[Snyk] Fix for 13 vulnerabilities

[moehlone]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: grunt

The new version differs by 76 commits.

• 27bc5d9 Merge pull request #1714 from gruntjs/release-1.2.0
• 64a3cf4 Release v1.2.0
• 0d23eff Merge pull request #1570 from bhldev/feature-options-keys
• ee70306 Merge pull request #1697 from philz/1696
• 05c0634 Merge pull request #1712 from gruntjs/fix-lint
• cdd1c19 fix lint in file.js
• bc168e3 Merge pull request #1283 from greglittlefield-wf/recognize-relative-links
• 5f16b5a Merge pull request #1675 from STRML/remove-coffeescript
• 58f80ae Merge pull request #1677 from micellius/monorepo-support
• 1f61427 Add CODE_OF_CONDUCT.md
• 4c6fcd9 Merge pull request #1709 from NotMoni/patch-1
• 169d496 add link to license
• 288ea76 add license link
• d5cdac0 Merge pull request #1706 from gruntjs/tag-neew
• 4674c59 v1.1.0
• 6124409 Merge pull request #1705 from gruntjs/mkdirp-update
• 0a66968 Fix up Buffer usage
• 4bfa98e Support versions of node >= 8
• f1898eb Update to mkdirp ~1.0.3
• 7985b19 Avoiding infinite loop on very long command names.
• 75da17b HTTPS link to gruntjs.com (#1683)
• 5a0a02b support monorepo (relative path)
• 6795d31 Update js-yaml dependecy to ~3.13.1 (#1680)
• 66fc8fa support monorepo (test case)

See the full diff

Package name: grunt-contrib-coffee

The new version differs by 8 commits.

• 14be62b Merge pull request #203 from gruntjs/v210
• 66dda8c v2.1.0
• 6879d8f Merge pull request #202 from gruntjs/upt-deps-a
• 93768c5 Fix tests for latest coffeescript
• 7d5b1c5 Update deps within delclared range
• 14315b4 Merge pull request #201 from gruntjs/upt-deps
• d211122 Drop Node 6 in CI, add node 10
• 0681fc7 Update dependencies

See the full diff

Package name: grunt-contrib-cssmin

The new version differs by 11 commits.

• 3ff3635 v4.0.0.
• a62ac0e package.json: switch to the caret operator for clean-css
• f8b6a7b Adds "no rebase" test case.
• 5c05f6b Updates clean-css dependency to version 5.
• 83b0c2f Update all dependencies except clean-css
• e6dc6f8 Bump lodash from 4.17.15 to 4.17.19 (#305)
• efa725b Bump underscore.string from 3.3.4 to 3.3.5 (#303)
• 6d57138 Merge pull request #302 from gruntjs/dependabot/npm_and_yarn/lodash-4.17.15
• 866523c Bump lodash from 4.17.10 to 4.17.15
• 052b0cb v3.0.0.
• 142e850 Update all deps and require Node.js >= 6.

See the full diff

Package name: grunt-contrib-less

The new version differs by 25 commits.

• 8842e4f v2.1.0
• 51d03a3 Remove tabs
• 57256e0 Update more deps (#357)
• e7a6d59 Remove extra tabs
• 25062cf Update more deps
• b8785aa Switch to Github actions, update deps (#356)
• 94533ed Add a process option to the compiler (#349)
• 7e8057c Updating lodash patch 4.17.11 (#348)
• 815cef9 v2.0.0 with dep updates (#342)
• 5b04ca0 Update less to 3.0.0 (#340)
• d8231dc Add node 8, remove node 0.10 (#337)
• 0353e53 accept a function for sourceMapFilename (#306)
• c81d284 accept a function for sourceMapURL (#307)
• e0c3722 Update AppVeyor project.
• 459ca0b Update less-options.md
• c282d0d v1.4.1.
• a507646 Rethrow the compilation error after printing the message. (#315)
• 924189e Use path.basename for sourceMappingURL. (#322)
• 5501c3b Add a test case for `calc` and `strictMath`.
• a4ef5e1 Reduce lodash usage.
• a50a622 v1.4.0.
• 22720e2 Merge pull request #321 from gruntjs/deps
• 88daf05 Update dependencies, including less ~2.7.1.
• 1d749b0 Simplify code.

See the full diff

Package name: grunt-contrib-watch

The new version differs by 4 commits.

• 3b7ddf4 v1.1.0
• 72b1214 Updating dependencies, async, lodash and tiny-lr
• 5adb27c Merge pull request #543 from digitalbazaar/master
• f07311b Update tiny-lr dependency to 1.x

See the full diff

Package name: sails-disk

The new version differs by 85 commits.

• 15faa44 1.0.0
• a2b7ee6 1.0.0-12
• 9d7118c Only set footprint keys for uniqueness violations.
• a2c2261 Add some assertions.
• a222824 Update gitignore and scripts
• 3b3c334 1.0.0-11
• cef95b4 Support updating the primary key value, as long as it's not using _id as the column.
• aad2a15 Set _id column to value of primary key when creating records.
• 333e2d1 1.0.0-10
• c8a26c5 Add shim to replicate MongoDB's behavior w/ `{ $ne: null }` and empty arrays.
• bf92cb8 1.0.0-9
• af97943 Workaround issue with projections including only `_id`
• b5b985b Relax restrictions on using `_id` column in sails disk.
• f4adfd7 Add an entry in the `refCols` dictionary for every model, so we don't have to short-circuit checks for it later
• b494fd9 In `find`, deserialize Buffer objects into `ref` attributes where possible.
• 7aaaaa4 Merge pull request [Snyk] Security upgrade sails from 0.12.14 to 1.0.0 #58 from balderdashy/expose-lib
• 70ead96 (whoops) Add back 0.10 and 0.12 in appveyor.yml
• beabe7a Merge pull request [Snyk] Security upgrade sails from 0.12.14 to 1.5.3 #57 from balderdashy/expose-lib
• 9c80187 1.0.0-8
• f7a349d Actually, don't expose the static lib. (No reason to do so, and better to not introduce something experimental if there's any chance it could make an app dependent on random stuff in a dev-only adapter)
• 2d4d97e 1.0.0-7
• f2dd761 Rename afterwards function to avoid perceived scope conflict (whether or not it'd ever actually be a big deal, this avoids any potential future scope issues from refactoring, etc).
• 4051e5e 1.0.0-6
• 250c32e Handle stray error (and a couple of other trivial changes just from when I was reading through the code)

See the full diff

Package name: sails-mysql

The new version differs by 202 commits.

• e9ca5d0 1.0.0
• 1c8eba9 1.0.0-17
• 2384285 Same as 2cc4850eb0fc3ff58eeaef044c2b14379af1be32 but for 2 other occurrences.
• 2cc4850 Apply fix from eslint to properly pass through compileStatement() errors
• ba40d9a Update eslint
• ed86ee1 1.0.0-16
• 227e9ba Bump versions of mariadb tests-- and explicitly test node 8
• 917db33 Use mp-mysql@3 (see https://github.com/Memory leak balderdashy/sails#4264#issuecomment-353152823)
• 5e8ed7e Follow-up to 075d7590dfb5fc51ee7c3084df87261b46ea5356
• 075d759 Update machine runner to v15. (refs https://github.com/Memory leak balderdashy/sails#4264)
• 0d0503c Even better
• 6186297 Update language in config errors
• d1f0791 1.0.0-15
• d511f24 Allow `ref` type attributes to represent any object, not just Buffers.
• 3a62cf5 1.0.0-14
• b8c74aa Merge pull request #349 from balderdashy/revert-utf8mb4-default
• b98a2f0 Revert code that defaults to the `utf8mb4` character set.
• 987f467 Merge pull request #346 from balderdashy/support-emojis
• 3adc445 1.0.0-13
• 65aa28f lint fix
• 9fd09c9 1.0.0-12
• e9cbd78 Change default charset to support emojis. This also adds some comments and notes for the future.
• 6efdddc 1.0.0-11
• 056b12b use LONGTEXT by default because mysql truncates data silently

See the full diff

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Prototype Override Protection Bypass
🦉 More lessons are available in Snyk Learn