

Package name: optimize-css-assets-webpack-plugin

The new version differs by 5 commits.

• 09d29b3 5.0.5
• d0a7da7 feat(deps): update dependencies (Quasar uses fastclick? quasarframework/quasar#154)
• 41d1e23 Redirect to css-minimizer-webpack-plugin for webpack 5 or above
• e9b84f1 5.0.4
• b3a3ada Update dependencies (Error on Cookies.get() function quasarframework/quasar#133)

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 610f368 5.0.0
• 5ce65c1 update examples
• bbe1230 Merge pull request Keep open a dialog opened from a dropdown? quasarframework/quasar#11628 from webpack/bugfix/real-content-hash
• 75ecff2 5.0.0-rc.6
• bfc35d6 Merge pull request feat(QCarousel): reverse autoplay when prop value is negative number #8111 (backport from v2) quasarframework/quasar#11603 from MayaWolf/master
• 76e8cbd Merge pull request fix(isDeepEqual): ignore undefined keys in objects when comparing quasarframework/quasar#11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
• 9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
• 36bcfaa Merge pull request chore(docs): typo on dev layout quasarframework/quasar#11621 from webpack/bugfix/11619
• 9130d10 fix called variables with ProvidePlugin
• 3e42105 Merge pull request feat(AppFullscreen): toggle fullscreen even if there is already a fullscreen el; get active element and fullscreen status on fullscreenchange event quasarframework/quasar#11620 from webpack/bugfix/11617
• 4709719 skip connections copied to concatenated module
• 57b493f 5.0.0-rc.5
• 1658e2f Merge pull request feat(QFab): add scoped slots for icon, icon-active and label #7689 quasarframework/quasar#11618 from webpack/bugfix/11615
• a8fb45d fixes crash in SideEffectsFlagPlugin
• 84b196d emit error instead of crashing when unexpected problem occurs
• 5573fed Merge pull request fix(QRating): tooltips with icon in svg/img format not working correctly #11055 (backport from v2) quasarframework/quasar#11601 from Hornwitser/improve-suggested-polyfill-config
• 9b5cce9 Merge pull request feat(QTabs): add activeClass prop #10494 (backport from Qv2) quasarframework/quasar#11609 from snitin315/export-types
• 37c495c export type RuleSetUseItem
• 39faf34 export type RuleSetUse
• e5fd246 export type RuleSetConditionAbsolute
• 660baad export RuleSetCondition types
• 13e3ca5 Merge pull request feat(QInnerLoading): New props -> label, label-class, label-style #8619 (backport from v2) quasarframework/quasar#11602 from webpack/bugfix/shared-runtime-chunk
• 9c0587e Merge pull request QInfiniteScroll containerHeight error quasarframework/quasar#11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
• 502d166 Merge pull request fix(debouncing): cancel pending debounced calls when components are destroyed quasarframework/quasar#11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Package name: webpack-dev-server

The new version differs by 250 commits.

• c9271b9 chore(release): 4.0.0
• 18bf369 test: fix stability (close-overlay directive for QLayoutDrawer quasarframework/quasar#3676)
• cdcabb2 fix: respect protocol from browser for manual setup (QForm quasarframework/quasar#3675)
• 1768d6b fix: initial reloading for lazy compilation ([V1 - request] Delay focus event with touch-hold quasarframework/quasar#3662)
• 4f5bab1 docs: improve examples ([v1] QSelect - options-value is being ignored quasarframework/quasar#3672)
• f2d87fb fix: improve https CLI output ([v1] QTable - custom template row with field function quasarframework/quasar#3673)
• 0277c5e chore: remove redundant console statements (feat(quasar): Add touchPosition processing to QPopupProxy and don't force touchPosition on contextMenu in QMenu quasarframework/quasar#3671)
• 16fcdbc docs: add `ipc` example ([V1 - request] swipe down on Dialog quasarframework/quasar#3667)
• 8915fb8 test: add e2e tests for built in routes (docs(quasar): Add docs for QField - part 2 quasarframework/quasar#3669)
• 4d1cbe1 docs: ask `version` information in issue template (fix(quasar): Move counter prop in QField quasarframework/quasar#3668)
• b6c1881 chore(deps-dev): bump core-js from 3.16.1 to 3.16.2 (How to insert a picture using code in QEditor quasarframework/quasar#3666)
• ffa8cc5 chore(deps-dev): bump supertest from 6.1.5 to 6.1.6 ([V1] QMenu: position + context-menu quasarframework/quasar#3665)
• f1fdaa7 chore(release): 4.0.0-rc.1
• c4678bc fix: legacy API (Update quasar-config.js quasarframework/quasar#3660)
• d8bdd03 test: fix stability ([documentation] Touch-hold .prevent.stop quasarframework/quasar#3661)
• 22b1414 refactor: remove `killable` ([V1 documentation] add release notes quasarframework/quasar#3657)
• 75bafbf test: add e2e tests for module federation ([Quasar v1] Issue with the error display with icons quasarframework/quasar#3658)
• 493ccbd chore(deps): update `ws` (How can i access dev server from intranet device? quasarframework/quasar#3652)
• ae8c523 test: add e2e test for universal compiler ([Feature Request] Bring back repeat-timeout for QBtn quasarframework/quasar#3656)
• f94b84f chore(deps): update (Feature request: Show checkbox for QSelect with multiple quasarframework/quasar#3655)
• 1923132 test: fix cli
• 2adfd01 test: fix todo (feat(quasar): QField - add custom control slot, unify focus/blur and add checks quasarframework/quasar#3653)
• 6e2cbde fix: proxy logging and allow to pass options without the `target` option (fix(quasar): Check if event is cancelable before preventDefault quasarframework/quasar#3651)
• c9ccc96 fix: respect infastructureLogging.level for client.logging ([v1]QDate - years gets fighting for a place quasarframework/quasar#3613)

See the full diff

Package name: workbox-webpack-plugin

The new version differs by 250 commits.

• 9cbed27 v6.0.0
• e2bae90 Misc. webpack changes ([FEATURE REQUEST] Table/Data Grid "EpandRow" quasarframework/quasar#2683)
• f2ef912 Re-enable yarn test
• 1567f16 rc.0
• 43c375f v6.0.0-rc.0
• 5692d74 Update the stage at which the webpack plugin runs (mdi-account-details icon does not work quasarframework/quasar#2675)
• 666f7e4 Make use of AssetInfo in webpack build (Heading size on small screens quasarframework/quasar#2673)
• 06e51db Feature/workbox recipes ([v1] Firefox does not respect user-select: none quasarframework/quasar#2664)
• 57ad215 Add declare to WorkboxPlugin interface ([v1] QBtn: prevent errors on PointerEvent on Firefox mobile quasarframework/quasar#2657)
• c2eddf4 Mark BackgroundSyncPlugin options param as optional (perf: Force GPU for translate, scale and rotate transforms quasarframework/quasar#2656)
• df93286 Don't update data: sourcemaps ([v1] QSpinner: poor's man with IE spinner quasarframework/quasar#2654)
• ed69eca Updates for html-webpack-plugin and webpack v5 ([Feature Request] Add support to option groups in QSelect quasarframework/quasar#2651)
• bf8c949 networkTimeoutSeconds in NetworkOnly (Stepper bug quasarframework/quasar#2620)
• d62c185 Version bumps
• f78cfb8 Remove importScriptsViaChunks JSDoc ([v1] QTabs: fix animation for narrow indicator quasarframework/quasar#2650)
• 00ba074 v6.0.0-alpha.3
• 4669bdc Task needs to be async
• cbb18c8 webpack v5 compatibility (Mobile keyboard over text field quasarframework/quasar#2641)
• ff9d868 Adjust PrecacheEntry type to allow null revisions (Misc key related - use keyup when possible quasarframework/quasar#2645)
• ae29e17 Warn when an async matchCallback is used (Allow password to be shown by default quasarframework/quasar#2591)
• a6751b9 Precaching updates for v6 (Q-Select does not receive .focus in ref quasarframework/quasar#2639)
• bb21e82 Add gulp build to hint (QRipple: use same speed for radial and normal ripple quasarframework/quasar#2629)
• f993ab4 Add missing spaces in multiline logs (QChip: react on keyup ENTER and add kbd to close button quasarframework/quasar#2627)
• 6d38919 Allow cacheKeyWillBeUsed to influence the request method check ([Request] Add Malay language for quasar language pack quasarframework/quasar#2616)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Improper Input Validation
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn