From 9b0d7c2a7023e6a83222d96febaee74880601ad8 Mon Sep 17 00:00:00 2001
From: johnd0e <johnd0e@mail.ua>
Date: Tue, 19 May 2020 00:25:15 +0300
Subject: [PATCH] Update dev dependencies, fix most of vulnerabilities (#7133)

* Update rollup-plugin-git-version to ^0.3.1

* Update uglify-js to ^3.9.2

* Update git-rev-sync to ^2.0.0

* Update ssri to ^8.0.0

* Update rollup to ^0.59.4

(latests version with support of IE 8)

Remove Object.freeze hack, use rollup's `output.freeze` option instead

* Update eslint to ^5.16.0

And fix a couple of warnings.
Ref:
https://eslint.org/docs/user-guide/migrating-to-5.0.0#eslint-recommended-changes
https://eslint.org/docs/user-guide/migrating-to-5.0.0#deprecated-globals

* Update eslint to ^6.8.0

Ref:
https://eslint.org/docs/user-guide/migrating-to-6.0.0#eslint-recommended-changes
---
 build/rollup-config.js                 |  8 +++++---
 build/rollup-watch-config.js           |  5 +++--
 package.json                           | 12 ++++++------
 spec/karma.conf.js                     | 10 +++++++---
 spec/suites/layer/vector/CanvasSpec.js | 10 +++++-----
 src/Leaflet.js                         |  3 ---
 src/core/Browser.js                    |  2 +-
 src/core/Class.js                      |  2 +-
 src/core/Util.js                       |  5 +----
 src/dom/Draggable.js                   |  2 +-
 src/layer/VideoOverlay.js              |  4 +++-
 src/layer/vector/Path.js               |  2 +-
 12 files changed, 34 insertions(+), 31 deletions(-)

diff --git a/build/rollup-config.js b/build/rollup-config.js
index 2e2db54663d..2937b5e2184 100644
--- a/build/rollup-config.js
+++ b/build/rollup-config.js
@@ -42,16 +42,18 @@ export default {
 			name: 'L',
 			banner: banner,
 			outro: outro,
-			sourcemap: true
+			sourcemap: true,
+			legacy: true, // Needed to create files loadable by IE8
+			freeze: false
 		},
 		{
 			file: 'dist/leaflet-src.esm.js',
 			format: 'es',
 			banner: banner,
-			sourcemap: true
+			sourcemap: true,
+			freeze: false
 		}
 	],
-	legacy: true, // Needed to create files loadable by IE8
 	plugins: [
 		release ? json() : rollupGitVersion()
 	]
diff --git a/build/rollup-watch-config.js b/build/rollup-watch-config.js
index 1c604047229..c6f207703f4 100644
--- a/build/rollup-watch-config.js
+++ b/build/rollup-watch-config.js
@@ -20,9 +20,10 @@ export default {
 		format: 'umd',
 		name: 'L',
 		banner: banner,
-		sourcemap: true
+		sourcemap: true,
+		legacy: true, // Needed to create files loadable by IE8
+		freeze: false,
 	},
-	legacy: true, // Needed to create files loadable by IE8
 	plugins: [
 		rollupGitVersion()
 	]
diff --git a/package.json b/package.json
index d5e3eb37a91..64bc8861343 100644
--- a/package.json
+++ b/package.json
@@ -4,9 +4,9 @@
   "homepage": "https://leafletjs.com/",
   "description": "JavaScript library for mobile-friendly interactive maps",
   "devDependencies": {
-    "eslint": "^4.19.1",
+    "eslint": "^6.8.0",
     "eslint-config-mourner": "^2.0.1",
-    "git-rev-sync": "^1.12.0",
+    "git-rev-sync": "^2.0.0",
     "happen": "~0.3.2",
     "karma": "^5.0.3",
     "karma-chrome-launcher": "^3.1.0",
@@ -23,12 +23,12 @@
     "mocha": "^7.1.2",
     "phantomjs-prebuilt": "^2.1.16",
     "prosthetic-hand": "^1.3.1",
-    "rollup": "0.51.8",
-    "rollup-plugin-git-version": "0.2.1",
+    "rollup": "^0.59.4",
+    "rollup-plugin-git-version": "^0.3.1",
     "rollup-plugin-json": "^4.0.0",
     "sinon": "^7.5.0",
-    "ssri": "^6.0.1",
-    "uglify-js": "~3.5.10"
+    "ssri": "^8.0.0",
+    "uglify-js": "^3.9.2"
   },
   "main": "dist/leaflet-src.js",
   "style": "dist/leaflet.css",
diff --git a/spec/karma.conf.js b/spec/karma.conf.js
index 1660583da42..a093f6f2589 100644
--- a/spec/karma.conf.js
+++ b/spec/karma.conf.js
@@ -62,9 +62,13 @@ module.exports = function (config) {
 			plugins: [
 				json()
 			],
-			format: 'umd',
-			name: 'L',
-			outro: outro
+			output: {
+				format: 'umd',
+				name: 'L',
+				outro: outro,
+				legacy: true, // Needed to create files loadable by IE8
+				freeze: false,
+			},
 		},
 
 		// test results reporter to use
diff --git a/spec/suites/layer/vector/CanvasSpec.js b/spec/suites/layer/vector/CanvasSpec.js
index 296335d7d1f..375bc014128 100644
--- a/spec/suites/layer/vector/CanvasSpec.js
+++ b/spec/suites/layer/vector/CanvasSpec.js
@@ -144,12 +144,12 @@ describe('Canvas', function () {
 		    layerId = L.stamp(layer),
 		    canvas = map.getRenderer(layer);
 
-		expect(canvas._layers.hasOwnProperty(layerId)).to.be(true);
+		expect(canvas._layers).to.have.property(layerId);
 
 		map.removeLayer(layer);
 		// Defer check due to how Canvas renderer manages layer removal.
 		L.Util.requestAnimFrame(function () {
-			expect(canvas._layers.hasOwnProperty(layerId)).to.be(false);
+			expect(canvas._layers).to.not.have.property(layerId);
 			done();
 		}, this);
 	});
@@ -159,14 +159,14 @@ describe('Canvas', function () {
 		    layerId = L.stamp(layer),
 		    canvas = map.getRenderer(layer);
 
-		expect(canvas._layers.hasOwnProperty(layerId)).to.be(true);
+		expect(canvas._layers).to.have.property(layerId);
 
 		map.removeLayer(layer);
 		map.addLayer(layer);
-		expect(canvas._layers.hasOwnProperty(layerId)).to.be(true);
+		expect(canvas._layers).to.have.property(layerId);
 		// Re-perform a deferred check due to how Canvas renderer manages layer removal.
 		L.Util.requestAnimFrame(function () {
-			expect(canvas._layers.hasOwnProperty(layerId)).to.be(true);
+			expect(canvas._layers).to.have.property(layerId);
 			done();
 		}, this);
 	});
diff --git a/src/Leaflet.js b/src/Leaflet.js
index 2b18450274a..f4339b9b812 100644
--- a/src/Leaflet.js
+++ b/src/Leaflet.js
@@ -22,6 +22,3 @@ export * from './layer/index';
 
 // map
 export * from './map/index';
-
-import {freeze} from './core/Util';
-Object.freeze = freeze;
diff --git a/src/core/Browser.js b/src/core/Browser.js
index 13c50ae1c5f..ee2583e0fa3 100644
--- a/src/core/Browser.js
+++ b/src/core/Browser.js
@@ -120,7 +120,7 @@ export var passiveEvents = (function () {
 	var supportsPassiveOption = false;
 	try {
 		var opts = Object.defineProperty({}, 'passive', {
-			get: function () {
+			get: function () { // eslint-disable-line getter-return
 				supportsPassiveOption = true;
 			}
 		});
diff --git a/src/core/Class.js b/src/core/Class.js
index df367b61772..f60bda9e13e 100644
--- a/src/core/Class.js
+++ b/src/core/Class.js
@@ -35,7 +35,7 @@ Class.extend = function (props) {
 
 	// inherit parent's statics
 	for (var i in this) {
-		if (this.hasOwnProperty(i) && i !== 'prototype' && i !== '__super__') {
+		if (Object.prototype.hasOwnProperty.call(this, i) && i !== 'prototype' && i !== '__super__') {
 			NewClass[i] = this[i];
 		}
 	}
diff --git a/src/core/Util.js b/src/core/Util.js
index f3d22ece0c5..da678e3b10a 100644
--- a/src/core/Util.js
+++ b/src/core/Util.js
@@ -4,9 +4,6 @@
  * Various utility functions, used by Leaflet internally.
  */
 
-export var freeze = Object.freeze;
-Object.freeze = function (obj) { return obj; };
-
 // @function extend(dest: Object, src?: Object): Object
 // Merges the properties of the `src` object (or multiple objects) into `dest` object and returns the latter. Has an `L.extend` shortcut.
 export function extend(dest) {
@@ -133,7 +130,7 @@ export function splitWords(str) {
 // @function setOptions(obj: Object, options: Object): Object
 // Merges the given properties to the `options` of the `obj` object, returning the resulting options. See `Class options`. Has an `L.setOptions` shortcut.
 export function setOptions(obj, options) {
-	if (!obj.hasOwnProperty('options')) {
+	if (!Object.prototype.hasOwnProperty.call(obj, 'options')) {
 		obj.options = obj.options ? create(obj.options) : {};
 	}
 	for (var i in options) {
diff --git a/src/dom/Draggable.js b/src/dom/Draggable.js
index 52b875bc6c7..8a4a456cb7f 100644
--- a/src/dom/Draggable.js
+++ b/src/dom/Draggable.js
@@ -164,7 +164,7 @@ export var Draggable = Evented.extend({
 			this._lastTarget = e.target || e.srcElement;
 			// IE and Edge do not give the <use> element, so fetch it
 			// if necessary
-			if ((window.SVGElementInstance) && (this._lastTarget instanceof SVGElementInstance)) {
+			if (window.SVGElementInstance && this._lastTarget instanceof window.SVGElementInstance) {
 				this._lastTarget = this._lastTarget.correspondingUseElement;
 			}
 			DomUtil.addClass(this._lastTarget, 'leaflet-drag-target');
diff --git a/src/layer/VideoOverlay.js b/src/layer/VideoOverlay.js
index 5dc8a885a7e..b2c705edba9 100644
--- a/src/layer/VideoOverlay.js
+++ b/src/layer/VideoOverlay.js
@@ -72,7 +72,9 @@ export var VideoOverlay = ImageOverlay.extend({
 
 		if (!Util.isArray(this._url)) { this._url = [this._url]; }
 
-		if (!this.options.keepAspectRatio && vid.style.hasOwnProperty('objectFit')) { vid.style['objectFit'] = 'fill'; }
+		if (!this.options.keepAspectRatio && Object.prototype.hasOwnProperty.call(vid.style, 'objectFit')) {
+			vid.style['objectFit'] = 'fill';
+		}
 		vid.autoplay = !!this.options.autoplay;
 		vid.loop = !!this.options.loop;
 		vid.muted = !!this.options.muted;
diff --git a/src/layer/vector/Path.js b/src/layer/vector/Path.js
index e8f939f9e28..9d80273ea74 100644
--- a/src/layer/vector/Path.js
+++ b/src/layer/vector/Path.js
@@ -105,7 +105,7 @@ export var Path = Layer.extend({
 		Util.setOptions(this, style);
 		if (this._renderer) {
 			this._renderer._updateStyle(this);
-			if (this.options.stroke && style && style.hasOwnProperty('weight')) {
+			if (this.options.stroke && style && Object.prototype.hasOwnProperty.call(style, 'weight')) {
 				this._updateBounds();
 			}
 		}