[Snyk] Fix for 27 vulnerabilities

[Ivajkin]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	741/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.4	DLL Injection SNYK-JS-KERBEROS-568900	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Content Injection due to quoteless attributes npm:mustache:20151207	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:qs:20140806	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Denial of Service (DoS) npm:qs:20140806-1	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:semver:20150403	No	No Known Exploit
	629/1000 Why? Has a fix available, CVSS 8.3	Improper minification of non-boolean comparisons npm:uglify-js:20150824	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: grunt-browserify

The new version differs by 49 commits.

• fd0f242 Update browserify, bump version, changelog.
• c061a05 Merge pull request Restarting the server kills query motifs HabitRPG/habitica#413 from mdblr/mdblr/upgrade-watchify-for-nodejs-14
• 8ae8687 Upgrade watchify from 3.x to 4.x
• f20e21c Version bump.
• 30ad90d Merge pull request Feature Request : Fight someone for not doing a task HabitRPG/habitica#401 from zkochan/master
• 6cb1429 fix(deps): update browserify to version 16
• 4e8eb1f Merge pull request Re-Roll hover description flickers rapidly HabitRPG/habitica#399 from ChuanyuWang/master
• 4899438 Add example to use plulgin with options
• c660306 Typo.
• 9146bea Add aknowledgement to changelog.
• 42250e6 Remove lockfile.
• 3d18513 added browserify-incremental support
• afa393c Changelog, bump version to 5.1.0
• 4718295 Housekeeping: update dependencies + dates.
• 4f96beb Merge pull request Suggestion: Separate money for in-game rewards and other rewards HabitRPG/habitica#392 from gaurav21r/patch-1
• 2233e43 Update browserify to 14.1.0 to support async / await
• 8c30159 Remove the call for maintainers.
• cda0b5f Merge pull request Refactor & Update Progress Bars HabitRPG/habitica#379 from mrmartineau/patch-1
• e152c57 Fixes broken issue links
• b26e20f 5.0.0
• 76537ce adds 5.0 changelog
• 2e9680c Merge pull request "Data column(s) for axis #0 cannot be of type string" in Daily Progress HabitRPG/habitica#378 from Sjors/browserify-13
• ace5e1f Merge pull request User Dropdown not working HabitRPG/habitica#358 from jeron-diovis/fix_watchify_for_mac_os
• 2d41265 Merge pull request [Feature] [maybe way down the track] Other role-playing premises. HabitRPG/habitica#319 from tleunen/patch-transform

See the full diff

Package name: grunt-contrib-uglify

The new version differs by 171 commits.

• a3f3f34 5.2.1
• 3c8d904 Update Readme
• 0850dcd update dependencies (onlies now reset their value every day HabitRPG/habitica#568)
• c27ad5f Bump minimist from 1.2.5 to 1.2.6 (Added Pet css sprite and removed genders from player css sprites HabitRPG/habitica#567)
• 98b4c5f Fix documentation in relation to issue Custom day change did not work.  HabitRPG/habitica#565 (Suggestion: Undo Button HabitRPG/habitica#566)
• 7228446 Bump minimist from 1.2.5 to 1.2.6 (XP required to gain a level just changed? HabitRPG/habitica#563)
• e410511 Update deps, v5.1.0 (Some users getting way too much GP / Exp with new algos HabitRPG/habitica#564)
• 2cb31be Update uglify-js to v3.15.2 (Clicks not registering HabitRPG/habitica#562)
• 12ca0f2 Fix wording in README.md (Free rewards (or severly discounted) for a certain time after extremely stressful events [suggestion] HabitRPG/habitica#560)
• 1f6a012 Bump path-parse from 1.0.6 to 1.0.7 (Dying with almost full HP HabitRPG/habitica#558)
• 0e4b1a0 Update uglify-js ([Old] XP Changes, Better Notifications and Fixes! HabitRPG/habitica#557)
• 9ccf10d Bump hosted-git-info from 2.8.8 to 2.8.9 (tokens for holidays/birthdays? HabitRPG/habitica#556)
• 4e83e45 Update UglifyJS to 3.13.3 (Feature suggestion : improved graphs HabitRPG/habitica#554)
• 8674feb Bump ini from 1.3.5 to 1.3.8 ([Suggestion] Update Log HabitRPG/habitica#552)
• 14b71da v5.0.0
• 9259448 Bump lodash from 4.17.11 to 4.17.19 ([Suggestion] Random Loot Chests HabitRPG/habitica#550)
• 4645446 Bump js-yaml from 3.5.5 to 3.14.0 (Standard rewards not working HabitRPG/habitica#551)
• b7bcde4 Delete .travis.yml
• cba2631 Delete appveyor.yml
• 3dc53f0 ini github workflow
• f65dbb9 v4.0.1. (Notifications HabitRPG/habitica#535)
• b33a071 upgrade devDependencies (Replaced Bootstrap "Add to Homescreen" icons HabitRPG/habitica#536)
• 1e40037 upgrade to uglify-js 3.5.0 (sudden death on system clock change HabitRPG/habitica#534)
• 33724cd update links to uglifyJS documentation (Cant login  HabitRPG/habitica#530)

See the full diff

Package name: grunt-spritesmith

The new version differs by 39 commits.

• 19d3be5 Release 4.3.0
• ba6e7cf Fixed up broken test
• 2eceb0c Added useful link
• 0030bd9 Upgraded to fixed spritesheet-templates
• a261f20 Fixed up our example
• 7ffb4bb Added handlebars inheritance example
• 020221e Starting to document inheritance
• 518cf4b Completed mustache to handlebars transition
• 48182c8 Scrapped legacy example
• f45589c Updated more references
• 17b2b4a Added a lot of mustache to handlebars updates
• c268bd0 Updated final traces of item
• 8f0ff25 Updating all item references to sprite
• ae0d546 Upgraded spritesheet templates to support inheritance
• 68fe3a5 Release 4.2.0
• 2bf64dc Upgraded to `[email protected]` to pick up background fill support for `pixelsmith`
• ef4040f Release 4.1.0
• f3b306b Fixed up test expectations
• e390bfd Upgraded to `[email protected]` to add single sprite fixes/warnings
• fd59f0f Release 4.0.0
• d1d91cb Updated documentation for breaking changes
• 02cdcf7 Upgraded to `[email protected]` to reintroduce `3.7.0` as a major release
• 3bf4525 Release 3.9.0
• f6209a9 Upgraded to `[email protected]` to pick up optimal `binary-tree` fixes

See the full diff

Package name: jade

The new version differs by 50 commits.

• 53cec74 Merge pull request Very strange and important bug :( HabitRPG/habitica#1746 from rlidwka/text-block-stuff
• d451082 Fix empty text-only block case
• 1870f47 Merge pull request Custom rewards cost 0 GP HabitRPG/habitica#1734 from jadejs/date-warn-all
• a5dbbb1 Warn about future change to ISO 8601 style dates
• 87554b3 Merge pull request Hatching potion captions on inventory not wrapping HabitRPG/habitica#1736 from skylerzhang/master
• 28cf735 Merge pull request Repeated lazy loading HabitRPG/habitica#1735 from jadejs/ampersand-warn
• f4cf1e3 Add warning if a data attribute value contains ampersand(s)
• 5598487 Merge pull request Group challenges not showing on group page HabitRPG/habitica#1725 from TimothyGu/contrib
• ce563fd Merge pull request 500 after when editign task via PUT /api/v1/user/task/:tid HabitRPG/habitica#1726 from TimothyGu/pretty
• 28007f1 Merge pull request challenge tasks getting scored multiple times HabitRPG/habitica#1729 from TimothyGu/less
• acada93 Pin to less <2.0.0
• 8fb4272 Better `pretty` documentation
• a85c86f layout: Add "contributed by many others"
• d8dd7ee layout: Remove commented out cruft
• 6181f5d Update Readme_zh-cn.md
• 77b2caa Merge pull request collapse participants (ui-router) HabitRPG/habitica#1716 from TimothyGu/globals-doc
• abca356 Document `globals` option
• 2314090 Merge pull request challenge tasks don’t retain sort order when creating or editing a challenge HabitRPG/habitica#1703 from chharvey/master
• 0d87396 Merge pull request Hatching not working HabitRPG/habitica#1663 from bfred-it/master
• f2d9266 Merge pull request TypeError: Cannot read property 'type' of undefined HabitRPG/habitica#1708 from TimothyGu/master
• 45f8f6f Fix link to Travis CI and GitHub repo
• e236e1a Merge pull request Leaving a challenge doesn't remove its tag from user's tags HabitRPG/habitica#1704 from jadejs/object-classes
• 138e255 Document the object form of `class` and `style` attributes
• 8e85b96 Add support for an object in the style attribute

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• ddff80d release 4.0.0
• 2ef9a42 Merge branch '3.8.x'
• 73d7dc6 Merge pull request Made incorrect username and password show the same error, for security purposes HabitRPG/habitica#2791 from Automattic/docs-switch
• 06ee56c fix; docs generation for embedded docs
• c339edd chore; set up legacy / master doc generation
• 3846944 chore; update gitter badge to Automattic/, reference acquit in README
• 5eb0b7d upgraded; node driver to 2.0.24
• 5ed48e2 Merge pull request Wrong equipment item lost on death (server loses diff gear than client) HabitRPG/habitica#2789 from chetverikov/patch-2
• 343811b Merge pull request Improbable death- three dailies undone, on quest with 40 health HabitRPG/habitica#2788 from chetverikov/errors
• 5d488e1 LearnBoost -> Automattic
• 9408e1d Fix errors is not defined
• 174e1f0 fix; test broken from 3.8.x merge
• 0ffbf77 Merge branch '3.8.x'
• 1624116 Merge pull request Suddenly dead after dailies didn't record HabitRPG/habitica#2783 from artiifix/patch-1
• e1196a9 Correct typo in documentation
• 8454a49 Merge branch '3.8.x'
• b7c7040 Fix Died without taking damage, lost armor belonging to another class. HabitRPG/habitica#2656; upgrade to node driver 2.0.23
• ea2558b Merge pull request Don't block future http ops on client, after initial 500 err HabitRPG/habitica#2775 from LearnBoost/improve-cast-error
• 3d201b9 Persist cast errors across calls to validate()
• 5371e36 Repro issue with cast errors not persisting across validation
• ad4462c Merge pull request Changed hints style (and small quick fixes) HabitRPG/habitica#2773 from chetverikov/gh2719
• 80f8332 Merge branch 'master' into gh2719
• a6a47cd Merge remote-tracking branch 'upstream/master'
• 78f3ebb Fix Tags disappeared upon dying HabitRPG/habitica#2719

See the full diff

Package name: pageres

The new version differs by 111 commits.

• e54a5b3 5.0.0
• 9685504 Switch from PhantomJS to Puppeteer (Chrome) 🎉
• d13dc9a Update dependencies
• 908e525 Finish TypeScript rewrite
• 42ff5ae Start TypeScript rewrite (Feature Request: Add a customizable "To Do in X Days" HabitRPG/habitica#339)
• f5a092a Require Node.js 8
• 05055c8 Add Patreon badge
• 2434e36 Fix linting
• bb0447e Update URL to XO
• cdbdc54 Bump dependencies
• e0fb3cb 4.5.1
• 18fbf6d Meta tweaks
• bfce337 Don't error when removing atomic files in a custom destination
• bd9d52f Document `transparent` option
• 7576249 4.5.0
• 9a777be Switch to `make-dir` and `del`
• cdd335a 4.4.0
• 7283c93 Simplify Restart server when down HabitRPG/habitica#298
• f7324f1 Include URL hash fragment in filename (Restart server when down HabitRPG/habitica#298)
• bff35b8 Bump dependencies
• c870039 Bump XO
• 5e390b3 Minor readme tweaks
• c565afd 4.3.0
• b91f0ea Incremental number for filename - Fixes Suggestion: Cumulative experience points HabitRPG/habitica#239 (Drag/Drop issue HabitRPG/habitica#288)

See the full diff

Package name: universal-analytics

The new version differs by 90 commits.

• bb7abdd Version 0.4.21
• aa8a790 Merge pull request "Unticking" a yellow or red daily or ToDo removes you 10% less gold than it awards HabitRPG/habitica#144 from beeman/beeman/dependencies
• fe696ff Upgrade request to native-request
• 859bc37 Upgrade package versions
• e534517 Version 0.4.20
• 127aa72 Version 0.4.19
• 0846ead Version 0.4.18
• e676a15 Merge pull request Internal Server Error HabitRPG/habitica#113 from pioug/package-lock
• 8ba84c9 Merge pull request Updating updateStats for mass update HabitRPG/habitica#115 from atkit/master
• a39f75f Updated README.md about supported uid parameter that is used internally for User ID
• e0c9762 Install latest [email protected]
• 1a98a24 Regenerate package-lock.json
• e13640c Merge pull request [just a fancy feature] Colors in rewards HabitRPG/habitica#108 from XanderLuciano/documentation-update
• 63c5514 Merge pull request Everything I inputted gone? HabitRPG/habitica#109 from XanderLuciano/history-update
• 00c9317 Updated repo history for version 0.4.17
• 0e86f08 Typo Fix
• 47a55a0 Update README.md
• 28fc799 Version 0.4.17
• bfcb719 Updated request package to 2.28 to fix stringstream vulnerability
• f2aaa85 Merge pull request [Snyk] Fix for 12 vulnerabilities #73 from bbruneau/use-https-by-default
• 2cc5e1e Merge pull request [Snyk] Security upgrade express from 3.17.8 to 4.0.0 #82 from armsteadj1/master
• 108ad66 Merge pull request [Snyk] Fix for 1 vulnerabilities #76 from maxbbn/master
• 6ed8b2f Merge branch 'master' into master
• 177dd69 Merge pull request Password reset without confirmation HabitRPG/habitica#99 from pirxpilot/debug

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Open Redirect
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn