[Snyk] Fix for 35 vulnerabilities

[CharaD7]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	Yes	Proof of Concept
	520/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-584281	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	494/1000 Why? Has a fix available, CVSS 5.6	Command Injection SNYK-JS-NODENOTIFIER-1035794	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-Bounds SNYK-JS-NODESASS-535498	Yes	Proof of Concept
	761/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.8	NULL Pointer Dereference SNYK-JS-NODESASS-535500	Yes	Proof of Concept
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	Out-of-bounds Read SNYK-JS-NODESASS-540958	Yes	Proof of Concept
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	Uncontrolled Recursion SNYK-JS-NODESASS-540964	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Denial of Service (DoS) SNYK-JS-NODESASS-540978	Yes	Proof of Concept
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	NULL Pointer Dereference SNYK-JS-NODESASS-540992	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-Bounds SNYK-JS-NODESASS-540998	Yes	Proof of Concept
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-NODESASS-541000	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-bounds Read SNYK-JS-NODESASS-541002	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	629/1000 Why? Has a fix available, CVSS 8.3	Improper minification of non-boolean comparisons npm:uglify-js:20150824	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: browserify

The new version differs by 19 commits.

• 26c58a9 forgot the "has" dep
• 9a3864e more changelog info about browser field mappings
• 42c2052 fix now works with the latest resolve
• 29d917e failing browser field file test
• ef257ed remove dnode test, was causing issues
• 16611da some upgrades
• ee3be4a more info on v9 fixes
• e6438ea failing cases in pkg_event
• 145ea52 failing pkg_event test
• 97203b3 upgrades for 9.0.0
• fbd6e2e Merge branch 'fix-expose' of https://github.com/jmm/node-browserify
• dbe2c71 9.0.0
• 53821dd Merge branch 'remove-unused-umd-dep' of https://github.com/zertosh/node-browserify
• f6593fb Update browser-pack to ^4.0.0
• 7ff5676 Merge branch 'remove-unused-umd-dep' of https://github.com/zertosh/node-browserify
• ab4b4b8 Remove unused "umd" dep
• d938408 failing relative dedupe case
• c14da43 Eliminate path resolution and set row.expose.
• bdf78c8 Pass this._expose to mdeps.

See the full diff

Package name: eslint

The new version differs by 250 commits.

• ff8c4bb 4.5.0
• 480bbee Build: changelog update for 4.5.0
• decdd2c Update: allow arbitrary nodes to be ignored in `indent` (fixes #8594) (#9105)
• 79062f3 Update: fix indentation of multiline `new.target` expressions (#9116)
• d00e24f Upgrade: `chalk` to 2.x release (#9115)
• 6ef734a Docs: add missing word in processor documentation (#9106)
• a4f53ba Fix: Include files with no messages in junit results (#9093) (#9094)
• 1d6a9c0 Chore: enable eslint-plugin/test-case-shorthand-strings (#9067)
• f8add8f Fix: don't autofix with linter.verifyAndFix when `fix: false` is used (#9098)
• 77bcee4 Docs: update instructions for adding TSC members (#9086)
• bd09cd5 Update: avoid requiring NaN spaces of indentation (fixes #9083) (#9085)
• c93a853 Chore: Remove extra space in blogpost template (#9088)
• 0d9da6d 4.4.1
• 1ea9a6c Build: changelog update for 4.4.1
• ec93614 Fix: no-multi-spaces to avoid reporting consecutive tabs (fixes #9079) (#9087)
• a113cd3 4.4.0
• 181bd46 Build: changelog update for 4.4.0
• 89196fd Upgrade: Espree to 3.5.0 (#9074)
• b3e4598 Fix: clarify AST and don't use `node.start`/`node.end` (fixes #8956) (#8984)
• 62911e4 Update: Add ImportDeclaration option to indent rule (#8955)
• de75f9b Chore: enable object-curly-newline & object-property-newline.(fixes #9042) (#9068)
• 5ae8458 Docs: fix typo in object-shorthand.md (#9066)
• c3d5b39 Docs: clarify options descriptions (fixes #8875) (#9060)
• 37158c5 Docs: clarified behavior of globalReturn option (fixes #8953) (#9058)

See the full diff

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
• 723cbc4 Docs: Fix syntax in recipe example (#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (#1609)

See the full diff

Package name: gulp-add-src

The new version differs by 8 commits.

• c52a037 chore: release 1.0.0
• ae8496c Merge pull request [Snyk] Security upgrade gulp-sass from 2.3.2 to 5.0.0 #15 from konsultaner/master
• 1215372 make node 8 LTS compatible
• ab2cabd Merge pull request [Snyk] Fix for 1 vulnerabilities #12 from dslpp056193/patch-1
• 7899433 Update README.md
• 5837ec1 More understandable readme.md
• 8898a42 Merge pull request [Snyk] Security upgrade laravel-elixir from 4.2.1 to 5.0.0 #6 from SimenB/package.json-files
• d68d978 Don't publish dotfiles or tests to npm registry

See the full diff

Package name: gulp-eslint

The new version differs by 55 commits.

• 1d79ed0 4.0.1
• 8f7e966 replace all HTTP protocols with HTTPS
• b48a04a remove deprecated gulp-util dependency (#213)
• 35eae57 update devDependencies (#207)
• 47bd269 use npx to simplify after_script
• 29dbab5 inherit autofix-related props even if `quiet` option is enabled
• a398838 4.0.0
• 18a4299 emit an error when it fails to load an ESLint plugin
• b8bf261 update ESLint from v3 to v4 (#198)
• c0e82ce use `Buffer.from` instead of `new Buffer`
• e6c67a2 drop support for linting `Stream` contents
• 132d5cc Fix formatting issues in README.md (#194)
• 7f65378 remove link to config file `globals` doc
• 8ddfb84 correct the type of `globals` option in README
• 6059c22 3.0.1
• b0c2816 ensure sharable config works
• 08b9212 test the case where babel-eslint is actually useful
• eb98701 mock stream-mode vinyl files with from2-string
• bcd7736 fix invalid `envs` option
• 286b0c4 remove unused fixtures
• e2723e1 Remove unnecessary `object-assign` dependency
• 82c1949 3.0.0
• 97d8638 Remove invalid options in example code
• 505779d Remove option aliases

See the full diff

Package name: gulp-htmlmin

The new version differs by 21 commits.

• 3bd9d8f 4.0.0
• f549ab4 run verb to generate readme
• dd66fbc run updaters
• d692f1a Merge pull request can you update it its version? silverbux/laravel-angular-admin#90 from TheDancingCode/pr/remove-gulp-util
• 5ae2d6f Merge branch 'master' into pr/remove-gulp-util
• b960c98 Merge branch 'master' into pr/remove-gulp-util
• 5cfb4a5 Merge pull request On fresh install on fresh VM silverbux/laravel-angular-admin#89 from TheDancingCode/pr/native-object-assign
• f13f3b7 Replace deprecated gulp-util
• 0c08069 Use native Object.assign
• e7e5766 use the stronger word "must" instead of "should"
• 8e4bd06 3.0.0
• 96f2641 Merge pull request Project is not running silverbux/laravel-angular-admin#69 from jdalton/html-min-3
• 74b63d9 Update html-minifier to v3.
• 0aab24b fix missing semicolon on the example task (Bootstrap modals have lost their rounded corners silverbux/laravel-angular-admin#59)
• ebdefba 2.0.0
• 406a5bf update html-minifier from v1.x to v2.x
• 02e984e update expected output for html-minifier v1.3.1
• a69cc25 clarify where we should report minified issues
• fa3c2ab update html-minifier version
• a318460 upgrade to ESLint v2.x
• b9aac9f update expected output

See the full diff

Package name: gulp-ng-annotate

The new version differs by 9 commits.

• 18ba641 2.1.0
• 998fbc9 Disable package lock
• 002e043 Migrate away from deprecated gulp-util
• edeac0f Fix travis build
• 9ce0ed8 Merge pull request [Snyk] Security upgrade gulp-notify from 2.2.0 to 5.0.0 #43 from suvjunmd/options
• 5ded9c5 Fixed options link
• 3e8d504 2.0.0
• c92de58 Update deps
• 3a42189 Remove [Snyk] Fix for 1 vulnerabilities #26 workaround

See the full diff

Package name: gulp-notify

The new version differs by 25 commits.

• 398d0a4 v3.1.0
• fc51ff2 Merge pull request #124 from ohbarye/replace-gulp-util
• 46efdc6 Move vinyl to devDependencies
• 173fcb0 Use ansi-colors instead of chalk due to node version compatibility
• 1e8c372 Remove unused through import
• 3284a51 Drop dependency on deprecated gulp-util
• 455250c npm install chalk fancy-log plugin-error lodash.template vinyl
• 658efc5 v3.0.0
• b1ba7a2 Adds changelog for bump with node-notifier
• 7d6944e Updates all dependencies
• 08244ea Adds log files to ignore
• 8df5320 Bumps node-notifier dependency to latest
• 507e21f Merge pull request The project are not going to run. where are problem ?? silverbux/laravel-angular-admin#105 from queicherius/patch-1
• f32b692 Update node-notifier dependency
• f5d3f46 Merge pull request Google Login Functionality silverbux/laravel-angular-admin#103 from Toby-S/patch-1
• bbcc4d1 Correct indent_style in .editorconfig
• c0d7501 Update README.md
• 21eed88 Update README.md
• 084f6a1 Adds support for overriding host/port/appname onError. Fixes Two errors when signing in: Cannot read property 'userRole' of undefined AND Cannot read property 'errors' of undefined silverbux/laravel-angular-admin#91
• e45ef63 Merge pull request Login problem silverbux/laravel-angular-admin#85 from stevelacy/patch-1
• ef56795 Update license attribute
• 80a4c0d Merge pull request Updating a fresh install gives errors regarding Dingo API silverbux/laravel-angular-admin#72 from dhruska/master
• 0783a5c Typo fix in README
• b4e95ec Merge pull request Url Redirection and Getting Http Response silverbux/laravel-angular-admin#71 from Andorbal/master

See the full diff

Package name: gulp-phpcs

The new version differs by 27 commits.

• b9f60a4 Bump version
• 879fd3e Merge branch 'rotous-remove-gulp-utils'
• e9682a0 Fix indention
• e081f72 Update Travis configuration to not use very old nodejs version
• 09f97cc Update mocha to 6.1.4
• 067daab Remove deprecated gulp-util package
• fd0424a Improve docs for `standard` option
• 5da7a54 Revert build matrix back
• b9f948b Update build matrix
• 46f0162 Merge branch 'edisch-master'
• ae0a361 Corrected version to follow semver standards
• bd818dd Bumped version, updated changelog, corrected spelling mistakes
• d0caabf Added more tests for ignore option
• 6b14e97 Added tests and documentation for ignore options
• f87eb78 Added support for ignore option
• 4be73fa Bump version
• 1f4efe2 Merge branch 'amwhalen-add-report-arg'
• 3298815 Add support and tests for the --report option
• 6be65bd Add [email protected] to build matrix
• a1e8e55 Make change log \r\n free
• e3a5b72 Update change log
• 101aca2 Fix README
• 653b06e Bump version
• cedca88 Clean up tests

See the full diff

Package name: gulp-sass

The new version differs by 42 commits.

• 5775044 Update CHANGELOG.md
• 978b8f6 Update to major version 5 (#802)
• 10eae93 Update changelog for 4.1.1
• 947b26c Upgrade lodash to fix a security issue (#776)
• 8d6ac29 Update changelog
• 43c0547 4.1.0
• ebe3ec6 Set appropriate file stat times (#763)
• 7ab018e Migrate to the lodash package
• fa670c6 4.0.2
• fefa00e Revert package.json version bump
• 98254d2 Fix README typos
• 8a14419 Continue loading Node Sass by default
• 938afbe Add a note about synchronous versus asynchronous speed
• 7cc2db1 Make this package implementation-agnostic
• 643f73b Add documentation for synchronous code options
• 0b3c7e7 4.0.1
• daca90d Merge pull request #681 from DKvistgaard/master
• 71471c2 Declaring logError as function instead of arrow function.
• 450a7b8 4.0.0
• e9b1fe8 Fix node versions in appveyor.yml
• 44be409 Merge pull request #667 from dlmanning/next
• 7656eff Adopt airbnb eslint preset
• 1293169 Bump autoprefixer@^8.1.0, gulp-postcss@^7.0.1
• 9fa817b Bump gulp-sourcemaps@^2.6.4

See the full diff

Package name: gulp-uglify

The new version differs by 9 commits.

• e4f9045 2.0.0
• 566ec6a refactor(tests): write tests with mocha
• 5651111 refactor(tests): replace `cmem` with `testdouble`
• b82387b refactor(tests): compose streams with `mississippi` utilities
• 1232c3c fix(errors): emit errors of type `GulpUglifyError`
• 5632cee fix(minifer): use `gulplog` for the warning
• 8160697 feat(minifier): use UglifyJS 2.7.0's input map support
• 3ec8fc3 chore(package): update uglify-js to version 2.7.0
• a9c55b9 doc(README): spelling mistake in example

See the full diff

Package name: laravel-elixir

The new version differs by 11 commits.

• 2def8c9 v5.0.0
• b0bfaf6 Merge pull request #434 from SethTompkins/master
• 4442316 add cache and package cache browserify options keys by default
• cc5cab9 Remove some duplication
• f0491ba Remove gulp-phpspec plugin
• 5fa4b86 Remove gulp-phpunit - closes #418
• e2b2a0f Bump gulp-uglify
• 1a26399 Ignore bang when asserting files exist - closes #429
• 7881b51 Wrote a test for the scripts to test if my changes broke anything.
• 589f56c Moved Uglify Config to the Config.js
• a95c787 Add 4.2.1 notes

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 4be093d 2.2.0
• 2278469 2.2.0-rc.8
• b946eb4 Merge pull request #3988 from malstoun/bug/2664
• 260e413 Merge pull request #3986 from webpack/bugfix/revert_use_of_buffer_dot_from
• 0ec7de9 Fix regression with watch cli opt, add tests for this case
• 72226db add missing disable line
• 4d30675 build fresh yarn.lock file to remove buffer polyfill
• 91c1f35 fix(node): rollback changes of Buffer.from to new Buffer() and bump down travis to 4.3 min node v
• 0b47602 2.2.0-rc.7
• db6ccbc Merge pull request #3978 from webpack/bugfix/conditional-reexports
• 82a5b03 Merge pull request #3977 from malstoun/bug/2664
• fc1a43b Merge pull request #3976 from timse/rely-on-defaults
• a44694a hoist exports declarations too
• 682bde8 Fix lint
• c6d7d90 Add tests
• af8d49e remove defaults values to shave a few bytes
• 9796696 2.2.0-rc.6
• e9bdb05 Merge pull request #3971 from webpack/bugfix/fix_available_vars_in_fmtp
• bd45bdc add test case for global in harmony modules
• bfccb20 fix PR
• 5a3a23f fix(nmf): Fix exports for var injection to include free glob exports or arguments
• 437dce4 2.2.0-rc.5
• 91cb1df Merge pull request #3970 from webpack/ci/appveyor
• 9fd55e5 Merge pull request #3969 from webpack/bugfix/issue-3964

See the full diff

Package name: webpack-dev-server

The new version differs by 250 commits.

• 298341f chore(release): 2.11.4
• c42d0da fix: check origin header for websocket connection (#1626)
• 2be7196 chore: update dependencies in V2 branch, fix compatibility with Node 10 (#1715)
• 7cdfb74 2.11.3
• b71137e Increase sockjs-client version for security fix
• f33be5b 2.11.2
• dd32166 Fix support for DynamicEntryPlugin (#1319)
• ab4eeb0 Fix page not reloading after fixing first error on page (#1317)
• 83c1625 2.11.1
• 3aa15aa Merge pull request #1273 from yyx990803/master
• b78e249 fix: pin strip-ansi to 3.x for ES5 compat
• 8c1ed7a 2.11.0
• b0fa5f6 Merge pull request #1270 from yyx990803/client-refactor
• 676d590 revert to prepublish (fix ci)
• 449494f cleanup client build setup
• 6689cb8 adding test for dependency lock-down
• 3e220fe 2.10.1
• aaf7fce rollback yargs to 6.6.0
• ca8b5aa 2.10.0 (#1258)
• 17355f0 transpile client bundles with babel (#1242)
• ce30460 rolling back webpack-dev-midddleware 2.0, as it's node6+
• 00e8500 updating deps and patching as necessary
• 082ddae maint only mode
• c9c61f2 fix(package): Increase minimum `marked` version for ReDos vuln (#1255)

See the full diff

Package name: webpack-stream

The new version differs by 30 commits.

• 7aa049a v4.0.1
• 5b92d84 Update copyright year
• 0859da6 Updating deps
• 8bb72bc Merge pull request #176 from demurgos/issue-175
• c94ad9c Drop dependency on deprecated `gulp-util`