[Snyk] Fix for 6 vulnerabilities

[ekmixon]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/grafana-toolkit/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Cross-site Scripting (XSS) SNYK-JS-GRAFANAUI-3252488	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTMLMINIFIER-3091181	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: babel-jest

The new version differs by 250 commits.

• be16e47 v27.0.0
• 63102ec chore: update changelog for release
• 564694a docs(blog): Jest 27 blog post (Right panel responsive grafana/grafana#11131)
• b68d91b feat(pretty-print): add option `printBasicPrototype` (Repeated SingleStat panel with variable All option doesn't handle missing values when prefix is filled grafana/grafana#11441)
• 2226742 chore: minor simplify format results error (Dashboard links don't open the correct dashboard grafana/grafana#11432)
• 78eb25d chore: remove needless assign (Improve file structure in the grafana repo grafana/grafana#11433)
• 696c455 chore: update lockfile after publish
• e2eb9ae v27.0.0-next.11
• 3b253f8 Wait for closed resources to actually close before detecting open handles (Reduce the amount of full page reloads in playlist mode. grafana/grafana#11429)
• 27bee72 fix: run GC before collecting open handles (version cleanup fails on old databases with many entries  grafana/grafana#11278)
• 50451df feat: use fallback if prettier not found (Prometheus Alert Query Wrong Diff Calculation grafana/grafana#11400)
• 150dbd8 chore: update lockfile after publish
• 6f44529 v27.0.0-next.10
• cbcec7d Upgrade fsevents in jest-haste-map (Avoid panic when GF_DATABASE_URL contains illegal chars grafana/grafana#11428)
• 9633a26 feat: support reporters written in ESM ([bug] Timestamps in CSV export for UTC dashboard are in local time grafana/grafana#11427)
• 59f42d8 fix: do not cache modules that throw during evaluation (Scoping of template variables in Row repeats grafana/grafana#11263)
• 57e32e9 Detect open handles with done callbacks (Split dashboard config & state grafana/grafana#11382)
• a397607 Document and test dontThrow for custom inline snapshot matchers (Remove panel keyboard shortcut doesn't work grafana/grafana#10995)
• 4fa3a0b feat: custom haste (Seconds to HH:mm:ss grafana/grafana#11107)
• 2047a36 chore: bump deps (Create alert rules when importing dashboard grafana/grafana#11419)
• a4358d6 chore: run prettier on changelog
• bdd6282 Move all default values into `jest-config` (changed padding to pixels, fixes #9916 grafana/grafana#9924)
• db643a1 Link to Jest config (Share PNG for plugin panels (e.g. Pie Chart) not working grafana/grafana#11106)
• b16082c Fix locale issue Ugly scrollbar for table view in firefox grafana/grafana#10014 (Clarified formatting multiple values doc grafana/grafana#11412)

See the full diff

Package name: fork-ts-checker-webpack-plugin

The new version differs by 166 commits.

• 5ba6839 Release 5.0.0 ([Snyk] Fix for 1 vulnerabilities #445)
• d056616 feat: remove "incremental: true" from ts default options ([Snyk] Security upgrade simple-git from 1.132.0 to 3.15.0 #444)
• 188d44d feat: add issue.scope option ([Snyk] Security upgrade alpine from 3.14.2 to 3.16 #442)
• b865f1d fix: always pass compilation to issues hook ([Snyk] Security upgrade nginx from 1.19.3-alpine to 1.25.1-alpine #443)
• e812f18 feat: overwrite other fields in tsconfig.json ([Snyk] Security upgrade alpine from 3.14.2 to 3.16 #440)
• 2b72fd0 fix: properly disconnect rpc client to be able to reconnect ([Snyk] Security upgrade nginx from 1.19.3-alpine to 1.24-alpine #439)
• c4796b2 fix: include files that are outside project context ([Snyk] Fix for 1 vulnerabilities #437)
• 1f7ae0d docs: update bug-report template by merging master into alpha branch
• aa8f74d feat: rename tsconfig option to configFile for consistency ([Snyk] Security upgrade nginx from 1.19.3-alpine to 1.24-alpine #436)
• 944e0c9 feat: improve overall typescript performance ([Snyk] Security upgrade nginx from 1.19.3-alpine to 1.24-alpine #435)
• a430979 feat: add `context` option for typescript reporter ([Snyk] Fix for 1 vulnerabilities #430)
• 503a948 fix: support webpack multi-compiler ([Snyk] Security upgrade optimize-css-assets-webpack-plugin from 5.0.8 to 6.0.0 #431)
• 9b3b9dd feat: add "mode" for typescript reporter ([Snyk] Security upgrade yaml from 1.10.2 to 2.2.2 #429)
• 2ba396d fix: respect eslint extensions in incremental check
• 8a10ca9 docs: add babel-loader example
• be9cd64 docs: add ts-loader example
• b5d5977 docs: add vscode-tasks example
• e59a8d2 chore: fix github actions release job
• 37b8944 feat: export `version` const for external tools ([Snyk] Security upgrade nginx from 1.19.3-alpine to 1.24-alpine #428)
• 5552f62 docs: update bug template to use eslint, not tslint
• 5665dac feat: change start hook to AsyncSeriesWaterfallHook ([Snyk] Security upgrade nginx from 1.19.3-alpine to 1.23.2-alpine #425)
• 8687c63 feat: support @ vue/compiler-sfc in the vue extension ([Snyk] Security upgrade nginx from 1.19.3-alpine to 1.23.2-alpine #423)
• f277444 fix: remove references to external typings ([Snyk] Security upgrade nginx from 1.19.3-alpine to 1.23.3-alpine #422)
• cfcc0fe fix: properly handle import modules with .vue suffix ([Snyk] Security upgrade @storybook/react from 6.3.7 to 7.0.0 #420)

See the full diff

Package name: html-loader

The new version differs by 55 commits.

• d7cccfa chore(release): 1.0.0
• 3c9a1d8 refactor: `attributes` option ([Snyk] Security upgrade alpine from 3.14.2 to 3.15 #265)
• 8c73761 feat: `preprocessor` option ([Snyk] Security upgrade alpine from 3.14.2 to 3.15 #263)
• f2ce5b1 feat: improve errors
• 9923244 chore(deps): update ([Snyk] Security upgrade simple-git from 1.132.0 to 3.5.0 #260)
• 9835bde feat: supports `link:href` attribute for css ([Snyk] Security upgrade nginx from 1.19.3-alpine to 1.22.0-alpine #258)
• 7af2eff refactor: improve schema ([Snyk] Security upgrade nginx from 1.19.3-alpine to 1.22.0-alpine #257)
• 98412f9 docs: `filter` sources ([Snyk] Security upgrade nginx from 1.19.3-alpine to 1.22.0-alpine #256)
• ff0f44c feat: implement the `filter` option for filtering some of sources ([Snyk] Security upgrade node from 12.19.0-buster-slim to 12.22.12-buster-slim #255)
• 1c24662 refactor: move the `root` option under the `attributes` option ([Snyk] Security upgrade nginx from 1.19.3-alpine to 1.22-alpine #254)
• 888b8fe docs: add footnote for `-attributes` ([Snyk] Security upgrade lerna from 4.0.0 to 5.0.0 #252)
• 3d2907e refactor: remove the `interpolate` option
• bd979e2 refactor: remove the `interpolate` option
• fcba4ec fix: handle only valid srcset tags (Bump @kusto/monaco-kusto from 3.2.7 to 5.1.4 #253)
• 9e5ce56 perf: improve source parse ([Snyk] Fix for 1 vulnerabilities #251)
• c9c8dad refactor: improve source parse ([Snyk] Security upgrade alpine from 3.14.2 to 3.14.6 #250)
• 079d623 fix: respect `#hash` in sources
• a17df49 fix: reduce `import`/`require` count
• d0b0150 fix: adding quotes when necessary for unquoted sources ([Snyk] Security upgrade alpine from 3.14.2 to 3.14.6 #247)
• e3727ab test: minifier
• 0bbe29c feat: migrate on `htmlparse2`
• b7af031 fix: escape `\u2028` and `\u2029` characters (Bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 0.19.0 to 1.0.0 #244)
• 24b0427 fix: parser tags and attributes according spec ([Snyk] Security upgrade alpine from 3.14.2 to latest #243)
• 3df909d feat: support `script:src` attributes

See the full diff

Package name: html-webpack-plugin

The new version differs by 139 commits.

• eb73905 chore(release): 4.0.0
• 42a6d4a Add typing for getHooks
• a1a37cf Release html-webpack-plugin 4.0.0-beta.14
• 97f9fb9 fix: load script files before style files files in defer script loading mode
• e97ce17 Release html-webpack-plugin 4.0.0-beta.13
• e448b5d Release html-webpack-plugin 4.0.0-beta.12
• de315eb feat: Add defer script loading
• 7df269f feat: Provide a verbose error message if html minification failed
• 1d66e53 feat: merge templateParameters with default template parameters
• dfb98e7 Fix typo in template option docts
• 096a760 Fix broken links in examples
• a195c34 docs: Update template-option documentation
• 40b410e docs: Update example for template parameters
• bf017f3 chore: Release 4.0.0-beta.11
• 2549557 test: Don't use minification for speed measurement
• de22fc2 test: Adjust measurment for node 6 on travis
• 24bf1b5 fix: Update references to html-minifier
• f4eafdc chore: Release 4.0.0-beta.10
• a2ad30a refactor: Use getAssetPath instead of calling the hook directly
• 2595a79 chore: Release 4.0.0-beta.9
• c66766c feat: Add support for minifying inline ES6 inside html templates
• 655cbcd Fix README typo
• 6de319b update lodash dependency for prototype polution vulnerability
• 35a1541 Properly encode file names emitted as part of URLs.

See the full diff

Package name: jest

The new version differs by 250 commits.

• be16e47 v27.0.0
• 63102ec chore: update changelog for release
• 564694a docs(blog): Jest 27 blog post (Right panel responsive grafana/grafana#11131)
• b68d91b feat(pretty-print): add option `printBasicPrototype` (Repeated SingleStat panel with variable All option doesn't handle missing values when prefix is filled grafana/grafana#11441)
• 2226742 chore: minor simplify format results error (Dashboard links don't open the correct dashboard grafana/grafana#11432)
• 78eb25d chore: remove needless assign (Improve file structure in the grafana repo grafana/grafana#11433)
• 696c455 chore: update lockfile after publish
• e2eb9ae v27.0.0-next.11
• 3b253f8 Wait for closed resources to actually close before detecting open handles (Reduce the amount of full page reloads in playlist mode. grafana/grafana#11429)
• 27bee72 fix: run GC before collecting open handles (version cleanup fails on old databases with many entries  grafana/grafana#11278)
• 50451df feat: use fallback if prettier not found (Prometheus Alert Query Wrong Diff Calculation grafana/grafana#11400)
• 150dbd8 chore: update lockfile after publish
• 6f44529 v27.0.0-next.10
• cbcec7d Upgrade fsevents in jest-haste-map (Avoid panic when GF_DATABASE_URL contains illegal chars grafana/grafana#11428)
• 9633a26 feat: support reporters written in ESM ([bug] Timestamps in CSV export for UTC dashboard are in local time grafana/grafana#11427)
• 59f42d8 fix: do not cache modules that throw during evaluation (Scoping of template variables in Row repeats grafana/grafana#11263)
• 57e32e9 Detect open handles with done callbacks (Split dashboard config & state grafana/grafana#11382)
• a397607 Document and test dontThrow for custom inline snapshot matchers (Remove panel keyboard shortcut doesn't work grafana/grafana#10995)
• 4fa3a0b feat: custom haste (Seconds to HH:mm:ss grafana/grafana#11107)
• 2047a36 chore: bump deps (Create alert rules when importing dashboard grafana/grafana#11419)
• a4358d6 chore: run prettier on changelog
• bdd6282 Move all default values into `jest-config` (changed padding to pixels, fixes #9916 grafana/grafana#9924)
• db643a1 Link to Jest config (Share PNG for plugin panels (e.g. Pie Chart) not working grafana/grafana#11106)
• b16082c Fix locale issue Ugly scrollbar for table view in firefox grafana/grafana#10014 (Clarified formatting multiple values doc grafana/grafana#11412)

See the full diff

Package name: optimize-css-assets-webpack-plugin

The new version differs by 2 commits.

• 29c44fb 6.0.0
• 51313e4 feat(deps): upgrade cssnano and postcss major version

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 610f368 5.0.0
• 5ce65c1 update examples
• bbe1230 Merge pull request Add version sort for variables grafana/grafana#11628 from webpack/bugfix/real-content-hash
• 75ecff2 5.0.0-rc.6
• bfc35d6 Merge pull request [Feature request] Focus to the row with the same timestamp on a table when hovering on a data point on a graph grafana/grafana#11603 from MayaWolf/master
• 76e8cbd Merge pull request Revert "removes codecov from frontend tests" grafana/grafana#11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
• 9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
• 36bcfaa Merge pull request Alerting(RED) line should only there in grafana's graph. There should not be OK alert(GREEN line) grafana/grafana#11621 from webpack/bugfix/11619
• 9130d10 fix called variables with ProvidePlugin
• 3e42105 Merge pull request Addressing dashboards by uid: Request for raising the maximum length of 40 characters grafana/grafana#11620 from webpack/bugfix/11617
• 4709719 skip connections copied to concatenated module
• 57b493f 5.0.0-rc.5
• 1658e2f Merge pull request MSSQL: Improve $__timeFilter macro grafana/grafana#11618 from webpack/bugfix/11615
• a8fb45d fixes crash in SideEffectsFlagPlugin
• 84b196d emit error instead of crashing when unexpected problem occurs
• 5573fed Merge pull request Unable to save playlist, Permission Denied grafana/grafana#11601 from Hornwitser/improve-suggested-polyfill-config
• 9b5cce9 Merge pull request Elasticsearch and InfluxDB docs for group by time interval option grafana/grafana#11609 from snitin315/export-types
• 37c495c export type RuleSetUseItem
• 39faf34 export type RuleSetUse
• e5fd246 export type RuleSetConditionAbsolute
• 660baad export RuleSetCondition types
• 13e3ca5 Merge pull request add codespell to CircleCI grafana/grafana#11602 from webpack/bugfix/shared-runtime-chunk
• 9c0587e Merge pull request Duplicating panels shifts existing panels in unexpected ways grafana/grafana#11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
• 502d166 Merge pull request Make temp file time to live configurable grafana/grafana#11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Cross-site Scripting (XSS)
🦉 Improper Input Validation
🦉 More lessons are available in Snyk Learn

[secure-code-warrior-for-github]

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Weak input validation (Detected by phrase)

Matched on "Improper Input Validation"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Top Ten 2021 A03: Injection - OWASP Top Ten articles provide basic techniques to protect against these high risk problem areas, and guidance on where to go next.
• OWASP Injection Prevention Cheat Sheet in Java - This article is focused on providing clear, simple, actionable guidance for preventing injection flaws in your Java applications.
• OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications.
• OWASP Injection Prevention Cheat Sheet - This article is focused on providing clear, simple, actionable guidance for preventing injection flaws in your applications.
• OWASP Top Ten Proactive Controls 2018 C5: Validate All Inputs - Detailed article on input validation as a programming technique for ensuring that only properly formatted data may enter a software system component.

Micro-Learning Topic: Cross-site scripting (Detected by phrase)

Matched on "Cross-site Scripting"

What is this? (2min video)

Cross-site scripting vulnerabilities occur when unescaped input is rendered into a page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.

Try a challenge in Secure Code Warrior

Helpful references

• Prevent Cross-Site Scripting (XSS) in ASP.NET Core - A detailed Microsoft article on how to prevent cross-site scripting in ASP.NET Core.
• OWASP Cross Site Scripting (XSS) Software Attack - OWASP community page with comprehensive information about cross site scripting, and links to various OWASP resources to help detect or prevent it.
• OWASP Cross Site Scripting Prevention Cheat Sheet - This article provides a simple positive model for preventing XSS using output encoding properly.

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior