
build: npm audit #201

Merged
merged 4 commits into from
May 20, 2024

Conversation

melsener
Member

Change description

Before:

# npm audit report

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install @zeplin/[email protected], which is outside the stated dependency range
node_modules/@pm2/js-api/node_modules/axios
node_modules/@zeplin/sdk/node_modules/axios
  @pm2/js-api  <=0.7.0
  Depends on vulnerable versions of axios
  node_modules/@pm2/js-api
    pm2  3.0.0 - 5.3.0
    Depends on vulnerable versions of @pm2/js-api
    node_modules/pm2
  @zeplin/sdk  <=1.20.0
  Depends on vulnerable versions of axios
  node_modules/@zeplin/sdk

express  <4.19.2
Severity: moderate
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
fix available via `npm audit fix`
node_modules/express

follow-redirects  <=1.15.5
Severity: moderate
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/follow-redirects

ip  <1.1.9 || =2.0.0
Severity: moderate
NPM IP package incorrectly identifies some private IP addresses as public - https://github.com/advisories/GHSA-78xj-cgh5-2h22
NPM IP package incorrectly identifies some private IP addresses as public - https://github.com/advisories/GHSA-78xj-cgh5-2h22
fix available via `npm audit fix`
node_modules/ip
node_modules/socks/node_modules/ip

lodash.set  *
Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix`
node_modules/lodash.set
  nock  13.0.0-beta.1 - 13.2.4
  Depends on vulnerable versions of lodash.set
  node_modules/nock

next  0.9.9 - 13.5.4-canary.11
Severity: moderate
Next.js missing cache-control header may lead to CDN caching empty reply - https://github.com/advisories/GHSA-c59h-r6p8-q9wc
Depends on vulnerable versions of postcss
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/next

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/postcss
  next  0.9.9 - 13.5.4-canary.11
  Depends on vulnerable versions of postcss
  node_modules/next

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install @commitlint/[email protected], which is a breaking change
node_modules/@commitlint/is-ignored/node_modules/semver
node_modules/simple-update-notifier/node_modules/semver
  @commitlint/is-ignored  9.0.0 - 17.6.5
  Depends on vulnerable versions of semver
  node_modules/@commitlint/is-ignored
    @commitlint/lint  9.0.0 - 16.2.4
    Depends on vulnerable versions of @commitlint/is-ignored
    node_modules/@commitlint/lint
      @commitlint/cli  9.0.0 - 16.3.0
      Depends on vulnerable versions of @commitlint/lint
      node_modules/@commitlint/cli
  simple-update-notifier  1.0.7 - 1.1.0
  Depends on vulnerable versions of semver
  node_modules/simple-update-notifier
    nodemon  2.0.19 - 2.0.22
    Depends on vulnerable versions of simple-update-notifier
    node_modules/nodemon

17 vulnerabilities (15 moderate, 2 high)

After:

# npm audit report

next  0.9.9 - 13.5.4-canary.11
Severity: moderate
Next.js missing cache-control header may lead to CDN caching empty reply - https://github.com/advisories/GHSA-c59h-r6p8-q9wc
Depends on vulnerable versions of postcss
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/next

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/postcss
  next  0.9.9 - 13.5.4-canary.11
  Depends on vulnerable versions of postcss
  node_modules/next

2 moderate severity vulnerabilities

Description here

Type of change

  • Bug fix (fixes an issue)
  • New feature (adds functionality)

Related issues

Fix #1

Checklists

Development

  • Lint rules pass locally
  • Application changes have been tested thoroughly
  • Automated tests covering modified code pass

Security

  • Security impact of change has been considered
  • Code follows company security practices and guidelines

Code review

  • Pull request has a descriptive title and it follows conventional commit format and breaking change indicator if required (You can use the Angular convention)
  • Screenshots or screencasts are attached as necessary
  • "Ready for review" label attached and reviewers assigned
  • Changes have been reviewed by at least one other contributor
  • Pull request linked to task tracker where applicable
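
The before/after audit output above was sorted by hand into "fixed by `npm audit fix`" and "only fixable with `--force` as a breaking change". Added example, not the PR's or the project's code: the same triage done over an `npm audit --json` report (npm v7+ shape) so a CI gate can fail only when an advisory at or above a chosen severity has no non-breaking fix; the sample report is constructed from the PR's entries, `unfixed-example` is a hypothetical package, and `<major>` is a placeholder version.

```javascript
"use strict";

// Severity ordering used by npm audit; higher rank means more severe.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report modelled on the PR's output. Only the fields read
// below are included; "<major>" is a placeholder, not a real next version.
const SAMPLE_REPORT = {
  vulnerabilities: {
    express: { name: "express", severity: "moderate", range: "<4.19.2",
               fixAvailable: true },
    "lodash.set": { name: "lodash.set", severity: "high", range: "*",
                    fixAvailable: true },
    next: { name: "next", severity: "moderate", range: "0.9.9 - 13.5.4-canary.11",
            fixAvailable: { name: "next", version: "<major>", isSemVerMajor: true } },
    // Hypothetical package with no published fix, to exercise the "noFix" path.
    "unfixed-example": { name: "unfixed-example", severity: "critical", range: "*",
                         fixAvailable: false },
  },
};

// Map one advisory's `fixAvailable` field to the wording npm prints:
//   true                     -> "fix available via `npm audit fix`"
//   { isSemVerMajor: true }  -> "--force ... which is a breaking change"
//   { isSemVerMajor: false } -> "--force ... outside the stated dependency range"
//   false                    -> no fix published
function classifyFix(entry) {
  const fix = entry.fixAvailable;
  if (fix === true) return "safeFix";
  if (fix && typeof fix === "object") return fix.isSemVerMajor ? "breakingFix" : "forceFix";
  return "noFix";
}

// Bucket every advisory and flag the ones at or above `failAt` that a plain
// `npm audit fix` cannot clear; `shouldFail` is the CI gate decision.
function triageAudit(report, failAt = "high") {
  const buckets = { safeFix: [], forceFix: [], breakingFix: [], noFix: [], failing: [] };
  for (const entry of Object.values(report.vulnerabilities)) {
    const bucket = classifyFix(entry);
    buckets[bucket].push(entry.name);
    const severe = SEVERITY_RANK[entry.severity] >= SEVERITY_RANK[failAt];
    if (severe && bucket !== "safeFix") buckets.failing.push(entry.name);
  }
  return { ...buckets, shouldFail: buckets.failing.length > 0 };
}

console.log(JSON.stringify(triageAudit(SAMPLE_REPORT), null, 2));
```

With the threshold at `high`, the two remaining `next`/`postcss` advisories from the PR (moderate, breaking fix) would not fail the gate, while an unfixable critical would.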

@melsener melsener requested a review from a team May 15, 2024 15:30
@melsener melsener merged commit 3483bb6 into main May 20, 2024
1 check passed
@melsener melsener deleted the build/npm-audit-05-2024 branch May 20, 2024 08:47