[Snyk] Fix for 54 vulnerabilities

[benweizhu]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	584/1000 Why? Has a fix available, CVSS 7.4	Directory Traversal SNYK-JS-ADMZIP-1065796	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Remote Memory Exposure SNYK-JS-BL-608877	Yes	Proof of Concept
	626/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.1	Man-in-the-Middle (MitM) SNYK-JS-HTTPSPROXYAGENT-469131	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Certificate Validation SNYK-JS-NODESASS-1059081	Yes	No Known Exploit
	550/1000 Why? Has a fix available, CVSS 6.5	Out-of-bounds Read SNYK-JS-NODESASS-535499	Yes	No Known Exploit
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Out-of-bounds Read SNYK-JS-NODESASS-535501	Yes	Proof of Concept
	600/1000 Why? Has a fix available, CVSS 7.5	Uncontrolled Recursion SNYK-JS-NODESASS-535503	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Resource Exhaustion SNYK-JS-NODESASS-535504	Yes	Proof of Concept
	761/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.8	NULL Pointer Dereference SNYK-JS-NODESASS-535505	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Uncontrolled Recursion SNYK-JS-NODESASS-540960	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Out-of-bounds Read SNYK-JS-NODESASS-540962	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Improper Input Validation SNYK-JS-NODESASS-540966	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Improper Input Validation SNYK-JS-NODESASS-540968	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Uncontrolled Recursion SNYK-JS-NODESASS-540970	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Out-of-bounds Read SNYK-JS-NODESASS-540972	Yes	No Known Exploit
	761/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.8	NULL Pointer Dereference SNYK-JS-NODESASS-540974	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Denial of Service (DoS) SNYK-JS-NODESASS-540982	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Out-of-bounds Read SNYK-JS-NODESASS-540984	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Out-of-bounds Read SNYK-JS-NODESASS-540986	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-NODESASS-540988	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-NODESASS-542662	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	899/1000 Why? Mature exploit, Has a fix available, CVSS 9.4	Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	Yes	Mature
	641/1000 Why? Mature exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:concat-stream:20160901	Yes	Mature
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:hawk:20160119	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Timing Attack npm:http-signature:20150122	Yes	No Known Exploit
	796/1000 Why? Mature exploit, Has a fix available, CVSS 8.2	Uninitialized Memory Exposure npm:https-proxy-agent:20180402	Yes	Mature
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	Yes	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Remote Memory Exposure npm:request:20160119	Yes	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Remote Memory Exposure npm:ws:20160104	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20160624	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Insecure Randomness npm:ws:20160920	Yes	No Known Exploit
	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20171108	Yes	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
• 723cbc4 Docs: Fix syntax in recipe example (#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (#1609)

See the full diff

Package name: gulp-angular-filesort

The new version differs by 8 commits.

• f63f018 chore(release): version 1.2.0
• 1f03068 chore(dependencies): update dependencies
• 526a078 chore(dependencies): drop dependency on deprecated `gulp-util` ([Snyk] Security upgrade browser-sync from 2.9.12 to 2.25.0 #56)
• 6c23f65 Initial Alphabetic Sorting ([Snyk] Security upgrade gulp-autoprefixer from 3.0.2 to 8.0.0 #50)
• adb2679 Adding recommendation about Browserify/Webpack
• 1eb07a5 Merge pull request [Snyk] Security upgrade gulp-sass from 2.0.4 to 3.0.0 #40 from mgcrea/patch
• 2446f35 refactor(plugin): use through2
• f1c766a chore(npm): update deps

See the full diff

Package name: gulp-load-plugins

The new version differs by 52 commits.

• bca084b 1.2.3
• 1c080cd Update dependencies to match gulp 4 (#108)
• 229d574 Update package.json
• c54c5ee Update package.json
• 3403a15 Create LICENSE
• a9dd268 1.2.2
• 8a4e1ae Merge pull request [Snyk] Security upgrade del from 2.0.2 to 8.0.0 #105 from jackfranklin/revert-104-'configObject'-initialization
• 95a4b19 Revert "Changed 'configObject' initilization statement to call 'requireFn()' …"
• 59bb7e4 Release 1.2.1
• 420bd67 Merge pull request [Snyk] Security upgrade browser-sync from 2.9.12 to 2.19.0 #104 from mwessner/'configObject'-initialization
• 338852a Update package.json
• 2313d07 Changed 'configObject' initilization statement to call 'requireFn()' function (instead of 'require()') when the 'config' option is provided as a string.
• 440ca65 Merge pull request [Snyk] Fix for 1 vulnerabilities #103 from Trial-In-Error/patch-1
• d981708 Update README
• 672e085 Merge pull request [Snyk] Security upgrade http-proxy-middleware from 0.9.1 to 0.20.0 #101 from iamfrontender/master
• 60fb3e9 addition to contributors list
• fe89f33 Added `enumerable:true` for lazy loaded plugin props
• f302ea5 Add explicit lint task
• c6eb39d Remove Makefile
• dd60b88 Update CONTRIBUTING with eslint info
• 7ac1fd0 Merge pull request [Snyk] Security upgrade browser-sync from 2.9.12 to 2.19.0 #97 from ryan-codingintrigue/master
• 2b894f5 Run Travis on 4.1 and 0.12
• b615316 Added spacing to .eslintrc arrays
• ef63905 Replace jshint with eslint

See the full diff

Package name: gulp-protractor

The new version differs by 52 commits.

• ffb1070 Updated version to v4.0.0
• 4a97325 version updated to v4.0.0
• 6b79a46 Merge pull request #124 from rahulmr/protractor_update
• 884ac5a Update README.md
• 099729d Revert "Updated readme to include travis"
• d508f80 Update README.md
• 2c21db3 Updated readme to include travis
• e534644 node version changed to 6.10.0
• da5d31e Changed node version
• fefa259 npm dependencies update
• 6441022 3.0.0
• 5c451ea Allow protractor v4
• d536f73 2.6.0
• 62d9e1f Allow all protractor v3
• bf59242 Revert "Add protractor v4 support"
• 78cff27 2.5.0
• 54ba2aa Add protractor v4 support
• e66db95 Update changelog for 2.4.0 release
• af9069f 2.4.0
• 2750b17 Merge pull request #109 from manoj9788/master
• c00992b upgrade protractor to 3.3.0
• fc79938 Merge branch 'manoj9788-master'
• d80c203 Update changelog for 2.3.0 release
• 21329d8 2.3.0

See the full diff

Package name: gulp-sass

The new version differs by 106 commits.

• 5775044 Update CHANGELOG.md
• 978b8f6 Update to major version 5 (#802)
• 10eae93 Update changelog for 4.1.1
• 947b26c Upgrade lodash to fix a security issue (#776)
• 8d6ac29 Update changelog
• 43c0547 4.1.0
• ebe3ec6 Set appropriate file stat times (#763)
• 7ab018e Migrate to the lodash package
• fa670c6 4.0.2
• fefa00e Revert package.json version bump
• 98254d2 Fix README typos
• 8a14419 Continue loading Node Sass by default
• 938afbe Add a note about synchronous versus asynchronous speed
• 7cc2db1 Make this package implementation-agnostic
• 643f73b Add documentation for synchronous code options
• 0b3c7e7 4.0.1
• daca90d Merge pull request #681 from DKvistgaard/master
• 71471c2 Declaring logError as function instead of arrow function.
• 450a7b8 4.0.0
• e9b1fe8 Fix node versions in appveyor.yml
• 44be409 Merge pull request #667 from dlmanning/next
• 7656eff Adopt airbnb eslint preset
• 1293169 Bump autoprefixer@^8.1.0, gulp-postcss@^7.0.1
• 9fa817b Bump gulp-sourcemaps@^2.6.4

See the full diff

Package name: gulp-useref

The new version differs by 12 commits.

• b2358b8 Update .npmignore.
• 79c2a0e 2.0.0
• 8d6e5eb Fix failing tests.
• cbc0716 Merge branch 'hadrienk-master'
• 0937855 Merge branch 'master' of https://github.com/hadrienk/gulp-useref into hadrienk-master
• 2858b57 Update README.
• 1360869 Fix issue with files being lost.
• b15579d Update vinyl-fs.
• 3b9c0fe Update dependencies.
• 8bb699c Update gulp and jscs packages.
• d9acf23 Add the mustexist option to make the stream emit and error if a file is missing
• 0b64feb Add tests for the pull request

See the full diff

Package name: karma-coverage

The new version differs by 59 commits.

• 32acafa chore(release): 2.0.2 [skip ci]
• bb8f9ee chore: add semantic-release for project - fix #408 (#413)
• 9c37de6 chore: add check commit message (#411)
• 27822c9 ci(test): use eslint as ci command and add all js files to check by eslint (#410)
• 1adb27a ci: drop node 8, adopt node 12 (#409)
• 4962a70 fix(reporter): update calls to match new API in istanbul-lib-report fix #398 (#403)
• fc6e289 refactor: remove isAbsolute and replace with path.isAbsolute (#405)
• 83bafc3 refactor: replace migrate coffee unit tests to modern JS (#407)
• 49f174d refactor: onRunComplete method to upgrade on new major version of Istanbul (#406)
• 4cfa697 chore: Update dev Dependencies eslint and load-grunt-tasks (#387)
• 5cf931a fix: remove information about old istanbul lib (#404)
• 352254a chore(deps): bump handlebars from 4.1.2 to 4.5.3 (#399)
• 0ee780c chore(deps): bump lodash.template from 4.4.0 to 4.5.0 (#392)
• d18cde4 chore(deps-dev): bump eslint from 2.13.1 to 4.18.2 (#397)
• 55aeead Update Source Map Handling (#394)
• b23664e Added debug msg whether coverage is in reporters (#396)
• d3f53e3 chore(all): Migrate to ES6 (#385)
• 9c8a222 Make travis file simpler (#386)
• b76db9e Remove unused dateformat dependency (#384)
• 075ece0 Remove unused istanbul dependency (#382)
• 9184fc0 chore: release v2.0.1
• 57d4bd3 chore(deps): npm audit fix --force; update travis.yml (#380)
• 0e2800b chore: release v2.0.0
• 99c0c35 chore: update contributors

See the full diff

Package name: main-bower-files

The new version differs by 25 commits.

• 3e72915 Merge branch 'nathanaelnsmith-master'
• c10c547 Updated README.md and added unit test for exclude group feature
• 7597ec7 2.12.0
• 795e59b Finished implementing excluding group from bower file list.
• ff9ae8a Fixed issue with variable referenced out of order
• fa9b96d Exclude group from dependencies
• 8f4bb2c updated vinyl-fs
• 8ef5cf6 version 2.11.1
• 74c146e Merge branch 'pwang2-fix-bower-main-slash'
• d49d53d Merge branch 'fix-bower-main-slash' of https://github.com/pwang2/main-bower-files into pwang2-fix-bower-main-slash
• 78e91cd updated tern config file
• 580e540 add test for slash path deny
• 4e2a320 Deny absolute bower main file,
• b9cb4fc prove giving wrong message when main path start with /
• 5eb5072 version 2.11.0
• 75d0445 Merge pull request #123 from ball6847/feature-deps-group
• 73faa81 add semicolon to the missing line
• 39524a7 add more test and document about group option
• 09e230e add tests for group options
• e918565 make it supports node v0.10, as travis-ci run on this version
• d9dff42 add dependency group options
• bafd804 Merge pull request #120 from red2678/patch-1
• f2f53e1 Fix Typos
• 22db94e Fixed readme linebreaks

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal
🦉 Prototype Pollution
🦉 Uncontrolled Recursion
🦉 More lessons are available in Snyk Learn