[Snyk] Fix for 18 vulnerabilities

[chriswrightdesign]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	786/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	703/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.2	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	429/1000 Why? Has a fix available, CVSS 4.3	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	Yes	No Known Exploit
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MERGE-1040469	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MERGE-1042987	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	469/1000 Why? Has a fix available, CVSS 5.1	Denial of Service (DoS) npm:mem:20180117	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: all-contributors-cli

The new version differs by 123 commits.

• 74f3b71 refactor: move from "request" to "node fetch" (#277)
• 8af13c3 fix: replace markdownlint-enable with markdownlint-restore to restore (vs. enable all) previous rules (fixes #276). (#278)
• 3bb4a03 feat(contribution-types): adds mentoring (#274)
• bd4bea1 docs: add pavelloz as a contributor (#273)
• fc2d05e perf: add image size to avatar url to improve performance (#269)
• b70d5f3 docs: adds missing contributors (#272)
• e48419c chore(dep): bumped json-fixer to 1.5.1 (#270)
• e736938 chore(package): update kcd-scripts to version 6.2.0 (#263)
• b77f86b feat(repo): github profile url should be valid (#268)
• 649f6ce chore(package): update semantic-release to version 17.0.8 (#262)
• bcc0d99 feat(contribution-types): add missing contribution types (#261)
• e987eb0 chore(package): update cz-conventional-changelog to version 3.0.0 (feat: add .gql files in lintstagedrc kentcdodds/kcd-scripts#198)
• 4573e29 docs: add AnandChowdhary as a contributor (bug: ESLint cannot be imported in Jest 27 kentcdodds/kcd-scripts#219)
• 33e1a43 chore(package): update semantic-release to version 16.0.0 (upgrade rollup to the latest version kentcdodds/kcd-scripts#242)
• 77923a3 docs: add kharaone as a contributor (docs: add eps1lon as a contributor kentcdodds/kcd-scripts#212)
• b5d85de chore(package): update git-cz to version 4.1.0 (chore: update rollup to exclude es5-ext kentcdodds/kcd-scripts#243)
• e2ed91d docs: add ilai-deutel as a contributor (#257)
• d26cd47 docs: add MarceloAlves as a contributor (docs: add nstepien as a contributor for code kentcdodds/kcd-scripts#222)
• 9a6cf19 chore(package): update kcd-scripts to version 5.0.0 (#246)
• db5d731 fix(repo): pass optionalPrivateToken to recursive calls (#258)
• a671507 docs: Add badge for the AUR package (#256)
• 2de352a docs(license): MIT (#255)
• fe76178 fix(package): update chalk to version 4.0.0 (#253)
• b3d0995 feat(alpha-sort): Add a parameter contributorsSortAlphabetically (#249)

See the full diff

Package name: babel-plugin-module-resolver

The new version differs by 20 commits.

• ff8a445 chore(release): 5.0.0
• c43e71c chore: Update dependencies and find-babel-config to fix json5 vulnerabilities (#441)
• f2daf06 docs: Valid install commands when using Github copy button (#426)
• f533cc2 chore(release): 4.1.0
• 57c53c3 chore: Run CI on node >= 10
• 91c053c chore: Update husky & lint-staged
• 2a14940 chore: Update standard-version to v9.0.0
• facf14c feat: Add new jest methods (#419)
• a3eba3a chore(deps): bump ini from 1.3.5 to 1.3.8 (#418)
• e4a1165 docs: update readme to include Intellij / Webstorm workaround for resolving aliases (#410)
• 8a3ac0f chore(deps): bump yargs-parser from 13.1.1 to 13.1.2 (#408)
• aac96f2 chore(deps-dev): bump standard-version from 7.0.1 to 8.0.1 (#401)
• 1179e27 chore(deps): bump lodash from 4.17.15 to 4.17.19 (#402)
• 5e3feaa docs: Add yarn install command (#394)
• a65c39a chore(release): 4.0.0
• a5045b0 chore: Add Test github action (#378)
• 0cef5ee chore: Update dependencies (#377)
• 8963f88 docs: Add Quasar Framework as a user using this lib (#364)
• f2173ee feat: Add support for alias with array of paths (#376)
• 77b1bc1 chore: Update Expo link (#370)

See the full diff

Package name: doctoc

The new version differs by 31 commits.

• 68f070c 2.2.0
• 459856c fix: upgrade deps (feat: update dependencies kentcdodds/kcd-scripts#225)
• ffbb04f 2.1.0
• 095cbbc Bump path-parse from 1.0.6 to 1.0.7 (docs: add eps1lon as a contributor kentcdodds/kcd-scripts#212)
• dcbdb1c Add unit test for skip function (feat: add 'jest-snapshot-serializer-raw/always' as default snapshotSerializer kentcdodds/kcd-scripts#206)
• 5258371 chore: removing patreon badge
• 9f675d5 Bump glob-parent from 5.1.1 to 5.1.2 (feat(babelrc): update browsersConfig kentcdodds/kcd-scripts#207)
• b115924 Handle file skipping internally (docs: add Lukas-Kullmann as a contributor kentcdodds/kcd-scripts#143)
• bc62221 2.0.1
• 41033dc Bump lodash from 4.17.20 to 4.17.21
• d631fa9 Bump hosted-git-info from 2.8.8 to 2.8.9
• 3dddb16 security: CVE-2021-23358 in underscore
• f98b159 Bump y18n from 4.0.0 to 4.0.1
• 2faf563 2.0.0
• 68af396 Bump lodash from 4.17.15 to 4.17.20 (docs: add rafgraph as a contributor kentcdodds/kcd-scripts#187)
• 9bc2c83 Update dependencies to fix deprecation warnings (docs: add MichaelDeBoey as a contributor kentcdodds/kcd-scripts#179)
• d38d04b pre-commit docs: update sha -> rev (docs: add rbusquet as a contributor kentcdodds/kcd-scripts#178)
• bf7896b collapse consecutive blank lines if there's no title (closes Prettier kentcdodds/kcd-scripts#101) (6.1.0 seems to have a regression kentcdodds/kcd-scripts#145)
• 88ec7cd Merge pull request chore: Add 'Cancel Previous Runs' step kentcdodds/kcd-scripts#181 from uetchy/preserve
• f07f3aa fix: update notice text
• 88e4c56 docs: add help text for --update-only
• 04ffd96 feat: add notice for --update-only
• 2be533d chore: rename --preserve to --update-only
• 617c7c5 feat: flag to keep file without toc untouched

See the full diff

Package name: eslint

The new version differs by 250 commits.

• a7985a6 6.0.0
• be74dd9 Build: changelog update for 6.0.0
• 81aa06b Upgrade: espree@6.0.0 (#11869)
• 5f022bc Fix: no-else-return autofix produces name collisions (fixes #11069) (#11867)
• ded9548 Fix: multiline-comment-style incorrect message (#11864)
• cad074d Docs: Add JSHint W047 compat to no-floating-decimal (#11861)
• 41f6304 Upgrade: sinon (#11855)
• 167ce87 Chore: remove unuseable profile command (#11854)
• c844c6f Fix: max-len properly ignore trailing comments (fixes #11838) (#11841)
• 1b5661a Fix: no-var should not fix variables named 'let' (fixes #11830) (#11832)
• 4d75956 Build: CI with Azure Pipelines (#11845)
• 1db3462 Chore: rm superfluous argument & fix perf-multifiles-targets (#11834)
• c57a4a4 Upgrade: @ babel/polyfill => core-js v3 (#11833)
• 65faa04 Docs: Clarify prefer-destructuring array/object difference (fixes #9970) (#11851)
• 81c3823 Fix: require-atomic-updates reports parameters (fixes #11723) (#11774)
• aef8ea1 Sponsors: Sync README with website
• 4f48f5a 6.0.0-rc.0
• 6bad650 Build: changelog update for 6.0.0-rc.0
• f403b07 Update: introduce minKeys option to sort-keys rule (fixes #11624) (#11625)
• 87451f4 Fix: no-octal should report NonOctalDecimalIntegerLiteral (fixes #11794) (#11805)
• e4ab053 Update: support "bigint" in valid-typeof rule (#11802)
• e0fafc8 Chore: removes unnecessary assignment in loop (#11780)
• 20908a3 Docs: removed '>' prefix from from docs/working-with-rules (#11818)
• 1c43eef Sponsors: Sync README with website

See the full diff

Package name: eslint-config-kentcdodds

The new version differs by 75 commits.

• 5c43dcd chore: Remove build from release (docs: add shellthor as a contributor kentcdodds/kcd-scripts#83)
• fc82aaa chore: Update build badge (fix(rollup): remove experimentalCodeSplitting from config kentcdodds/kcd-scripts#82)
• 943cd0b chore: Switch to GitHub Actions (External packages not working kentcdodds/kcd-scripts#79)
• fdd7361 feat: Update dependencies & add new rules (test: force jest to exit when there are open async handles after tests have finished running kentcdodds/kcd-scripts#81)
• b3a1da9 chore: Update all-contributors badge (feat(rollup): simplify external kentcdodds/kcd-scripts#80)
• 9ad1375 feat: update dependencies (Allow to debug unit tests, e.g. Visual Studio Code kentcdodds/kcd-scripts#78)
• f67857d fix: disable no-promise-executor-return
• 9137e63 chore: fix prettier config
• ae2b3dd fix: update best-practices.js (refactor(tests): removes mockClear kentcdodds/kcd-scripts#76)
• d585bd5 chore: remove circular dep on kcd-scripts
• 4d849c5 fix: Fix peerDependencies (Add support for flow in babel kentcdodds/kcd-scripts#77)
• 5ab7684 chore: restore validation in travis
• 7c82d99 chore: disable validate temporarily
• 36edffc chore: update all deps
• d41a11f feat: Support ESLint 7.x (check prettier formatting in validate script kentcdodds/kcd-scripts#64)
• a75feb8 fix: drop Node 8
• 37b6f5c chore: remove node 8 from travis
• b3a6d94 feat: Update dependencies & add new rule (Add support for flow in babel kentcdodds/kcd-scripts#75)
• 9d83799 docs: add benmonro as a contributor (fix(scipts tests): removes unused mocks kentcdodds/kcd-scripts#74)
• 1a27012 feat(jest-dom): add new rule from jest-dom (feat(deps): upgrade everything kentcdodds/kcd-scripts#73)
• 756d2e5 feat: Update dependencies & add new rules (fix: support babel.config.js kentcdodds/kcd-scripts#72)
• 0e47472 fix: Alphabetize jest rules (Use @babel/runtime helpers instead of bundled ones kentcdodds/kcd-scripts#71)
• 84a7959 fix: Update dependencies (lintstagedrc.js failes on Windows  kentcdodds/kcd-scripts#70)
• 7fb9f77 fix: Fix hasJestDom & hasTestingLibrary checks (Scoped package name is resulting into weird path in dist/ kentcdodds/kcd-scripts#69)

See the full diff

Package name: glob

The new version differs by 114 commits.

• a68703e 9.0.0
• 58159ca test: cwd can be a url
• a547a9c more docs
• 42a3ac7 link to bash manual for Pattern Matching
• 474172d update readme with cwd URL support
• ad3904d update readme with posix class support
• b22fc7d minimatch@7.3.0
• cdd1627 update all the things, remove unused mkdirp types
• 75c6416 Merge branch 'v9'
• fa0cd77 cwd can be a file:// url
• d03ed0a typedoc github action
• 9a5a45a put bench results in readme
• 20b2f88 docs, fix benchmark script
• 4829c88 upgrade ci actions
• 5cbacdd minimatch@7.2.0
• 210310b omit symlinks on windows
• d34c8d5 full test coverage, clean up signals and remove extranous code
• 5f21b46 adding lots of tests, clean up types
• b12e6ba slashes on nodir test
• 75f74b0 more windows test slashes
• 3aa1abd more windows test affordances
• 3e68a7b some windows test affordances
• 8c2e082 feature complete and tests passing
• c3be35a correct ** vs ./** behavior

See the full diff

Package name: lint-staged

The new version differs by 250 commits.

• 885a644 Merge pull request #852 from okonet/listr2
• aba3421 fix: all lint-staged output respects the `quiet` option
• b8df31a fix: do not show incorrect error when verbose and no output
• eed6198 style: simplify eslint and prettier config
• b746290 ci: replace Node.js 13 with 14, since 14 will be next LTS
• 2c6f3ad docs: improve `verbose` description
• e749a0b test: remove redundant, misbehaving test
• 16848d8 fix: use test renderer during tests and when TERM=dumb
• efffa22 test: cover `--verbose` option usage
• 1b18550 test: restore variable in test output
• 6aede38 test: add test for error during merge state restoration
• b565481 test: integration test targets the full Node.js API instead of just `runAll`
• a3bd9d7 feat: allow specifying `cwd` using the Node.js API
• 85de3a3 feat: add `--verbose` to show output even when tasks succeed
• d69c65b fix: log task output after running listr to keep everything
• e95d1b0 refactor: move skip and enable cheks of listr tasks to separate file
• 6da7667 refactor: move messages to separate file
• 6392480 refactor: use symbols for errors
• 8f32a3e feat: replace listr with listr2 and print errors inline
• c9adca5 fix: use stash create/store to prevent files from disappearing from disk
• e093b1d fix(deps): update dependencies
• 6066b07 fix: pass correct path to unstaged patch during cleanup
• 0bf1fb0 fix: allow lint-staged to run on empty git repo by disabling backup
• 1ac6863 Merge pull request #837 from okonet/serial-git-add

See the full diff

Package name: rimraf

The new version differs by 102 commits.

• a1268c9 4.3.1
• cacc067 changelog 4.3.1
• cd6fbc6 Only call directory removal method on actual dirs
• 4937e64 format markdown
• ba35d77 always return Dirents from readdir
• f923bb0 4.3.0
• ed7b2a6 test: chmod ordering is nondeterministic
• 4cb1d47 changelog about bin interactivity
• 95e13f2 try to make the interactive test less flaky
• 38e731f bin: add interactive mode
• ca28abb let the filter option be async for async methods
• 3b57687 add --verbose, --no-verbose to bin
• ed3288e add filter option
• e828fe2 Update v4 glob support in README
• 80aef8b 4.2.0
• 0d19a99 changelog 420
• f768f26 treat paths as glob patterns when glob option set
• 5760716 make rimraf cancelable with AbortSignals
• 417cdc7 4.1.4
• bdfa60c update deps, export types properly for cjs module
• 20e3799 use NodeJS.ErrnoException instead of FsError
• 450e3d2 4.1.3
• 8d77621 add declarationMap to tsconfig
• 49a2958 formatting tests

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn