[Snyk] Fix for 8 vulnerabilities

[ekmixon]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • samples/javascript_es6/01.browser-echo/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Cross-site Request Forgery (CSRF) SNYK-JS-AXIOS-6032459	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Improper Input Validation SNYK-JS-XMLDOM-1534562	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Prototype Pollution SNYK-JS-XMLDOM-3042242	No	No Known Exploit
	811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-XMLDOM-3092935	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: webpack

The new version differs by 250 commits.

• 610f368 5.0.0
• 5ce65c1 update examples
• bbe1230 Merge pull request #11628 from webpack/bugfix/real-content-hash
• 75ecff2 5.0.0-rc.6
• bfc35d6 Merge pull request #11603 from MayaWolf/master
• 76e8cbd Merge pull request #11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
• 9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
• 36bcfaa Merge pull request #11621 from webpack/bugfix/11619
• 9130d10 fix called variables with ProvidePlugin
• 3e42105 Merge pull request #11620 from webpack/bugfix/11617
• 4709719 skip connections copied to concatenated module
• 57b493f 5.0.0-rc.5
• 1658e2f Merge pull request #11618 from webpack/bugfix/11615
• a8fb45d fixes crash in SideEffectsFlagPlugin
• 84b196d emit error instead of crashing when unexpected problem occurs
• 5573fed Merge pull request #11601 from Hornwitser/improve-suggested-polyfill-config
• 9b5cce9 Merge pull request #11609 from snitin315/export-types
• 37c495c export type RuleSetUseItem
• 39faf34 export type RuleSetUse
• e5fd246 export type RuleSetConditionAbsolute
• 660baad export RuleSetCondition types
• 13e3ca5 Merge pull request #11602 from webpack/bugfix/shared-runtime-chunk
• 9c0587e Merge pull request #11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
• 502d166 Merge pull request #11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Package name: webpack-cli

The new version differs by 250 commits.

• fb50f76 chore(release): publish new version
• 2c75aeb chore: new version of the packages
• 0d05c30 chore(release): publish %s
• 3f9e151 chore: fix lerna config
• 2c1e34c tests(generator): enhance init generator tests ([Snyk] Security upgrade nodemon from 1.19.4 to 2.0.3 #1236)
• 6ee61b9 Fix loader-generator and plugin-generator tests ([Snyk] Security upgrade eslint from 5.16.0 to 9.15.0 #1250)
• 52956a2 Fixing the typos and grammatical errors in Readme files ([Snyk] Security upgrade eslint from 6.8.0 to 9.15.0 #1246)
• 7faaed2 chore: update Bug_report & Feature_request Templates ([Snyk] Fix for 1 vulnerabilities #1256)
• 7a5b33d feat(webpack-cli): added mode argument ([Snyk] Fix for 1 vulnerabilities #1253)
• 3715756 tests(webpack-cli): add test case for defaults flag ([Snyk] Security upgrade botbuilder from 4.13.6 to 4.21.0 #1254)
• a7cba2f chore: project maintanance and typescript fix ([Snyk] Security upgrade eslint from 6.8.0 to 9.15.0 #1247)
• 7748472 chore: ignore package-lock.json and remove its references ([Snyk] Security upgrade botbuilder from 4.9.2 to 4.17.1 #1252)
• a014aa7 docs: fix supported arguments & commands link in README ([Snyk] Security upgrade eslint from 6.8.0 to 9.15.0 #1244)
• 06129a1 feat(webpack-cli): add progress bar for progress flag ([Snyk] Security upgrade yeoman-generator from 4.10.1 to 5.0.0 #1238)
• 6cc6a49 chore: post refactor CLI ([Snyk] Security upgrade nodemon from 1.19.4 to 2.0.3 #1237)
• 358651e chore: move cli under lerna package ([Snyk] Security upgrade nodemon from 1.19.4 to 2.0.3 #1225)
• 2dc495a fix(init): fix webpack config scaffold ([Snyk] Security upgrade nodemon from 1.19.4 to 2.0.3 #1231)
• 1ab62d2 tests(generator): add tests for plugin generator ([Snyk] Security upgrade nodemon from 1.19.4 to 2.0.3 #1235)
• d2dd0c1 tests(sourcemap): fix flaky stats statement ([Snyk] Security upgrade nodemon from 1.19.4 to 2.0.3 #1232)
• f6dc680 tests(loader-generator): add tests for loader generator ([Snyk] Security upgrade nodemon from 1.19.4 to 2.0.3 #1234)
• 35d1381 tests(generator): enable init generator test ([Snyk] Security upgrade ts-node from 8.10.2 to 10.2.0 #1233)
• 66cdcb6 chore(generator): remove transpiled tests ([Snyk] Fix for 1 vulnerabilities #1229)
• f29a170 fix(init): fix the invalid package name ([Snyk] Security upgrade nodemon from 1.19.4 to 2.0.3 #1228)
• 8c3a66d chore(cli): updated changelog of v3 ([Snyk] Security upgrade nodemon from 1.19.4 to 2.0.3 #1224)

See the full diff

Package name: webpack-dev-server

The new version differs by 250 commits.

• c9271b9 chore(release): 4.0.0
• 18bf369 test: fix stability (Update README.md for Orchestrator Sample microsoft/BotBuilder-Samples#3676)
• cdcabb2 fix: respect protocol from browser for manual setup (Fix for custom view tasks microsoft/BotBuilder-Samples#3675)
• 1768d6b fix: initial reloading for lazy compilation (Bump log4j-core from 2.16.0 to 2.17.0 in /samples/java_springboot/23.facebook-events microsoft/BotBuilder-Samples#3662)
• 4f5bab1 docs: improve examples (Update v5 samples to align with OOTB .Net 6 code microsoft/BotBuilder-Samples#3672)
• f2d87fb fix: improve https CLI output (Adds dotnet SSO sample using CloudAdapter microsoft/BotBuilder-Samples#3673)
• 0277c5e chore: remove redundant console statements (Samples cleanup for preview release microsoft/BotBuilder-Samples#3671)
• 16fcdbc docs: add `ipc` example (46.teams-auth sample got 401 unauthorized when used the latest Azure Bot service to register a MS Teams bot.  microsoft/BotBuilder-Samples#3667)
• 8915fb8 test: add e2e tests for built in routes (log4j to 2.17.1 microsoft/BotBuilder-Samples#3669)
• 4d1cbe1 docs: ask `version` information in issue template (Update log4j to 2.17.1 to address CVE-2021-44832. microsoft/BotBuilder-Samples#3668)
• b6c1881 chore(deps-dev): bump core-js from 3.16.1 to 3.16.2 (Feature Request: Bot Builder Composer with Custom Adapter sample microsoft/BotBuilder-Samples#3666)
• ffa8cc5 chore(deps-dev): bump supertest from 6.1.5 to 6.1.6 (Bump log4j-core from 2.16.0 to 2.17.0 in /samples/java_springboot/05.multi-turn-prompt microsoft/BotBuilder-Samples#3665)
• f1fdaa7 chore(release): 4.0.0-rc.1
• c4678bc fix: legacy API (Bump log4j-core from 2.16.0 to 2.17.0 in /samples/java_springboot/15.handling-attachments microsoft/BotBuilder-Samples#3660)
• d8bdd03 test: fix stability (Bump log4j-core from 2.16.0 to 2.17.0 in /samples/java_springboot/24.bot-authentication-msgraph microsoft/BotBuilder-Samples#3661)
• 22b1414 refactor: remove `killable` (Bump log4j-core from 2.16.0 to 2.17.0 in /samples/java_springboot/11.qnamaker microsoft/BotBuilder-Samples#3657)
• 75bafbf test: add e2e tests for module federation (Bump log4j-core from 2.16.0 to 2.17.0 in /samples/java_springboot/06.using-cards microsoft/BotBuilder-Samples#3658)
• 493ccbd chore(deps): update `ws` (Bump log4j-core from 2.16.0 to 2.17.0 in /samples/java_springboot/13.core-bot microsoft/BotBuilder-Samples#3652)
• ae8c523 test: add e2e test for universal compiler (Bump log4j-core from 2.16.0 to 2.17.0 in /samples/java_springboot/21.corebot-app-insights microsoft/BotBuilder-Samples#3656)
• f94b84f chore(deps): update (Bump log4j-core from 2.16.0 to 2.17.0 in /samples/java_springboot/07.using-adaptive-cards microsoft/BotBuilder-Samples#3655)
• 1923132 test: fix cli
• 2adfd01 test: fix todo (Bump log4j-core from 2.16.0 to 2.17.0 in /samples/java_springboot/03.welcome-user microsoft/BotBuilder-Samples#3653)
• 6e2cbde fix: proxy logging and allow to pass options without the `target` option (Bump log4j-core from 2.16.0 to 2.17.0 in /samples/java_springboot/14.nlp-with-dispatch microsoft/BotBuilder-Samples#3651)
• c9ccc96 fix: respect infastructureLogging.level for client.logging (Adding dependency on Conversations SDK, prebuilts and support for Orchestration projects microsoft/BotBuilder-Samples#3613)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Request Forgery (CSRF)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn

[secure-code-warrior-for-github]

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Weak input validation (Detected by phrase)

Matched on "Improper Input Validation"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Top Ten 2021 A03: Injection - OWASP Top Ten articles provide basic techniques to protect against these high risk problem areas, and guidance on where to go next.
• OWASP Injection Prevention Cheat Sheet in Java - This article is focused on providing clear, simple, actionable guidance for preventing injection flaws in your Java applications.
• OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications.
• OWASP Injection Prevention Cheat Sheet - This article is focused on providing clear, simple, actionable guidance for preventing injection flaws in your applications.
• OWASP Top Ten Proactive Controls 2018 C5: Validate All Inputs - Detailed article on input validation as a programming technique for ensuring that only properly formatted data may enter a software system component.

Micro-Learning Topic: Cross-site request forgery (Detected by phrase)

Matched on "Cross-site Request Forgery"

What is this? (2min video)

Session-related but not session-based, this attack is based on the ability of an attacker to force an action on a user’s browser (commonly in the form of a POST request) to perform an unauthorized action on behalf of the user. This can often occur without the user even noticing it… or only noticing when it is too late. The root cause is that browsers automatically send session cookies with all requests to a given domain, regardless of where the source of the request came from, and the application server cannot differentiate between a request that came from pages it served or a request that came from an unrelated page.

Try a challenge in Secure Code Warrior

Helpful references

• Securing Rails Applications - Cross-Site Request Forgery (CSRF) - A Rails Guide that describes common security problems in web applications and how to avoid them with Rails.
• Spring Security - Cross Site Request Forgery (CSRF) - A Spring Security article that describes Spring support for protecting against Cross Site Request Forgery attacks.
• csurf Node.js CSRF protection middleware - Documentation on CSRF protection provided by the csurf middleware for Express.
• XSRF/CSRF Prevention in ASP.NET MVC and Web Pages - A detailed Microsoft article on how to prevent cross-site request forgery in ASP.NET MVC and Web Pages.
• Django Documentation - Cross Site Request Forgery protection - Documentation on CSRF protection provided by the Django framework.
• OWASP Cross-Site Request Forgery Prevention Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing cross-site request forgery flaws in your applications.
• Laravel Docs - CSRF Protection - Documentation on CSRF protection provided by the Laravel framework.
• OWASP Cross Site Request Forgery (CSRF) - OWASP community page with comprehensive information about cross-site request forgery, and links to various OWASP resources to help detect or prevent it.
• Preventing Cross-Site Request Forgery (CSRF) Attacks in ASP.NET MVC Application - A detailed Microsoft article on how to prevent cross-site request forgery in ASP.NET MVC.

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Information disclosure (Detected by phrase)

Matched on "Information Exposure"

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior