[Snyk] Fix for 1 vulnerabilities

[benweizhu]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	768/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-LODASH-6139239	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: browser-sync

The new version differs by 117 commits.

• e7ced1b 2.13.0
• d9063d6 deps: update eazy-logger micromatch serve-static
• dcba582 docs: remove ref to anymatch. re: https://github.com/Chokidar or Anymatch for glob patterns? BrowserSync/browser-sync#1122#issuecomment-224199203
• a3e115d remove invalid invocation ofl enableDestroy;
• 4b17d60 fix(socket/server): Allow .exit() to immediately shut down all servers as expected
• 2282cad fix(files): implement a more robust (correct) debounce, along with throttle & delay - re: #982 #1121
• 66be45c dev-deps: update bs-html-injector
• 4467e87 2.12.12
• 38ce6ba Add legacy property to plugins options - fix #1120
• 3b7ea77 2.12.11
• 400f10f Add legacy `moduleName` property to plugins options - fix #1120
• 1159244 deps: Add bs-latency for dev
• 5a0ed9d 2.12.10
• cbcb642 Merge branch '1109-directory'
• d0d0c3d test: allow all
• c771362 Merge pull request #1110 from donaldpipowitch/patch-1
• c62cd55 support falsey values for directory setting
• 379b7fc 2.12.9
• 32c927d test: added failing test for #1109
• 50e740c ci: ignore custom lodash build for coverage report
• d5efbd8 ci: Remove lodash dependency from test files
• fbccc2f perf: custom lodash build to reduce start-up time
• 223ae23 Merge pull request #1101 from zhongdeliu/patch-1
• 54f1765 only a comment fix for proxyReq variable

See the full diff

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
• 723cbc4 Docs: Fix syntax in recipe example (#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (#1609)

See the full diff

Package name: gulp-angular-filesort

The new version differs by 8 commits.

• f63f018 chore(release): version 1.2.0
• 1f03068 chore(dependencies): update dependencies
• 526a078 chore(dependencies): drop dependency on deprecated `gulp-util` ([Snyk] Security upgrade browser-sync from 2.9.12 to 2.25.0 #56)
• 6c23f65 Initial Alphabetic Sorting ([Snyk] Security upgrade gulp-autoprefixer from 3.0.2 to 8.0.0 #50)
• adb2679 Adding recommendation about Browserify/Webpack
• 1eb07a5 Merge pull request [Snyk] Security upgrade gulp-sass from 2.0.4 to 3.0.0 #40 from mgcrea/patch
• 2446f35 refactor(plugin): use through2
• f1c766a chore(npm): update deps

See the full diff

Package name: gulp-useref

The new version differs by 12 commits.

• b2358b8 Update .npmignore.
• 79c2a0e 2.0.0
• 8d6e5eb Fix failing tests.
• cbc0716 Merge branch 'hadrienk-master'
• 0937855 Merge branch 'master' of https://github.com/hadrienk/gulp-useref into hadrienk-master
• 2858b57 Update README.
• 1360869 Fix issue with files being lost.
• b15579d Update vinyl-fs.
• 3b9c0fe Update dependencies.
• 8bb699c Update gulp and jscs packages.
• d9acf23 Add the mustexist option to make the stream emit and error if a file is missing
• 0b64feb Add tests for the pull request

See the full diff

Package name: http-proxy-middleware

The new version differs by 18 commits.

• 6606489 chore(release): v0.13.0
• ea41a26 Merge pull request [Snyk] Security upgrade browser-sync from 2.9.12 to 2.26.9 #59 from chimurai/custom-context-matching
• 814e0fc feat(context): custom context matcher
• 483f757 docs(option.pathRewrite): add example for adding a base path to requests
• 029cd18 chore(package.json): update dependencies
• e35420b typo(changelog): fix "onProxyReqWS" -> "onProxyReqWs"
• 951d9bf v0.12.0
• 9fdc84f Merge pull request [Snyk] Security upgrade browser-sync from 2.9.12 to 2.25.0 #56 from chimurai/proxyReqWs
• 84f8e7f chore(unused): remove 'url' import
• 6b18dc5 feat(handlers) - add options: onProxyReqWs, onOpen, onClose
• e88d6e0 chore(code style) jscs & editorconfig
• 1f21fed v0.11.0
• 07e83b3 Merge pull request [Snyk] Security upgrade gulp-sass from 2.0.4 to 5.0.0 #53 from chimurai/logging-improvement
• c41a64a feat(logging): improve debug logging.
• 5bed3c6 v0.10.0
• 8ce646f v0.10.0-beta
• 6cfd0f3 Merge pull request [Snyk] Fix for 1 vulnerabilities #49 from chimurai/proxyTable-does-not-work-for-websocket-connections
• bb28503 feat(proxyTable): add proxyTable support for ws

See the full diff

Package name: karma

The new version differs by 250 commits.

• db41e8e chore: release v2.0.0
• 0a1a8ef chore: update contributors
• 1afcb09 chore: add yarn.lock
• f64e1e0 Merge pull request #2899 from outsideris/fix-bad-url-in-stacktrace
• 78ad12f refactor(server): move compile step to first run
• 34dc7d3 fix(reporter): show file path correctly when urlRoot specified
• b53929a Merge pull request #2712 from macjohnny/patch-1
• c9e1ca9 feat: better string representation of errors
• 10fac07 Merge pull request #2885 from karma-runner/prep-2
• 00e3f88 chore: remove yarn.lock for now
• 60dfc5c feat: drop core-js and babel where possible
• 0e1907d test: improve linting and fix test on node 4
• af0efda test(e2e): update cucumber step definitions
• c3ccc5d chore(ci): focus on even node versions
• bf25094 chore(deps): update to latest
• d93cc5f docs(config): Document port collision scenario.
• 871d46f feat(launcher): trim whitespace in browser name
• 99fd3f0 fix(config): Call debug log methods after setting the loglevel based upon config/cli-options.
• 7bd54ed Merge pull request #2890 from reda-alaoui/patch-1
• 91e916a docs(config): Document port collision scenario.
• 334f9fb feat(launcher): trim whitespace in browser name
• e23c0d4 Merge pull request #2837 from JakeChampion/logs
• a340dae fix(config): Call debug log methods after setting the loglevel based upon config/cli-options.
• 6d353dc docs: improve comments in config.tpl.*

See the full diff

Package name: karma-phantomjs-launcher

The new version differs by 28 commits.

• eb0ca03 chore: release v1.0.4
• 895fb86 fix: windows pathing
• 00c3321 chore: release v1.0.3
• c342607 chore: update contributors
• db7ebc3 chore: add yarn.lock
• fe013cd Merge pull request #131 from leightarasenko/master
• 482eba5 fix: path issue with phantomjs and phantomjs-prebuilt
• 9c56c0f chore: release v1.0.2
• 5938221 chore: update contributors
• fb11f35 Merge pull request #127 from enterit/binary-path-fix
• faa7474 fix: incorrect phantomjs path calculation
• f9e2de3 chore: release v1.0.1
• 33b3421 chore: update contributors
• 215bf0e Merge pull request #123 from joelmukuthu/master
• 9ae8ada chore: add phantomjs-prebuilt to dependencies
• 9b0f5e3 fix(version-reset): set version back to 1.0
• 1b98e4c chore: release v2.0.0
• a6da030 chore: update contributors
• 4dec36d chore(1.0): version bump to 1.0
• 22622e4 chore: release v1.0.0
• 45807be chore: update contributors
• 950292f Merge pull request [Snyk] Fix for 1 vulnerabilities #99 from shinnn/lodash
• 9167041 Merge pull request [Snyk] Security upgrade gulp from 3.9.1 to 5.0.0 #98 from shinnn/rename
• 2a03f46 Merge pull request [Snyk] Fix for 2 vulnerabilities #100 from shinnn/ci

See the full diff

Package name: main-bower-files

The new version differs by 25 commits.

• 3e72915 Merge branch 'nathanaelnsmith-master'
• c10c547 Updated README.md and added unit test for exclude group feature
• 7597ec7 2.12.0
• 795e59b Finished implementing excluding group from bower file list.
• ff9ae8a Fixed issue with variable referenced out of order
• fa9b96d Exclude group from dependencies
• 8f4bb2c updated vinyl-fs
• 8ef5cf6 version 2.11.1
• 74c146e Merge branch 'pwang2-fix-bower-main-slash'
• d49d53d Merge branch 'fix-bower-main-slash' of https://github.com/pwang2/main-bower-files into pwang2-fix-bower-main-slash
• 78e91cd updated tern config file
• 580e540 add test for slash path deny
• 4e2a320 Deny absolute bower main file,
• b9cb4fc prove giving wrong message when main path start with /
• 5eb5072 version 2.11.0
• 75d0445 Merge pull request #123 from ball6847/feature-deps-group
• 73faa81 add semicolon to the missing line
• 39524a7 add more test and document about group option
• 09e230e add tests for group options
• e918565 make it supports node v0.10, as travis-ci run on this version
• d9dff42 add dependency group options
• bafd804 Merge pull request #120 from red2678/patch-1
• f2f53e1 Fix Typos
• 22db94e Fixed readme linebreaks

See the full diff

Package name: wiredep

The new version differs by 50 commits.

• 3416e1e 4.0.0
• d4d23b9 tests: fix cached config from multiple runs
• 58b9441 update lodash and fix breaking changes from it
• 4d98906 split wiredep-cli into its own module
• e4cb7a6 update devDeps
• 9b72b7a update safe main deps
• dc88ab0 warn on invalid or missing bowerJson file
• b649193 use appropriate log methods for cli
• b5f6644 only use the fixtures for real cli tests
• 851483f refactor wiredep-cli to reduce loops and double checks
• 366e655 expanded wiredep_cli testing
• becb3d6 DRY cli args
• fa5ad59 add code coverage reports
• 649afc8 OS-ify the cli file
• 3fea870 remove beforeEach def
• 8e859b6 split cli test suite
• cf11f71 allow multiple test runs (--watch)
• e4b48ad add badges
• 8712b18 travis newer
• ae0271f Unmaintained notice
• eab46b8 3.0.0
• 0f5e9b4 Merge pull request #223 from danielsiwiec/master
• c84c057 Fix a problem with CLI -b argument misbehaving
• 5339a49 Merge pull request #206 from ahmednuaman/patch-1

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution