[Snyk] Fix for 32 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Command Injection SNYK-JS-CODECOV-543183	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Command Injection SNYK-JS-CODECOV-548879	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Command Injection SNYK-JS-CODECOV-585979	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-JSYAML-173999	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-LODASH-590103	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Insecure Defaults SNYK-JS-SOCKETIO-1024859	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary Code Injection SNYK-JS-XMLHTTPREQUESTSSL-1082936	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Access Restriction Bypass SNYK-JS-XMLHTTPREQUESTSSL-1255647	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:eslint:20180222	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20171108	Yes	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: codecov

The new version differs by 109 commits.

• 29dd5b6 3.7.1
• c0711c6 Switch from execSync to execFileSync (Modified the post, put, head and del shortcuts to support uri optional param request/request#180)
• 5f6cc62 Bump lodash from 4.17.15 to 4.17.19 (Encoding defined in HTML meta tag... request/request#183)
• 0c4d7f3 Merge pull request Fix request.defaults to support (uri, options, callback) api request/request#182 from codecov/update-readme-badges
• cc5e121 Update depstat image and urls
• b44b44e Update readme with 400 error info (Adding common SemWeb file extensions as mime type request/request#181)
• bb79335 V3.7.0 (fix to add opts in .pipe(stream, opts) request/request#179)
• 0d7b9b0 Remove `'x-amz-acl': 'public-read'` header (.pipe() doesn't take an option request/request#178)
• eeff4e1 Bump acorn from 5.7.3 to 5.7.4 (oauth invalid credentials request/request#174)
• eb8a527 Merge pull request query parameters request/request#172 from RoboCafaz/bugfix/codebuild-pr-parser
• 55d69cd Merge pull request Requests freeze, timeouts do not work when make request through a proxy request/request#159 from SaferNodeJS/master
• ef348ec Verify source version before parsing PR
• ebe132e 3.6.5
• 02cf13d [CE-1330] Escaping args (add .toJSON method to all objects request/request#167)
• e138efe Merge lastest changes
• bac0787 v3.6.4
• 203ff3a Merge pull request Fix cookie jar/headers.cookie collision (#125) request/request#161 from codecov/drazisil-patch-1
• 696562d Merge pull request only sending half the file? request/request#147 from iansu/patch-1
• 7856231 v3.6.3
• 96e6d96 Merge pull request authentication request/request#166 from codecov/chore/updates
• c8ea169 update deps
• 7c4cdc4 Merge pull request Catch URI errors request/request#149 from aiell0/master
• 62389fa Merge pull request Fix issue #159 request/request#162 from codecov/dependabot/npm_and_yarn/handlebars-4.5.3
• 73ae008 Add dependabot config

See the full diff

Package name: coveralls

The new version differs by 3 commits.

• 2ed4d09 major version bump for node > 4.x
• 5ebe57f bump version
• 428780c Expand allowed dependency versions to all API compatible versions (query parameters request/request#172)

See the full diff

Package name: har-validator

The new version differs by 13 commits.

• a38c067 5.1.3
• 45c48fa chore(deps): lock file maintenance (Read path for cookies request/request#106)
• 957913b chore(release): 5.1.2 [skip ci]
• 1764b7c fix(docs): update badge links
• 75dfab0 chore(release): 5.1.1 [skip ci]
• fd01aff fix(scaffold): update project scaffold template
• 759bffe Update AJV to version 6 (parseError with certain requests request/request#109)
• e0fee11 chore(deps): update dependency tap to v12 (ECONNREFUSED when connecting locally request/request#108)
• d09cc80 Prefer const over let (Avoid buffer.toString() utf-8 encoding problems... request/request#111)
• a19a82d build(renovate): replace dependencies.io with Renovate app
• 33e6dbd build(semantic-release): improved semantic-release flow
• c97c963 feat(lock-files): add lock files for yarn & npm
• ab3860b fix(jsonify): update to ajv v5.3.0 which removes jsonify

See the full diff

Package name: karma

The new version differs by 250 commits.

• 3653caf chore(release): 6.0.0 [skip ci]
• 04a811d fix(ci): abandon browserstack tests for Safari and IE (#3615)
• 4bf90f7 feat(client): update banner with connection, test status, ping times (#3611)
• 68c4a3a chore(test): run client tests without grunt wrapper (#3604)
• fec972f fix(middleware): catch errors when loading a module (#3605)
• 3fca456 fix(server): clean up close-server logic (#3607)
• 1c9c2de fix(test): mark all second connections reconnects (#3598)
• 87f7e5e chore(license): Update copyright notice to 2020 [ci skip] (#3568)
• e6b045f chore(deps): npm audit fix the package-lock.json (#3603)
• 3c649fa chore(build): remove obsolete Grunt tasks (#3602)
• 8997b74 fix(test): clear up clearContext (#3597)
• fe0e24a chore(build): unify client bundling scripts (#3600)
• 1a65bf1 feat(server): remove deprecated static methods (#3595)
• fb76ed6 chore(test): remove usage of deprecated buffer API (#3596)
• 35a5842 feat(server): print stack of unhandledrejections (#3593)
• 4a8178f fix(client): do not reset karmaNavigating in unload handler (#3591)
• 603bbc0 feat(cli): error out on unexpected options or parameters (#3589)
• 7a3bd55 feat: remove support for running dart code in the browser (#3592)
• 1b9e1de fix(deps): bump socket-io to v3 (#3586)
• 3fed0bc fix(cve): update yargs to 16.1.1 to fix cve-2020-7774 in y18n (#3578)
• f819fa8 fix(cve): update ua-parser-js to 0.7.23 to fix CVE-2020-7793 (#3584)
• 05dc288 fix(context): do not error when karma is navigating (#3565)
• e5086fc docs: clarify `browser_complete` vs `run_complete`
• ead31cd chore(release): 5.2.3 [skip ci]

See the full diff

Package name: karma-coverage

The new version differs by 36 commits.

• 32acafa chore(release): 2.0.2 [skip ci]
• bb8f9ee chore: add semantic-release for project - fix How to override / use ip address of particular machine instead of default machine ip using http module request/request#408 (rename googledoodle.png to .jpg request/request#413)
• 9c37de6 chore: add check commit message (Header key 'host' should be 'Host' request/request#411)
• 27822c9 ci(test): use eslint as ci command and add all js files to check by eslint (A request within a request callback does not pipe back to server response request/request#410)
• 1adb27a ci: drop node 8, adopt node 12 (Need a way to not escape querystrings request/request#409)
• 4962a70 fix(reporter): update calls to match new API in istanbul-lib-report fix Add more reporting to tests request/request#398 (Optimize environment lookup to happen once only request/request#403)
• fc6e289 refactor: remove isAbsolute and replace with path.isAbsolute (Requesting a pictures results in a 0 byte file. request/request#405)
• 83bafc3 refactor: replace migrate coffee unit tests to modern JS (Add noproxy configuration request/request#407)
• 49f174d refactor: onRunComplete method to upgrade on new major version of Istanbul (Check for Host header should be case-insensitive request/request#406)
• 4cfa697 chore: Update dev Dependencies eslint and load-grunt-tasks (Request.prototype.toJSON is wrong in the head request/request#387)
• 5cf931a fix: remove information about old istanbul lib (HTTP 400 on some URIs (but works ok with http.request) request/request#404)
• 352254a chore(deps): bump handlebars from 4.1.2 to 4.5.3 (node v0.9.x compatibility request/request#399)
• 0ee780c chore(deps): bump lodash.template from 4.4.0 to 4.5.0 (Redirection 302 issue: response.statuscode == 200 with body == undefined request/request#392)
• d18cde4 chore(deps-dev): bump eslint from 2.13.1 to 4.18.2 (Client side request/request#397)
• 55aeead Update Source Map Handling (multipart working or broke? request/request#394)
• b23664e Added debug msg whether coverage is in reporters (411 Length Required Error request/request#396)
• d3f53e3 chore(all): Migrate to ES6 (Use latest form-data 0.0.5 request/request#385)
• 9c8a222 Make travis file simpler (https - Socket hang up request/request#386)
• b76db9e Remove unused dateformat dependency (Destroy the response if present when destroying the request request/request#384)
• 075ece0 Remove unused istanbul dependency (http.createClient is deprecated request/request#382)
• 9184fc0 chore: release v2.0.1
• 57d4bd3 chore(deps): npm audit fix --force; update travis.yml (Fixes missing host header on retried request when using forever agent request/request#380)
• 0e2800b chore: release v2.0.0
• 99c0c35 chore: update contributors

See the full diff

Package name: standard

The new version differs by 250 commits.

• 9c505a9 13.0.0
• 7f3dd5d [email protected]
• 8cfb0ee [email protected]
• e235cb5 changelog 13.0.0
• f125f0c add link to security disclosure policy
• bd44694 add nodejs logo; change logos to 4 per row
• f7f98bf Update CHANGELOG.md
• 5e6315c remove badge
• e3862be Update AUTHORS.md
• f796995 13.0.0-0
• 16ffaef Update CHANGELOG.md
• c1f817e bump deps
• ffb0b8e travis: drop node 6, add node 12
• d5565b5 Update CHANGELOG.md
• 4dcd00a add Nuxt.js logo
• ee3104d compress logos
• 6e077d7 standard
• d33bfe9 Merge pull request Add browser test to keep track of browserify compability. request/request#1308 from munierujp/update_japanese_documents
• dd8fe00 Create FUNDING.yml
• 318bfac readme/changelog: global installation changes
• 329a2e0 readme: fix typescript instructions
• db61e3f Update CHANGELOG.md
• 7c661eb Automatically pass on Node 6 or earlier
• 0cfc932 Update Japanese document for 40d1d5e

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic