[Snyk] Fix for 30 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • admin/package.json
  • admin/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIHTML-1296849	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-NODEFORGE-2330875	No	Proof of Concept
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-NODEFORGE-2331908	No	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430337	No	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430339	No	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430341	No	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-NODEFORGE-598677	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Certificate Validation SNYK-JS-NODESASS-1059081	Yes	No Known Exploit
	715/1000 Why? Has a fix available, CVSS 9.8	Use After Free SNYK-JS-NODESASS-535497	No	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-NODESASS-542662	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	619/1000 Why? Has a fix available, CVSS 8.1	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-536840	Yes	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Arbitrary Code Injection SNYK-JS-SERIALIZEJAVASCRIPT-570062	Yes	Proof of Concept
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Improper Privilege Management SNYK-JS-SHELLJS-2332187	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-SOCKJS-575261	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SSRI-1246392	Yes	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: copy-webpack-plugin

The new version differs by 70 commits.

• 650d44d chore(release): 5.1.2
• a42d63f fix(security): update `serialize-javascript` (rotation and offset of interactables picked up from spawners is not preserved Hubs-Foundation/hubs#521)
• 96e2315 chore(release): 5.1.1
• 3b79595 fix: allow to setup empty array (Adjusting cursor distance when holding an interactable is reversed on Oculus GO Hubs-Foundation/hubs#425)
• 5df649c chore(release): 5.1.0
• c936416 refactor: tests (Perf: Don't use aframe Line component in cursor-controller Hubs-Foundation/hubs#421)
• 08a4d7f docs: fix
• 8b13bc3 refactor: improve schema
• d155dd0 docs: update ignore instructions (Running mozilla hubs build on AWS Cloud 9 Hubs-Foundation/hubs#410)
• 45780be docs: example for placeholders in `to` (Warn users when uBlock Origin's WebRTC option is enabled Hubs-Foundation/hubs#420)
• 452539a feat: validate options (Guide for installing HUBS locally Hubs-Foundation/hubs#419)
• 4826e56 fix: better to determine when glob is used
• 51c3680 docs: issue 408 (Bump A-Frame to recent master Hubs-Foundation/hubs#418)
• f6f72a7 chore(deps): update
• 0675847 chore(release): 5.0.5
• 9146c2a docs: fix typo (explicitly switch between dynamic and static body types Hubs-Foundation/hubs#401)
• 3103940 refactor: minor code refactor (Feature/debug mode Hubs-Foundation/hubs#399)
• c546871 perf: improvement for webpack@5 (Need a way to include cube map reflections for any and all models that are using PBR shader. Hubs-Foundation/hubs#406)
• 5db376b chore(deps): update (Add hubs.local as valid domain for webpack dev server Hubs-Foundation/hubs#409)
• 806eb41 docs: fix broken fragment links (Clicking the middle of the screen while looking down clicks the in-world hud Hubs-Foundation/hubs#398)
• 6158483 chore(release): 5.0.4
• cd0e9f5 docs: clarify plugin description (fix TypeError: Cannot read property enableMicrophone of undefined error (fixes #394) Hubs-Foundation/hubs#395)
• f848140 test: refactor (TypeError: Cannot read property 'enableMicrophone' of undefined error (in src/components/mute-mic.js) Hubs-Foundation/hubs#394)
• ff0c736 refactor: tests (Send to device follow-ups Hubs-Foundation/hubs#393)

See the full diff

Package name: css-loader

The new version differs by 67 commits.

• 634ab49 chore(release): 2.0.0
• 6ade2d0 refactor: remove unused file (Add optional GA tracking telemetry Hubs-Foundation/hubs#860)
• e7525c9 test: nested url (Add proper content type for HLS Hubs-Foundation/hubs#859)
• 7259faa test: css hacks (Re-send entry event on rejoin Hubs-Foundation/hubs#858)
• 5e6034c feat: allow to filter import at-rules (Update hover menu properly if it loads late Hubs-Foundation/hubs#857)
• 5e702e7 feat: allow filtering urls (Remove old video-seek buttons from freeze menu Hubs-Foundation/hubs#856)
• 9642aa5 test: css stuff (WIP Delay loading until hover Hubs-Foundation/hubs#855)
• 3338656 fix: reduce number of require for url (Tweaks to rotation button / mode Hubs-Foundation/hubs#854)
• 533abbe test: issue 636 (Fix ui materials Hubs-Foundation/hubs#853)
• 08c551c refactor: better warning on invalid url resolution (Handle failed pins due to invalid token Hubs-Foundation/hubs#852)
• b0aa159 test: issue Fix up media loading a lot Hubs-Foundation/hubs#589 (Drop cursor on vive Hubs-Foundation/hubs#851)
• f599c70 fix: broken unucode characters (Clear credentials and create anonymous hubs if your token is invalid Hubs-Foundation/hubs#850)
• 1e551f3 test: issue 286 (Room permissions, settings and improved entry flow Hubs-Foundation/hubs#849)
• 419d27b docs: improve readme (Don't whitelist CORS-blocked domains in dev Hubs-Foundation/hubs#848)
• d94a698 refactor: webpack-default (Support MultiMaterials in loaded glTF models Hubs-Foundation/hubs#847)
• b97d997 feat: schema options
• 453248f fix: support module resolution in composes (Refresh expired invite link Hubs-Foundation/hubs#845)
• 8a6ea10 refactor: postcss plugins (Add deadzone to oculus touch joysticks Hubs-Foundation/hubs#844)
• fdcf687 fix: url resolving logic (Room permissions, settings and improved entry flow Hubs-Foundation/hubs#843)
• 889dc7f feat: allow to disable css modules and disable their by default (Rotate and align objects easily Hubs-Foundation/hubs#842)
• ee2d253 test: importLoaders option (Authorize hub mutation commands Hubs-Foundation/hubs#841)
• 1dad1fb feat: reuse postcss ast from other loaders (i.e `postcss-loader`) (Fix scaling of spawned objects Hubs-Foundation/hubs#840)
• fe94ebc test: icss reserved keywords (Fix spawn point rotation Hubs-Foundation/hubs#839)
• 9eaba66 refactor: migrate on message api for postcss-icss-plugin (Video Controls Overlay Hubs-Foundation/hubs#838)

See the full diff

Package name: html-loader

The new version differs by 55 commits.

• d7cccfa chore(release): 1.0.0
• 3c9a1d8 refactor: `attributes` option (Disable zoom on mobile  Hubs-Foundation/hubs#265)
• 8c73761 feat: `preprocessor` option (Show mailing list signup with ?list_signup=true Hubs-Foundation/hubs#263)
• f2ce5b1 feat: improve errors
• 9923244 chore(deps): update (Fix the check to see if the pose is the same as last time. Hubs-Foundation/hubs#260)
• 9835bde feat: supports `link:href` attribute for css (Add block buttons to the avatars during freeze mode. Hubs-Foundation/hubs#258)
• 7af2eff refactor: improve schema (Handle touch/mouse events on mobile better Hubs-Foundation/hubs#257)
• 98412f9 docs: `filter` sources (create new Chrome Origin-Trial tokens for production origin Hubs-Foundation/hubs#256)
• ff0f44c feat: implement the `filter` option for filtering some of sources (add redirects for hub → hubs (naming can be confusing, hard to remember) Hubs-Foundation/hubs#255)
• 1c24662 refactor: move the `root` option under the `attributes` option (Remove action_primary actions from vive triggers. Hubs-Foundation/hubs#254)
• 888b8fe docs: add footnote for `-attributes` (Remove the use of setTimeout from the touchStart handler in cursor-controller. Hubs-Foundation/hubs#252)
• 3d2907e refactor: remove the `interpolate` option
• bd979e2 refactor: remove the `interpolate` option
• fcba4ec fix: handle only valid srcset tags (support non-English languages (l10n localisation, i18n internationalisation) Hubs-Foundation/hubs#253)
• 9e5ce56 perf: improve source parse (Cursor lock when dragging camera Hubs-Foundation/hubs#251)
• c9c8dad refactor: improve source parse (Client crashes when spawning ducks too fast Hubs-Foundation/hubs#250)
• 079d623 fix: respect `#hash` in sources
• a17df49 fix: reduce `import`/`require` count
• d0b0150 fix: adding quotes when necessary for unquoted sources (Fix nipple js error when pointer events are canceled. Hubs-Foundation/hubs#247)
• e3727ab test: minifier
• 0bbe29c feat: migrate on `htmlparse2`
• b7af031 fix: escape `\u2028` and `\u2029` characters (Character controller introduces noise in scale Hubs-Foundation/hubs#244)
• 24b0427 fix: parser tags and attributes according spec (Feature/ui pass for hubs Hubs-Foundation/hubs#243)
• 3df909d feat: support `script:src` attributes

See the full diff

Package name: html-webpack-plugin

The new version differs by 139 commits.

• eb73905 chore(release): 4.0.0
• 42a6d4a Add typing for getHooks
• a1a37cf Release html-webpack-plugin 4.0.0-beta.14
• 97f9fb9 fix: load script files before style files files in defer script loading mode
• e97ce17 Release html-webpack-plugin 4.0.0-beta.13
• e448b5d Release html-webpack-plugin 4.0.0-beta.12
• de315eb feat: Add defer script loading
• 7df269f feat: Provide a verbose error message if html minification failed
• 1d66e53 feat: merge templateParameters with default template parameters
• dfb98e7 Fix typo in template option docts
• 096a760 Fix broken links in examples
• a195c34 docs: Update template-option documentation
• 40b410e docs: Update example for template parameters
• bf017f3 chore: Release 4.0.0-beta.11
• 2549557 test: Don't use minification for speed measurement
• de22fc2 test: Adjust measurment for node 6 on travis
• 24bf1b5 fix: Update references to html-minifier
• f4eafdc chore: Release 4.0.0-beta.10
• a2ad30a refactor: Use getAssetPath instead of calling the hook directly
• 2595a79 chore: Release 4.0.0-beta.9
• c66766c feat: Add support for minifying inline ES6 inside html templates
• 655cbcd Fix README typo
• 6de319b update lodash dependency for prototype polution vulnerability
• 35a1541 Properly encode file names emitted as part of URLs.

See the full diff

Package name: htmlhint

The new version differs by 171 commits.

• 9796b67 chore(release): 0.16.2 [skip ci]
• 98e45b9 fix: clenaup non-functional typos (Fix issues detecting VR input devices Hubs-Foundation/hubs#727)
• 081db96 chore(deps-dev): bump @ types/xml from 1.0.5 to 1.0.6 (Don't do meaningless stuff with empty media components Hubs-Foundation/hubs#740)
• fad78d8 chore(deps): bump async from 3.2.0 to 3.2.2 (Sign In and Persistence Ownership Hubs-Foundation/hubs#739)
• 63d367e refactor: move eslint config to type overrides (Camera focus and tracking Hubs-Foundation/hubs#725)
• 77e9a6c chore(dependabot): correct quoting for prettier (Responsive CSS for Hubs Landing Page Hubs-Foundation/hubs#735)
• e95cd82 chore: run lint once for CI (Fix blur issue Hubs-Foundation/hubs#726)
• 88d3670 chore(build): add Dependabot for website packages (Optimize cors Hubs-Foundation/hubs#721)
• 4f85a1a chore(build): remove redundant matrix (Stub out basic input system Hubs-Foundation/hubs#720)
• 3c25de8 style: run prettier during lint (Animation menu buttons Hubs-Foundation/hubs#724)
• 26b4e44 chore(build): use caching in setup-node (Chat commands for fly mode & avatar size Hubs-Foundation/hubs#723)
• 5b52a27 chore(build): run matrix on current node releases (React dialog fixup Hubs-Foundation/hubs#719)
• 4de808c fix changelog duplication (Fixed checkbox styling Hubs-Foundation/hubs#717)
• ec2da2c chore(release): 0.16.1 [skip ci]
• 4d702d8 fix: tagname-specialchars description (Feature/tweet buttons Hubs-Foundation/hubs#714)
• e027f30 Fix `How To Use` link. (Feature/vr presence count Hubs-Foundation/hubs#715)
• f1030e3 chore(deps): bump y18n from 4.0.0 to 4.0.3 in /website (Feature/surprise me Hubs-Foundation/hubs#713)
• cdba1b3 chore(deps): bump lodash from 4.17.15 to 4.17.21 in /website (Feature/spoke landing Hubs-Foundation/hubs#712)
• 2561560 chore(deps): bump ssri from 6.0.1 to 6.0.2 in /website (Add fly mode Hubs-Foundation/hubs#711)
• d8a28ea chore(deps): bump dns-packet from 1.3.1 to 1.3.4 in /website (Add visual indicator to bubble toggling and invading Hubs-Foundation/hubs#710)
• 37a4d2b chore(deps): bump color-string from 1.5.3 to 1.6.0 in /website (Feature/fly Hubs-Foundation/hubs#706)
• 593ac56 chore(deps): bump url-parse from 1.4.7 to 1.5.3 in /website (Feature/custom environments Hubs-Foundation/hubs#703)
• 9f09a72 chore(deps): bump postcss from 7.0.30 to 7.0.39 in /website (Search and insert google blocks assets. Hubs-Foundation/hubs#708)
• d30a1e7 chore(deps): bump ws from 6.2.1 to 6.2.2 in /website (Feature/gltf animation Hubs-Foundation/hubs#707)

See the full diff

Package name: node-sass

The new version differs by 105 commits.

• 99242d7 7.0.1
• 77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (A room link is not created when using the short format link of a room Hubs-Foundation/hubs#3224)
• c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (Landing page panels Hubs-Foundation/hubs#3209)
• 918dcb3 Lint fix
• 0a21792 Set rejectUnauthorized to true by default (Waypoint link reloads room on first click Hubs-Foundation/hubs#3149)
• e80d4af chore: Drop EOL Node 15 (Not getting the option of "Remix in spoke" or "Edit in Spoke" Hubs-Foundation/hubs#3122)
• d753397 feat: Add Node 17 support (Is there any way to access the code for implementing chat commands? Hubs-Foundation/hubs#3195)
• dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0
• bfa1a3c build(deps): bump actions/setup-node from 2.4.0 to 2.4.1
• 80d6c00 chore: Windows x86 on GitHub Actions (Is there a way to access the individual elements of a glb in spoke? Hubs-Foundation/hubs#3041)
• 566dc27 build(deps-dev): bump fs-extra from 0.30.0 to 10.0.0 (日本語 Add Japanese language option Hubs-Foundation/hubs#3102)
• 7bb5157 build(deps): bump npmlog from 4.1.2 to 5.0.0 (User-Friendly Naming for Objects in Scene? Hubs-Foundation/hubs#3156)
• 2efb38f build(deps): bump chalk from 1.1.3 to 4.1.2 (Spanish translation Hubs-Foundation/hubs#3161)
• fca5257 build(deps): bump actions/setup-node from 2.3.0 to 2.4.0
• 6200b21 docs: Double word "support" (Media Frames not positioning content correctly when nested under other nodes in Spoke Hubs-Foundation/hubs#3159)
• eaf791a build(deps): bump actions/setup-node from 2.1.5 to 2.3.0
• 16b8d4b build(deps): bump coverallsapp/github-action from 1.1.2 to 1.1.3
• c167004 6.0.1
• 911d4db remove mkdirp dep (Language localization: Spanish Hubs-Foundation/hubs#3108)
• 30a52f7 build(deps): bump meow from 3.7.0 to 9.0.0
• 7e08463 build(deps-dev): bump mocha from 8.4.0 to 9.0.1
• cfcbb2c chore: Use default Apline version from docker-node (Fix bug where invisible audio nodes initialize at the origin Hubs-Foundation/hubs#3121)
• 886319b chore: Drop Node 10 support
• c908f4f fix: Bump OSX minimum to 10.11

See the full diff

Package name: selfsigned

The new version differs by 21 commits.

• ff1857a v1.10.13
• 030bb0c Merge branch 'mkapra-master'
• 4ed3feb 1.10.13
• bc483b9 Upgrade node-forge to non vulnerable version
• da38146 1.10.12
• dd3a994 update mocha and chai. Remove travis
• c5ac42b fix tests
• b206981 1.10.11
• e68ef96 fix tests and minor change in jsdoc
• 162a255 minor
• e361323 1.10.10
• 567bcd6 improve readme and add jsdocs
• afe6029 1.10.9
• 2aff0d6 fix outdated deps and tests
• b7f2afa 1.10.8
• 08012a7 update package-lock
• 30be7f1 chore: update node-forge dependency (Webpack Refactor Hubs-Foundation/hubs#39)
• 7b3fb86 1.10.7
• 866e4e7 Merge branch 'Dalimil-master'
• 333ac8f revert v bump
• 1c89c97 Update node-forge

See the full diff

Package name: shelljs

The new version differs by 4 commits.

• 70668a4 0.8.5
• d919d22 fix(exec): lockdown file permissions (Teleportation sends you to the wrong spot Hubs-Foundation/hubs#1060)
• fcf1651 0.8.4
• a1111ee Silence potentially upcoming circular dependency warning (Set service worker timeout Hubs-Foundation/hubs#973)

See the full diff

Package name: webpack-dev-server

The new version differs by 250 commits.

• c9271b9 chore(release): 4.0.0
• 18bf369 test: fix stability (Room UI Redesign: VR Fixes Hubs-Foundation/hubs#3676)
• cdcabb2 fix: respect protocol from browser for manual setup (Google Poly Broken Links Hubs-Foundation/hubs#3675)
• 1768d6b fix: initial reloading for lazy compilation (ICE retries and RTC fixes Hubs-Foundation/hubs#3662)
• 4f5bab1 docs: improve examples (Upgrading react-admin to v3.0.0 or higher Hubs-Foundation/hubs#3672)
• f2d87fb fix: improve https CLI output (A history entry is registered for every character typed/deleted in the Hubs or Spoke search bars Hubs-Foundation/hubs#3673)
• 0277c5e chore: remove redundant console statements (Change all the ocurrences of "kick" variables, references and kick-button.js file Hubs-Foundation/hubs#3671)
• 16fcdbc docs: add `ipc` example (Room UI Redesign: Fix link button in object menu Hubs-Foundation/hubs#3667)
• 8915fb8 test: add e2e tests for built in routes (Room UI Redesign: Add short link description to invite popover Hubs-Foundation/hubs#3669)
• 4d1cbe1 docs: ask `version` information in issue template ([New UI] Mac Safari Doesn't load Hubs-Foundation/hubs#3668)
• b6c1881 chore(deps-dev): bump core-js from 3.16.1 to 3.16.2 ([new ui] Standalone VR Freezes when you leave immersive mode Hubs-Foundation/hubs#3666)
• ffa8cc5 chore(deps-dev): bump supertest from 6.1.5 to 6.1.6 (Error loading assets Hubs-Foundation/hubs#3665)
• f1fdaa7 chore(release): 4.0.0-rc.1
• c4678bc fix: legacy API ([New UI] There is no reference to the short link where the room code is needed in the invite menu Hubs-Foundation/hubs#3660)
• d8bdd03 test: fix stability (#3661)
• 22b1414 refactor: remove `killable` (SMTP is not working after updating hubs client Hubs-Foundation/hubs#3657)
• 75bafbf test: add e2e tests for module federation (Uploaded music files in a room continue to play at the same volume even when muted Hubs-Foundation/hubs#3658)
• 493ccbd chore(deps): update `ws` (URL Asset wont load on Hubs Cloud Hubs-Foundation/hubs#3652)
• ae8c523 test: add e2e test for universal compiler (#3656)
• f94b84f chore(deps): update (Room UI Redesign: Toggle inspect mode and lights Hubs-Foundation/hubs#3655)
• 1923132 test: fix cli
• 2adfd01 test: fix todo ("/" Stays in chat box instead of disapearing. Hubs-Foundation/hubs#3653)
• 6e2cbde fix: proxy logging and allow to pass options without the `target` option (#3651)
• c9ccc96 fix: respect infastructureLogging.level for client.logging (Update networked aframe with transform validation checks Hubs-Foundation/hubs#3613)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Open Redirect
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn