[Snyk] Fix for 24 vulnerabilities

[ekmixon]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-Bounds SNYK-JS-NODESASS-535498	Yes	Proof of Concept
	761/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.8	NULL Pointer Dereference SNYK-JS-NODESASS-535500	Yes	Proof of Concept
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	Out-of-bounds Read SNYK-JS-NODESASS-540958	Yes	Proof of Concept
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	Uncontrolled Recursion SNYK-JS-NODESASS-540964	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Denial of Service (DoS) SNYK-JS-NODESASS-540978	Yes	Proof of Concept
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	NULL Pointer Dereference SNYK-JS-NODESASS-540992	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-Bounds SNYK-JS-NODESASS-540998	Yes	Proof of Concept
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-NODESASS-541000	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-bounds Read SNYK-JS-NODESASS-541002	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
• 723cbc4 Docs: Fix syntax in recipe example (#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (#1609)

See the full diff

Package name: gulp-coffee

The new version differs by 6 commits.

• bbb041d 3.0.1
• 4e4fe84 respond to https://github.com/Ecosystem migration gulpjs/gulp-util#143
• 2b1623c 3.0.0
• eaf44ad more dep updating
• 480d8ee Merge pull request Test "isVisible() rendering bypass" Performance epochjs/epoch#80 from ndrewtl/master
• e3939ff Bump Coffeescript to version 2.1.0

See the full diff

Package name: gulp-mocha

The new version differs by 41 commits.

• 983b0ac 5.0.0
• 7bc8d9c Add example of using the `exit` option (Geospatial Charts epochjs/epoch#185)
• 3f53145 Add example of using reporterOptions in readme.md (How to define epoch's chart's color? epochjs/epoch#179)
• 5045939 Improve usage example
• 64fef33 Bump Mocha to v4
• 06b96ba Meta tweaks
• ac3d7fc Drop dependency on deprecated `gulp-util` (Fixes #159; Update node-sass NPM Package epochjs/epoch#187)
• 67b1e3e 4.3.1
• 315275f Rewrite tests to use AVA
• 4ac3c98 Cleanup
• 9ddcbd0 Convert objects to key value lists. Closes Add 'main' attribute enabling webpack support. epochjs/epoch#167 (Remove absolute slash prefix from bower.json epochjs/epoch#171)
• 55004ca Fix `require` option for multiple entries (Realtime Charts dont work on IE epochjs/epoch#173)
• e878086 4.3.0
• 9cedf6e Increase the max buffer
• 43f4b4d 4.2.0
• edfa4dd Forward stderr too (Fix bower.json main declaration epochjs/epoch#168)
• 9e5d38a Minor readme tweaks
• 92ec619 4.1.0
• 915351f Use the local Mocha dependency of this package
• bf30380 Print mocha output immediately, not when process finished (Creating time.bar from example causes TypeError epochjs/epoch#160)
• 12d44db Convert all arrays to comma separated lists for Mocha
• fbcaf85 Add compiler option description to the readme (Multiaxes epochjs/epoch#157)
• 32afe0d 4.0.1
• 4e05dce Add manual test gulpfile

See the full diff

Package name: gulp-sass

The new version differs by 42 commits.

• 5775044 Update CHANGELOG.md
• 978b8f6 Update to major version 5 (#802)
• 10eae93 Update changelog for 4.1.1
• 947b26c Upgrade lodash to fix a security issue (#776)
• 8d6ac29 Update changelog
• 43c0547 4.1.0
• ebe3ec6 Set appropriate file stat times (#763)
• 7ab018e Migrate to the lodash package
• fa670c6 4.0.2
• fefa00e Revert package.json version bump
• 98254d2 Fix README typos
• 8a14419 Continue loading Node Sass by default
• 938afbe Add a note about synchronous versus asynchronous speed
• 7cc2db1 Make this package implementation-agnostic
• 643f73b Add documentation for synchronous code options
• 0b3c7e7 4.0.1
• daca90d Merge pull request #681 from DKvistgaard/master
• 71471c2 Declaring logError as function instead of arrow function.
• 450a7b8 4.0.0
• e9b1fe8 Fix node versions in appveyor.yml
• 44be409 Merge pull request #667 from dlmanning/next
• 7656eff Adopt airbnb eslint preset
• 1293169 Bump autoprefixer@^8.1.0, gulp-postcss@^7.0.1
• 9fa817b Bump gulp-sourcemaps@^2.6.4

See the full diff

Package name: gulp-uglify

The new version differs by 9 commits.

• e4f9045 2.0.0
• 566ec6a refactor(tests): write tests with mocha
• 5651111 refactor(tests): replace `cmem` with `testdouble`
• b82387b refactor(tests): compose streams with `mississippi` utilities
• 1232c3c fix(errors): emit errors of type `GulpUglifyError`
• 5632cee fix(minifer): use `gulplog` for the warning
• 8160697 feat(minifier): use UglifyJS 2.7.0's input map support
• 3ec8fc3 chore(package): update uglify-js to version 2.7.0
• a9c55b9 doc(README): spelling mistake in example

See the full diff

Package name: jsdom

The new version differs by 250 commits.

• 74a8d1e Version 16.6.0
• f51f2ec Remove the dependency on request
• 2b6d5ae Update dependencies
• b72b33b Disable now-crashing canvas test
• 39b7972 Handle null and undefined thrown as exceptions
• 04f6c13 Add ParentNode.replaceChildren() (#3176)
• e4c4004 Version 16.5.3
• 2f41466 Fix MutationObserver infinite loop bugs (#3173)
• b232f2a Run partially-failing WPTs in the custom-elements directory
• 35e103e Run partially-failing WPTs in the cors directory
• 77b660a Run partially-failing WPTs in the FileAPI directory
• d8a245f Use `InnerHTML` mixin for `innerHTML` definition (#2981)
• bd50bbe Version 16.5.2
• d5cfd69 Fix event handler ObjectEnvironment instantiation
• 93e3d4a Remove vestigial concurrentNodeIterators option-passing
• c92f9c1 Check all associated elements for form validity
• 2202703 Fix failing WPTs calculation
• 21c7671 Upgrade dependencies
• c1b9ea1 Port skipped "test_body_event_handler_inline" to WPT
• a13d854 Use WeakRefs for NodeIterator tracking when supported
• fdf97d8 Fix radio/checkbox to not fire events when disconnected
• 761d8cc Refactor <output>
• b36d418 Make customElements.whenDefined() resolve with the constructor
• c5d13bb Remove a variety of redundant to-port tests

See the full diff

Package name: node-minify

The new version differs by 137 commits.

• 3092ac8 Bump 2.0.5
• 03129b0 Merge pull request Adding tooltips on time.line chart and also staggering/rotating of labels in x-axis? epochjs/epoch#143 from srod/bump-packages
• 53f175a Bump packages
• 0d4d92e Bump 2.0.4
• 38cf790 Merge pull request Get the color being used for a layer epochjs/epoch#137 from srod/develop
• fe39109 Push tags from master
• 06dbc21 Merge pull request Document Fixed Range for Real-time Graphs epochjs/epoch#136 from srod/feat-package-json
• cb20aae Workaround to avoid errors on npm install
• 1abf897 Refactoring package.json
• ae27984 Merge branch 'master' into develop
• 6aa555b Merge pull request Global Traffic map chart epochjs/epoch#135 from srod/feat-bump-packages
• a930eaf Bump packages
• fa03970 Merge pull request Closes #99, Closes #18; Added Models and Data Formats epochjs/epoch#134 from srod/fix-babili-133
• 4aa393e Require babel preset babili
• e4358f3 Merge pull request Closes #130; Histogram epochjs/epoch#131 from srod/fix-uglifyjs-129
• 5c0c03b Merge branch 'develop' into fix-uglifyjs-129
• e7812e0 Bump 2.0.3
• e5b43f2 Merge pull request New Chart: Histogram epochjs/epoch#130 from srod/fix-uglifyjs-129
• fff0475 Removing test of node 0.12 because of babili
• 6fd2da0 Add test to uglifyjs for source map
• b127aef Fix Closes #128; Add Layer Toggling epochjs/epoch#129 UglifyJS source map file
• 83bf054 Bump packages
• 7e76d64 Merge pull request Dynamically showing and hiding layers epochjs/epoch#128 from srod/bump-packages
• 8285ace Bump packages

See the full diff

Package name: node-sass

The new version differs by 250 commits.

• 3b556c1 7.0.2
• c716359 Bump sass-graph@^4.0.1 (#3292)
• 24741b3 docs(readme): fix docpad plugin link
• 1523330 feat: Drop Node 12
• 365d357 update https://registry.npm.taobao.org to https://registry.npmmirror.com
• 1456114 build(deps): bump actions/upload-artifact from 2 to 3
• b465b69 chore: bump GitHub Actions to Windows 2019 (#3254)
• e6194b1 build(deps): bump make-fetch-happen from 9.1.0 to 10.0.4
• 4edf594 build(deps): bump node-gyp from 8.4.1 to 9.0.0
• 29e2344 build(deps): bump actions/checkout from 2 to 3
• 85b0d22 build(deps): bump actions/setup-node from 2 to 3
• 3bb51da Use make-fetch-happen instead of request (#3193)
• adc2f8b build(deps): bump true-case-path from 1.0.3 to 2.2.1 (#3000)
• 77d12f0 chore: disable Apline for Node 16/17 builds
• 308d533 ci: use Python 3 for Node 12
• c818907 ci: unpin actions/setup-node to v2
• 99242d7 7.0.1
• 77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (#3224)
• c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (#3209)
• 918dcb3 Lint fix
• 0a21792 Set rejectUnauthorized to true by default (#3149)
• e80d4af chore: Drop EOL Node 15 (#3122)
• d753397 feat: Add Node 17 support (#3195)
• dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 NULL Pointer Dereference
🦉 More lessons are available in Snyk Learn

[secure-code-warrior-for-github]

Micro-Learning Topic: OS command injection (Detected by phrase)

Matched on "Command Injection"

What is this? (2min video)

In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server.

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Command Injection - OWASP community page with comprehensive information about command injection, and links to various OWASP resources to help detect or prevent it.
• OWASP testing for Command Injection - This article is focused on providing testing techniques for identifying command injection flaws in your applications

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Server-side request forgery (Detected by phrase)

Matched on "Server-side Request Forgery"

What is this? (2min video)

Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL, when this request reaches the server, the server-side code executes the exploit URL causing the attacker to be able to read data from services that shouldn't be exposed.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Use-after-free (Detected by phrase)

Matched on "Use After Free"

What is this? (2min video)

Dereferencing pointers to objects that have already been freed opens the door to execution of arbitrary code. Attackers may be able to insert instructions at the freed memory location in order to trigger the exploit when the pointer is used after the memory has been freed.

Try a challenge in Secure Code Warrior