
Sort out NPM dependencies #2000

Closed
Tracked by #2010
Rperry2174 opened this issue Jul 14, 2023 · 2 comments
Labels
frontend Mostly JS code

Comments

@Rperry2174 (Contributor):

Copy of #2033 so this issue survives the merge. Plus the issue should be fixed at the source, which is almost exclusively here in the pyroscope repo.

Looking at the dependabot alerts it looks quite bad, quite a few critical and high alerts; I suggest we need to update rather sooner than later. Most of it is coming via pyroscope-oss, as far as I can tell. I failed to update it appropriately.

```
> trivy filesystem ./yarn.lock
yarn.lock (yarn)

Total: 16 (UNKNOWN: 0, LOW: 1, MEDIUM: 10, HIGH: 4, CRITICAL: 1)

┌──────────────┬─────────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│   Library    │    Vulnerability    │ Severity │ Installed Version │ Fixed Version │                            Title                             │
├──────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ d3-color     │ GHSA-36jr-mh4h-2g58 │ HIGH     │ 1.4.1             │ 3.1.0         │ d3-color vulnerable to ReDoS                                 │
│              │                     │          │                   │               │ https://github.com/advisories/GHSA-36jr-mh4h-2g58            │
├──────────────┼─────────────────────┤          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ nth-check    │ CVE-2021-3803       │          │ 1.0.2             │ 2.0.1         │ inefficient regular expression complexity                    │
│              │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-3803                    │
├──────────────┼─────────────────────┤          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ parse-path   │ CVE-2022-0624       │          │ 4.0.4             │ 5.0.0         │ Authorization Bypass in parse-path                           │
│              │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-0624                    │
├──────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ parse-url    │ CVE-2022-2900       │ CRITICAL │ 6.0.5             │ 8.1.0         │ Server-Side Request Forgery (SSRF) in GitHub repository      │
│              │                     │          │                   │               │ ionicabizau/parse-url                                        │
│              │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2900                    │
│              ├─────────────────────┼──────────┤                   │               ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2022-3224       │ MEDIUM   │                   │               │ parse-url parses http URLs incorrectly, making it vulnerable │
│              │                     │          │                   │               │ to host name spoofing...                                     │
│              │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-3224                    │
├──────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ protobufjs   │ CVE-2023-36665      │ HIGH     │ 6.11.3            │ 7.2.4         │ protobufjs Prototype Pollution vulnerability                 │
│              │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-36665                   │
├──────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ request      │ CVE-2023-28155      │ MEDIUM   │ 2.88.2            │               │ The Request package through 2.88.1 for Node.js allows a      │
│              │                     │          │                   │               │ bypass of SSRF...                                            │
│              │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-28155                   │
├──────────────┼─────────────────────┤          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ semver       │ CVE-2022-25883      │          │ 5.7.1             │ 7.5.2         │ semver vulnerable to Regular Expression Denial of Service    │
│              │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-25883                   │
│              │                     │          ├───────────────────┤               │                                                              │
│              │                     │          │ 6.3.0             │               │                                                              │
│              │                     │          │                   │               │                                                              │
│              │                     │          ├───────────────────┤               │                                                              │
│              │                     │          │ 7.3.8             │               │                                                              │
│              │                     │          │                   │               │                                                              │
│              │                     │          ├───────────────────┤               │                                                              │
│              │                     │          │ 7.5.0             │               │                                                              │
│              │                     │          │                   │               │                                                              │
│              │                     │          ├───────────────────┤               │                                                              │
│              │                     │          │ 7.5.1             │               │                                                              │
│              │                     │          │                   │               │                                                              │
├──────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ sweetalert2  │ GHSA-qq6h-5g6j-q3cm │ LOW      │ 11.7.3            │               │ sweetalert2 v11.4.9 and above contains hidden functionality  │
│              │                     │          │                   │               │ https://github.com/advisories/GHSA-qq6h-5g6j-q3cm            │
├──────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ tough-cookie │ CVE-2023-26136      │ MEDIUM   │ 2.5.0             │ 4.1.3         │ prototype pollution in cookie memstore                       │
│              │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-26136                   │
│              │                     │          ├───────────────────┤               │                                                              │
│              │                     │          │ 4.1.2             │               │                                                              │
│              │                     │          │                   │               │                                                              │
├──────────────┼─────────────────────┤          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ word-wrap    │ CVE-2023-26115      │          │ 1.2.3             │               │ ReDoS                                                        │
│              │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-26115                   │
└──────────────┴─────────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```
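A triage pass over a scan like the one above, as an added example (not code from the pyroscope repo): it reads Trivy's JSON report (`trivy fs --format json ./yarn.lock`; the `Results[].Vulnerabilities[]` field names are the ones Trivy emits), folds the per-finding rows into one row per package, keeps every installed version (the table shows semver pinned five times), marks packages that have no fixed version and so need replacing rather than bumping, and fails a CI gate at HIGH or above. The sample report is constructed from a few rows of the table, not a real scan.

```python
import json

# Severity order used to pick a package's worst finding and to gate CI.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in Trivy's JSON report layout (Results[].Vulnerabilities[]),
# mirroring a few rows of the table above; it is not a real scan of the repo.
SAMPLE_REPORT = json.dumps({"Results": [{"Target": "yarn.lock", "Type": "yarn", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2022-2900", "PkgName": "parse-url", "InstalledVersion": "6.0.5",
     "FixedVersion": "8.1.0", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-2022-3224", "PkgName": "parse-url", "InstalledVersion": "6.0.5",
     "FixedVersion": "8.1.0", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-2022-25883", "PkgName": "semver", "InstalledVersion": "5.7.1",
     "FixedVersion": "7.5.2", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-2022-25883", "PkgName": "semver", "InstalledVersion": "7.5.1",
     "FixedVersion": "7.5.2", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-2023-28155", "PkgName": "request", "InstalledVersion": "2.88.2",
     "FixedVersion": "", "Severity": "MEDIUM"},
]}]})


def triage(report_json, fail_on="HIGH"):
    """Collapse per-finding rows into one row per package, sorted worst-first.

    Each row carries the worst severity, every installed version, the advisory ids
    and the fix target; `fixed` stays None when Trivy gives no FixedVersion (the
    package must be replaced, not bumped). gate_passed is False once any package
    reaches `fail_on`. Returns (rows, gate_passed)."""
    pkgs = {}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key is absent for clean targets
            row = pkgs.setdefault(v["PkgName"], {"worst": "UNKNOWN", "installed": set(),
                                                 "ids": set(), "fixed": None})
            if SEVERITY_RANK[v["Severity"]] > SEVERITY_RANK[row["worst"]]:
                row["worst"] = v["Severity"]
            row["installed"].add(v["InstalledVersion"])
            row["ids"].add(v["VulnerabilityID"])
            if v.get("FixedVersion"):
                row["fixed"] = v["FixedVersion"]
    rows = sorted(pkgs.items(), key=lambda kv: -SEVERITY_RANK[kv[1]["worst"]])
    gate_passed = all(SEVERITY_RANK[r["worst"]] < SEVERITY_RANK[fail_on] for _, r in rows)
    return rows, gate_passed


if __name__ == "__main__":
    for name, r in triage(SAMPLE_REPORT)[0]:
        fix = f"upgrade to {r['fixed']}" if r["fixed"] else "no fixed version: replace"
        print(f"{r['worst']:8} {name:12} {','.join(sorted(r['installed'])):14} {fix}")
```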

@darrenjaneczek (Collaborator) commented Jul 14, 2023:
@simonswine -- are we satisfied to close this?
