[Snyk] Fix for 8 vulnerabilities

[terrorizer1980]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • docs/package.json
  • docs/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	703/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.2	Cross-site Scripting (XSS) SNYK-JS-DOMPURIFY-8184974	Yes	Proof of Concept
	701/1000 Why? Recently disclosed, Has a fix available, CVSS 8.3	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-8172694	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Code Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	No	Proof of Concept
	429/1000 Why? Has a fix available, CVSS 4.3	Exposure of Sensitive Information to an Unauthorized Actor SNYK-JS-PHIN-6598077	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Prototype Pollution SNYK-JS-XML2JS-5414874	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: gatsby

The new version differs by 250 commits.

• f1d3f7b chore(release): Publish
• 6e6ea56 chore(release): Publish rc
• df50ce7 fix(gatsby): Add dir=ltr to Fast Refresh overlay (feat(sqllab): Replace FilterableTable by AgGrid Table apache/superset#29900) (The in-memory storage for tracking rate limits apache/superset#29908)
• 83adec5 chore(docs): update readme (Where is this "Select Value" placeholder located in code apache/superset#29837) (Filtered values not appearing/not working after selected from dropdown Post Migration to Latest Superset Version apache/superset#29909)
• b2628da will git stop being weird (feat(explore): Add time shift color control to ECharts apache/superset#29897) (Disabling emit cross-filters for a single chart apache/superset#29907)
• c98c87f chore(release): Publish rc
• c8bf571 fix(gatsby-source-wordpress): image fixes (build(deps): bump chrono-node from 2.7.5 to 2.7.6 in /superset-frontend apache/superset#29813) ([SIP-144] Proposal to Integrate VisActor Visualization Plugin into Superset apache/superset#29886)
• 85bb8ea fix(gatsby-plugin-image): Update peerdeps (Dashboard Permissions: Copy Permalink / URL with Native Filters apache/superset#29880) (Background color - Y axis apache/superset#29888)
• c266b83 fix(gatsby): Remove `react-hot-loader` deps & other unused deps (fix: mypy issue on py3.9 + prevent similar issues apache/superset#29864) (chore(docs): reorder fs users apache/superset#29876)
• 222ca3f fix(gatsby): with some custom babel configs array spreading with Set is not safe (fix: add mutator to get_columns_description apache/superset#29885) (World Map apache/superset#29889)
• ea31900 chore(release): Publish rc
• f070422 fix(gatsby): Fix various small DEV_SSR bugs exposed in development_runtime tests (Change options in Show Entries #records dropdown apache/superset#29720) (chore: pre-matrixify pre-commit check apache/superset#29866)
• cb3b1ca chore: update peerdeps to latest major versions (Duplicated entries in Alerts & Reports execution log apache/superset#29857) (fix(capitalization): Capitalizing a button. apache/superset#29867)
• 8639f7b fix(create-gatsby): Use legacy peer deps (Slack apache/superset#29856) (fix: update celery config imports apache/superset#29862)
• fdc1fe2 fix(gatsby): fix some css HMR edge cases ([SIP-143] Global Async Task Framework apache/superset#29839) (test: testing bumping cached-dependencies apache/superset#29865)
• e8a7e3b fix(gatsby-plugin-preact): fix fast-refresh (Creating thread in superset_config.py freezes app apache/superset#29831) (fix: upgrade_catalog_perms and downgrade_catalog_perms implementation apache/superset#29860)
• e7453c3 fix(gatsby): Improve Fast Refresh overlay styles (perf: Lazy load rehype-raw and react-markdown apache/superset#29855) (fix: mypy fails related to simplejson.dumps apache/superset#29861)
• 76f4f96 chore: upgrade postcss & plugins (Request for Cache Metrics in Apache Superset apache/superset#29793)
• de6cba6 chore(release): Publish rc
• aafe584 fix: query on demand loading indicator always active on preact. (ValueError: Invalid decryption key - multiple superset instance and single database apache/superset#29829) ("user_favorite_tag" table not created after "superset db upgrade" when upgrade superset 3.0.1 to 4.0.2 on docker apache/superset#29836)
• 34f5b8c fix(hmr): accept hot updates for modules above page templates (build(deps): bump query-string from 6.14.1 to 9.1.0 in /superset-frontend apache/superset#29752) (No module named 's3cache' apache/superset#29835)
• b8d21f8 fix(gatsby): workaround graphql-compose issue (feat: frontend webpack proxy support zstd encoding apache/superset#29822) (Scheduling Queries linkback isn't work apache/superset#29834)
• 32fee71 fix(gatsby): eslint linting (perf: Lazy load React Ace apache/superset#29796) (build(deps-dev): bump eslint-plugin-cypress from 2.11.2 to 3.4.0 in /superset-frontend apache/superset#29814)
• bca7951 fix(gatsby-source-wordpress): HTML image regex's (调用DELETE /api/v1/dashboard/ 接口时，一直提示要登录 apache/superset#29778) (build(deps-dev): bump @types/react-syntax-highlighter from 15.5.11 to 15.5.13 in /superset-frontend apache/superset#29816)

See the full diff

Package name: gatsby-plugin-sharp

The new version differs by 250 commits.

• c1e67a2 chore(release): Publish
• 0c45654 chore: remove tracedSVG (#37093) (#37137)
• d7edf95 chore(release): Publish
• 2d00ea0 fix(gatsby-plugin-mdx): Do not leak frontmatter into page (feat(country-map): add cross-filters support apache/superset#35859) (#35913)
• 4997d63 chore(release): Publish
• ff94ed5 fix(gatsby-plugin-mdx): don't allow JS frontmatter by default (Helm chart do not follow best practices for k8s manifests apache/superset#35830) (fix(dashboard): prevent tab content cutoff and excessive whitespace in empty tabs apache/superset#35834)
• 36f21b0 chore: Removate validate-renovate from v3-latest branch (chore(deps-dev): bump eslint-import-resolver-typescript from 3.7.0 to 4.4.4 in /superset-frontend apache/superset#34460)
• 1acb1bc chore(release): Publish
• 1589bd8 fix(gatsby): ensure that writing node manifests to disk does not break on Windows (build(deps): remove legacy browser polyfills apache/superset#33853) (Apply multiple filters in embedded dashboard apache/superset#34020)
• 9694010 fix(gatsby-source-drupal): Ensure all new nodes are created before creating relationships (fix: #33862 – Security menu missing on MySQL due to case mismatch apache/superset#33864) (Failing to parse a saved query completely breaks the listing page apache/superset#34019)
• 76deb39 fix(gatsby-source-drupal): searcParams missing from urls (HostAliases not added to init job on apache/superset#33861) (fix: Update spacing on echart legends apache/superset#34018)
• f74cc8f feat(gatsby-source-drupal): Add node manifest support for previews (How to Implement Long Screenshot Capture in Reports apache/superset#33683) (feat(deckgl): add new color controls with color breakpoints apache/superset#34017)
• 476a591 chore(release): Publish
• 35b48f8 fix(gatsby-plugin-image): GatsbyImage not displaying image in IE11 (In Apache Superset, to include a logo in PDF/email reports, does it require frontend code change? apache/superset#33416) (chore(🦾): bump python bottleneck subpackage(s) apache/superset#33806)
• 880022e fix(gatsby-plugin-image): flickering when state changes (Best Practices for Multi-Environment Dashboard Promotion (Dev, Acceptance, Prod) with Superset CLI apache/superset#33732) (Two Jinja date filters apache/superset#33807)
• c0d07e7 feat(gatsby-source-wordpress): Update supported-remote-plugin-versions.ts (chore(🦾): bump python importlib-metadata subpackage(s) apache/superset#33801) (chore(🦾): bump python pandas subpackage(s) apache/superset#33804)
• 3d9a702 chore(release): Publish
• 84053a2 fix(gatsby-plugin-sharp): pass input buffer instead of readStream when processing image jobs (### Bug: SSO Logout Not Working with Keycloak + Iframe Embedded Superset apache/superset#33685) (fix(theming): Fix visual regressions from theming P4 apache/superset#33703)
• 4722a0d fix(gatsby-source-drupal): Add timeout in case of stalled API requests (Chart migration from one instance to another instance. apache/superset#33668) (Dynamically get the Embeded dashboard UUID's for a Logged in User.. apache/superset#33705)
• 857a628 fix(gatsby): single page node manifest accuracy (chore(deps-dev): bump @docusaurus/module-type-aliases from 3.7.0 to 3.8.0 in /docs apache/superset#33642) (#33698)
• 6bfd0f1 Properly set the pathPrefix and assetPrefix in the pluginData (chore(wip): giving migrate-ts a shot apache/superset#33667) ("Embed dashboard" option does not appear in the dashboard menu apache/superset#33702)
• 26c51c0 fix(gatsby-source-drupal): cache backlink records (fix: allow metadata to parse json apache/superset#33444) (chore: update sqlglot dialect map apache/superset#33701)
• b80c53a fix(gatsby-source-drupal): Correctly update nodes with changed back references so queries are re-run (chore(deps): update @deck.gl/aggregation-layers requirement from ^9.0.38 to ^9.1.11 in /superset-frontend/plugins/legacy-preset-chart-deckgl apache/superset#33328) ("Last Updated" time at top of Alerts list looks odd in 5.0.0rc3 apache/superset#33699)
• e29a194 chore: use gatsby-dev-cli@latest-v3 in tests

See the full diff

Package name: gatsby-transformer-sharp

The new version differs by 250 commits.

• c1e67a2 chore(release): Publish
• 0c45654 chore: remove tracedSVG (#37093) (#37137)
• d7edf95 chore(release): Publish
• 2d00ea0 fix(gatsby-plugin-mdx): Do not leak frontmatter into page (feat(country-map): add cross-filters support apache/superset#35859) (#35913)
• 4997d63 chore(release): Publish
• ff94ed5 fix(gatsby-plugin-mdx): don't allow JS frontmatter by default (Helm chart do not follow best practices for k8s manifests apache/superset#35830) (fix(dashboard): prevent tab content cutoff and excessive whitespace in empty tabs apache/superset#35834)
• 36f21b0 chore: Removate validate-renovate from v3-latest branch (chore(deps-dev): bump eslint-import-resolver-typescript from 3.7.0 to 4.4.4 in /superset-frontend apache/superset#34460)
• 1acb1bc chore(release): Publish
• 1589bd8 fix(gatsby): ensure that writing node manifests to disk does not break on Windows (build(deps): remove legacy browser polyfills apache/superset#33853) (Apply multiple filters in embedded dashboard apache/superset#34020)
• 9694010 fix(gatsby-source-drupal): Ensure all new nodes are created before creating relationships (fix: #33862 – Security menu missing on MySQL due to case mismatch apache/superset#33864) (Failing to parse a saved query completely breaks the listing page apache/superset#34019)
• 76deb39 fix(gatsby-source-drupal): searcParams missing from urls (HostAliases not added to init job on apache/superset#33861) (fix: Update spacing on echart legends apache/superset#34018)
• f74cc8f feat(gatsby-source-drupal): Add node manifest support for previews (How to Implement Long Screenshot Capture in Reports apache/superset#33683) (feat(deckgl): add new color controls with color breakpoints apache/superset#34017)
• 476a591 chore(release): Publish
• 35b48f8 fix(gatsby-plugin-image): GatsbyImage not displaying image in IE11 (In Apache Superset, to include a logo in PDF/email reports, does it require frontend code change? apache/superset#33416) (chore(🦾): bump python bottleneck subpackage(s) apache/superset#33806)
• 880022e fix(gatsby-plugin-image): flickering when state changes (Best Practices for Multi-Environment Dashboard Promotion (Dev, Acceptance, Prod) with Superset CLI apache/superset#33732) (Two Jinja date filters apache/superset#33807)
• c0d07e7 feat(gatsby-source-wordpress): Update supported-remote-plugin-versions.ts (chore(🦾): bump python importlib-metadata subpackage(s) apache/superset#33801) (chore(🦾): bump python pandas subpackage(s) apache/superset#33804)
• 3d9a702 chore(release): Publish
• 84053a2 fix(gatsby-plugin-sharp): pass input buffer instead of readStream when processing image jobs (### Bug: SSO Logout Not Working with Keycloak + Iframe Embedded Superset apache/superset#33685) (fix(theming): Fix visual regressions from theming P4 apache/superset#33703)
• 4722a0d fix(gatsby-source-drupal): Add timeout in case of stalled API requests (Chart migration from one instance to another instance. apache/superset#33668) (Dynamically get the Embeded dashboard UUID's for a Logged in User.. apache/superset#33705)
• 857a628 fix(gatsby): single page node manifest accuracy (chore(deps-dev): bump @docusaurus/module-type-aliases from 3.7.0 to 3.8.0 in /docs apache/superset#33642) (#33698)
• 6bfd0f1 Properly set the pathPrefix and assetPrefix in the pluginData (chore(wip): giving migrate-ts a shot apache/superset#33667) ("Embed dashboard" option does not appear in the dashboard menu apache/superset#33702)
• 26c51c0 fix(gatsby-source-drupal): cache backlink records (fix: allow metadata to parse json apache/superset#33444) (chore: update sqlglot dialect map apache/superset#33701)
• b80c53a fix(gatsby-source-drupal): Correctly update nodes with changed back references so queries are re-run (chore(deps): update @deck.gl/aggregation-layers requirement from ^9.0.38 to ^9.1.11 in /superset-frontend/plugins/legacy-preset-chart-deckgl apache/superset#33328) ("Last Updated" time at top of Alerts list looks odd in 5.0.0rc3 apache/superset#33699)
• e29a194 chore: use gatsby-dev-cli@latest-v3 in tests

See the full diff

Package name: theme-ui

The new version differs by 250 commits.

• 6f37cdd v0.6.0
• 8ff0379 docs: change version in readme
• d8b715d chore: update snapshots
• 0c6d050 Merge branch 'develop' into stable
• 949cbcf chore(docs): remove comma
• ac60158 chore: write more on migrating
• 7e3afbb refactor(theme-provider): remove unused import
• 15c7a0b chore: describe color mode flash fix in changelog
• 4b34c2c Merge branch '0.6-stable' into develop
• ac304c7 chore: make contributors table narrower
• c1a2c09 Merge pull request add oracle time_grains apache/superset#1544 from system-ui/chores
• 6b11630 fix(color-modes): stop mutating theme
• 469dc4a feat(core): export internal base provider
• 9c3c7db fix(editor): fix colors logic
• 6652bb1 chore: we must run prepare before publish, because Lerna does not build in order
• 7f8f796 Merge branch 'develop' into chores
• a368159 fix(editor): make editor demo work (broken for a longer time)
• ed94681 fix(color-modes): read correct color mode name
• 00cd0e6 refactor(docs): format themed.mdx, add title to styled.mdx
• 79a678c chore: bump Gatsby peer dep again
• 2bbfea7 Revert "chore: bump Gatsby peer dep"
• d52e4ec chore: write migration notes for 0.6
• c0f6551 Merge pull request Bogdan/query status polling apache/superset#1453 from atanasster/css-vars-remove-defaults
• 8433b4e feat(types): rename ContextValue to ThemeUIContextValue

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Code Injection
🦉 More lessons are available in Snyk Learn

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. For admin, please label this issue .pinned to prevent stale bot from closing the issue.