[Snyk] Fix for 38 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • test/fixtures/qs-package/node_modules/snyk/node_modules/request/package.json
  • test/fixtures/qs-package/node_modules/snyk/node_modules/request/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Command Injection SNYK-JS-CODECOV-543183	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Command Injection SNYK-JS-CODECOV-548879	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Command Injection SNYK-JS-CODECOV-585979	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-3136336	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-JSYAML-173999	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes	No Known Exploit
	591/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) SNYK-JS-KARMA-2395349	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-KARMA-2396325	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	489/1000 Why? Has a fix available, CVSS 5.5	Information Exposure SNYK-JS-LOG4JS-2348757	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Improper Privilege Management SNYK-JS-SHELLJS-2332187	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Insecure Defaults SNYK-JS-SOCKETIO-1024859	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary Code Injection SNYK-JS-XMLHTTPREQUESTSSL-1082936	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Access Restriction Bypass SNYK-JS-XMLHTTPREQUESTSSL-1255647	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:eslint:20180222	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20171108	Yes	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: codecov

The new version differs by 179 commits.

• 29dd5b6 3.7.1
• c0711c6 Switch from execSync to execFileSync ([Snyk] Security upgrade node-fetch from 2.6.0 to 3.1.1 #180)
• 5f6cc62 Bump lodash from 4.17.15 to 4.17.19 ([Snyk] Security upgrade python from 3.6-slim to 3.7.12-slim #183)
• 0c4d7f3 Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5 #182 from codecov/update-readme-badges
• cc5e121 Update depstat image and urls
• b44b44e Update readme with 400 error info ([Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5 #181)
• bb79335 V3.7.0 ([Snyk] Security upgrade node-fetch from 2.6.0 to 3.1.1 #179)
• 0d7b9b0 Remove `'x-amz-acl': 'public-read'` header ([Snyk] Security upgrade node-fetch from 2.6.0 to 3.1.1 #178)
• eeff4e1 Bump acorn from 5.7.3 to 5.7.4 ([Snyk] Security upgrade marked from 0.3.5 to 4.0.10 #174)
• eb8a527 Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.11.3 #172 from RoboCafaz/bugfix/codebuild-pr-parser
• 55d69cd Merge pull request [Snyk] Security upgrade django from 1.6.1 to 2.2.26 #159 from SaferNodeJS/master
• ef348ec Verify source version before parsing PR
• ebe132e 3.6.5
• 02cf13d [CE-1330] Escaping args ([Snyk] Security upgrade @google-cloud/profiler from 2.0.2 to 4.0.0 #167)
• e138efe Merge lastest changes
• bac0787 v3.6.4
• 203ff3a Merge pull request [Snyk] Security upgrade django from 1.6.1 to 2.2.26 #161 from codecov/drazisil-patch-1
• 696562d Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5.2 #147 from iansu/patch-1
• 7856231 v3.6.3
• 96e6d96 Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5 #166 from codecov/chore/updates
• c8ea169 update deps
• 7c4cdc4 Merge pull request [Snyk] Security upgrade istanbul-reports from 1.5.1 to 3.1.3 #149 from aiell0/master
• 62389fa Merge pull request [Snyk] Security upgrade django from 2.0.1 to 2.2.26 #162 from codecov/dependabot/npm_and_yarn/handlebars-4.5.3
• 73ae008 Add dependabot config

See the full diff

Package name: coveralls

The new version differs by 3 commits.

• 2ed4d09 major version bump for node > 4.x
• 5ebe57f bump version
• 428780c Expand allowed dependency versions to all API compatible versions ([Snyk] Security upgrade actionpack from 4.2.5 to 4.2.11.3 #172)

See the full diff

Package name: eslint

The new version differs by 250 commits.

• c4fffbc 8.0.0
• d51f4cf Build: changelog update for 8.0.0
• 7d3f7f0 Upgrade: unfrozen @ eslint/eslintrc (fixes #15036) (#15146)
• 2174a6f Fix: require-atomic-updates property assignment message (fixes #15076) (#15109)
• f885fe0 Docs: add note and example for extending the range of fix (refs #13706) (#13748)
• 3da1509 Docs: Add jsdoc `type` annotation to sample rule (#15085)
• 68a49a9 Docs: Update Rollup Integrations (#15142)
• d867f81 Docs: Remove a dot from curly link (#15128)
• 9f8b919 Sponsors: Sync README with website
• 4b08f29 Sponsors: Sync README with website
• ebc1ba1 Sponsors: Sync README with website
• 2d654f1 Docs: add example .eslintrc.json (#15087)
• 16034f0 Docs: fix fixable example (#15107)
• 07175b8 8.0.0-rc.0
• 71faa38 Build: changelog update for 8.0.0-rc.0
• 67c0074 Update: Suggest missing rule in flat config (fixes #14027) (#15074)
• cf34e5c Update: space-before-blocks ignore after switch colons (fixes #15082) (#15093)
• c9efb5f Fix: preserve formatting when rules are removed from disable directives (#15081)
• 14a4739 Update: `no-new-func` rule catching eval case of `MemberExpression` (#14860)
• 7f2346b Docs: Update release blog post template (#15094)
• fabdf8a Chore: Remove `target.all` from `Makefile.js` (#15088)
• e3cd141 Sponsors: Sync README with website
• 05d7140 Chore: document target global in Makefile.js (#15084)
• 0a1a850 Update: include `ruleId` in error logs (fixes #15037) (#15053)

See the full diff

Package name: karma

The new version differs by 250 commits.

• ab4b328 chore(release): 6.3.16 [skip ci]
• ff7edbb fix(security): mitigate the "Open Redirect Vulnerability"
• c1befa0 chore(release): 6.3.15 [skip ci]
• d9dade2 fix(helper): make mkdirIfNotExists helper resilient to concurrent calls
• 653c762 ci: prevent duplicate CI tasks on creating a PR
• c97e562 chore(release): 6.3.14 [skip ci]
• 91d5acd fix: remove string template from client code
• 69cfc76 fix: warn when `singleRun` and `autoWatch` are `false`
• 839578c fix(security): remove XSS vulnerability in `returnUrl` query param
• db53785 chore(release): 6.3.13 [skip ci]
• 5bf2df3 fix(deps): bump log4js to resolve security issue
• 36ad678 chore(release): 6.3.12 [skip ci]
• 41bed33 fix: remove depreciation warning from log4js
• c985155 docs: create security.md
• c96f0c5 chore(release): 6.3.11 [skip ci]
• a5219c5 fix(deps): pin colors package to 1.4.0 due to security vulnerability
• de0df2f test: fix version regex in the CLI test case
• eddb2e8 chore(release): 6.3.10 [skip ci]
• 0d24bd9 fix(logger): create parent folders if they are missing
• b8eafe9 chore(release): 6.3.9 [skip ci]
• cf318e5 test: add test case for restarting test run on file change
• 92ffe60 fix: restartOnFileChange option not restarting the test run
• b153355 style: fix grammar error in browser capture log message
• 8f798d5 chore(release): 6.3.8 [skip ci]

See the full diff

Package name: karma-coverage

The new version differs by 36 commits.

• 32acafa chore(release): 2.0.2 [skip ci]
• bb8f9ee chore: add semantic-release for project - fix [Snyk] Security upgrade update-notifier from 0.5.0 to 6.0.0 #408 ([Snyk] Security upgrade @google-cloud/profiler from 2.0.2 to 4.1.3 #413)
• 9c37de6 chore: add check commit message ([Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5.1 #411)
• 27822c9 ci(test): use eslint as ci command and add all js files to check by eslint ([Snyk] Security upgrade update-notifier from 5.1.0 to 6.0.0 #410)
• 1adb27a ci: drop node 8, adopt node 12 ([Snyk] Security upgrade update-notifier from 0.6.3 to 6.0.0 #409)
• 4962a70 fix(reporter): update calls to match new API in istanbul-lib-report fix [Snyk] Security upgrade got from 5.7.1 to 11.8.5 #398 ([Snyk] Security upgrade snyk from 1.101.1 to 1.230.7 #403)
• fc6e289 refactor: remove isAbsolute and replace with path.isAbsolute ([Snyk] Security upgrade snyk from 1.101.1 to 1.230.7 #405)
• 83bafc3 refactor: replace migrate coffee unit tests to modern JS ([Snyk] Security upgrade semver from 2.3.2 to 4.3.2 #407)
• 49f174d refactor: onRunComplete method to upgrade on new major version of Istanbul ([Snyk] Security upgrade cryptiles from 2.0.5 to 3.0.0 #406)
• 4cfa697 chore: Update dev Dependencies eslint and load-grunt-tasks ([Snyk] Security upgrade python from 3.6-slim to 3.8-slim #387)
• 5cf931a fix: remove information about old istanbul lib ([Snyk] Security upgrade django from 1.6.1 to 2.2.28 #404)
• 352254a chore(deps): bump handlebars from 4.1.2 to 4.5.3 ([Snyk] Security upgrade package-json from 1.2.0 to 7.0.0 #399)
• 0ee780c chore(deps): bump lodash.template from 4.4.0 to 4.5.0 ([Snyk] Security upgrade python from 3.6-slim to 3.7-slim #392)
• d18cde4 chore(deps-dev): bump eslint from 2.13.1 to 4.18.2 ([Snyk] Security upgrade latest-version from 2.0.0 to 6.0.0 #397)
• 55aeead Update Source Map Handling ([Snyk] Security upgrade got from 3.3.1 to 11.8.5 #394)
• b23664e Added debug msg whether coverage is in reporters ([Snyk] Security upgrade package-json from 2.4.0 to 7.0.0 #396)
• d3f53e3 chore(all): Migrate to ES6 ([Snyk] Security upgrade sanitize from 4.6.2 to 5.2.1 #385)
• 9c8a222 Make travis file simpler ([Snyk] Security upgrade django from 1.6.1 to 1.8.16 #386)
• b76db9e Remove unused dateformat dependency ([Snyk] Fix for 2 vulnerabilities #384)
• 075ece0 Remove unused istanbul dependency ([Snyk] Fix for 2 vulnerabilities #382)
• 9184fc0 chore: release v2.0.1
• 57d4bd3 chore(deps): npm audit fix --force; update travis.yml ([Snyk] Fix for 2 vulnerabilities #380)
• 0e2800b chore: release v2.0.0
• 99c0c35 chore: update contributors

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Arbitrary Code Execution
🦉 More lessons are available in Snyk Learn