[Snyk] Fix for 14 vulnerabilities

[adamlaska]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • docs/package.json
  • docs/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	786/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	Yes	Proof of Concept
	601/1000 Why? Recently disclosed, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	Yes	No Known Exploit
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-LOADERUTILS-3043105	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	521/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4	Information Exposure SNYK-JS-NANOID-2332193	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Improper Privilege Management SNYK-JS-SHELLJS-2332187	Yes	Proof of Concept
	489/1000 Why? Has a fix available, CVSS 5.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SIDEWAYFORMULA-3317169	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-TERSER-2806366	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038	Yes	Proof of Concept
	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	Sandbox Bypass SNYK-JS-WEBPACK-3358798	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @docusaurus/core

The new version differs by 250 commits.

• 2ec4e07 v3.3.0
• 8af29a7 refactor: apply lint autofix
• 7319a1b prepare 3.3.0 release
• 4159b25 docs: Fix `déja` to `déjà` in `swizzling.mdx` (Use serde provided serialization for atomics solana-labs/solana#10096)
• 10b76d8 chore(deps): bump ejs from 3.1.9 to 3.1.10 (Bump byte-unit from 3.0.3 to 3.1.0 solana-labs/solana#10097)
• 3939413 docs: Fix dead Typesense links (Consider correcting Bank::slots_per_year drift solana-labs/solana#10093)
• 7057ba4 feat: add createSitemapItems hook (Add option to wait for a specific epoch length to bench-tps solana-labs/solana#10083)
• be9081a chore: Upgrade svgr / svgo / cssnano (Deal with misleading storage rewards in Inflation struct solana-labs/solana#10092)
• 2154dcc fix(theme): `<Tabs>` props should allow overriding defaults (RPC: getConfirmedBlocks doesn't limit return results solana-labs/solana#10091)
• c967ea5 fix(theme): `<Admonition>` should render properly without heading/icon (Make repair metrics less chatty (#9094) solana-labs/solana#10080)
• 3ee7760 fix(core): `docusaurus serve` redirects should include the site `/baseUrl/` prefix (ledger-tool: Add an analysis-account command solana-labs/solana#10090)
• 0b49e6c chore(deps): bump actions/dependency-review-action from 4.2.5 to 4.3.1 (RPC: getBlockTime returns null for slot that hasn't been purged solana-labs/solana#10089)
• a6dbd92 chore(deps): bump preactjs/compressed-size-action from 2.5.0 to 2.6.0 (Rent should only be collected per block (not per transaction) solana-labs/solana#10088)
• ca33858 fix: handle React v18.3 warnings (Bump thiserror from 1.0.17 to 1.0.18 solana-labs/solana#10079)
• f1cb4ed docs: make `ThemedImage` example work out of the box (RPC: getConfirmedBlock doesn't include collected rent solana-labs/solana#10085)
• e20b329 docs: add note regarding ts extension for config file. (Invalid tick count causes slot dumping solana-labs/solana#10082)
• da2c0b4 chore: Upgrade to TypeScript 5.4 (v1.1: Add nonce to shreds repairs, add shred data size to header solana-labs/solana#10076)
• daba917 feat(core): add new site config option `siteConfig.markdown.anchors.maintainCase` (Abort if the open fd limit cannot be increased solana-labs/solana#10064)
• 9418786 fix(theme-translations): add missing theme translations for pt-BR (Add docs section to upgrade Solana App on Ledger Live solana-labs/solana#10070)
• f88da6c refactor: extract base TS client config + upgrade TS + refactor TS setup (RecentBlockhashes sysvar needs to carry the full BlockhashQueue solana-labs/solana#10065)
• e736dcb test(e2e): TypeCheck website/starter in min/max range of TS versions (Correct comment stating lockup gates stake authorize ixs solana-labs/solana#10063)
• eb07e9d refactor(core): optimize App entrypoint, it should not re-render when navigating (Fix unstable test after eager rent collection (bp #10031) solana-labs/solana#10060)
• c746289 refactor(theme): simplify CSS solution to solve empty search container (validator: Forge a confirmed root before halting for RPC inspection solana-labs/solana#10061)
• a612b4e feat(cli): docusaurus deploy should support a --target-dir option (Use Blockstore lowest_slot to initialize root iterator (bp #9738) solana-labs/solana#9767)

See the full diff

Package name: @docusaurus/preset-classic

The new version differs by 250 commits.

• cb5829f v3.5.0
• a19d54f Merge remote-tracking branch 'origin/slorber/docusaurus-v3.5' into slorber/docusaurus-v3.5
• ea49177 3.5 docs
• 55a58ee changelog
• 8f8f7f2 Merge branch 'main' into slorber/docusaurus-v3.5
• a096bbc feat(blog): add `onUntruncatedBlogPosts` blog options (Enable rolling update of "Permit paying oneself" / "No longer allow create-account to add funds to an existing account" solana-labs/solana#10375)
• 2611aa1 refactor: apply lint autofix
• f9e5adb v3.5 blog post
• c3af215 v3.5 blog post
• af24976 v3.5 blog post
• 2028ca4 v3.5 blog post
• f43be85 fix(translations): fix wrong Estonian (et) translations and typos (Reduce stable jobs solana-labs/solana#10344)
• a2e30be fix(search): fix algolia search ignore ctrl + F in search input (Permit paying oneself (bp #10337) solana-labs/solana#10342)
• 44ddada fix(docs): the _category_.json description attribute should display on generated index pages (validator: Added --health-check-slot-distance solana-labs/solana#10324)
• 95ab9f8 feat(theme): show unlisted/draft banners in dev mode (Purge TransactionStatus and AddressSignatures exactly from ledger-tool (bp #10358) solana-labs/solana#10376)
• c58fcbd feat(ci): continuous releases for main and PRs with pkg.pr.new (BPF SDK cloning of dependent repositories may be causing us to be throttled solana-labs/solana#10369)
• 087a329 fix(cli): Fix bad docusaurus CLI behavior on for --version, -V, --help, -h (Writing to Log Blocks Other Operations solana-labs/solana#10368)
• 7be1fea feat(blog): add feed xlst options to render beautiful RSS and Atom feeds (Backport: confirmations fix solana-labs/solana#9252)
• 08a893a chore: add prettier-xml plugin (simulateTransaction RPC endpoint should optionally return program log output solana-labs/solana#10364)
• f356e29 feat(blog): authors page (Consider making --no-rocksdb-compaction the default solana-labs/solana#10216)
• 50f9fce docs: rename @ getcanary/docusaurus-pagefind in docs (Rolling upgrade test automation solana-labs/solana#10361)
• 347070b fix(translations): Fix and Improve Spanish translations (Cleanup program docs (bp #10283) solana-labs/solana#10360)
• 95990c6 docs: Add @ getcanary/docusaurus-pagefind in docs (More cluster stats and add epoch stakes cache in retransmit stage solana-labs/solana#10345)
• 40676cd chore(deps): update infima npm dependency to version 0.2.0-alpha.44 (Add switch threshold local cluster tests + fix check_switch_threshold solana-labs/solana#10343)

See the full diff

Package name: @docusaurus/theme-search-algolia

The new version differs by 250 commits.

• cb5829f v3.5.0
• a19d54f Merge remote-tracking branch 'origin/slorber/docusaurus-v3.5' into slorber/docusaurus-v3.5
• ea49177 3.5 docs
• 55a58ee changelog
• 8f8f7f2 Merge branch 'main' into slorber/docusaurus-v3.5
• a096bbc feat(blog): add `onUntruncatedBlogPosts` blog options (Enable rolling update of "Permit paying oneself" / "No longer allow create-account to add funds to an existing account" solana-labs/solana#10375)
• 2611aa1 refactor: apply lint autofix
• f9e5adb v3.5 blog post
• c3af215 v3.5 blog post
• af24976 v3.5 blog post
• 2028ca4 v3.5 blog post
• f43be85 fix(translations): fix wrong Estonian (et) translations and typos (Reduce stable jobs solana-labs/solana#10344)
• a2e30be fix(search): fix algolia search ignore ctrl + F in search input (Permit paying oneself (bp #10337) solana-labs/solana#10342)
• 44ddada fix(docs): the _category_.json description attribute should display on generated index pages (validator: Added --health-check-slot-distance solana-labs/solana#10324)
• 95ab9f8 feat(theme): show unlisted/draft banners in dev mode (Purge TransactionStatus and AddressSignatures exactly from ledger-tool (bp #10358) solana-labs/solana#10376)
• c58fcbd feat(ci): continuous releases for main and PRs with pkg.pr.new (BPF SDK cloning of dependent repositories may be causing us to be throttled solana-labs/solana#10369)
• 087a329 fix(cli): Fix bad docusaurus CLI behavior on for --version, -V, --help, -h (Writing to Log Blocks Other Operations solana-labs/solana#10368)
• 7be1fea feat(blog): add feed xlst options to render beautiful RSS and Atom feeds (Backport: confirmations fix solana-labs/solana#9252)
• 08a893a chore: add prettier-xml plugin (simulateTransaction RPC endpoint should optionally return program log output solana-labs/solana#10364)
• f356e29 feat(blog): authors page (Consider making --no-rocksdb-compaction the default solana-labs/solana#10216)
• 50f9fce docs: rename @ getcanary/docusaurus-pagefind in docs (Rolling upgrade test automation solana-labs/solana#10361)
• 347070b fix(translations): Fix and Improve Spanish translations (Cleanup program docs (bp #10283) solana-labs/solana#10360)
• 95990c6 docs: Add @ getcanary/docusaurus-pagefind in docs (More cluster stats and add epoch stakes cache in retransmit stage solana-labs/solana#10345)
• 40676cd chore(deps): update infima npm dependency to version 0.2.0-alpha.44 (Add switch threshold local cluster tests + fix check_switch_threshold solana-labs/solana#10343)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)
🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@crowdin/[email protected]	None	0	6.78 MB	andrii.bodnar
npm/@docusaurus/[email protected]	Transitive: environment, eval, filesystem, network, shell, unsafe	+355	47.8 MB	slorber
npm/@docusaurus/[email protected]	environment Transitive: eval, filesystem, network, shell, unsafe	+376	53.7 MB	slorber
npm/@docusaurus/[email protected]	filesystem Transitive: environment, eval, network, shell, unsafe	+369	53.1 MB	slorber
npm/[email protected]	Transitive: environment	+26	6.86 MB	kaicataldo
npm/[email protected]	None	0	6.28 kB	lukeed
npm/[email protected]	filesystem Transitive: eval	+25	2.91 MB	ljharb
npm/[email protected]	filesystem Transitive: environment, eval, shell, unsafe	+56	10.5 MB	eslintbot

🚮 Removed packages: npm/@babel/[email protected], npm/@babel/[email protected], npm/@babel/[email protected], npm/@babel/[email protected], npm/@babel/[email protected], npm/@babel/[email protected], npm/@babel/[email protected], npm/@commitlint/[email protected], npm/@commitlint/[email protected], npm/@ethersproject/[email protected], npm/@rollup/[email protected], npm/@rollup/[email protected], npm/@rollup/[email protected], npm/@rollup/[email protected], npm/@rollup/[email protected], npm/@rollup/[email protected], npm/@rollup/[email protected], npm/@solana/[email protected], npm/@solana/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@typescript-eslint/[email protected], npm/@typescript-eslint/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Critical CVE	npm/[email protected]	CVE: GHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utils (CRITICAL) Affected versions: >= 2.0.0, < 2.0.3 Patched version: 2.0.3	docs/package-lock.json docs/package.json	⚠︎

View full report↗︎

Next steps

What is a critical CVE?

Contains a Critical Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/[email protected]