[Snyk] Fix for 55 vulnerabilities

[Dargon789]

Snyk has created this PR to fix 55 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• standalone-packages/codesandbox-browserfs/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Arbitrary Code Injection SNYK-JS-XMLHTTPREQUESTSSL-1082936	280
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-8187303	243
	Cross-site Scripting (XSS) SNYK-JS-WEBPACK-7840298	207
	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	188
	Excessive Platform Resource Consumption within a Loop SNYK-JS-BRACES-6838727	169
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	169
	Denial of Service (DoS) SNYK-JS-HTTPPROXYMIDDLEWARE-8229906	169
	Denial of Service (DoS) SNYK-JS-WS-7266574	169
	Prototype Poisoning SNYK-JS-QS-3153490	163
	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	161
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIHTML-1296849	159
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	159
	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	159
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-2863123	154
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	154
	Access Restriction Bypass SNYK-JS-XMLHTTPREQUESTSSL-1255647	150
	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	148
	Path Traversal SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555	147
	Cross-site Scripting (XSS) SNYK-JS-ROLLUP-8073097	144
	Cross-site Scripting (XSS) SNYK-JS-KARMA-2395349	138
	Prototype Pollution SNYK-JS-MINIMIST-559764	137
	Prototype Pollution SNYK-JS-YARGSPARSER-560381	137
	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	131
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	124
	Server-Side Request Forgery (SSRF) SNYK-JS-IP-7148531	119
	Denial of Service (DoS) SNYK-JS-ENGINEIO-3136336	118
	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	117
	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	115
	Regular Expression Denial of Service (ReDoS) SNYK-JS-USERAGENT-174737	115
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-584281	102
	Denial of Service SNYK-JS-NODEFETCH-674311	101
	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-6147607	100
	Prototype Pollution SNYK-JS-NODEFORGE-2331908	99
	Open Redirect SNYK-JS-KARMA-2396325	82
	Cross-site Scripting SNYK-JS-EXPRESS-7926867	79
	Cross-site Scripting SNYK-JS-SEND-7926862	79
	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	79
	Information Exposure SNYK-JS-LOG4JS-2348757	75
	Denial of Service (DoS) SNYK-JS-SOCKJS-575261	70
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	67
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-8482416	67
	Regular Expression Denial of Service (ReDoS) SNYK-JS-USERAGENT-8309369	67
	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	63
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	63
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	63
	Open Redirect SNYK-JS-NODEFORGE-2330875	63
	Insecure Defaults SNYK-JS-SOCKETIO-1024859	63
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	63
	Prototype Pollution SNYK-JS-MINIMIST-2429795	58
	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	58
	Regular Expression Denial of Service (ReDoS) SNYK-JS-HIGHLIGHTJS-1048676	46
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	46
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540	46
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	45
	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	44

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Cross-site Scripting (XSS)
🦉 Server-Side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn

Summary by Sourcery

Upgrade multiple dependencies to address 55 security vulnerabilities in the project's yarn dependencies

Bug Fixes:

• Resolve 55 security vulnerabilities across various npm packages

Enhancements:

• Update dependencies to their latest versions to mitigate security risks

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

• Application (fast + production)
• Application (fast + stream)

[sourcery-ai]

Reviewer's Guide

This automated Snyk pull request addresses 55 vulnerabilities by updating the versions of multiple development dependencies specified in the package.json file for the codesandbox-browserfs package. Note that the yarn.lock file was not automatically updated and will require manual regeneration before merging.

File-Level Changes

Change	Details	Files
Updated multiple development dependency versions to fix vulnerabilities.	Upgraded archiver from ~2.1.1 to ~7.0.0. Upgraded body-parser from ~1.18.3 to ~1.20.3. Upgraded express from ~4.19.2 to ~4.21.2. Upgraded isomorphic-fetch from ~2.2.1 to ~3.0.0. Upgraded karma from ~3.0.0 to ~6.4.3. Upgraded karma-coverage from ~1.1.2 to ~2.0.2. Upgraded karma-mocha from ~1.3 to ~2.0.0. Upgraded mocha from ~5.2.0 to ~11.0.1. Upgraded rimraf from ~2.6.2 to ~4.3.1. Upgraded rollup from ~1.12.1 to ~2.79.2. Upgraded tslint from ~5.11.0 to ~5.16.0. Upgraded typedoc from ~0.11.1 to ~0.21.10. Upgraded webpack from ~4.31.0 to ~5.98.0. Upgraded webpack-cli from ~3.3.2 to ~4.0.0. Upgraded webpack-dev-server from ~3.3.1 to ~5.2.0.	standalone-packages/codesandbox-browserfs/package.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	json-schema@​0.2.3
	lodash@​1.0.2
	mixin-deep@​1.3.2 ⏵ 1.3.1		-75
	set-value@​2.0.1 ⏵ 2.0.0	+1	-75
	handlebars@​4.7.8 ⏵ 4.0.11	+1	-75	+1
	@​nrwl/​nx-linux-arm64-musl@​15.9.7
	@​nrwl/​nx-win32-arm64-msvc@​15.9.7
	@​nrwl/​nx-linux-arm64-gnu@​15.9.7
	@​nrwl/​nx-darwin-arm64@​15.9.7
	@​nrwl/​nx-linux-arm-gnueabihf@​15.9.7
	@​nrwl/​nx-darwin-x64@​15.9.7
	@​nrwl/​nx-linux-x64-gnu@​15.9.7
	@​nrwl/​nx-linux-x64-musl@​15.9.7
	@​nrwl/​nx-win32-x64-msvc@​15.9.7
	has-gulplog@​0.1.0
	abab@​2.0.6
	aggregate-error@​3.0.1
	path-parse@​1.0.7 ⏵ 1.0.5		-4	+3
See 443 more rows in the dashboard

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert (click for details)
Block		[email protected] has a Critical CVE. CVE: GHSA-w457-6q6x-cgp9 Prototype Pollution in handlebars (CRITICAL) Affected versions: >= 4.0.0, < 4.3.0 Patched version: 4.3.0 Source: standalone-packages/codesandbox-browserfs/yarn.lock ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] has a Critical CVE. CVE: GHSA-f2jv-r9rf-7988 Remote code execution in handlebars when compiling templates (CRITICAL) Affected versions: < 4.7.7 Patched version: 4.7.7 Source: standalone-packages/codesandbox-browserfs/yarn.lock ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] has a Critical CVE. CVE: GHSA-765h-qjxv-5f44 Prototype Pollution in handlebars (CRITICAL) Affected versions: < 4.7.7 Patched version: 4.7.7 Source: standalone-packages/codesandbox-browserfs/yarn.lock ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] has a Critical CVE. CVE: GHSA-896r-f27r-55mw json-schema is vulnerable to Prototype Pollution (CRITICAL) Affected versions: < 0.4.0 Patched version: 0.4.0 Source: packages/notifications/example/yarn.lock ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] has a Critical CVE. CVE: GHSA-jf85-cpcp-j695 Prototype Pollution in lodash (CRITICAL) Affected versions: < 4.17.12 Patched version: 4.17.12 Source: standalone-packages/monaco-editor/yarn.lock ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] has a Critical CVE. CVE: GHSA-jf85-cpcp-j695 Prototype Pollution in lodash (CRITICAL) Affected versions: < 4.17.12 Patched version: 4.17.12 Source: standalone-packages/vscode-editor/package.json Source: standalone-packages/vscode-editor/release/package.json Source: standalone-packages/vscode-editor/yarn.lock ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] has a Critical CVE. CVE: GHSA-fhjf-83wg-r2j9 Prototype Pollution in mixin-deep (CRITICAL) Affected versions: < 1.3.2 Patched version: 1.3.2 Source: packages/notifications/example/yarn.lock ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] has a Critical CVE. CVE: GHSA-4g88-fppr-53pp Prototype Pollution in set-value (CRITICAL) Affected versions: < 2.0.1 Patched version: 2.0.1 Source: packages/notifications/example/yarn.lock ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] has a Critical CVE. CVE: GHSA-4g88-fppr-53pp Prototype Pollution in set-value (CRITICAL) Affected versions: < 2.0.1 Patched version: 2.0.1 Source: packages/notifications/example/yarn.lock ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		[email protected] has a High CVE. CVE: GHSA-jr5f-v2jv-69x6 axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL (HIGH) Affected versions: >= 1.0.0, < 1.8.2 Patched version: 1.8.2 Source: packages/app/package.json Source: packages/executors/package.json Source: yarn.lock ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		[email protected] has a High CVE. CVE: GHSA-8hc4-vh64-cxmj Server-Side Request Forgery in axios (HIGH) Affected versions: >= 1.3.2, <= 1.7.3 Patched version: 1.7.4 Source: packages/app/package.json Source: packages/executors/package.json Source: yarn.lock ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		[email protected] has a High CVE. CVE: GHSA-w573-4hg7-7wgq decode-uri-component vulnerable to Denial of Service (DoS) (HIGH) Affected versions: < 0.2.1 Patched version: 0.2.1 Source: standalone-packages/codesandbox-browserfs/yarn.lock ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		[email protected] has a High CVE. CVE: GHSA-ff7x-qrg7-qggm dot-prop Prototype Pollution vulnerability (HIGH) Affected versions: < 4.2.1 Patched version: 4.2.1 Source: packages/notifications/example/yarn.lock ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		[email protected] has a High CVE. CVE: GHSA-9q64-mpxx-87fg Open Redirect in ecstatic (HIGH) Affected versions: >= 3.0.0, < 3.3.2 Patched version: 3.3.2 Source: standalone-packages/vscode-editor/yarn.lock ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		[email protected] has a High CVE. CVE: GHSA-62gr-4qp9-h98f Regular Expression Denial of Service in Handlebars (HIGH) Affected versions: >= 4.0.0, < 4.4.5 Patched version: 4.4.5 Source: standalone-packages/codesandbox-browserfs/yarn.lock ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		[email protected] has a High CVE. CVE: GHSA-q42p-pg8m-cqh6 Prototype Pollution in handlebars (HIGH) Affected versions: >= 4.0.0, < 4.0.14 Patched version: 4.0.14 Source: standalone-packages/codesandbox-browserfs/yarn.lock ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		[email protected] has a High CVE. CVE: GHSA-g9r4-xpmj-mj65 Prototype Pollution in handlebars (HIGH) Affected versions: >= 4.0.0, < 4.5.3 Patched version: 4.5.3 Source: standalone-packages/codesandbox-browserfs/yarn.lock ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		[email protected] has a High CVE. CVE: GHSA-3cqr-58rm-57f8 Arbitrary Code Execution in Handlebars (HIGH) Affected versions: >= 4.0.0, < 4.5.3 Patched version: 4.5.3 Source: standalone-packages/codesandbox-browserfs/yarn.lock ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		[email protected] has a High CVE. CVE: GHSA-q2c6-c6pm-g3gh Arbitrary Code Execution in handlebars (HIGH) Affected versions: >= 4.0.0, < 4.5.3 Patched version: 4.5.3 Source: standalone-packages/codesandbox-browserfs/yarn.lock ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		[email protected] has a High CVE. CVE: GHSA-2cf5-4w76-r9qv Arbitrary Code Execution in handlebars (HIGH) Affected versions: >= 4.0.0, < 4.5.2 Patched version: 4.5.2 Source: standalone-packages/codesandbox-browserfs/yarn.lock ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 61 more rows in the dashboard

View full report

[snyk-io]

⚠️ Snyk checks are incomplete.

⚠️ security/snyk check encountered an error. (View Details)