[Snyk] Upgrade: node-fetch, xml2js, , dayjs, semver, vscode-tas-client, dockerfile-language-server-nodejs, fs-extra, tar

[X-oss-byte]

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

node-fetch
from 2.6.9 to 2.7.0 | 5 versions ahead of your current version | a year ago
on 2023-08-23
xml2js
from 0.5.0 to 0.6.2 | 3 versions ahead of your current version | a year ago
on 2023-07-26
@azure/storage-blob
from 12.14.0 to 12.24.0 | 112 versions ahead of your current version | 2 months ago
on 2024-07-23
dayjs
from 1.11.7 to 1.11.13 | 6 versions ahead of your current version | 23 days ago
on 2024-08-20
semver
from 7.5.0 to 7.6.3 | 8 versions ahead of your current version | 2 months ago
on 2024-07-16
vscode-tas-client
from 0.1.63 to 0.1.84 | 2 versions ahead of your current version | 7 months ago
on 2024-02-05
dockerfile-language-server-nodejs
from 0.10.2 to 0.13.0 | 3 versions ahead of your current version | 3 months ago
on 2024-06-19
fs-extra
from 11.1.1 to 11.2.0 | 1 version ahead of your current version | 10 months ago
on 2023-11-28
tar
from 6.1.13 to 6.2.1 | 4 versions ahead of your current version | 6 months ago
on 2024-03-21

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Cross-site Request Forgery (CSRF) SNYK-JS-AXIOS-6032459	676	Proof of Concept
	Improper Input Validation SNYK-JS-FOLLOWREDIRECTS-6141137	676	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	676	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-6124857	676	Proof of Concept
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	676	Proof of Concept
	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	676	Proof of Concept

Release notes

Package name: node-fetch

• 2.7.0 - 2023-08-23
  

  2.7.0 (2023-08-23)

  Features

  • AbortError (#1744) (9b9d458)
• 2.6.13 - 2023-08-18
  

  2.6.13 (2023-08-18)

  Bug Fixes

  • Remove the default connection close header (#1765) (65ae25a), closes #1735 #1473 #1736
• 2.6.12 - 2023-06-29
  

  2.6.12 (2023-06-29)

  Bug Fixes

  • socket variable testing for undefined (#1726) (8bc3a7c)
• 2.6.11 - 2023-05-09
  

  2.6.11 (2023-05-09)

  Reverts

  • Revert "fix: handle bom in text and json (#1739)" (#1741) (afb36f6), closes #1739 #1741
• 2.6.10 - 2023-05-08
  

  2.6.10 (2023-05-08)

  Bug Fixes

  • handle bom in text and json (#1739) (29909d7)
• 2.6.9 - 2023-01-30
  

  2.6.9 (2023-01-30)

  Bug Fixes

  • "global is not defined" (#1704) (70f592d)

from node-fetch GitHub release notes

Package name: xml2js

• 0.6.2 - 2023-07-26
  

  New release, 0.6.2

• 0.6.1 - 2023-07-25
  

  Update version number for release 0.6.1

• 0.6.0 - 2023-05-25
  

  Release new version

• 0.5.0 - 2023-04-09
  

  Update package.json with latest PR

from xml2js GitHub release notes

Package name: dayjs

• 1.11.13 - 2024-08-20
  

  1.11.13 (2024-08-20)

  Bug Fixes

  • customParseFormat supports Q quter / w ww weekOfYear (#2705) (8ca74f1)
• 1.11.12 - 2024-07-18
  

  1.11.12 (2024-07-18)

  Bug Fixes

  • Add NegativeYear Plugin support (#2640) (6a42e0d)
  • add UTC support to negativeYear plugin (#2692) (f3ef705)
  • Fix zero offset issue when use tz with locale (#2532) (d0e6738)
  • Improve typing for min/max plugin (#2573) (4fbe94a)
  • timezone plugin currect parse UTC tz (#2693) (b575c81)
• 1.11.11 - 2024-04-28
  

  1.11.11 (2024-04-28)

  Bug Fixes

  • day of week type literal (#2630) (f68d73e)
  • improve locale "zh-hk" format and meridiem (#2419) (a947a51)
  • Update 'da' locale to match correct first week of year (#2592) (44b0936)
  • update locale Bulgarian monthsShort Jan (#2538) (f0c9a41)
• 1.11.10 - 2023-09-19
  

  1.11.10 (2023-09-19)

  Bug Fixes

  • Add Korean Day of Month with ordinal (#2395) (dd55ee2)
  • change back fa locale to the Gregorian calendar equivalent (#2411) (95e9458)
  • duration plugin - MILLISECONDS_A_MONTH const calculation (#2362) (f0a0b54)
  • duration plugin getter get result 0 instead of undefined (#2369) (061aa7e)
  • fix isDayjs check logic (#2383) (5f3f878)
  • fix timezone plugin to get correct locale setting (#2420) (4f45012)
  • locale: add meridiem in ar locale (#2418) (361be5c)
  • round durations to millisecond precision for ISO string (#2367) (890a17a)
  • sub-second precisions need to be rounded at the seconds field to avoid adding floats (#2377) (a9d7d03)
  • update $x logic to avoid plugin error (#2429) (2254635)
  • Update Slovenian locale for relative time (#2396) (5470a15)
  • update uzbek language translation (#2327) (0a91056)
• 1.11.9 - 2023-07-01
  

  1.11.9 (2023-07-01)

  Bug Fixes

  • Add null to min and max plugin return type (#2355) (62d9042)
  • check if null passed to objectSupport parser (#2175) (013968f)
  • dayjs.diff improve performance (#2244) (33c80e1)
  • dayjs(null) throws error, not return dayjs object as invalid date (#2334) (c79e2f5)
  • objectSupport plugin causes an error when null is passed to dayjs function (closes #2277) (#2342) (89bf31c)
  • Optimize format method (#2313) (1fe1b1d)
  • update Duration plugin add/subtract take into account days in month (#2337) (3b1060f)
  • update MinMax plugin 1. ignore the 'null' in args 2. return the only one arg (#2330) (3c2c6ee)
• 1.11.8 - 2023-06-02
  

  1.11.8 (2023-06-02)

  Bug Fixes

  • .format add padding to 'YYYY' (#2231) (00c223b)
  • Added .valueOf method to Duration class (#2226) (9b4fcfd)
  • timezone type mark date parameter as optional (#2222) (b87aa0e)
  • type file first parameter date is optional in isSame(), isBefore(), isAfter() (#2272) (4d56f3e)
• 1.11.7 - 2022-12-06
  

  1.11.7 (2022-12-06)

  Bug Fixes

  • Add locale (zh-tw) meridiem (#2149) (1e9ba76)
  • update fa locale (#2151) (1c26732)

from dayjs GitHub release notes

Package name: semver

• 7.6.3 - 2024-07-16
  

  7.6.3 (2024-07-16)

  Bug Fixes

  • 73a3d79 #726 optimize Range parsing and formatting (#726) (@ jviide)

  Documentation

  • 2975ece #719 fix extra backtick typo (#719) (@ stdavis)
• 7.6.2 - 2024-05-09
  

  7.6.2 (2024-05-09)

  Bug Fixes

  • 6466ba9 #713 lru: use map.delete() directly (#713) (@ negezor, @ lukekarrys)
• 7.6.1 - 2024-05-07
  

  7.6.1 (2024-05-04)

  Bug Fixes

  • c570a34 #704 linting: no-unused-vars (@ wraithgar)
  • ad8ff11 #704 use internal cache implementation (@ mbtools)
  • ac9b357 #682 typo in compareBuild debug message (#682) (@ mbtools)

  Dependencies

  • 988a8de #709 uninstall lru-cache (#709)
  • 3fabe4d #704 remove lru-cache

  Chores

  • dd09b60 #705 bump @ npmcli/template-oss to 4.22.0 (@ lukekarrys)
  • ec49cdc #701 chore: chore: postinstall for dependabot template-oss PR (@ lukekarrys)
  • b236c3d #696 add benchmarks (#696) (@ H4ad)
  • 692451b #688 various improvements to README (#688) (@ mbtools)
  • 5feeb7f #705 postinstall for dependabot template-oss PR (@ lukekarrys)
  • 074156f #701 bump @ npmcli/template-oss from 4.21.3 to 4.21.4 (@ dependabot[bot])
• 7.6.0 - 2024-02-05
  

  7.6.0 (2024-01-31)

  Features

  • a7ab13a #671 preserve pre-release and build parts of a version on coerce (#671) (@ madtisa, madtisa, @ wraithgar)

  Chores

  • 816c7b2 #667 postinstall for dependabot template-oss PR (@ lukekarrys)
  • 0bd24d9 #667 bump @ npmcli/template-oss from 4.21.1 to 4.21.3 (@ dependabot[bot])
  • e521932 #652 postinstall for dependabot template-oss PR (@ lukekarrys)
  • 8873991 #652 chore: chore: postinstall for dependabot template-oss PR (@ lukekarrys)
  • f317dc8 #652 bump @ npmcli/template-oss from 4.19.0 to 4.21.0 (@ dependabot[bot])
  • 7303db1 #658 add clean() test for build metadata (#658) (@ jethrodaniel)
  • 6240d75 #656 add missing quotes in README.md (#656) (@ zyxkad)
  • 14d263f #625 postinstall for dependabot template-oss PR (@ lukekarrys)
  • 7c34e1a #625 bump @ npmcli/template-oss from 4.18.1 to 4.19.0 (@ dependabot[bot])
  • 123e0b0 #622 postinstall for dependabot template-oss PR (@ lukekarrys)
  • 737d5e1 #622 bump @ npmcli/template-oss from 4.18.0 to 4.18.1 (@ dependabot[bot])
  • cce6180 #598 postinstall for dependabot template-oss PR (@ lukekarrys)
  • b914a3d #598 bump @ npmcli/template-oss from 4.17.0 to 4.18.0 (@ dependabot[bot])
• 7.5.4 - 2023-07-07
  

  7.5.4 (2023-07-07)

  Bug Fixes

  • cc6fde2 #588 trim each range set before parsing (@ lukekarrys)
  • 99d8287 #583 correctly parse long build ids as valid (#583) (@ lukekarrys)
• 7.5.3 - 2023-06-22
  

  7.5.3 (2023-06-22)

  Bug Fixes

  • abdd93d #571 set max lengths in regex for numeric and build identifiers (#571) (@ lukekarrys)

  Documentation

  • bf53dd8 #569 add example for > comparator (#569) (@ mbtools)
• 7.5.2 - 2023-06-15
  

  7.5.2 (2023-06-15)

  Bug Fixes

  • 58c791f #566 diff when detecting major change from prerelease (#566) (@ lukekarrys)
  • 5c8efbc #565 preserve build in raw after inc (#565) (@ lukekarrys)
  • 717534e #564 better handling of whitespace (#564) (@ lukekarrys)
• 7.5.1 - 2023-05-12
  

  7.5.1 (2023-05-12)

  Bug Fixes

  • d30d25a #559 show type on invalid semver error (#559) (@ tjenkinson)
• 7.5.0 - 2023-04-17

from semver GitHub release notes

Package name: dockerfile-language-server-nodejs

• 0.13.0 - 2024-06-19
  

  Tag for the v0.13.0 release.

• 0.12.0 - 2024-05-23
  

  Tag for the v0.12.0 release.

• 0.11.0 - 2023-09-10
  

  Tag for the v0.11.0 release

• 0.10.2 - 2023-06-01
  

  Tag for the v0.10.2 release.

from dockerfile-language-server-nodejs GitHub release notes

Package name: fs-extra

• 11.2.0 - 2023-11-28
  

  11.2.0

• 11.1.1 - 2023-03-20
  

  11.1.1

from fs-extra GitHub release notes

Package name: tar

• 6.2.1 - 2024-03-21
  

  v6.2.1

• 6.2.0 - 2023-09-05
  

  6.2.0

• 6.1.15 - 2023-05-17
  

  6.1.15

• 6.1.14 - 2023-05-02
  

  6.1.14

• 6.1.13 - 2022-12-07
  

  6.1.13 (2022-12-07)

  Dependencies

  • cc4e0dd #343 bump minipass from 3.3.6 to 4.0.0

from tar GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[//]: # 'snyk:metadata:{"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"node-fetch","from":"2.6.9","to":"2.7.0"},{"name":"xml2js","from":"0.5.0","to":"0.6.2"},{"name":"","from":"azure/storage-blob","to":"azure/storage-blob"},{"name":"dayjs","from":"1.11.7","to":"1.11.13"},{"name":"semver","from":"7.5.0","to":"7.6.3"},{"name":"vscode-tas-client","from":"0.1.63","to":"0.1.84"},{"name":"dockerfile-language-server-nodejs","from":"0.10.2","to":"0.13.0"},{"name":"fs-extra","from":"11.1.1","to":"11.2.0"},{"name":"tar","from":"6.1.13","to":"6.2.1"}],"env":"prod","hasFixes":true,"isBreakingChange":false,"isMajorUpgrade":false,"issuesToFix":[{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-AXIOS-6032459","issue_id":"SNYK-JS-AXIOS-6032459","priority_score":676,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.1","score":355},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Cross-site Request Forgery (CSRF)"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-FOLLOWREDIRECTS-6141137","issue_id":"SNYK-JS-FOLLOWREDIRECTS-6141137","priority_score":686,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.3","score":365},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Improper Input Validation"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-SEMVER-3247795","issue_id":"SNYK-JS-SEMVER-3247795","priority_score":696,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-AXIOS-6124857","issue_id":"SNYK-JS-AXIOS-6124857","priority_score":586,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.3","score":265},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-FOLLOWREDIRECTS-6444610","issue_id":"SNYK-JS-FOLLOWREDIRECTS-6444610","priority_score":646,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.5","score":325},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Information Exposure"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-TAR-6476909","issue_id":"SNYK-JS-TAR-6476909","priority_score":646,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.5","score":325},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Uncontrolled Resource Consumption ('Resource Exhaustion')"}],"prId":"c057e905-252a-4e77-9a37-6d584d8d122e","prPublicId":"c057e905-252a-4e77-9a37-6d584d8d122e","packageManager":"npm","priorityScoreList":[676,686,696,586,646,646],"projectPublicId":"89fc9fdf-8886-44ee-bb55-53cdb6839141","projectUrl":"https://app.snyk.io/org/sammytezzy/project/89fc9fdf-8886-44ee-bb55-53cdb6839141?utm_source=github&utm_medium=referral&page=upgrade-pr","prType":"upgrade","templateFieldSources":{"branchName":"default","commitMessage":"default","description":"default","title":"default"},"templateVariants":["priorityScore"],"type":"auto","upgrade":["SNYK-JS-AXIOS-6032459","SNYK-JS-FOLLOWREDIRECTS-6141137","SNYK-JS-SEMVER-3247795","SNYK-JS-AXIOS-6124857","SNYK-JS-FOLLOWREDIRECTS-6444610","SNYK-JS-TAR-6476909"],"upgradeInfo":{"versionsDiff":5,"publishedDate":"2023-08-23T17:18:39.396Z"},"vulns":["SNYK-JS-AXIOS-6032459","SNYK-JS-FOLLOWREDIRECTS-6141137","SNYK-JS-SEMVER-3247795","SNYK-JS-AXIOS-6124857","SNYK-JS-FOLLOWREDIRECTS-6444610","SNYK-JS-TAR-6476909"]}'

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 6e844ea

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.