[Snyk] Fix for 25 vulnerabilities

[MelvinBot]

Details

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	/1000 Why?	Use After Free SNYK-JS-ELECTRON-6057536	No	No Known Exploit
	/1000 Why?	Use After Free SNYK-JS-ELECTRON-6062177	No	No Known Exploit
	/1000 Why?	Integer Overflow or Wraparound SNYK-JS-ELECTRON-6095118	No	Mature
	/1000 Why?	Use After Free SNYK-JS-ELECTRON-6095120	No	No Known Exploit
	/1000 Why?	Use After Free SNYK-JS-ELECTRON-6095121	No	No Known Exploit
	/1000 Why?	Out-of-Bounds SNYK-JS-ELECTRON-6095122	No	No Known Exploit
	/1000 Why?	Use After Free SNYK-JS-ELECTRON-6100741	No	No Known Exploit
	/1000 Why?	Use After Free SNYK-JS-ELECTRON-6105391	Yes	No Known Exploit
	/1000 Why?	Heap-based Buffer Overflow SNYK-JS-ELECTRON-6137744	Yes	Mature
	/1000 Why?	Use After Free SNYK-JS-ELECTRON-6146929	Yes	No Known Exploit
	/1000 Why?	Use After Free SNYK-JS-ELECTRON-6146930	Yes	No Known Exploit
	/1000 Why?	Heap-based Buffer Overflow SNYK-JS-ELECTRON-6146931	Yes	No Known Exploit
	/1000 Why?	Use After Free SNYK-JS-ELECTRON-6146932	Yes	No Known Exploit
	/1000 Why?	Type Confusion SNYK-JS-ELECTRON-6173170	Yes	No Known Exploit
	/1000 Why?	Out-of-bounds Write SNYK-JS-ELECTRON-6173171	Yes	No Known Exploit
	/1000 Why?	Out-of-bounds Read SNYK-JS-ELECTRON-6179663	Yes	Mature
	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	/1000 Why?	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	265/1000 Why? CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	/1000 Why?	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-6147607	Yes	Proof of Concept
	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038	Yes	Proof of Concept
	375/1000 Why? CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	375/1000 Why? CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Prototype Pollution SNYK-JS-XML2JS-5414874	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @storybook/builder-webpack5

The new version differs by 250 commits.

• 4f2afa6 v7.0.0
• 03292b0 Update root, peer deps, version.ts/json to 7.0.0 [ci skip]
• b2dc5cf Revert "Update root, peer deps, version.ts/json to 7.0.0 [ci skip]"
• 7f391a3 Update root, peer deps, version.ts/json to 7.0.0 [ci skip]
• f0b53cb 7.0.0 changelog
• 930917d Merge pull request fix: icon not set when adding bookmark to iOS home screen #21856 from storybookjs/docs/interactions-addon-migration
• f1c13da 7.0.0-rc.11 next.json version file [skip ci]
• 512a2ae Update git head to 7.0.0-rc.11, update yarn.lock [ci skip]
• 908c324 v7.0.0-rc.11
• 5edc7c0 Update root, peer deps, version.ts/json to 7.0.0-rc.11 [ci skip]
• 324d9bb 7.0.0-rc.11 changelog
• 37d9737 interactions debugger is now default
• 9682f7c Merge pull request [Hold for payment 7-17][$1000] Web - Console log "Invalid Attempt to destructure non-iterable instance" error when clicking 'Add reaction' icon #21833 from storybookjs/kasper/fix-strict-args-decorator-with-interface
• a08ffc7 Put @ storybook/csf version back into next
• 2cc1d36 Merge pull request Fixed 21280 textinput autogrow height #21850 from storybookjs/fix/tone-down-dependency-alerts
• 941103b Merge pull request migrate FloatingActionButtonAndPopover to function component #21851 from storybookjs/valentin/export-application-config-decorator
• 31700c0 Export applicationConfig decorator and adjust documentation for usage
• 3d9544f Merge pull request [HOLD for payment 2023-07-21] [$1000] Web - Heading after quote is not rendering #21846 from storybookjs/chore_docs_webpack_tweaks
• 79b590b Tweaks to the Webpack docs
• d193be5 Merge pull request Fix/issue 20810 #21836 from storybookjs/fix/downgrade-remark-deps
• 79b1fde Merge pull request [Performance fix #21831] Don't re-render ReportScreen unnecessarily when switching #21832 from storybookjs/fix/polyfill-global
• 590f053 downgrade remark related dependencies
• b421d95 only provide critical duplicated dependency warning on major version difference
• acace30 Merge pull request Fix - modified magic code link redirects to welcome screen with first place of magic code green #21724 from jungpaeng/docs/fix-controls

See the full diff

Package name: @storybook/react

The new version differs by 250 commits.

• 4f2afa6 v7.0.0
• 03292b0 Update root, peer deps, version.ts/json to 7.0.0 [ci skip]
• b2dc5cf Revert "Update root, peer deps, version.ts/json to 7.0.0 [ci skip]"
• 7f391a3 Update root, peer deps, version.ts/json to 7.0.0 [ci skip]
• f0b53cb 7.0.0 changelog
• 930917d Merge pull request fix: icon not set when adding bookmark to iOS home screen #21856 from storybookjs/docs/interactions-addon-migration
• f1c13da 7.0.0-rc.11 next.json version file [skip ci]
• 512a2ae Update git head to 7.0.0-rc.11, update yarn.lock [ci skip]
• 908c324 v7.0.0-rc.11
• 5edc7c0 Update root, peer deps, version.ts/json to 7.0.0-rc.11 [ci skip]
• 324d9bb 7.0.0-rc.11 changelog
• 37d9737 interactions debugger is now default
• 9682f7c Merge pull request [Hold for payment 7-17][$1000] Web - Console log "Invalid Attempt to destructure non-iterable instance" error when clicking 'Add reaction' icon #21833 from storybookjs/kasper/fix-strict-args-decorator-with-interface
• a08ffc7 Put @ storybook/csf version back into next
• 2cc1d36 Merge pull request Fixed 21280 textinput autogrow height #21850 from storybookjs/fix/tone-down-dependency-alerts
• 941103b Merge pull request migrate FloatingActionButtonAndPopover to function component #21851 from storybookjs/valentin/export-application-config-decorator
• 31700c0 Export applicationConfig decorator and adjust documentation for usage
• 3d9544f Merge pull request [HOLD for payment 2023-07-21] [$1000] Web - Heading after quote is not rendering #21846 from storybookjs/chore_docs_webpack_tweaks
• 79b590b Tweaks to the Webpack docs
• d193be5 Merge pull request Fix/issue 20810 #21836 from storybookjs/fix/downgrade-remark-deps
• 79b1fde Merge pull request [Performance fix #21831] Don't re-render ReportScreen unnecessarily when switching #21832 from storybookjs/fix/polyfill-global
• 590f053 downgrade remark related dependencies
• b421d95 only provide critical duplicated dependency warning on major version difference
• acace30 Merge pull request Fix - modified magic code link redirects to welcome screen with first place of magic code green #21724 from jungpaeng/docs/fix-controls

See the full diff

Package name: copy-webpack-plugin

The new version differs by 29 commits.

• 797a006 chore(release): update `serialize-javascript`
• f233c55 chore(deps): serialize-javascript and deps updated (Fix sign out button, by passing reference when removing event #613)
• 966d723 chore(deps): update (Add resolver sourceExts to metro config to fix CONST.jsx #610)
• 2abdddf chore: fix typo (Register the AppState listener handler correctly #609)
• d041d85 chore(release): 9.0.0
• beff64e refactor: nodejs v10 dropped (Delete stale login when creating a new one #606)
• 3a1139e docs: fix unintended cyrillics in README.md (Update version to 1.0.1-100 #604)
• 8857968 chore(release): 8.1.1
• d8fa32a fix: `stage` for processing assets (Make sure all reports are included when fetching all reports #600) (Default to target=_blank for report comment links #601)
• a571f07 chore(release): 8.1.0
• 82b10e3 chore(deps): update (Update version to 1.0.1-97 #598)
• a8ace71 docs: update (Convert isUnread logic to unreadActionCount. Improve LHN unread chat stability. #597)
• dde71f0 feat: added the `transformAll` option (Update with *Expensify Chat :expensifychat:* prefix #596)
• 4ca7f80 docs: fix broken link to #globoptions (Update version to 1.0.1-96 #595)
• 01fa91b docs: fix typo
• 1787d2d chore(release): 8.0.0
• 83601dc refactor: code (Enable Hermes JS Engine on Android #593)
• 9e12a33 refactor: code (Update version to 1.0.1-94 #592)
• d68a8eb chore(deps): update (Follow up to reconnection callback fix / Fix reconnect methods not firing on laptop awakening #591)
• ea610bc feat: added `priority` option (Update version to 1.0.1-93 #590)
• a9b06a6 docs(readme): add example to skip minimizing source files (Bubble API errors up.  #588)
• f2c1bc8 refactor: template strings in `to` option (Add QA message for new deploys #589)
• 8d5ab9a chore: updated deps (Update version to 1.0.1-92 #587)
• f5e661b test: issue 496 (Update version to 1.0.1-91 #586)

See the full diff

Package name: expo

The new version differs by 95 commits.

• 1028996 Publish packages
• be9dc2f chore(cli): hide the deprecated `export:web` command from the general help output. ([HOLD for payment 2023-10-23] [HOLD for payment 2023-10-23] [$500] Chat - Entering @ in second line not showing 5 user suggestions #26480)
• 9b57e3b chore: move expo/server to be a dependency of expo-router (Task shows "no activity yet" in LHS with activities. #25937)
• 94c137c [cli] remove versions from manual install command (Detailed design doc review (Product Manager / Generalist + Engineer) - [Tracking] Add Native Share Menus to New Dot - Share Into New Expensify #26457)
• e3b49f4 [cli]: default web.bundler to metro for new projects (fix image props for web #26452)
• 43858c5 fix(cli): let last arguments take precedence when repeated on `export:embed` command ([HOLD for payment 2023-11-22] [$500] Web - Opening split bill amount link displays no header #26471)
• 91948dd feat: use public directory when metro web is enabled ([No QA] [TS migration] Migrate 'isInputAutoFilled.js' lib to TypeScript #26473)
• a5dcdcd feat(cli, config-plugins): [2/3] patch based config-plugin ([Hold BE] fix: 23999 After deleting message, the conversation displays in LHN top instead of bottom #26414)
• f1dfaa1 feat(cli, config-plugins): [1/3] patch based config-plugin ([HOLD for payment 2023-09-08] [HOLD for payment 2023-09-07] [$500] Chat - "Go back to Home page" unresponsive on invalid link page #26413)
• 6ea59d0 [cli] enhance cors support for dev-server (Detailed design doc review (Product Manager / Generalist + Non-Engineer) - [Tracking] Add Native Share Menus to New Dot - Share Into New Expensify #26463)
• 8085d00 [metro-runtime] fix lazy component error on android (Detailed design doc review (Product Manager / Generalist + Non-Engineer) - [Tracking] Add Native Share Menus to New Dot - Share Into New Expensify #26464)
• f1850d3 update yarn.lock
• 3bbaf14 fix: pin `sucrase@3.34.0` to avoid yarn v1 incompatibilities with `@ isaacs/cliui` module aliases (Detailed design doc review (Product Manager / Generalist + Engineer) - [Tracking] Add Native Share Menus to New Dot - Share Into New Expensify #26459)
• 892827d [home][android] Update dev/prod home, bump Android Expo Go version
• 71e41ed [go][Android] Recreate root view each time the menu is opened ([HOLD for payment 2023-10-05] [$500] Web - Focus Border is not disappearing on Click #26431)
• d186593 [home] Adjust bottom sheet animation ([HOLD for payment 2023-09-29] [$500] Report - Conversation history does not scroll down after sending a message and IOU #26432)
• b9dfb00 [launcher][Android] Fix HMR not working (Web - The Cursor displayed as enabled when hovering over the amount, description, merchant, or date for the paid request money. #26441)
• 1063249 [autolinking] Introduce universal "apple" platform (Chat - With specific account, app crashes on tapping plus button #26398)
• e6631d7 [store-review] Remove expo-linking dependency and use React Native Linking instead ([$500] Web - Money request - Workspace member is missing from the workspace when requesting money for workspace #26428)
• e8abb0d Update templates to latest [skip ci]
• 4a0457e Publish packages
• 4b15eb1 [expo] Bump suggested @ sentry/react-native version [skip ci]
• 7c0e751 (router): warn if incorrect web.output when using api routes ([$500] [HOLD for payment 2023-09-07] Update styles for money request header user cannot edit #25931)
• 8c29963 feat(cli): add adb user option (The up and down keys is not functioning in the profile page #26388)

See the full diff

Package name: react-native-blob-util

The new version differs by 6 commits.

• ed20986 version
• 14104f9 fixing in check
• 5dd72a1 implementing delta from Show Connected via Pusher status #261 with small changes
• 8df0134 update glob
• 41cd57a Merge pull request ~5-second lag when starting a new DM with someone #317 from Alza-app/master
• 1851dfb fix: RN 73 remove package from AndroidManifest

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Fixed Issues

$
PROPOSAL:

Tests

• Verify that no errors appear in the JS console

Offline tests

QA Steps

• Verify that no errors appear in the JS console

PR Author Checklist

• I linked the correct issue in the ### Fixed Issues section above
• I wrote clear testing steps that cover the changes made in this PR
  • I added steps for local testing in the Tests section
  • I added steps for the expected offline behavior in the Offline steps section
  • I added steps for Staging and/or Production testing in the QA steps section
  • I added steps to cover failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
  • I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
  • I tested this PR with a High Traffic account against the staging or production API to ensure there are no regressions (e.g. long loading states that impact usability).
• I included screenshots or videos for tests on all platforms
• I ran the tests on all platforms & verified they passed on:
  • Android: Native
  • Android: mWeb Chrome
  • iOS: Native
  • iOS: mWeb Safari
  • MacOS: Chrome / Safari
  • MacOS: Desktop
• I verified there are no console errors (if there's a console error not related to the PR, report it or open an issue for it to be fixed)
• I followed proper code patterns (see Reviewing the code)
  • I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e. toggleReport and not onIconClick)
  • I verified that the left part of a conditional rendering a React component is a boolean and NOT a string, e.g. myBool && <MyComponent />.
  • I verified that comments were added to code that is not self explanatory
  • I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
  • I verified any copy / text shown in the product is localized by adding it to src/languages/* files and using the translation method
    • If any non-english text was added/modified, I verified the translation was requested/reviewed in #expensify-open-source and it was approved by an internal Expensify engineer. Link to Slack message:
  • I verified all numbers, amounts, dates and phone numbers shown in the product are using the localization methods
  • I verified any copy / text that was added to the app is grammatically correct in English. It adheres to proper capitalization guidelines (note: only the first word of header/labels should be capitalized), and is approved by marketing by adding the Waiting for Copy label for a copy review on the original GH to get the correct copy.
  • I verified proper file naming conventions were followed for any new files or renamed files. All non-platform specific files are named after what they export and are not named "index.js". All platform-specific files are named for the platform the code supports as outlined in the README.
  • I verified the JSDocs style guidelines (in STYLE.md) were followed
• If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
• I followed the guidelines as stated in the Review Guidelines
• I tested other components that can be impacted by my changes (i.e. if the PR modifies a shared library or component like Avatar, I verified the components using Avatar are working as expected)
• I verified all code is DRY (the PR doesn't include any logic written more than once, with the exception of tests)
• I verified any variables that can be defined as constants (ie. in CONST.js or at the top of the file that uses the constant) are defined as such
• I verified that if a function's arguments changed that all usages have also been updated correctly
• If any new file was added I verified that:
  • The file has a description of what it does and/or why is needed at the top of the file if the code is not self explanatory
• If a new CSS style is added I verified that:
  • A similar style doesn't already exist
  • The style can't be created with an existing StyleUtils function (i.e. StyleUtils.getBackgroundAndBorderStyle(theme.componentBG))
• If the PR modifies code that runs when editing or sending messages, I tested and verified there is no unexpected behavior for all supported markdown - URLs, single line code, code blocks, quotes, headings, bold, strikethrough, and italic.
• If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like Avatar is modified, I verified that Avatar is working as expected in all cases)
• If the PR modifies a component related to any of the existing Storybook stories, I tested and verified all stories for that component are still working as expected.
• If the PR modifies a component or page that can be accessed by a direct deeplink, I verified that the code functions as expected when the deeplink is used - from a logged in and logged out account.
• If the PR modifies the form input styles:
  • I verified that all the inputs inside a form are aligned with each other.
  • I added Design label so the design team can review the changes.
• If a new page is added, I verified it's using the ScrollView component to make it scrollable when more elements are added to the page.
• If the main branch was merged into this PR after a review, I tested again and verified the outcome was still expected according to the Test steps.

Screenshots/Videos

Android: Native

Android: mWeb Chrome

iOS: Native

iOS: mWeb Safari

MacOS: Chrome / Safari

MacOS: Desktop

[melvin-bot]

@tylerkaraszewski Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

[pecanoro]

I was trying to update this in a different PR and this seems to break storybook, just so you are aware

[tylerkaraszewski]

What am I supposed to do with this PR that's created by a bot but has conflicts?

[pecanoro]

You can fix the conflicts but you should test that nothing broke after the update, which as I said, it will at least for the storybooks 😄

[tylerkaraszewski]

Heh, well then what? Don't merge it?

[pecanoro]

Ideally, you should figure out how to fix it and why storybooks break after updating, but if you don't want to do it, I am not sure, just close the PR? 😄