[Snyk] Fix for 13 vulnerabilities

[nathan-snyk]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-CSVPARSE-467403	Yes	No Known Exploit
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	429/1000 Why? Has a fix available, CVSS 4.3	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	Yes	No Known Exploit
	816/1000 Why? Mature exploit, Has a fix available, CVSS 8.6	Command Injection SNYK-JS-MADGE-1082875	Yes	Mature
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-NCONF-2395478	Yes	Proof of Concept
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Server-side Request Forgery (SSRF) SNYK-JS-NETMASK-1089716	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-PACRESOLVER-1564857	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Authorization Bypass Through User-Controlled Key SNYK-JS-PARSEPATH-2936439	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-PARSEURL-3023021	Yes	Proof of Concept
	643/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5	Improper Input Validation SNYK-JS-PARSEURL-3024398	Yes	Proof of Concept
	713/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.4	Command Injection SNYK-JS-SNYKGOPLUGIN-3037316	No	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Timing Attack npm:http-signature:20150122	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: git-url-parse

The new version differs by 55 commits.

• 129677c Updated docs
• 26cc5fe Fix shorthand urls
• 4e3b1cc Merge branch 'custom-ssh-user-tests' of github.com:privatenumber/git-url-parse into new-version
• 32ed275 ⬆️ 13.0.0 🎉
• 7cce252 refactor: remove enterpriseSsh
• c674528 test: failing test for custom SSH user
• f4ea05e wip
• 6c0ca07 Updated docs
• 9746972 ⬆️ 12.0.0 🎉
• 60011fb Update dependencies
• 246c911 Updated docs
• f3093dc Merge branch 'bugfix/parse-bitbucket-server-subpaths' of https://github.com/goober/git-url-parse into new-version
• 263143f ⬆️ 11.6.0 🎉
• 37f5c50 Fix parsing Bitbucket Server urls with files located in subfolders
• f56cbc1 Updated docs
• be1efb4 Merge branch 'feature/support-commits-url-for-bitbucket-server' of https://github.com/goober/git-url-parse into new-version
• 1cb827f ⬆️ 11.5.0 🎉
• 8e9bc4b Merge branch 'new-version' of github.com:IonicaBizau/git-url-parse into new-version
• 4b61233 ⬆️ 11.5.0 🎉
• 0abc5c1 Add support for Bitbucket Server repository root and commit endpoints
• 49f5342 ⬆️ 11.4.5 🎉
• 71c7298 Updated docs
• c44df32 Merge branch 'azure_branch' of https://github.com/n2ygk/git-url-parse into new-version
• 2003390 ⬆️ 11.4.4 🎉

See the full diff

Package name: madge

The new version differs by 7 commits.

• abae6d0 4.0.1
• da5cbc9 Fix potential command injection vulnerability
• c0600c4 4.0.0
• dfbd312 Merge pull request [Snyk] Security upgrade ember-cli from 0.2.7 to 3.5.0 EitanGayor/monorepo_demo#269 from realityking/node-10
• 5ca410c Upgrade commander to version 6
• fe8a186 Upgrade core dependencies
• eee3dc0 Require Node.js 10.13

See the full diff

Package name: proxy-agent

The new version differs by 9 commits.

• 3f45710 5.0.0
• 31be875 Update "pac-proxy-agent" to v5
• dabbfb3 Drop Node v6 support
• 13b1544 4.0.1
• 8e6305a Fix type definitions to account for transparent proxy discovery ([Snyk] Fix for 1 vulnerabilities EitanGayor/monorepo_demo#57)
• 9963359 Add Node.js 14 to testing matrix ([Snyk] Fix for 1 vulnerabilities EitanGayor/monorepo_demo#58)
• f4d6ff6 README.md: Mention proxy-from-env support ([Snyk] Fix for 1 vulnerabilities EitanGayor/monorepo_demo#56)
• b9fcf37 4.0.0
• d18c6bd Update `agent-base` to v6 ([Snyk] Fix for 1 vulnerabilities EitanGayor/monorepo_demo#55)

See the full diff

Package name: restify

The new version differs by 250 commits.

• 6259b24 chore(release): release 8.1.0
• 6baeafd docs(CHANGELOG): Update changelog
• 3b71229 fix(dev): upgrading modules including restify-errors (feat(@snyk/fix): unify calculating relevant pins & upgrades snyk/cli#1755)
• a67b25f feat(plugin): plugin to serve static files (feat: scan terraform plan delta, experimental snyk/cli#1753)
• 0700cfd feat: add router.render() back to support hypermedia usecase (Refactor and improve testing and un-skip skipped test re JSON file output snyk/cli#1752)
• d901e43 docs(CHANGELOG): Update changelog (#1751)
• 5051f41 chore(release): release 8.0.0
• f070751 docs(CHANGELOG): Update changelog
• a05a090 BREAKING CHANGE: restify drops Node v4.x and v6.x (chore: lerna release with exact version snyk/cli#1750)
• 23c80b8 chore(release): release 7.7.0
• 09f3560 docs(CHANGELOG): Update changelog
• 6231acd feat(audit): Add the ability to specify a custom audit log serializer (for err, req and res) (test: results formatter for iac snyk/cli#1746)
• 1dc34b4 fix(dev): remove nsp since the project merged with npm
• 3740a6b fix(dev): pin to exact versions of linting tools and fix lint errors
• bb97ac0 chore(release): release 7.6.0
• aea15ee docs(CHANGELOG): Update changelog
• 4900d6b feat(req): add restifyDone event (fix:increase max buffer for exec snyk/cli#1740)
• 9552755 Add missing , to Versioned Routes docs (Install AWS CLI in the release step snyk/cli#1705)
• 0c36c9b update dedupeSlashes() invocation in docs (test: terraform plan parsing snyk/cli#1736)
• 4e03a83 chore(release): release 7.5.0
• fdac11e docs(CHANGELOG): Update changelog
• 6e35e01 feat(plugins): context, req.get() returns the whole context (feat: add elixir support snyk/cli#1739)
• 7a1378b fix: emit after event with proper error param for node versions >= 11.4.0 (fix: snyk code - test fails if token provided snyk/cli#1732)
• df3b5b0 chore(release): release 7.4.0

See the full diff

Package name: snyk-config

The new version differs by 32 commits.

• 34bd34e Merge pull request [Snyk] Security upgrade python from 3.7-slim to 3.13.0b1-slim #43 from snyk/fix/bundle-nconf
• b9cc6b6 feat: swap yargs parser with minimist
• 2b3935c feat: re-enable argv parsing with yargs
• 3b8a4e1 feat: add the original argv module
• 392e6f2 fix: use vendored nconf
• b90e7e7 fix: vendor nconf to remove vulnerable yargs version
• f2c0e1e chore: add the original nconf library
• eb0f55f Merge pull request [Snyk] Security upgrade python from 3.7-slim to 3.13.0a6-slim #42 from snyk/test/add-more-test-cases
• bf4231e test: add more tests for argument parsing
• c10881d test: add test case for value type changing
• f167704 Merge pull request [Snyk] Security upgrade python from 3.7-slim to 3.13.0a4-slim #40 from snyk/fix/less-lodash
• d671a6e fix: Reduce lodash, use lodash.merge directly
• 136b3a9 Merge pull request [Snyk] Security upgrade python from 3.7-slim to 3.13.0a3-slim #39 from snyk/feat/use-patched-lodash
• a2d2453 feat: use forked lodash patched against zipObjectDeep vulnerability
• b4b4912 Merge pull request [Snyk] Security upgrade python from 3.7-slim to 3.13.0a4-slim #38 from snyk/fix/major-release
• 5c3aaef fix: trigger a major release
• af60412 Merge pull request [Snyk] Security upgrade python from 3.7-slim to 3.13.0a3-slim #37 from snyk/feat/service-env
• d177015 docs: package name is wrong
• 1037183 BREAKING CHANGE: load SERVICE_ENV instead of local by default
• 5e90504 chore: disable lots of eslint warnings
• 9cac115 feat: eslint --fix
• e670f86 BREAKING CHANGE: drop node 6 support
• 39eba76 chore: remove unused npm run semantic-release, travis runs it
• 6e60b3b feat: basic types

See the full diff

Package name: snyk-go-plugin

The new version differs by 66 commits.

• d8dfc11 Merge pull request [Snyk] Security upgrade npm from 2.15.12 to 5.6.0 EitanGayor/monorepo_demo#99 from snyk/fix/disable-shell-for-child-processes
• 6cce106 fix: disable 'shell' for child processes
• 8fa65dc Merge pull request [Snyk] Security upgrade less from 2.7.3 to 3.0.2 EitanGayor/monorepo_demo#97 from snyk/feat/add-additional-args-option
• 6b18447 feat: add additional args to be sent to "go list" command.
• b130876 Merge pull request [Snyk] Security upgrade snyk from 1.101.1 to 1.124.1 EitanGayor/monorepo_demo#96 from snyk/jason-snyk/remove-vscode-condition
• 6a7223d fix: remove error for vscode terminal
• 8d3cba1 Merge pull request [Snyk] Security upgrade npm from 2.15.12 to 6.14.6 EitanGayor/monorepo_demo#94 from snyk/chore/fix-release
• 87bcad1 chore: fix release phase in circle ci
• c152e19 Merge pull request [Snyk] Security upgrade sanitize from 4.6.2 to 5.2.1 EitanGayor/monorepo_demo#93 from snyk/fix/support-go-1-16
• 4e31716 feat: add support go 1.16
• d698cbe Merge pull request [Snyk] Fix for 1 vulnerabilities EitanGayor/monorepo_demo#91 from snyk/feat/support-replace-directive
• 6e8bcf0 feat: support replace directive
• 9b7e5ce Merge pull request [Snyk] Fix for 1 vulnerabilities EitanGayor/monorepo_demo#89 from snyk/fix/reduce-lodash
• ebd509d fix: use @ snyk/dep-graph@1.23.1 which doesnot depend on lodash
• 4512966 fix: use @ snyk/graphlib which uses only required lodash packages
• daa5673 Merge pull request [Snyk] Fix for 1 vulnerabilities EitanGayor/monorepo_demo#88 from snyk/chore/update-codeowners
• 81aa5fc chore/codeowners -> Loki
• db9ffba Merge pull request [Snyk] Fix for 1 vulnerabilities EitanGayor/monorepo_demo#87 from snyk/fix/ignore-broken-symlinks
• 1fd0711 fix: ignore broken symlinks
• da21cd0 Merge pull request [Snyk] Fix for 1 vulnerabilities EitanGayor/monorepo_demo#85 from snyk/chore/fix-release-pipeline
• d700975 chore: Enable releasing
• a6394cd Merge pull request [Snyk] Fix for 1 vulnerabilities EitanGayor/monorepo_demo#84 from snyk/fix/update-dep-graph
• 0bb0169 fix: Update `@ snyk/dep-graph`
• da60908 Merge pull request [Snyk] Fix for 1 vulnerabilities EitanGayor/monorepo_demo#83 from snyk/chore/fix-release-circle-stages

See the full diff

Package name: tap

The new version differs by 250 commits.

• bc49fb7 15.0.0
• 4378608 remove publishConfig beta tag
• 2c2e75f provide mkdirRecursive polyfill for old node versions
• 8f4c855 correctly specify 10.0.x versions
• 5e61672 update deps
• c44c418 Support 10.0 and test in CI
• dc5c841 tcompare@5.0.4
• 385b6d2 Add .taprc.yml/yaml handling to change log
• 4f87466 just run regular test script as snap script
• 315a921 delete FORCE_COLOR/NO_COLOR rather than setting to '0'
• 564e96f Add detection for .yaml and .yml
• 75bae93 update cli doc
• c1289bf 15.0.0-3
• d6fe32f Do not CI on node 10
• d2e0428 do not use equals() alias in self-test
• 3f787c4 tell npm to be colorful in CI
• 1512818 run tests with color on github actions
• 4626fa1 Docs: update documentation for tap v15
• 02d536b libtap@1.0.1
• f7c7c58 update cli doc
• 2aa497c 15.0.0-2
• 8d7f62e Add support for overriding libtap's internal settings
• 29eed63 new snapshot folder layout
• 3a28d4d update libtap git ref to isaacs/tap-v15-prep branch

See the full diff

Package name: update-notifier

The new version differs by 42 commits.

• 311557e 6.0.0
• 9183541 Require Node.js 14 and move to ESM
• 3fdb218 5.1.0
• 73c391b Upgrade dependencies
• 0a6027e Move to GitHub Actions
• d8fa601 Rename `master` branch to `main`
• f63b2eb 5.0.1
• 9e2b772 Update dependencies
• da7c464 5.0.0
• 5b440c2 Require Node.js 10
• 3dfe42d Don't suggest to upgrade to lower version ([Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5 EitanGayor/monorepo_demo#192)
• 132b7ce Remove a project from "Users" section ([Snyk] Security upgrade sanitize from 4.6.2 to 4.6.2 EitanGayor/monorepo_demo#191)
• c9d2166 4.1.1
• f42fc8f Improve vertical alignment of the notifier output ([Snyk] Fix for 2 vulnerabilities EitanGayor/monorepo_demo#183)
• 71a3f19 Use HTTPS links
• 64c5236 Fix Travis
• 9d9f4ff 4.1.0
• 4062f12 Update dependencies
• adbeb6e Add template support for the `message` option ([Snyk] Security upgrade snyk from 1.101.1 to 1.230.7 EitanGayor/monorepo_demo#175)
• adf7803 4.0.0
• fb5161c Remove the `callback` option ([Snyk] Security upgrade aiohttp from 2.2.2 to 3.7.4 EitanGayor/monorepo_demo#158)
• 39682de Rename `boxenOpts` option to `boxenOptions`
• bc1721a Avoid showing notification if current version is the latest ([Snyk] Fix for 2 vulnerabilities EitanGayor/monorepo_demo#174)
• ccaf686 Update dependencies

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn