[Snyk] Fix for 21 vulnerabilities

[matthiasak]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-COLORSTRING-1082939	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-NODEFORGE-2330875	Yes	Proof of Concept
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-NODEFORGE-2331908	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430337	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430339	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430341	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-NODEFORGE-598677	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:node-forge:20180226	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:timespan:20170907	Yes	No Known Exploit
	324/1000 Why? Has a fix available, CVSS 2.2	Uninitialized Memory Exposure npm:utile:20180614	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: envify

The new version differs by 3 commits.

• ae5d17b 4.0.0
• 79d00c8 Merge pull request #52 from ariya/single-pass
• 2e773ff Single-pass transformation

See the full diff

Package name: forever

The new version differs by 38 commits.

• b2120f9 Remove utile (#1099)
• 071cc04 Update changelog
• c1bcbff Remove dependency on broadway (#1098)
• 3586afe Prepare 3.0.1 for release
• 67cc950 Prepare 3.0.1 for release
• 877d93a Replaced optimist with yargs (#1093)
• a36330a Update forever-monitor (#1081)
• 0c5d32a Update dependencies and test Node 14 (#1080)
• 9e85c59 Fix argument type of fs.writeFileSync (#1075)
• 58eb131 Add CLI test for starting/stopping from a directory with space (#1068)
• 437ca4a Remove unnecessary path-is-absolute dependency (#1062)
• 8f739b0 Execute Mocha tests (#1054)
• ceb235c Update changelog
• 008766f Add linting (#1053)
• a5b97ae add '--version' to help text (#1041)
• 3c09b6f Update async to 1.x.x (#1052)
• c551947 Update async (#1051)
• dda79a6 Update dependencies (#1050)
• 70259bc Drop support for Node < 6 (#1049)
• 8b41d16 Bump version in package-lock.json
• 2f6d4e0 Only publish necessary files
• 067c758 Bump version to 1.0.1, update changelog
• bce5991 Update forever-monitor (#1047)
• 0ef5100 Fix CI (#1048)

See the full diff

Package name: npm-run-all

The new version differs by 68 commits.

• 59219e8 4.1.0
• f7f7b43 Fix: MaxListenersExceededWarning (fixes #105)
• 64f6479 Chore: use async/await in tests
• 66fa8ff Chore: upgrade dependencies
• 8c8bec0 Docs: update docs
• 8c6debf Chore: tweak CI settings
• 5fcc2c6 Chore: no package-lock
• e07e782 New: add `--aggregate-output` option (fixes [Snyk] Security upgrade autoprefixer from 6.7.7 to 9.0.0 #36)(#104)
• dff6409 Docs: add note about Yarn compatibility (#103)
• 94f1b64 Merge pull request #101 from ntwb/patch-1
• a8364ce Add Node.j 8.x to AppVeyor CI
• c6d3092 Add Node.js 8.x to Travis CI
• 873f036 Merge pull request #95 from goto-bus-stop/feature/docs-in-pkg
• 0fca0e0 Include docs in published npm package.
• 46cfd57 4.0.2
• b90575b Fix: it threw for --race even if --parallel exists (fixes #88)
• acb1582 4.0.1
• 378c54b Chore: switch to codecov
• 779720c Chore: fix trivial
• 6beda60 Docs: update README.md
• 558da4b Merge pull request #82 from vinkla/patch-1
• 181b689 Merge pull request #84 from bmarcaur/fix/npm-execpath-case-sensitivity
• bb9e627 NPM_EXECPATH -> npm_execpath, this variable is case sensitive
• 81e3d0f Merge pull request #83 from evilebottnawi/patch-2

See the full diff

Package name: nsp

The new version differs by 28 commits.

• 1495eb3 3.0.0
• 70b1f1f wrap meta
• ff5566d update docs and dockerfile
• eb8ae26 force localhost as hostname
• 6e9e7fd use older boom to make node 6 happy
• e11c996 not sure what changed here but ok npm
• 868291f merge
• c3928e5 start adding tests
• ad94628 lint
• 3a00902 adding engines casue we only support 6.0.0 and greater for nsp 3.0.0- thx @ jweinsteincbt
• 740f213 suggestion to run nsp gather when offline fails due to node advisory db, thanks @ jweinsteincbt
• e28c457 dont require auth to fetch online exceptions
• 619460d add login command, fixup config saving
• 47407b8 help grouping
• 84c8646 cleanup error message output
• af8a486 dont wrap output
• dc8a3b1 group options
• f57a35c allow fetching exceptions from api with auth
• f1702ef print 400 error details in all reporters
• d3856ae cleanup
• 849f527 load .nsprc
• 97cfe6f make args.path consistent
• c2e23f4 Merge branch '3.0.0' of github.com:nodesecurity/nsp into 3.0.0
• 8c8b08c pass result.message for checks, fixed width in table reporter

See the full diff

Package name: postcss-cli

The new version differs by 250 commits.

• d2e7678 7.1.1
• 0758cd1 Do not use package-lock.json
• 8b39a4e Update dependency uuid to v7 (#318)
• 7a9c4ef Fix: External source maps not being generated (#324)
• 47104bc Update dependency chalk to v4 (#322)
• 96699c1 Update dependency prettier to v2 (#319)
• 42fc85e Update dependency globby to v11 (#317)
• 7574638 Configure Renovate (#316)
• 62ac6a4 Update fs-extra to version 9.0.0 (#315)
• e6828a9 Update dependency-graph to version 0.9.0 (#311)
• 459cc48 Update eslint-config-problems to the latest version 🚀 (#310)
• 6b0666e Update ava to version 3.1.0 (#309)
• 9fb5dbe 7.1.0
• 568528d Respect map.annotation string (#307)
• 745ad2c 7.0.0
• cf6ea09 Update eslint config
• ea1cec4 Update eslint-config-problems to version 3.1.0 (#306)
• 1519430 Update globby to version 10.0.1 (#303)
• 5b47456 Update eslint to version 6.8.0 (#305)
• e241672 Update nyc to version 15.0.0 (#297)
• 4a87ff1 Update chalk to version 3.0.0 (#294)
• e666505 Update prettier to version 1.19.1 (#304)
• 0d3591a Update ava to version 2.4.0 (#302)
• cb9f451 Update fs-extra to version 8.1.0 (#301)

See the full diff

Package name: precss

The new version differs by 14 commits.

• bafe9c3 3.0.0
• 559e84d 2.0.0
• a229fd8 package.json
• 867b221 Update plugin organization
• bd71070 Merge branch 'master' of github.com:jonathantneal/precss
• 6c51f13 PostCSS 6 - updated dependencies
• d25d0ac README.md - Use scss for code blocks
• cd3279d Merge pull request #85 from jboelen/patch-1
• 2935fae .travis.yml - Node 4
• c2520f6 Merge pull request #72 from pacosegovia/master
• eb4866f Merge pull request #79 from RobLoach/fix-tests
• 1ba6285 Update postcss-partial-import dependency
• b9f8293 Fix the tests
• 04635ea Update README.md

See the full diff

Package name: sane

The new version differs by 22 commits.

• 6324f3a release v2.5.0 🎉
• a419f94 Use `micromatch` and bump `anymatch`. (#115)
• ec657e4 release v2.4.1 🎉
• adf6305 release v2.4.0 🎉
• f051102 fixed test failure - closing WatchmanWatcher instance was not passing the instance to close into WatchmanClient, resulted in spurious events (#114)
• 14fbf09 Fix node 4 support (#112)
• 8be8b96 Fix issues: (#111)
• cd7d33d Updated to WatchmanWatcher, created singleton WatchmanClient using promises (#109)
• d9158e9 fix sane signatures (#110)
• c07724b 2.3.0
• e1bcc0c Allow to set a custom watchman binary path (#108)
• 516623b cli ignored option
• 9f753a6 Expose ignored option to CLI (#99)
• 480af5d 2.1.0
• 488b969 Bump watch version to ~0.18.0 (#101)
• 724040e Add support for fsevents watcher. Bumping major because of the native (optional) dep
• 3b6e45b improve error handling in node_watcher (#100)
• 5e3a10f dont run fsevents tests in CI
• 402a760 try optional dependency
• 803407c FSEvents watcher (#97)
• 5195f7b Format and lint tests
• 34defa0 Update tooling (eslint + prettier)

See the full diff

Package name: watchify

The new version differs by 40 commits.

• 7b27a3c 4.0.0
• 5d4842a bump deps (#380)
• b840f29 disable package-lock.json
• bae5e02 update chokidar and anymatch (#378)
• 3445775 ci: use github actions (#379)
• f79e59f Change URLs from "Substack" (someones personal site & acc) to "browserify" (#369)
• bd2f677 ci: run on more node versions
• 563a90d Merge pull request #367 from Trott/update-readme-badge
• bb2b429 chore: Fix Travis-CI badge in readme.markdown
• c3fe218 3.11.1
• e90101b Merge pull request #362 from digipost/upgrade-deps
• d163b4f upgrade dependencies: fix errors from npm audit
• 1917270 Merge pull request #351 from menzow/feature/update-docs
• d232754 Merge pull request #357 from Kamil93/patch-1
• d924e9b Update readme.markdown
• 9ea8a65 Support for working with transforms
• 11989b2 3.11.0
• 82669ad Merge pull request #355 from browserify/browserify-16
• 495b6f2 Update to browserify@16
• 2bc76db Merge pull request #353 from BridgeAR/master
• b2a2ab1 test: add callbacks
• 5f7f27b 3.10.0
• 6de686b browserify@15
• 8147bc5 Add troubleshooting information for silenced errors

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn