[Snyk] Fix for 11 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-URLPARSE-1078283	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-URLPARSE-1533425	Yes	Proof of Concept
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Access Restriction Bypass SNYK-JS-URLPARSE-2401205	Yes	Proof of Concept
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Authorization Bypass SNYK-JS-URLPARSE-2407759	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Improper Input Validation SNYK-JS-URLPARSE-2407770	Yes	Proof of Concept
	631/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.2	Authorization Bypass Through User-Controlled Key SNYK-JS-URLPARSE-2412697	Yes	Proof of Concept
	410/1000 Why? Has a fix available, CVSS 3.7	Insecure Configuration SNYK-JS-VEGAEMBED-567898	Yes	No Known Exploit
	531/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.2	Prototype Pollution SNYK-JS-VEGAUTIL-559223	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @jupyterlab/services

The new version differs by 250 commits.

• bdee06a bump version
• 8c97d20 New version
• 12e22df Update milestone git commit range
• 36e0512 Merge pull request #9505 from jasongrout/linkcheck
• 14cf824 Fix another broken link
• 2fc3c9c Add back in the changelog link checks
• 146ffe2 Fix broken link
• 136d2ec Merge pull request #9252 from jasongrout/extdevdocs
• e76cf90 Prime link cache by ignoring changelog
• e2a7951 Cache requests when doing the linkcheck ci test.
• 6b245e5 Merge pull request #9503 from jasongrout/jlabserver
• 86d336c Fix typo
• 3fdb311 Update jupyterlab_server dependency to 2.0 final release.
• 85f84ee Mention property inspector moved to right sidebar.
• 1d07008 Delete duplicate docs.
• 0378597 Fix JLab docs to point to new generated typedoc docs.
• 4d0d373 Add typedoc module names in ensure-package script.
• 64fbeaa Add blank line after copyright
• 717266d Fix typo
• a45b789 Edit user-level documentation to consistently use source and prebuilt terms.
• 642a906 Change user-facing terminology from federated to prebuilt.
• 04c32ef More editing about prebuilt workflow
• c0316e3 Delete outdated information on packaging extensions
• ecda1b7 Continuing editing about css files and prebuilt extensions.

See the full diff

Package name: ws

The new version differs by 94 commits.

• 6dd88e7 [dist] 5.2.3
• 76d47c1 [security] Fix ReDoS vulnerability
• 5d55e52 [dist] 5.2.2
• 8aba871 [fix] Fix use after invalidation bug
• 175ce46 [dist] 5.2.1
• 307be7a [fix] Remove the `'data'` listener when the receiver emits an error
• 6046a28 [fix] Do not prematurely remove the listener of the `'data'` event
• bf9b2ec chore(package): update nyc to version 12.0.2 (An in-range update of mobx is breaking the build 🚨 nteract/hydrogen#1395)
• bcab531 chore(package): update eslint-plugin-promise to version 3.8.0 (Add class to status bar item nteract/hydrogen#1389)
• e4d032c [dist] 5.2.0
• e7bfe5f chore(package): update mocha to version 5.2.0 (Upgrade flow nteract/hydrogen#1385)
• 6dae94b chore(package): update eslint-plugin-import to version 2.12.0 (Change isSingeLine to support null or undefined text nteract/hydrogen#1384)
• aebda2b chore(package): update nyc to version 11.8.0 (Remove unnecessary .slice() calls nteract/hydrogen#1382)
• d871bdf [feature] Add `headers` argument to `verifyClient()` callback (Fix status-bar test nteract/hydrogen#1379)
• bb9c21c [test] Fix failing test on node 10
• 6d8f1f4 [ci] Test on node 10
• 4385c78 [doc] Add `request` to emit arguments in shared server example (Client encryption for remote kernel responses? nteract/hydrogen#1372)
• 690b3f2 [minor] Replace bound function with arrow function
• 9dc25a3 chore(package): update nyc to version 11.7.1 (Display HTML Images nteract/hydrogen#1364)
• a81e580 chore(package): update mocha to version 5.1.0 (Installation error from Atom desktop nteract/hydrogen#1362)
• 3215cf3 chore(package): update eslint-plugin-import to version 2.11.0 (UTF string issues in Python 3.7 and Hydrogen (not present in Python and IPython) nteract/hydrogen#1361)
• 0100d82 [doc] Improve FAQ example for X-Forwarded-For header (Remove references to controlSocket (it's unused) nteract/hydrogen#1360)
• c801e99 [doc] Improve docs and examples (Uncaught+TypeError:+this.editor.languageMode.rowRangeForCodeFoldAtBufferRow+is+not+a+function nteract/hydrogen#1355)
• 10c92ff [dist] 5.1.1

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal
🦉 Open Redirect