[Snyk] Fix for 1 vulnerabilities

[dotam99]

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• package.json
• yarn.lock

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	828

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[guardrails]

⚠️ We detected 39 security issues in this pull request:

Mode: paranoid | Total findings: 39 | Considered vulnerability: 39

Insecure Use of Language/Framework API (9)

Severity	Details	Docs
High	Title: Child process (child_process) methods accept untrusted data to execute action-github-app-token/dist/index.js Line 411 in 8936634 const version = /\d+\.\d/.exec(release || os.release());	📚
High	Title: Child process (child_process) methods accept untrusted data to execute action-github-app-token/dist/index.js Line 4419 in 8936634 str	📚
High	Title: Child process (child_process) methods accept untrusted data to execute action-github-app-token/dist/index.js Line 5253 in 8936634 var tmp = /([^:\*]*)(?::(\d+)|(\*))?/.exec(variable);	📚
High	Title: Child process (child_process) methods accept untrusted data to execute action-github-app-token/dist/index.js Line 7250 in 8936634 res = /charset=([^;]*)/i.exec(ct);	📚
High	Title: Child process (child_process) methods accept untrusted data to execute action-github-app-token/dist/index.js Line 7258 in 8936634 res = /<meta.+?charset=(['"])(.+?)\1/i.exec(str);	📚
High	Title: Child process (child_process) methods accept untrusted data to execute action-github-app-token/dist/index.js Line 7264 in 8936634 str	📚
High	Title: Child process (child_process) methods accept untrusted data to execute action-github-app-token/dist/index.js Line 7268 in 8936634 str	📚
High	Title: Child process (child_process) methods accept untrusted data to execute action-github-app-token/dist/index.js Line 7276 in 8936634 res = /charset=(.*)/i.exec(res.pop());	📚
High	Title: Child process (child_process) methods accept untrusted data to execute action-github-app-token/dist/index.js Line 7282 in 8936634 res = /<\?xml.+?encoding=(['"])(.+?)\1/i.exec(str);	📚

More info on how to fix Insecure Use of Language/Framework API in JavaScript.

---

Vulnerable Libraries (30)

Severity	Details
Medium	pkg:npm/ajv@6.12.2 (t) upgrade to: 6.12.3
High	pkg:npm/ansi-regex@5.0.0 (t) upgrade to: 6.0.1,5.0.1,4.1.1,3.0.1
High	pkg:npm/braces@2.3.2 (t) upgrade to: 3.0.3
High	pkg:npm/braces@3.0.2 (t) upgrade to: 3.0.3
High	pkg:npm/debug@2.6.9 (t) upgrade to: 3.1.0
Medium	pkg:npm/debug@4.1.1 (t) upgrade to: 4.3.1,2.6.9,3.1.0,3.2.7
High	pkg:npm/decode-uri-component@0.2.0 (t) - no patch available
Medium	pkg:npm/jsdom@16.4.0 (t) upgrade to: 16.5.0
Critical	pkg:npm/json-schema@0.2.3 (t) upgrade to: 0.4.0
High	pkg:npm/json5@2.1.3 (t) upgrade to: 2.2.2
High	pkg:npm/json5@1.0.1 (t) upgrade to: 2.2.2
N/A	pkg:npm/micromatch@3.1.10 (t) - no patch available
N/A	pkg:npm/micromatch@4.0.2 (t) - no patch available
High	pkg:npm/minimatch@3.0.4 (t) upgrade to: 3.0.5
Critical	pkg:npm/minimist@1.2.5 (t) upgrade to: 1.2.6
High	pkg:npm/node-fetch@2.6.1 (t) upgrade to: 3.1.1,2.6.7
Medium	pkg:npm/path-parse@1.0.6 (t) upgrade to: 1.0.7
High	pkg:npm/qs@6.5.2 (t) upgrade to: 6.7.3,6.4.1,6.3.3,6.2.4,6.9.7,6.8.3,6.6.1,6.5.3,4.17.3,6.10.3
Medium	pkg:npm/request@2.88.2 (t) - no patch available
High	pkg:npm/semver-regex@3.1.2 (t) upgrade to: 4.0.1,3.1.3
Medium	pkg:npm/semver@5.7.1 (t) upgrade to: 7.5.2
Medium	pkg:npm/semver@7.3.4 (t) upgrade to: 7.5.2
Medium	pkg:npm/semver@6.3.0 (t) upgrade to: 7.5.2
Medium	pkg:npm/semver@7.3.2 (t) upgrade to: 7.5.2
High	pkg:npm/tmpl@1.0.4 (t) upgrade to: 1.0.5
Medium	pkg:npm/tough-cookie@2.5.0 (t) upgrade to: 4.1.3
Medium	pkg:npm/tough-cookie@3.0.1 (t) upgrade to: 4.1.3
Medium	pkg:npm/word-wrap@1.2.3 (t) - no patch available
High	pkg:npm/ws@7.4.2 (t) upgrade to: 5.2.4,6.2.3,7.5.10,8.17.1
High	pkg:npm/yaml@1.10.0 (t) upgrade to: 2.2.2

More info on how to fix Vulnerable Libraries in JavaScript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.