Do periodic security update

[matuzalemsteles]

Well, apparently we've started getting PRs from dependabot, as we have a policy of not merging these PRs but looking more carefully at the dependencies and checking if it makes sense and instead of manipulating yarn.lock to update the root dependency.

This issue has the same effect as the issue that was created in the project liferay/liferay-frontend-projects#112.

• Security implications of dependencies
  

[matuzalemsteles]

• chore(deps): bump tmpl from 1.0.4 to 1.0.5 in /clayui.com/react-docgen #4453 tmpl
• chore(deps): bump ws from 7.2.1 to 7.5.6 in /clayui.com/react-docgen #4454 ws
• chore(deps): bump y18n from 4.0.0 to 4.0.3 in /clayui.com/react-docgen #4455 y18n
• chore(deps): bump path-parse from 1.0.6 to 1.0.7 in /clayui.com/react-docgen #4456 path-parse
• chore(deps): bump browserslist from 4.8.6 to 4.18.1 in /clayui.com/react-docgen #4457 browserslist
• chore(deps): bump lodash from 4.17.19 to 4.17.21 in /clayui.com/react-docgen #4458 lodash

[julien]

@matuzalemsteles

I verified the changes in these dependencies and the only problem I see is that the "react-docgen" directory is something we add manually to the repository. Last time we updated it, was here.

This seems like a manual process so I'm not sure what we want to do about these dependabot alerts. W
e could speak about it during our next meeting (on Thursday 12/2) to see if it sill makes sense keeping this "clayui.com" directory in the repository or moving it to somewhere else - if we keep on using something
like this we're likely to get dependabot alerts once in a while, so we should decide to have an official way
of closing them. (We can also disable dependabot)

[matuzalemsteles]

Hey @julien, yeah we keep it local due to a bug we had to fix locally I don't remember why this fix wasn't sent to react-docgen hoping to get into master but anyway i think we can disregard the dependabot alerts for react-docgen by not affect the components or the user on clayui.com

Usually, we will try to follow the policy that was created and keep this issue open to decide what to do with the alerts that appear, ideally it would be interesting to keep dependabot on despite being quite annoying at times, but at least in our repository it seems to be rare.

About react-docgen, ideally we want to remove this for some other #4130.

[julien]

@matuzalemsteles thanks for the clarification. Let's see if we get time to prioritize work on #4130,
For the moment I think we can safely ignore this.

[matuzalemsteles]

• chore(deps): bump url-parse from 1.5.3 to 1.5.7 #4679 url-parse
• chore(deps): bump ajv from 6.11.0 to 6.12.6 in /clayui.com/react-docgen #4678 ajv

Hey @julien I'm closing the PRs and adding the reference here so that we can track them.

[julien]

@matuzalemsteles OK

[julien]

@matuzalemsteles adding these

• chore(deps): bump prismjs from 1.25.0 to 1.27.0 #4705 prismjs
• chore(deps): bump url-parse from 1.5.3 to 1.5.10 #4706 url-parse

[matuzalemsteles]

• chore(deps): bump ansi-regex from 4.1.0 to 4.1.1 in /clayui.com/react-docgen #4770 ansi-regex
• chore(deps): bump minimist from 1.2.5 to 1.2.6 #4771 minimist

[matuzalemsteles]

• chore(deps): bump moment from 2.29.1 to 2.29.2 #4798 moment

[matuzalemsteles]

• chore(deps): bump gatsby-plugin-mdx from 2.14.0 to 2.14.1 #4902 gatsby-plugin-mdx
• chore(deps): bump devcert from 1.2.0 to 1.2.1 #4901 devcert

[matuzalemsteles]

• chore(deps): bump parse-url from 6.0.0 to 6.0.2 #4974 parse-url

[matuzalemsteles]

• chore(deps): bump moment from 2.29.1 to 2.29.4 #4982 moment

[matuzalemsteles]

• chore(deps): bump parse-url from 6.0.0 to 6.0.5 #5095 parse-url

[matuzalemsteles]

• chore(deps): bump socket.io-parser from 4.0.4 to 4.0.5 #5190 socket.io-parser

[matuzalemsteles]

• chore(deps): bump minimatch from 3.0.4 to 3.1.2 in /clayui.com/react-docgen #5216 minimatch

[matuzalemsteles]

• chore(deps): bump decode-uri-component from 0.2.0 to 0.2.2 #5228 decode-uri-component
• chore(deps): bump decode-uri-component from 0.2.0 to 0.2.2 in /clayui.com/react-docgen #5227 decode-uri-component

[matuzalemsteles]

• chore(deps): bump qs from 6.5.2 to 6.5.3 #5240 bump

[matuzalemsteles]

• chore(deps): bump express from 4.17.1 to 4.18.2 #5244 express
• chore(deps): bump qs from 6.5.2 to 6.5.3 in /clayui.com/react-docgen #5245 qs

[matuzalemsteles]

• chore(deps): bump gatsby-transformer-remark from 4.11.0 to 5.25.1 #5294 gatsby-transformer-remark
• chore(deps): bump json5 from 1.0.1 to 1.0.2 #5285 json5

I should update this next week.

[matuzalemsteles]

• chore(deps): bump json5 from 2.1.1 to 2.2.3 in /clayui.com/react-docgen #5315 json5

[matuzalemsteles]

• chore(deps): bump http-cache-semantics from 4.1.0 to 4.1.1 #5346 http-cache-semantics

[matuzalemsteles]

• chore(deps-dev): bump webpack from 5.74.0 to 5.76.0 #5422 webpack

[matuzalemsteles]

• chore(deps): bump @sideway/formula from 3.0.0 to 3.0.1 #5423 @sideway/formula

[matuzalemsteles]

• chore(deps): bump nunjucks from 3.2.3 to 3.2.4 #5483 nunjucks