[Snyk] Fix for 19 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • js-old/package.json
  • js-old/package-lock.json
  • js-old/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change
	Timing Attack SNYK-JS-ELLIPTIC-511941	No
	Prototype Pollution SNYK-JS-LODASH-450202	No
	Prototype Pollution SNYK-JS-LODASH-73638	No
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	No
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540	No
	Cross-site Scripting (XSS) SNYK-JS-REACTTOOLTIP-72363	No
	Prototype Pollution npm:lodash:20180130	No
	Cross-site Scripting (XSS) via Data URIs npm:marked:20170112	No
	Cross-site Scripting (XSS) npm:marked:20170815	No
	Cross-site Scripting (XSS) npm:marked:20170815-1	No
	Regular Expression Denial of Service (ReDoS) npm:marked:20170907	No
	Regular Expression Denial of Service (ReDoS) npm:marked:20180225	No
	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No
	Prototype Override Protection Bypass npm:qs:20170213	No
	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Yes
	Buffer Overflow npm:validator:20160218	No
	Regular Expression Denial of Service (ReDoS) npm:validator:20180218	Yes

Commit messages

Package name: keythereum

The new version differs by 44 commits.

• 6b30068 Incremented version
• 4a9e16b Merge branch 'fix-recover'
• a937a2b Minor recover tweak
• fc325ef Merge branch 'master' into fix-recover
• 7f652c6 Updated distributable
• e18418c Merge branch 'remove-validator'
• 7cd44d7 Export and unit test isHex and isBase64
• a2cfd43 Added validator as devDependency for test/checkKeyObj
• 42537d8 isBase64 now returns boolean
• 043e7e8 isHexadecimal now returns boolean
• 495d0dd `.recover` should not affect `.constants`
• c67c936 Remove validator package
• 2bdf6c4 Export and unit test str2buf and hex2utf16le; use Buffer.from instead of new Buffer
• 1483a7d Merge branch 'simplify-create'
• 8c57e13 Tweaked comments, randomBytes callback
• e2749bd Merge branch 'master' into simplify-create
• 8ab5590 Merge branch 'improvement/isCipherAvailable'
• 0b38e71 Linting
• ee4238a Merge branch 'master' into improvement/isCipherAvailable
• 6557352 Left-pad private keys to 32 bytes; added more privateKeyToAddress test cases
• 6629160 Merge branch 'remove-ethereumjs-util'
• 7a279ca Linting; fixed secp256k1 version number
• 2f5a2c1 Simplify `create`
• ecf0449 Remove ethereumjs-util

See the full diff

Package name: marked

The new version differs by 250 commits.

• 529a8d4 Merge pull request Images for the wiki openethereum/parity-ethereum#1441 from styfle/release-0.6.2
• fc5dbf1 🗜️ minify [skip ci]
• b1ddd3c Merge pull request Allow configuration of when to reseal blocks. openethereum/parity-ethereum#1460 from andersk/inline-text-quadratic
• be27472 Improve worst-case performance of inline.text regex
• 6b88601 0.6.2
• ba1de1e 🗜️ minify [skip ci]
• d94253c Merge pull request Windows: Node's web3.js fails to connect to parity JSONRPC openethereum/parity-ethereum#1438 from UziTech/html-new-line-fix
• 6eec528 Merge pull request Crash in MIO on connection aborted. openethereum/parity-ethereum#1449 from UziTech/use-htmldiffer
• 0cd0333 remove redundant comments
• ff127c5 use template literals
• a16251d fix test spacing
• da57301 use htmldiffer in file tests & update to node 4
• 621f649 abstract htmldiffer
• 42e816c fix again
• 246dd3d fix whitespace after tag
• f1089fe add test
• 0f0b763 allow html without \n after
• d069d0d Merge pull request Signer panics when port is not available. openethereum/parity-ethereum#1448 from UziTech/version
• 5d6bde0 Merge pull request --author argument doesn't fail when misformatted openethereum/parity-ethereum#1444 from UziTech/normalize-tests
• 4760772 fix tests
• df310a8 remove header ids from original tests
• 775d08d move redos tests to /redos folder
• b169e7b add excerpt length constant
• fd9dc21 update deps

See the full diff

Package name: napa

The new version differs by 12 commits.

• 09bd26e v3.0.0
• 089c10e Update copyright 2017
• b998270 Merge pull request [Snyk] Fix for 3 vulnerable dependencies #79 from chitoku-k/fix/dep
• 6e38787 Drop support for Node.js < 4
• 707ec6c Downgrade devDependencies
• a76b475 Update dependencies
• bc0eddb Merge pull request [Snyk] Fix for 3 vulnerable dependencies #77 from Grawl/patch-2
• 741e296 Update README.md
• 6be8fb2 Merge pull request [Snyk] Fix for 3 vulnerable dependencies #75 from Grawl/patch-1
• 78b75af Update README.md
• 9e07ff2 Update README.md
• 899da15 Update README.md

See the full diff

Package name: qs

The new version differs by 18 commits.

• 9ee5612 v6.3.2
• 0a63fc8 [Tests] up to `node` `v7.7`, `v6.10`,` v4.8`; disable osx builds since they block linux builds.
• 8e1f3e7 [Fix] support keys starting with brackets.
• febe81a [Fix] chmod a-x
• e54c5ec [Dev Deps] update `eslint`
• 8e2af08 [Fix] follow `allowPrototypes` option during merge
• 153ce84 v6.3.1
• d73b7a6 [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `browserify`
• beade02 [Fix] ensure that `allowPrototypes: false` does not ever shadow Object.prototype properties.
• 8bd4c6c Document allowDots option for stringify
• 0adcf3e [Docs] add empty object and array values example.
• 5f27353 [Tests] on all node minors; improve test matrix
• 657f8df [Docs] Fix minor inconsistency/typo
• 839b1f2 [Docs] Show example of sort option
• ec3bc8e Remove contributing.md, since `qs` is no longer part of `hapi`. ([Snyk] Fix for 6 vulnerabilities #183)
• b041eb9 [Refactor] `stringify`: throw faster with an invalid encoder
• 2ca339e [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `browserify`, `iconv-lite`, `qs-iconv`, `tape`
• eb9fbe4 remove unnecessary escapes (according to npm test results)

See the full diff

Package name: react-tooltip

The new version differs by 136 commits.

• cb16d97 Merge pull request Make clippy an optional dependency openethereum/parity-ethereum#422 from wichniowski/fix/sanitizeHtmlPreventXSS
• 182df11 fix(tooltip): sanitize HTML to prevent XSS
• ce365fe Merge branch 'plondon-fix/nonce-support'
• cf105a1 feat: The only way to support styling react-tooltips with a strict csp is to inject the style.css di
• 9617aa7 Merge pull request Network/Sync fixes and optimizations openethereum/parity-ethereum#416 from RobertGary1/rmg-mouseover
• 19a8a67 feat: Small bug fix to previous commit
• 79342ce feat(tooltip): Add ability to hover on tooltip. Provide optional delay of updating so if the mouse p
• f6f8401 Merge pull request Use latest era instead of end era as journal marker openethereum/parity-ethereum#414 from AlexanderEllis/master
• 57dc55a Fixed jsdoc return typos
• 86f3cf8 Merge pull request Using modified version of ctrlc that catches SIGTERM openethereum/parity-ethereum#399 from jstettner/master
• 02b6fef fixes typos
• f02ff35 Update dev dependencies for avoiding warning
• 4fb4b40 Merge pull request jsonrpc openethereum/parity-ethereum#391 from hassanbot/tooltip-orientation
• 6f01ed8 Change orientation priority
• 424e43b Fix formatting
• f33d5b3 Make sure tooltip is oriented correctly when close to edge
• c44cc2d Merge pull request Release 1.0 openethereum/parity-ethereum#389 from wwayne/current_target_fix
• 28b8493 fix(isCapture): better guard that preserves logic
• 99bf5ec Merge branch 'master' into current_target_fix
• 4f89a2d fix(isCapture): guard use of currentTarget
• 871b77c Merge pull request Editorconfig file. openethereum/parity-ethereum#384 from P0lip/master
• 6d7b3fa Add info about workaround
• f14c6ca Code review fixes
• 68fd5b5 Detach custom event listener

See the full diff

Package name: recharts

The new version differs by 39 commits.

• 49c3e7e Version 0.16.0
• 67dd4c6 test: fix test case
• 2bc2dc6 docs: update packages
• dd0f213 test: update some test case and fix test error
• 515279c feat: support both x-axis and y-axis are numerical axis, fix [Snyk] Fix for 6 vulnerabilities #183
• dcff8ce fix: fix angle in PolarRadiusAxis
• ff63d75 fix: fix the axis when change new data
• 208e39c fix: fix server render bug of Text, fix ethcore docs openethereum/parity-ethereum#301
• 69e56b3 fix: 1. fix angle of PolorRadiusAxis 2. fix BrushDemo 3.fix lint error
• 223a20d lint: fix some lint errors
• cc5b435 Merge pull request update ethcore.github.io documentation automatically openethereum/parity-ethereum#311 from konstantin24121/issue310
• 7a19c5a Merge pull request [Snyk] Security upgrade web3 from 1.0.0-beta.26 to 1.2.0 #277 from billneff79/axis-performance
• ee72d56 add animation events
• 84400a0 Version 0.15.3
• 25d9e76 fixed bugs in @developit pull request for performance in ReactUtils
• 43e6691 Fix painfully slow sanitization methods
• 5cf6283 autofix some lint errors
• 2193758 merge in origin/master and fix merge conflicts
• 2c823d8 Add angle property to PRESENTATION_ATTRIBUTES (Immutable Transaction data structure openethereum/parity-ethereum#307)
• 8600611 chore: update istanbul plugin
• fa41282 Merge pull request [Snyk] Security upgrade keythereum from 0.4.6 to 0.4.9 #294 from recharts/fix/update_deps
• 716be6c chore: add yarn.lock and update deps
• 8589639 Added more tests to LineChart and AreaChart to ensure pure rendering
• dfe08f8 Added tests to future proof against PureRendering getting messed up on LineCharts, which should help catch issues with several others as well

See the full diff

Package name: validator

The new version differs by 250 commits.

• 748d499 9.4.1
• 1950835 Patch a REDOS
• 77ed1ed Update the changelog and min version
• 5c4c971 Merge pull request Auto detect available port (with fixed test) openethereum/parity-ethereum#788 from malachiwa/patch-1
• 6a91b75 Update Israel's prefixes of mobile phone numbers
• c93cf2c Merge pull request Listen on all interfaces for JSONRPC by default. openethereum/parity-ethereum#786 from amilajack/patch-1
• eeba049 Run against node 8
• 4e455d2 9.4.0
• 4fb34e9 Re-add the change to the en-IN phone regex
• f2b9806 Updates from the previous merge
• ca20e91 Merge pull request Allow 0x prefix for --author. openethereum/parity-ethereum#785 from geekguy/master
• f51344f Indian mobile numbers can start with 6 now.
• 0ccb1c7 Update the changelog and min version
• e7b8557 Merge pull request Transaction trace querying openethereum/parity-ethereum#769 from ProfNandaa/feat-741-is-phone-number-cc
• 5615a12 isMobilePhone: add option for strictMode
• ca0f25f 9.3.0
• e9a4009 Remove the leftover compiled isDate
• bf46b58 Update the changelog and min version
• 06d6b16 Merge pull request Geth-compatible IPC module openethereum/parity-ethereum#774 from vetoshko/new-phones
• 3920f9d Merge branch 'master' into new-phones
• f5fcb6d Merge pull request added output to execution result openethereum/parity-ethereum#777 from athivvat/support-thailand-locale
• cbea0c7 Merge branch 'master' into support-thailand-locale
• ab898d5 Merge pull request Make Externalities::ret consume self openethereum/parity-ethereum#779 from aniham/master
• cfca110 Merge branch 'master' into master

See the full diff

With a Snyk patch:

Severity	Issue
	Prototype Pollution npm:extend:20180424

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic