[Snyk] Fix for 5 vulnerabilities

[rusackas]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • superset-frontend/package.json
  • superset-frontend/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-ASYNCVALIDATOR-2311201	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-D3COLOR-1076592	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: antd

The new version differs by 250 commits.

• 870b72a docs: 4.17.0 changelog (#32859)
• 3a5b6b8 chore(deps-dev): bump stylelint-config-standard from 23.0.0 to 24.0.0 (#32866)
• 7e2dc80 chore(.gitignore):add ignore for pnpm (#32860)
• 491cc4f fix: borderLeftRadius error for Input.Search #32808 (#32812)
• 958df3d docs: add demo for Input.Group (#32837)
• ce006bd docs: Version Robin (#32830)
• 3f495bb chore: Upgrade react router v6 (#32821)
• 43569b9 docs: update customize-theme-variable.zh-CN.md
• 7ed7c60 style: fix Tree icon align bug (#32822)
• 01887b4 fix: if breadcrumbRender return false, breadcrumb will hidden (#32738)
• 5f642cb fix: tag animation demo (#32804)
• 852a451 chore(Tag): update tween-one (#32800)
• 90aff3a docs: fix Spin API ts description (#32786)
• 8a3b5d9 fix: Form horizontal broken style when select item is too long (#32778)
• a73f4a3 docs: Fix the link in Table's API doc (#32779)
• ecc54dd fix: codepen demo error using hooks (#32766)
• cf15379 docs: add 4.17.0-alpha.10 changelog (#32775)
• f7380b7 chore(deps-dev): bump eslint-plugin-unicorn from 37.0.1 to 38.0.0 (#32765)
• b1ea2e4 fix: opening animation of the bottom drawer (#32761)
• 10a8578 fix: Spin tip can be react node (#32733)
• fa65cd3 chore(deps-dev): bump @ types/gtag.js from 0.0.7 to 0.0.8 (#32746)
• f88bd4d refactor: Move part mixins less to theme instead (#32763)
• 5360722 chore: update form demo
• ea52572 chore(💄): fix issue template

See the full diff

Package name: d3-color

The new version differs by 21 commits.

• 7a1573e 3.1.0
• 75c19c4 update LICENSE
• ef94e01 update dependencies
• 5e9f757 method shorthand
• e4bc34e formatHex8 (chore(deps): bump ws from 7.4.2 to 7.4.5 in /superset-websocket #103)
• ac660c6 {rgb,hsl}.clamp() (build(deps-dev): bump optimize-css-assets-webpack-plugin from 5.0.1 to 6.0.0 in /superset-frontend #102)
• 70e3a04 clamp HSL format (chore(deps-dev): bump @storybook/addon-knobs from 6.1.17 to 6.2.9 in /superset-frontend #101)
• 994d8fd avoid backtracking ([Snyk] Security upgrade babel from 2.5.3 to 2.9.1 #100)
• 7d61bbe 3.0.1
• 93bc4ff related Generate copyright from LICENSE. d3/d3#3502; extract copyrights from LICENSE
• 611e1c3 3.0.0
• 4c2be7e Adopt type=module ([Snyk] Security upgrade aiohttp from 3.7.2 to 3.7.4 #90)
• 017a463 v2.0.0
• 7de7354 Merge pull request build(deps): bump @actions/core from 1.2.4 to 1.2.6 in /.github/actions/cached-dependencies #75 from d3/two
• 0ecd740 v2.0.0-rc.1
• 0eb9594 Merge pull request build(deps): bump lodash from 4.17.15 to 4.17.20 in /.github/actions/cached-dependencies #76 from d3/radians
• cc0a51b Merge pull request [Snyk] Security upgrade py from 1.9.0 to 1.10.0 #77 from d3/document-extensions
• fd23843 document extensions
• d86e36b link to https://d3js.org/d3-color.v2.min.js
• c1b93f1 normalize "degrees" and "radians" for deg2rad conversions
• 693572b deliberate ES6 syntax

See the full diff

Package name: d3-scale

The new version differs by 91 commits.

• f7cb35b 4.0.0
• 120ad7a adopt InternMap for ordinal scales (chore(deps): bump terser from 4.6.3 to 4.8.1 in /superset-frontend #237)
• ac30873 Adopt type=module (chore(deps-dev): bump @typescript-eslint/parser from 4.19.0 to 5.32.0 in /superset-websocket #246)
• 2b7db62 3.3.0
• f3cfd2c update dependencies
• 80ff9b2 adopt d3-time’s ticks
• 8afe6bd 3.2.4
• 60e10c4 update dependencies
• 116ac06 Treat null as undefined. (chore: fix alt image issue #241)
• c7efc99 3.2.3
• 5d3e9c3 Update d3-array.
• 1ff6522 yarn
• 957482b Update tickFormat.js
• 42d546e scaleQuantile performance fixup
• 0a427eb time_copy is part of the API but was missing from the README
• 1dd3f5a Merge pull request chore(deps): bump got from 11.8.3 to 11.8.5 in /superset-frontend/cypress-base #219 from d3/links-v6
• 8460207 v3.2.2
• 6169111 d3 dependencies
• 0a55cc8 Merge pull request chore(deps): bump react-json-tree from 0.11.2 to 0.16.2 in /superset-frontend #210 from domoritz/fix-nice
• 5046251 links to d3@6 versions
• d0a2fe4 fix documentation: the diverging scale's default domain is [0, 0.5, 1]
• da99948 Use var
• 0932d15 Merge pull request [Snyk] Security upgrade sqlparse from 0.3.0 to 0.4.2 #211 from oluckyman/patch-1
• 2751067 Fix a typo

See the full diff

Package name: html-webpack-plugin

The new version differs by 13 commits.

• 873d75b chore(release): 5.5.0
• ddeb774 chore: update examples
• 1e42625 feat: Support type=module via scriptLoading option
• 7d3645b Bump pretty-error to 4.0.0 to fix transitive vuln for ansi-regex CVE-2021-3807
• 79be779 [chore] changes actions to run on pull_requests
• b7e5859 [chore] fixes CI to avoid race conditions
• 48131d3 chore(release): 5.4.0
• 16a841a [chore] rebuild examples
• 3bb7c17 Update index.js
• e38ac97 Update index.js
• f08bd02 [chore] updates fixtures
• d62a10f [chore] upgrades html-minifier-terser@5.0.0 -> 6.0.2
• 2f5de7a Remove archived plugin

See the full diff

Package name: react-jsonschema-form

The new version differs by 59 commits.

• 58a3534 Bump version v1.3.0
• 2a6b830 Limit cases where "required" attribute is used on checkboxes (typo fix to Update countries.md apache/superset#1194)
• 1651066 Add the full source maps by default for development (Adding a 'Misc Charts' dashboard as part of the examples apache/superset#1208)
• 10a6b64 Bug Fix empty html useless added by PR Fixing druid culster perms to mirror sqla databases apache/superset#1123 / v1.2.0 (Testing in progress apache/superset#1158)
• 92233e4 Add more schemas to validate against (models: fix slice creation apache/superset#1130)
• aebfab9 Improve handling of decimal points and trailing zeroes in numbers ([docs] improve security section around managing roles apache/superset#1183)
• 07decc5 Merge branch 'master' of https://github.com/mozilla-services/react-jsonschema-form
• c355ddb Merge branch 'huhuaaa-feature/fix-enum-empty-bug'
• 5aaf863 test: fix tests
• 9153444 Merge branch 'feature/fix-enum-empty-bug' of https://github.com/huhuaaa/react-jsonschema-form into huhuaaa-feature/fix-enum-empty-bug
• a7be6ee Remove build:readme script and toctoc dep (Download button, share button, and url shortener button stay not in sync with visualization while editing apache/superset#1189)
• f9d4c63 Fix multiple bugs related to switching between anyOf/oneOf options (--WIP-- add faves/starred things to /welcome apache/superset#1169)
• 4d17bd8 test: move the test to the right file
• bece2a5 Generate code coverage reports using nyc (Embedded Dashboards apache/superset#1170)
• aa862ab test: add enum test
• 59038c0 Submit event should return original event as second param (Bring DB in sync with the models.py apache/superset#1172)
• 919a164 Add various always-ignore files and directories to .gitignore (Druid metadata cannot be retrieved when the whole dataset has the same timestamp apache/superset#1171)
• 6e79281 Infer field type from const value ([sqllab] db migration - setting Database.allow_run_sync=True apache/superset#1174)
• b481f58 Oops, bump version in package-lock.json too
• a1eedfb Bump v1.2.1
• 54091b1 style: npm run cs-format
• f999547 Fixed a bug.The selector have a empty option, when use enum and the default value is 0 or false or ''.
• 174e136 Fix uiSchema for additionalProperties (Clicking on a user's role who is not active and making them active fires an error apache/superset#1144)
• 2368740 replace submit button paragraph tag with div (build(deps): update datamaps requirement from ^0.5.8 to ^0.5.9 in /superset-frontend/plugins/legacy-plugin-chart-world-map #766)

See the full diff

Package name: react-markdown

The new version differs by 18 commits.

• 45b9977 5.0.0
• eeea3c2 Update `changelog.md`
• 5d6c9f1 Refactor scripts
• d29478f Add type tests
• 4f5dbe2 Add note
• 7a5e3a1 Add `allowDangerousHtml`, preferred over `escapeHtml`
• 2675ae2 Remove docs on `source`
• 34b0883 Change default branch to `main`
• 22a5e49 Refactor and test for 100% coverage
• b3aa6e0 Rewrite readme for unified, more examples
• a9f163d Move demo to `website` branch
• 4f1a407 Change to clean project, update, refactor scripts
• ebebf51 Upgrade remark to version 8, unified to version 9
• e400f6f Upgrade to remark-parse@6
• 3260f57 Run tests on node 12
• 6eff8d1 Pass AST node to all non-tag/non-fragment renderers as prop
• ca25be1 Fix link to demo in readme
• 9b4eb84 Updated remark-parse github link (build(deps-dev): bump @types/node from 18.15.5 to 18.15.7 in /superset-websocket #447)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn

[codecov-commenter]

Codecov Report

Base: 66.92% // Head: 81.47% // Increases project coverage by +14.54% 🎉

Coverage data is based on head (74da677) compared to base (b773354).
Patch has no changes to coverable lines.

Additional details and impacted files

@@             Coverage Diff             @@
##           master     #289       +/-   ##
===========================================
+ Coverage   66.92%   81.47%   +14.54%     
===========================================
  Files        1805      474     -1331     
  Lines       69074    33374    -35700     
  Branches     7378        0     -7378     
===========================================
- Hits        46228    27190    -19038     
+ Misses      20940     6184    -14756     
+ Partials     1906        0     -1906     

Flag	Coverage Δ
hive	52.92% <ø> (ø)
javascript	?
mysql	78.35% <ø> (ø)
postgres	78.41% <ø> (ø)
presto	52.82% <ø> (ø)
python	81.47% <ø> (ø)
sqlite	76.90% <ø> (ø)
unit	51.06% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...end/src/components/Datasource/DatasourceEditor.jsx
...src/dashboard/components/dnd/handleScroll/index.ts
...et-frontend/src/components/Chart/ChartRenderer.jsx
...set-frontend/src/dashboard/util/permissionUtils.ts
...c/dashboard/components/gridComponents/Markdown.jsx
...ntend/src/dashboard/containers/DashboardHeader.jsx
...hboard/components/nativeFilters/FilterBar/utils.ts
...plugins/plugin-chart-echarts/src/Tree/constants.ts
...ols/DateFilterControl/components/AdvancedFrame.tsx
...ackages/superset-ui-core/src/query/api/v1/types.ts
... and 1321 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.