[Snyk] Fix for 25 vulnerabilities

[melvin-bot]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	/1000 Why?	Use After Free SNYK-JS-ELECTRON-6057536	No	No Known Exploit
	/1000 Why?	Use After Free SNYK-JS-ELECTRON-6062177	No	No Known Exploit
	/1000 Why?	Integer Overflow or Wraparound SNYK-JS-ELECTRON-6095118	No	Mature
	/1000 Why?	Use After Free SNYK-JS-ELECTRON-6095120	No	No Known Exploit
	/1000 Why?	Use After Free SNYK-JS-ELECTRON-6095121	No	No Known Exploit
	/1000 Why?	Out-of-Bounds SNYK-JS-ELECTRON-6095122	No	No Known Exploit
	/1000 Why?	Use After Free SNYK-JS-ELECTRON-6100741	No	No Known Exploit
	/1000 Why?	Use After Free SNYK-JS-ELECTRON-6105391	Yes	No Known Exploit
	/1000 Why?	Heap-based Buffer Overflow SNYK-JS-ELECTRON-6137744	Yes	Mature
	/1000 Why?	Use After Free SNYK-JS-ELECTRON-6146929	Yes	No Known Exploit
	/1000 Why?	Use After Free SNYK-JS-ELECTRON-6146930	Yes	No Known Exploit
	/1000 Why?	Heap-based Buffer Overflow SNYK-JS-ELECTRON-6146931	Yes	No Known Exploit
	/1000 Why?	Use After Free SNYK-JS-ELECTRON-6146932	Yes	No Known Exploit
	/1000 Why?	Type Confusion SNYK-JS-ELECTRON-6173170	Yes	No Known Exploit
	/1000 Why?	Out-of-bounds Write SNYK-JS-ELECTRON-6173171	Yes	No Known Exploit
	/1000 Why?	Out-of-bounds Read SNYK-JS-ELECTRON-6179663	Yes	Mature
	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	/1000 Why?	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	265/1000 Why? CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	/1000 Why?	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-6147607	Yes	Proof of Concept
	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038	Yes	Proof of Concept
	375/1000 Why? CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	375/1000 Why? CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Prototype Pollution SNYK-JS-XML2JS-5414874	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @storybook/builder-webpack5

The new version differs by 250 commits.

• 4f2afa6 v7.0.0
• 03292b0 Update root, peer deps, version.ts/json to 7.0.0 [ci skip]
• b2dc5cf Revert "Update root, peer deps, version.ts/json to 7.0.0 [ci skip]"
• 7f391a3 Update root, peer deps, version.ts/json to 7.0.0 [ci skip]
• f0b53cb 7.0.0 changelog
• 930917d Merge pull request fix: icon not set when adding bookmark to iOS home screen #21856 from storybookjs/docs/interactions-addon-migration
• f1c13da 7.0.0-rc.11 next.json version file [skip ci]
• 512a2ae Update git head to 7.0.0-rc.11, update yarn.lock [ci skip]
• 908c324 v7.0.0-rc.11
• 5edc7c0 Update root, peer deps, version.ts/json to 7.0.0-rc.11 [ci skip]
• 324d9bb 7.0.0-rc.11 changelog
• 37d9737 interactions debugger is now default
• 9682f7c Merge pull request [Hold for payment 7-17][$1000] Web - Console log "Invalid Attempt to destructure non-iterable instance" error when clicking 'Add reaction' icon #21833 from storybookjs/kasper/fix-strict-args-decorator-with-interface
• a08ffc7 Put @ storybook/csf version back into next
• 2cc1d36 Merge pull request Fixed 21280 textinput autogrow height #21850 from storybookjs/fix/tone-down-dependency-alerts
• 941103b Merge pull request migrate FloatingActionButtonAndPopover to function component #21851 from storybookjs/valentin/export-application-config-decorator
• 31700c0 Export applicationConfig decorator and adjust documentation for usage
• 3d9544f Merge pull request [HOLD for payment 2023-07-21] [$1000] Web - Heading after quote is not rendering #21846 from storybookjs/chore_docs_webpack_tweaks
• 79b590b Tweaks to the Webpack docs
• d193be5 Merge pull request Fix/issue 20810 #21836 from storybookjs/fix/downgrade-remark-deps
• 79b1fde Merge pull request [Performance fix #21831] Don't re-render ReportScreen unnecessarily when switching #21832 from storybookjs/fix/polyfill-global
• 590f053 downgrade remark related dependencies
• b421d95 only provide critical duplicated dependency warning on major version difference
• acace30 Merge pull request Fix - modified magic code link redirects to welcome screen with first place of magic code green #21724 from jungpaeng/docs/fix-controls

See the full diff

Package name: @storybook/react

The new version differs by 250 commits.

• 4f2afa6 v7.0.0
• 03292b0 Update root, peer deps, version.ts/json to 7.0.0 [ci skip]
• b2dc5cf Revert "Update root, peer deps, version.ts/json to 7.0.0 [ci skip]"
• 7f391a3 Update root, peer deps, version.ts/json to 7.0.0 [ci skip]
• f0b53cb 7.0.0 changelog
• 930917d Merge pull request fix: icon not set when adding bookmark to iOS home screen #21856 from storybookjs/docs/interactions-addon-migration
• f1c13da 7.0.0-rc.11 next.json version file [skip ci]
• 512a2ae Update git head to 7.0.0-rc.11, update yarn.lock [ci skip]
• 908c324 v7.0.0-rc.11
• 5edc7c0 Update root, peer deps, version.ts/json to 7.0.0-rc.11 [ci skip]
• 324d9bb 7.0.0-rc.11 changelog
• 37d9737 interactions debugger is now default
• 9682f7c Merge pull request [Hold for payment 7-17][$1000] Web - Console log "Invalid Attempt to destructure non-iterable instance" error when clicking 'Add reaction' icon #21833 from storybookjs/kasper/fix-strict-args-decorator-with-interface
• a08ffc7 Put @ storybook/csf version back into next
• 2cc1d36 Merge pull request Fixed 21280 textinput autogrow height #21850 from storybookjs/fix/tone-down-dependency-alerts
• 941103b Merge pull request migrate FloatingActionButtonAndPopover to function component #21851 from storybookjs/valentin/export-application-config-decorator
• 31700c0 Export applicationConfig decorator and adjust documentation for usage
• 3d9544f Merge pull request [HOLD for payment 2023-07-21] [$1000] Web - Heading after quote is not rendering #21846 from storybookjs/chore_docs_webpack_tweaks
• 79b590b Tweaks to the Webpack docs
• d193be5 Merge pull request Fix/issue 20810 #21836 from storybookjs/fix/downgrade-remark-deps
• 79b1fde Merge pull request [Performance fix #21831] Don't re-render ReportScreen unnecessarily when switching #21832 from storybookjs/fix/polyfill-global
• 590f053 downgrade remark related dependencies
• b421d95 only provide critical duplicated dependency warning on major version difference
• acace30 Merge pull request Fix - modified magic code link redirects to welcome screen with first place of magic code green #21724 from jungpaeng/docs/fix-controls

See the full diff

Package name: copy-webpack-plugin

The new version differs by 29 commits.

• 797a006 chore(release): update `serialize-javascript`
• f233c55 chore(deps): serialize-javascript and deps updated (Fix sign out button, by passing reference when removing event #613)
• 966d723 chore(deps): update (Add resolver sourceExts to metro config to fix CONST.jsx #610)
• 2abdddf chore: fix typo (Register the AppState listener handler correctly #609)
• d041d85 chore(release): 9.0.0
• beff64e refactor: nodejs v10 dropped (Delete stale login when creating a new one #606)
• 3a1139e docs: fix unintended cyrillics in README.md (Update version to 1.0.1-100 #604)
• 8857968 chore(release): 8.1.1
• d8fa32a fix: `stage` for processing assets (Make sure all reports are included when fetching all reports #600) (Default to target=_blank for report comment links #601)
• a571f07 chore(release): 8.1.0
• 82b10e3 chore(deps): update (Update version to 1.0.1-97 #598)
• a8ace71 docs: update (Convert isUnread logic to unreadActionCount. Improve LHN unread chat stability. #597)
• dde71f0 feat: added the `transformAll` option (Update with *Expensify Chat :expensifychat:* prefix #596)
• 4ca7f80 docs: fix broken link to #globoptions (Update version to 1.0.1-96 #595)
• 01fa91b docs: fix typo
• 1787d2d chore(release): 8.0.0
• 83601dc refactor: code (Enable Hermes JS Engine on Android #593)
• 9e12a33 refactor: code (Update version to 1.0.1-94 #592)
• d68a8eb chore(deps): update (Follow up to reconnection callback fix / Fix reconnect methods not firing on laptop awakening #591)
• ea610bc feat: added `priority` option (Update version to 1.0.1-93 #590)
• a9b06a6 docs(readme): add example to skip minimizing source files (Bubble API errors up.  #588)
• f2c1bc8 refactor: template strings in `to` option (Add QA message for new deploys #589)
• 8d5ab9a chore: updated deps (Update version to 1.0.1-92 #587)
• f5e661b test: issue 496 (Update version to 1.0.1-91 #586)

See the full diff

Package name: expo

The new version differs by 95 commits.

• 1028996 Publish packages
• be9dc2f chore(cli): hide the deprecated `export:web` command from the general help output. ([HOLD for payment 2023-10-23] [HOLD for payment 2023-10-23] [$500] Chat - Entering @ in second line not showing 5 user suggestions #26480)
• 9b57e3b chore: move expo/server to be a dependency of expo-router (Task shows "no activity yet" in LHS with activities. #25937)
• 94c137c [cli] remove versions from manual install command (Detailed design doc review (Product Manager / Generalist + Engineer) - [Tracking] Add Native Share Menus to New Dot - Share Into New Expensify #26457)
• e3b49f4 [cli]: default web.bundler to metro for new projects (fix image props for web #26452)
• 43858c5 fix(cli): let last arguments take precedence when repeated on `export:embed` command ([HOLD for payment 2023-11-22] [$500] Web - Opening split bill amount link displays no header #26471)
• 91948dd feat: use public directory when metro web is enabled ([No QA] [TS migration] Migrate 'isInputAutoFilled.js' lib to TypeScript #26473)
• a5dcdcd feat(cli, config-plugins): [2/3] patch based config-plugin ([Hold BE] fix: 23999 After deleting message, the conversation displays in LHN top instead of bottom #26414)
• f1dfaa1 feat(cli, config-plugins): [1/3] patch based config-plugin ([HOLD for payment 2023-09-08] [HOLD for payment 2023-09-07] [$500] Chat - "Go back to Home page" unresponsive on invalid link page #26413)
• 6ea59d0 [cli] enhance cors support for dev-server (Detailed design doc review (Product Manager / Generalist + Non-Engineer) - [Tracking] Add Native Share Menus to New Dot - Share Into New Expensify #26463)
• 8085d00 [metro-runtime] fix lazy component error on android (Detailed design doc review (Product Manager / Generalist + Non-Engineer) - [Tracking] Add Native Share Menus to New Dot - Share Into New Expensify #26464)
• f1850d3 update yarn.lock
• 3bbaf14 fix: pin `[email protected]` to avoid yarn v1 incompatibilities with `@ isaacs/cliui` module aliases (Detailed design doc review (Product Manager / Generalist + Engineer) - [Tracking] Add Native Share Menus to New Dot - Share Into New Expensify #26459)
• 892827d [home][android] Update dev/prod home, bump Android Expo Go version
• 71e41ed [go][Android] Recreate root view each time the menu is opened ([HOLD for payment 2023-10-05] [$500] Web - Focus Border is not disappearing on Click #26431)
• d186593 [home] Adjust bottom sheet animation ([HOLD for payment 2023-09-29] [$500] Report - Conversation history does not scroll down after sending a message and IOU #26432)
• b9dfb00 [launcher][Android] Fix HMR not working (Web - The Cursor displayed as enabled when hovering over the amount, description, merchant, or date for the paid request money. #26441)
• 1063249 [autolinking] Introduce universal "apple" platform (Chat - With specific account, app crashes on tapping plus button #26398)
• e6631d7 [store-review] Remove expo-linking dependency and use React Native Linking instead ([$500] Web - Money request - Workspace member is missing from the workspace when requesting money for workspace #26428)
• e8abb0d Update templates to latest [skip ci]
• 4a0457e Publish packages
• 4b15eb1 [expo] Bump suggested @ sentry/react-native version [skip ci]
• 7c0e751 (router): warn if incorrect web.output when using api routes ([$500] [HOLD for payment 2023-09-07] Update styles for money request header user cannot edit #25931)
• 8c29963 feat(cli): add adb user option (The up and down keys is not functioning in the profile page #26388)

See the full diff

Package name: react-native-blob-util

The new version differs by 6 commits.

• ed20986 version
• 14104f9 fixing in check
• 5dd72a1 implementing delta from Show Connected via Pusher status #261 with small changes
• 8df0134 update glob
• 41cd57a Merge pull request ~5-second lag when starting a new DM with someone #317 from Alza-app/master
• 1851dfb fix: RN 73 remove package from AndroidManifest

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Use After Free
🦉 Type Confusion
🦉 More lessons are available in Snyk Learn

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~01e838404b4397359e
• Upwork Job ID: 1752114592755728384
• Last Price Increase: 2024-01-29

[melvin-bot]

This is a Snyk issue. Snyk is a tool that automatically tracks our repositories' dependencies and reports associated security vulnerabilities. It also automatically create PRs to fix these vulnerabilities.

    C+: Please follow these steps to test the linked PR before running through the reviewer checklist:
    - [ ] The first step is to understand the PR: what dependency is it upgrading, for which vulnerability, how it impacts our product & end users.
    - [ ] If the issue is not worth fixing, please add your reasoning in the issue and have the internal engineer review it.
    - [ ] Check the change log (which should be included in the PR description) to see all changes. We want to identify any breaking changes. If it is a minor version bump, it's unlikely that there are any breaking changes.
    - [ ] Test our feature(s) that make use of this package. If it does not work, we should understand what broke it. It is also a good idea to check our main flows to make sure they are not broken that you can add in the checklist screenshots/videos.

[melvin-bot]

Job added to Upwork: https://www.upwork.com/jobs/~01e838404b4397359e

[melvin-bot]

Triggered auto assignment to Contributor Plus for review of internal employee PR - @shubham1206agra (Internal)

[shubham1206agra]

@mountiny This is not a straight updation of packages. May require 2 different PRs, one for storybook, and one for rest.

[mountiny]

@shubham1206agra sure

[shubham1206agra]

Update: expo and react-native-blob-util have already been upgraded.

[melvin-bot]

This issue has not been updated in over 15 days. @shubham1206agra eroding to Monthly issue.

P.S. Is everyone reading this sure this is really a near-term priority? Be brave: if you disagree, go ahead and close it out. If someone disagrees, they'll reopen it, and if they don't: one less thing to do!

[shubham1206agra]

@mountiny Can you close this? I think storybook upgrades are not necessary.

[shubham1206agra]

@mountiny Bump for closing the issue.