[Snyk] Fix for 4 vulnerabilities #23

naiba4 · 2024-04-22T14:40:08Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- packages/vscode-pyright/package.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	No	Proof of Concept
631/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.2	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	No	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	No	Proof of Concept
736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	Sandbox Bypass SNYK-JS-WEBPACK-3358798	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: vsce

The new version differs by 34 commits.

ab8770c feat: allow publishing universal target alongside platform specific targets (Add formatter (junit) microsoft/pyright#790)
8c1b1a0 chore: Spelling (Diagnostics are not cleared when switching diagnostic mode from "workspace" to "open files only" microsoft/pyright#789)
9aa361e Merge pull request Pyright cannot resolve the wandb module import, although it can resolve every other import. microsoft/pyright#787 from microsoft/lramos15/removePrChat-auto
2419f51 Remove PR Chat
df59e0f build(deps): bump minimatch from 3.0.4 to 3.0.5 (Instance variable of Callable is reported as having wrong number of arguments microsoft/pyright#784)
d608ecd feat: prompt for full name to confirm unpublish action (Use of "from .x import y" in pyi file should add implicit symbol export of "x" microsoft/pyright#782) (update typeshed to support redis-py 3.5.x microsoft/pyright#783)
1dcedef feat: support # model in the manifest file (eslint/prettier fixes, platform and version detection microsoft/pyright#749)
2589114 feat: allow to skip publishing duplicate package (Tuple unpacking in return statement with parentheses causes error in Python <3.8 microsoft/pyright#776)
8e193c9 feat: expose all options to packaging and publishing APIs (Pyright doesn't recognize the __members__ attribute of enumeration class microsoft/pyright#759)
5110bcf fix: correct program path in `launch.json` (Improve type inference of context manager that swallow exceptions microsoft/pyright#771)
742720a chore: set up #codereview automation (Not equal operator <> syntax (Python 2) microsoft/pyright#768)
3024d0f fix: clarify simultaneous use of packagePath and target in `vsce publish` (added more logging and fixed hover bug microsoft/pyright#765)
0940626 fix: list all valid targets in documentation for --target (Add severity level enum to package.json microsoft/pyright#766)
27fad23 chore: add branch protection (Support exhausted matching on enums microsoft/pyright#767)
9c50aa6 feat: github actions logging (Modules in symlinked directories cannot be resolved microsoft/pyright#752)
7e16ed7 fix: support fragments in image URLs (Pyright cannot resolve numpy functions microsoft/pyright#753)
955c760 build(deps): bump shell-quote from 1.7.2 to 1.7.3 (Cycle detected in import chain microsoft/pyright#746)
57112fd Merge pull request Incorrect "default value" error on certain subclassed dataclasses microsoft/pyright#745 from microsoft/fix-744
d68e2f7 Remove check for yarn.lock
b2288cd fix: ensure that we can define dependency argument in config (Upgrade dependencies, fix first line code actions, progress bar tweak, logging, package scanning microsoft/pyright#743)
76b06f2 build(deps-dev): bump semantic-release from 19.0.2 to 19.0.3 (Reorganizing "conflicts" with isort if enabled on save in vscode microsoft/pyright#741)
293f3d5 build(deps): bump semver-regex from 3.1.3 to 3.1.4 (Unsupported signature checking for overloads of str() microsoft/pyright#738)
9ef1cf0 build(deps): bump npm from 8.3.2 to 8.12.0 (Pyright can't infer the type of a repeated list microsoft/pyright#736)
95823b6 Merge pull request pandas droplevel microsoft/pyright#735 from microsoft/sandy081/horrible-rat

See the full diff

Package name: webpack

The new version differs by 75 commits.

5d64468 Merge pull request #16792 from webpack/update-version
67af5ec chore(release): 5.76.0
97b1718 Merge pull request #16781 from askoufis/loader-context-target-type
b84efe6 Merge pull request #16759 from ryanwilsonperkin/real-content-hash-regex-perf
c98e9e0 Merge pull request #16493 from piwysocki/patch-1
5f34acf feat: Add `target` to `LoaderContext` type
b7fc4d8 Merge pull request #16703 from ryanwilsonperkin/ryanwilsonperkin/fix-16160
63ea82d Merge branch 'webpack:main' into patch-1
4ba2252 Merge pull request #16446 from akhilgkrishnan/patch-1
1acd635 Merge pull request #16613 from jakebailey/ts-logo
302eb37 Merge pull request #16614 from jakebailey/html5-logo
cfdb1df Improve performance of hashRegExp lookup
4d561a6 Add test for behaviour of filesystem-cached assets with loaders
dfaa3b4 lint: remove trailing comma
dcc3e71 Serialize code generator data to support generated assets
b67626c Merge pull request #16491 from lvivski/main
d957cdf Fix formatting
6011163 Fix formatting
ea5e864 Fix HTML5 logo in README
2112f9b Replace TypeScript logo in README
5513dd6 Merge branch 'webpack:main' into patch-1
4b4ca3b Merge pull request #16500 from Jack-Works/avoid-cross-realm-object
4f39c9f fix: type error
c922ee1 chore: revert breaking change