[Snyk] Fix for 24 vulnerabilities

[ekmixon]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • openam-ui/openam-ui-ria/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	679/1000 Why? Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Remote Memory Exposure SNYK-JS-BL-608877	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	No	Proof of Concept
	520/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-584281	No	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Internal Property Tampering SNYK-JS-TAFFYDB-2992450	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-USERAGENT-174737	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:parsejson:20170908	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: grunt

The new version differs by 71 commits.

• 27bc5d9 Merge pull request #1714 from gruntjs/release-1.2.0
• 64a3cf4 Release v1.2.0
• 0d23eff Merge pull request #1570 from bhldev/feature-options-keys
• ee70306 Merge pull request #1697 from philz/1696
• 05c0634 Merge pull request #1712 from gruntjs/fix-lint
• cdd1c19 fix lint in file.js
• bc168e3 Merge pull request #1283 from greglittlefield-wf/recognize-relative-links
• 5f16b5a Merge pull request #1675 from STRML/remove-coffeescript
• 58f80ae Merge pull request #1677 from micellius/monorepo-support
• 1f61427 Add CODE_OF_CONDUCT.md
• 4c6fcd9 Merge pull request #1709 from NotMoni/patch-1
• 169d496 add link to license
• 288ea76 add license link
• d5cdac0 Merge pull request #1706 from gruntjs/tag-neew
• 4674c59 v1.1.0
• 6124409 Merge pull request #1705 from gruntjs/mkdirp-update
• 0a66968 Fix up Buffer usage
• 4bfa98e Support versions of node >= 8
• f1898eb Update to mkdirp ~1.0.3
• 7985b19 Avoiding infinite loop on very long command names.
• 75da17b HTTPS link to gruntjs.com (#1683)
• 5a0a02b support monorepo (relative path)
• 6795d31 Update js-yaml dependecy to ~3.13.1 (#1680)
• 66fc8fa support monorepo (test case)

See the full diff

Package name: grunt-babel

The new version differs by 12 commits.

• 3fee421 7.0.0
• 4c89e7e add missing peerDep
• 79450ee Merge pull request Deal with facebook profile encoding issue OpenIdentityPlatform/OpenAM#79 from babel/b7-alpha
• 59ffa73 remove node 0.10/0.12 from travis
• 75bc67f fix readme [skip ci]
• 5e7fdd5 make peerDep on babel-core v7
• cf4f0c7 lock down XO
• 97120ca ES6 → ES2015
• 44e9762 meta tweaks
• a7874fd bump dev deps
• ce3bbc3 bump dev deps
• 766123a fix docs

See the full diff

Package name: grunt-contrib-less

The new version differs by 17 commits.

• 8842e4f v2.1.0
• 51d03a3 Remove tabs
• 57256e0 Update more deps (Cookies not getting set during SP initiated SSO OpenIdentityPlatform/OpenAM#357)
• e7a6d59 Remove extra tabs
• 25062cf Update more deps
• b8785aa Switch to Github actions, update deps (ssoadm [export-entity] causes infinite loop OpenIdentityPlatform/OpenAM#356)
• 94533ed Add a process option to the compiler (Can't search user by user id OpenIdentityPlatform/OpenAM#349)
• 7e8057c Updating lodash patch 4.17.11 (remove submodules mention from README.md OpenIdentityPlatform/OpenAM#348)
• 815cef9 v2.0.0 with dep updates (ForgeRock OATH module not showing QR code for device setup due to old JavaScript library OpenIdentityPlatform/OpenAM#342)
• 5b04ca0 Update less to 3.0.0 (Updating base docker image to latest 8.5.x tomcat OpenIdentityPlatform/OpenAM#340)
• d8231dc Add node 8, remove node 0.10 (Point to OpenAMCommunity OpenIdentityPlatform/OpenAM#337)
• 0353e53 accept a function for sourceMapFilename (ampassword is unusable OpenIdentityPlatform/OpenAM#306)
• c81d284 accept a function for sourceMapURL (Fix invalidate internal auth token OpenIdentityPlatform/OpenAM#307)
• e0c3722 Update AppVeyor project.
• 459ca0b Update less-options.md
• c282d0d v1.4.1.
• a507646 Rethrow the compilation error after printing the message. (Vulnerable javascript library - jQuery-min 1.11.3 OpenIdentityPlatform/OpenAM#315)

See the full diff

Package name: grunt-contrib-watch

The new version differs by 20 commits.

• 3b7ddf4 v1.1.0
• 72b1214 Updating dependencies, async, lodash and tiny-lr
• 5adb27c Merge pull request fix stack overflow when destroying sesson by quota OpenIdentityPlatform/OpenAM#543 from digitalbazaar/master
• 6ec71e9 v1.0.1
• 7d20933 Update copyright year
• e3d19df Update ci configs
• d117574 Updating ci configs
• 99410a7 README.md: Fixed typos (#536)
• f07311b Update tiny-lr dependency to 1.x
• 7f8cf80 Add local grunt-cli
• ab6771e Drop back to [email protected] until the bad test helper can be sorted
• 2e2daa5 Update to [email protected]
• 3d7fa3a Avoid timing issue in tests because of the bad test helper
• 0130a16 Merge pull request CASSANDRA update version OpenIdentityPlatform/OpenAM#500 from gruntjs/deps
• 5289845 Update devDependencies.
• fd3ed7a Lint tweaks.
• e42386a Merge pull request FIX Warning about RELEASE_7 https://github.com/OpenIdentityPlatform/OpenAM/issues/379 OpenIdentityPlatform/OpenAM#501 from cepko33/master
• 8c93077 Updated lodash and changed outdated 'contains' to 'includes'
• 986b8a9 Update CHANGELOG.
• 5e155ec Add AppVeyor for Windows testing.

See the full diff

Package name: grunt-eslint

The new version differs by 11 commits.

• f30dd97 21.0.0
• 476f21e Update eslint to ^5.0.0 ( additional logging when found multiple entries OpenIdentityPlatform/OpenAM#158)
• e1d6368 Require Node.js 6 and Grunt 1
• f7a2a05 20.2.0
• 1154917 Add `failOnError` option (change objectClass condition form AND to OR OpenIdentityPlatform/OpenAM#154)
• 1d97ae7 20.1.0
• 7cb3039 Meta tweaks
• d3746ac Use to latest Chalk (CORSService: Extract Request Header Enumerations To Variable OpenIdentityPlatform/OpenAM#151)
• fdbd6b0 20.0.0
• 79d5e1f Update to ESLint 4 (fix build from scratch OpenIdentityPlatform/OpenAM#143)
• eab8924 Add Node.js 8 to Travis CI test matrix (fix build from scratch OpenIdentityPlatform/OpenAM#144)

See the full diff

Package name: jsdoc

The new version differs by 244 commits.

• 0842185 4.0.0
• b018408 chore!: replace taffydb package with @ jsdoc/salty
• dc48aa6 3.6.11
• cccfd3d chore(deps): resolve dependency vulnerability
• ff5963a fix(deps): rollback klaw to 3.x (#2002)
• 2bf9f88 3.6.10
• ffa07da remove `npm preinstall` script (#1971)
• aab7b50 3.6.9
• 24c1354 fix installation error when installing via npm (#1970)
• c5ea65a 3.6.8
• a024054 update dependencies
• e1f1919 3.6.7
• f7a64bd chore(deps): update selected dependencies
• 3f5c462 3.6.6
• 95e3192 fix: correctly track interface members
• ef05a69 3.6.5
• a59b5cd fix: prevent circular refs when params have the same type expression
• 8d0fce6 chore: bump version; update release notes
• 91c9aa7 chore(deps): update dependencies
• ef33f07 3.6.3
• 0e468af 3.6.2
• d5e0eb0 Add 3.6.2 changelog.
• 61ae11c Ensure that ES 2015 classes appear in the generated docs when they're supposed to. (#1644)
• 03b8abd Add 3.6.1 changelog.

See the full diff

Package name: karma

The new version differs by 250 commits.

• 1b48637 chore(release): 5.0.0 [skip ci]
• a5dbe89 Update issue templates (#3460)
• 1074f38 chore(ci): rely on karma-runnre/integration-tests for saucelabs config (#3462)
• 4d45cf0 chore(ci): remove more old connection security stuffs (#3459)
• be76fcc chore(ci): use travis UI for sauce config (#3458)
• a04a542 chore(ci): remove secure encryption var (#3457)
• 1eaf35e fix: install semantic-release as a regular dev dependency (#3455)
• 0647109 docs: Fix simple typo, overriden -> overridden (#3453)
• ec1e69a fix(server): replace optimist on yargs lib (#3451)
• ffad7fa refactor(launcher): use class syntax (#3437)
• 7166ce2 fix(server): detection new MS Edge Chromium (#3440)
• b8b2ed8 fix(ci): echo travis env that gates release after_success (#3446)
• 33a069f refactor: use native Promise instead of Bluebird (#3436)
• 131d154 refactor: drop safe-buffer dependency in favor of native Buffer (#3438)
• cb1bcbf fix(server): cleanup import of the removed method (#3439)
• 5c334f5 fix(server): createPreprocessor was removed (#3435)
• d7128d4 refactor(server): remove PromiseContainer class (#3416)
• 057d527 feat(docs): document `DEFAULT_LISTEN_ADDR` constant (#3443)
• a673aa8 ci: drop node 8, adopt node 12 (#3430)
• 9eb6436 chore(server): Convert PromiseContainer to object and remove (#3401)
• 0856234 chore(travis): release on node 10 success (#3428)
• 708ae13 feat(preprocessor): obey Pattern.isBinary when set (#3422)
• 00d536f chore(test): logLevel debug in proxy test (#3427)
• da9d8bd chore(docs): delete PULL_REQUEST_TEMPLATE.md

See the full diff

Package name: karma-babel-preprocessor

The new version differs by 5 commits.

• a33f8f7 7.0.0
• dc04a19 use preset-env, test against babel 7, update readme, add lock file
• 2a07480 Merge pull request [Snyk] Fix for 1 vulnerabilities #30 from MattiasBuelens/babel7
• 6aa40b1 Support babel-core@7
• fa6998d Make babel-core a peer dependency

See the full diff

Package name: karma-mocha-reporter

The new version differs by 23 commits.

• 5e062ed chore: Release v2.2.4
• 3a0650f chore: remove package lock file
• eaa5fa7 chore: fix missing chalk functions
• b0aac74 feat: use log-symbols package
• 31baf27 chore: update devDependencies
• 3692121 Merge pull request Add Skew to NotOnOrAfter and NotBefore Assertion Conditions OpenIdentityPlatform/OpenAM#98 from EsrefDurna/master
• 85fee8b Merge pull request SAML set full path goto=%2FSSORedirect OpenIdentityPlatform/OpenAM#97 from litixsoft/greenkeeper-chai-4.0.1
• e066c77 Merge branch 'master' into greenkeeper-chai-4.0.1
• 71bb47f Merge pull request Quick start guide is incorrect. OpenIdentityPlatform/OpenAM#96 from litixsoft/greenkeeper-chai-4.0.0
• b10f6a3 updated package grunt-contrib-jshint from 1.0.0 to 1.1.0
• bc793ea chore(package): update chai to version 4.0.1
• 3edd613 chore(package): update chai to version 4.0.0
• f6d22d1 chore: Release v2.2.3
• 7122cc0 chore: add node.js 7 in travis
• 81d6de6 fix: allow to use reserved prototype names as name for describe or it blocks
• aa801c2 Merge pull request Windows 7 Unexpected LDAP exception during "Create Default Configuration" OpenIdentityPlatform/OpenAM#91 from josephfrazier/patch-1
• c07a2f6 docs: fix typos in README.md
• 1d4c83a chore: update changelog
• f9e6c00 chore: Release v2.2.2
• 67a2af2 chore: remove old node.js version from travis testing
• 9e2f342 feat: add option printFirstSuccess\nCloses Disable problematic grid filter, caused scripts list crash OpenIdentityPlatform/OpenAM#87\n* useful when having conditional, browser specific tests
• 5fa89cf Merge pull request After add new script: scripts page show message "No results to display" OpenIdentityPlatform/OpenAM#85 from gkedge/master
• 3baec39 Print wall clock time when karma is finished. This is handy when 'watching' to have confidence that the most recent test report reflects a recent save.

See the full diff

Package name: karma-notify-reporter

The new version differs by 11 commits.

• 9716b7a bump version to 1.1.0
• 50267a1 Update node-notifier dependency, fix broken variable name ([Snyk] Security upgrade jsdoc from 3.4.3 to 3.6.8 #13)
• 2189ca3 report back to success, [Snyk] Security upgrade karma from 1.3.0 to 2.0.0 #1 ([Snyk] Upgrade jsdoc from 3.4.3 to 3.6.7 #5)
• c2e8639 bump node-notifier version ([Snyk] Security upgrade grunt-eslint from 19.0.0 to 20.0.0 #12)
• bf04cb5 fix: package.json & .snyk to reduce vulnerabilities ([Snyk] Security upgrade grunt-eslint from 19.0.0 to 22.0.0 #11)
• fa44914 fix: package.json & .snyk to reduce vulnerabilities ([Snyk] Security upgrade grunt-eslint from 19.0.0 to 23.0.0 #10)
• e500798 Merge pull request [Snyk] Security upgrade mocha from 3.2.0 to 4.0.0 #8 from neagle/update-readme
• 01de291 Merge pull request [Snyk] Fix for 13 vulnerabilities #9 from ManuelRauber/patch-1
• a526cce Corrected typo
• 8c2335c Update README
• 6f3ddaa Update README.md

See the full diff

Package name: phantomjs-prebuilt

The new version differs by 8 commits.

• a98231b Merge pull request Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20 OpenIdentityPlatform/OpenAM#733 from avindra/patch-1
• 19c6d4c Bump package.json version
• 65b57f7 Merge pull request [#730] Bump xml-sec 2.1.7 -> 3.0.4 OpenIdentityPlatform/OpenAM#732 from Ilshidur/patch-1
• cc52482 Dependencies update : fix security issues
• 750d5f3 Merge pull request Unable to create Session Service, Services fail to be listed after Session Service is registered OpenIdentityPlatform/OpenAM#653 from Medium/nicks/bump
• 379d3ae Upgrade some deps
• df5e2ea Merge pull request FIX ClassCastException: class org.forgerock.opendj.ldap.Filter cannot be cast to class org.forgerock.openam.tokens.CoreTokenField #650 OpenIdentityPlatform/OpenAM#652 from nanaya/master
• 1d2898e Don't download osx binary on freebsd/openbsd

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Prototype Override Protection Bypass
🦉 More lessons are available in Snyk Learn

[secure-code-warrior-for-github]

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Weak input validation (Detected by phrase)

Matched on "Improper Input Validation"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Top Ten 2021 A03: Injection - OWASP Top Ten articles provide basic techniques to protect against these high risk problem areas, and guidance on where to go next.
• OWASP Injection Prevention Cheat Sheet in Java - This article is focused on providing clear, simple, actionable guidance for preventing injection flaws in your Java applications.
• OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications.
• OWASP Injection Prevention Cheat Sheet - This article is focused on providing clear, simple, actionable guidance for preventing injection flaws in your applications.
• OWASP Top Ten Proactive Controls 2018 C5: Validate All Inputs - Detailed article on input validation as a programming technique for ensuring that only properly formatted data may enter a software system component.

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Server-side request forgery (Detected by phrase)

Matched on "Server-side Request Forgery"

What is this? (2min video)

Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL, when this request reaches the server, the server-side code executes the exploit URL causing the attacker to be able to read data from services that shouldn't be exposed.

Try a challenge in Secure Code Warrior