[Snyk] Fix for 41 vulnerabilities

[NOUIY]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-JSYAML-173999	No	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MERGE-1040469	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MERGE-1042987	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Certificate Validation SNYK-JS-NODESASS-1059081	Yes	No Known Exploit
	550/1000 Why? Has a fix available, CVSS 6.5	Out-of-bounds Read SNYK-JS-NODESASS-535499	Yes	No Known Exploit
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Out-of-bounds Read SNYK-JS-NODESASS-535501	Yes	Proof of Concept
	600/1000 Why? Has a fix available, CVSS 7.5	Uncontrolled Recursion SNYK-JS-NODESASS-535503	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Resource Exhaustion SNYK-JS-NODESASS-535504	Yes	Proof of Concept
	761/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.8	NULL Pointer Dereference SNYK-JS-NODESASS-535505	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Uncontrolled Recursion SNYK-JS-NODESASS-540960	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Out-of-bounds Read SNYK-JS-NODESASS-540962	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Improper Input Validation SNYK-JS-NODESASS-540966	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Improper Input Validation SNYK-JS-NODESASS-540968	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Uncontrolled Recursion SNYK-JS-NODESASS-540970	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Out-of-bounds Read SNYK-JS-NODESASS-540972	Yes	No Known Exploit
	761/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.8	NULL Pointer Dereference SNYK-JS-NODESASS-540974	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Denial of Service (DoS) SNYK-JS-NODESASS-540982	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Out-of-bounds Read SNYK-JS-NODESASS-540984	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Out-of-bounds Read SNYK-JS-NODESASS-540986	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-NODESASS-540988	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-NODESASS-542662	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SCSSTOKENIZER-2339884	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: gulp-coffee

The new version differs by 19 commits.

• 39df753 3.0.3
• 8c9ec9a Merge pull request [Snyk] Upgrade gulp from 4.0.0 to 4.0.2 #89 from TheDancingCode/no-coercion
• 9db3c01 Merge pull request [Snyk] Upgrade gulp-replace from 0.5.4 to 0.6.1 #90 from TheDancingCode/remove-require
• 64b0784 Remove unneeded Mocha require statement
• 8cd8339 Avoid implicit type coercion
• f668318 Remove unused variables
• 428393b Replace deprecated `new Buffer()`
• 841228b Update repo location
• 95c3621 Replace unneeded `merge`
• a752a2a Fix node version in README
• 2b17e7c 3.0.2
• e8a6459 closes [Snyk] Upgrade gulp-replace from 0.5.4 to 0.6.1 #81
• e39eac8 closes [Snyk] Upgrade gulp-connect from 5.5.0 to 5.7.0 #82
• bbb041d 3.0.1
• 4e4fe84 respond to https://github.com/Ecosystem migration gulpjs/gulp-util#143
• 2b1623c 3.0.0
• eaf44ad more dep updating
• 480d8ee Merge pull request [Snyk] Upgrade gulp from 4.0.0 to 4.0.2 #80 from ndrewtl/master
• e3939ff Bump Coffeescript to version 2.1.0

See the full diff

Package name: gulp-connect

The new version differs by 7 commits.

• aa10ee3 5.6.1
• a80e3e5 Merge pull request [Snyk] Upgrade gulp from 4.0.0 to 4.0.2 #257 from rejas/update_dependencies
• c6034b8 Cleanup test file
• edcfba8 Update ansi-colors package
• 429068d Only test supported node versions
• 2055d29 Undo typescript update to avoid breaking tests
• 4e3c831 Update all dependencies

See the full diff

Package name: gulp-sass

The new version differs by 42 commits.

• 5775044 Update CHANGELOG.md
• 978b8f6 Update to major version 5 ([Snyk] Upgrade gulp-replace from 0.5.4 to 0.6.1 #802)
• 10eae93 Update changelog for 4.1.1
• 947b26c Upgrade lodash to fix a security issue ([Snyk] Upgrade gulp from 4.0.0 to 4.0.2 #776)
• 8d6ac29 Update changelog
• 43c0547 4.1.0
• ebe3ec6 Set appropriate file stat times ([Snyk] Upgrade js-yaml from 3.10.0 to 3.14.1 #763)
• 7ab018e Migrate to the lodash package
• fa670c6 4.0.2
• fefa00e Revert package.json version bump
• 98254d2 Fix README typos
• 8a14419 Continue loading Node Sass by default
• 938afbe Add a note about synchronous versus asynchronous speed
• 7cc2db1 Make this package implementation-agnostic
• 643f73b Add documentation for synchronous code options
• 0b3c7e7 4.0.1
• daca90d Merge pull request [Snyk] Upgrade gulp-connect from 5.5.0 to 5.7.0 #681 from DKvistgaard/master
• 71471c2 Declaring logError as function instead of arrow function.
• 450a7b8 4.0.0
• e9b1fe8 Fix node versions in appveyor.yml
• 44be409 Merge pull request [Snyk] Upgrade js-yaml from 3.10.0 to 3.14.1 #667 from dlmanning/next
• 7656eff Adopt airbnb eslint preset
• 1293169 Bump autoprefixer@^8.1.0, gulp-postcss@^7.0.1
• 9fa817b Bump gulp-sourcemaps@^2.6.4

See the full diff

Package name: gulp-uglify

The new version differs by 37 commits.

• 76b5b3a fix(package): update files array
• 5d4c4c6 chore(all): refactor unit tests
• f2b779b feat(composer): implement new API for composing deps
• dbbba30 fix(minify): log warnings to gulplog
• 4cc8751 feat(uglify): add support for UglifyJS3
• ad73ab8 chore(pkg): update dependencies, run lint
• 4656fe5 2.1.2
• ba83a45 fix(package): move eslint dependencies to dev
• 3d0f155 2.1.1
• c722ab9 fix(errors): restore file and line info
• da3e18f chore(prettier): setup prettier
• ec8ba54 fix(tests): UglifyJS errors use "message" property
• 6c336ec v2.1.0
• 35c33f1 chore(uglifyjs): loosen uglify-js pin
• 74b6eff 2.0.1
• 832b427 chore(package): update uglify-js to version 2.7.5
• 1bf0f72 docs(README): link to Why Use Pump?
• ccdc482 docs(pump): fix typo
• 5ddafd2 chore(package): update uglify-js to version 2.7.4
• d5801ca chore(greenkeeper): ignore "gulp-sourcemaps" dependency
• 129df84 chore(package.json): update repository field
• 533ee01 fix(package): update uglify-js to version 2.7.3
• 1f2c508 docs(why-use-pump): fix plugin name
• 2829956 docs(README): fix typo

See the full diff

Package name: js-yaml

The new version differs by 27 commits.

• 665aadd 3.13.1 released
• da8ecf2 Browser files rebuild
• b2f9e88 Merge pull request [Snyk] Upgrade gulp from 4.0.0 to 4.0.2 #480 from nodeca/toString
• e18afbf Fix possible code execution in (already unsafe) load()
• 9d4ce5e 3.13.0 released
• f64c673 Browser files rebuild
• a567ef3 Restrict data types for object keys
• 59b6e76 Fix test name
• e4267fc 3.12.2 released
• 7231a49 Browser files rebuild
• 99c0bf9 Fix for issue [Snyk] Upgrade gulp-replace from 0.5.4 to 0.6.1 #468 includes passing test ([Snyk] Upgrade gulp from 4.0.0 to 4.0.2 #469)
• b6d2609 3.12.1 released
• 7b68122 Browser files rebuild
• 784d1d0 Add "noArrayIndent" option ([Snyk] Upgrade gulp-replace from 0.5.4 to 0.6.1 #461)
• 00bba11 Fix description of onWarning ([Snyk] Upgrade gulp from 4.0.0 to 4.0.2 #460)
• 2d1fbed Travis-CI: increase tests timeout
• 5cdad9b 3.12.0 released
• ef00891 Browser files rebuild
• 337595a Dev deps bump
• 290705b Support arrow functions without a block statement ([Snyk] Upgrade gulp-connect from 5.5.0 to 5.7.0 #421)
• bab69b5 Check for leading newlines when determining if block indentation indicator is needed ([Snyk] Upgrade gulp-replace from 0.5.4 to 0.6.1 #404)
• bb7f0cf Add property based tests to assess load reverses dump ([Snyk] Upgrade js-yaml from 3.10.0 to 3.14.1 #398)
• f2bb207 3.11.0 released
• b7eb2e6 Browser files rebuild

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit
	646/1000 Why? Mature exploit, Has a fix available, CVSS 5.2	Uninitialized Memory Exposure npm:stringstream:20180511	Mature

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn