[Snyk] Fix for 36 vulnerabilities #230

teelee7133 · 2023-11-27T14:04:38Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
679/1000 Why? Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	No Known Exploit
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	Yes	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	Yes	Proof of Concept
520/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-584281	Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-Bounds SNYK-JS-NODESASS-535498	Yes	Proof of Concept
761/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.8	NULL Pointer Dereference SNYK-JS-NODESASS-535500	Yes	Proof of Concept
536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	Out-of-bounds Read SNYK-JS-NODESASS-540958	Yes	Proof of Concept
536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	Uncontrolled Recursion SNYK-JS-NODESASS-540964	Yes	Proof of Concept
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Denial of Service (DoS) SNYK-JS-NODESASS-540978	Yes	Proof of Concept
536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	NULL Pointer Dereference SNYK-JS-NODESASS-540992	Yes	Proof of Concept
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-Bounds SNYK-JS-NODESASS-540998	Yes	Proof of Concept
654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-NODESASS-541000	Yes	No Known Exploit
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-bounds Read SNYK-JS-NODESASS-541002	Yes	Proof of Concept
479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: gulp

The new version differs by 134 commits.

55eb23a Release: 4.0.0
173a532 Docs: Fix the installation instructions
ec54d09 Docs: Improve note about out-of-date docs
03b7c98 Docs: Update recipes to install gulp@next
2eba29e Docs: Remove run-sequence from recipes
76eb4d6 Docs: Add installation instructions & update badges
fbc162f Docs: Remove references to gulp-util
3011cf9 Scaffold: Normalize repository
f27be05 Update: Remove graceful-fs from test suite
361ab63 Upgrade: Update glob-watcher
064d100 Build: Avoid broken node 9
057df59 Release: 4.0.0-alpha.3
c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
89acc5c Docs: Improve ES2015 task exporting examples (#1999)
0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
723cbc4 Docs: Fix syntax in recipe example (#1715)
d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
29ece6f Upgrade: Update undertaker
e931cb0 Docs: Fix changelog typos (#1696)
477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
c3dbc10 Docs: Clarify incremental builds example (#1609)

See the full diff

Package name: gulp-autoprefixer

The new version differs by 27 commits.

ede5a11 8.0.0
a953087 Require Node.js 12 and upgrade dependencies
87ff53d Move to GitHub Actions ([Snyk] Security upgrade Django from 1.8.18 to 2.2.22 #117)
c5e7214 7.0.1
da50fd2 Make Gulp an optional peer dependency
40fba84 7.0.0
ab49120 Require Node.js 8 and Gulp 4
83cc576 Enable the repo sponsor button
adec1a7 6.1.0
7b080bf Upgrade dependencies
dfe3919 6.0.0
c225cbd Upgrade `autoprefixer` and `postcss`
ea0b7f8 Require Node.js 6
18a27be 5.0.0
e526a78 Meta tweaks
e954e6e Update sourcemap paths to be relative to `file.base` ([Snyk] Security upgrade bleach from 1.5.0 to 3.1.4 #92)
7828646 Upgrade to Autoprefixer 8 ([Snyk] Fix for 5 vulnerabilities #96)
d008588 4.1.0
27816c3 Meta tweaks
94f3447 Drop dependency on deprecated gulp-util ([Snyk] Fix for 1 vulnerabilities #94)
60aead3 Test against Node.js v8 ([Snyk] Security upgrade bleach from 1.5.0 to 3.1.2 #90)
5188604 4.0.0
04814b7 Rewrite tests to use AVA
7df69ba ES2015ify, bump postcss, require Node.js 4

See the full diff

Package name: gulp-babel

The new version differs by 4 commits.

8e6fa78 7.0.0
8afcd30 make babel-core a peerDep, similar to babel-loader (Bump django from 1.8.18 to 2.2.24 #122)
744f633 7.0.0-alpha.18
21bf286 Babel 7 alpha ([Snyk] Fix for 4 vulnerabilities #112)

See the full diff

Package name: gulp-clean-css

The new version differs by 35 commits.

e2bf4d2 dep updates, test cleanup
48e956f removed deprecated gulp-util (fix vagrant file so it will install gulp client #50)
9f5c4ab readme syntax consistency
869e147 clean-css => 4.1.9
e6c44e4 clean-css => 4.1.8
2f70027 bump clean-css 4-1-7
47425a2 link fix for badge
a43222d 😎
4a4daa1 clean-css bump
edd64a9 bump to clean-css 4.1.5
6db6e08 readme
c93de53 dm, readme
bc636fc build, node v8
8709c50 slight cleanup
414e7cb clean-css => 4.1.4, dep updates
d6729f2 bump
f389d8f ensure that URLs of inlined imports are recalculated relative to current file (Fixes/20170806 handle no blog image #44)
5dc705c Fixes/job board fixes #43 ; dep updated (clean-css 4.1.3)
eeee392 pass rebase option
ba2ee13 fix the url of job details #42
0efd1c3 bump 3.3.0
81d70a7 Merge remote-tracking branch 'origin/master'
92ddf63 rebasing, clean-css 4.1.2
38b8899 update dep, clean-css 4.1.1

See the full diff

Package name: gulp-clone

The new version differs by 6 commits.

3252782 2.0
f3a113e Test on Node 4 and up
6ebd1e4 1.1.1
db8ea95 Update chai and mocha
4ba729d 1.1.0
918beb6 Replace deprecated gulp util (Fixes Added formspree to allo stories submitions #6)

See the full diff

Package name: gulp-concat-css

The new version differs by 3 commits.

8d11ad5 3.0.0
e8f7ad3 Merge pull request Fixes/20170806 handle no blog image #44 from TheDancingCode/pr/remove-gutil
2266a2c Drop dependency on deprecated `gulp-util`

See the full diff

Package name: gulp-copy

The new version differs by 35 commits.

433c976 Bump version
ffde364 Merge pull request deploying to staging app #25 from grig0ry/drop-deprecated
ddd05a4 Replace deprecated dependency gulp-util
cf6bd7a Merge pull request Feature/201705 blog update2 #23 from OmgImAlexis/master
ff8ff0c fix syntax highlighting
d21a458 Release bugfixes version 1.0.1
6c6b293 Merge pull request Feature/auto deploy #22 from klaascuvelier/fixes
216f00a Updates
5bd080c Update options
ab171d2 Merge pull request Fix/20170419 minor fixes plus tests #20 from klaascuvelier/major-update
5131700 update readme
d812177 add some example data
1e69d09 add example to repo
bde5166 Update path exists
e8a8fba add master build status
82a30a4 add version badge
80121dd fix syntax error
e3c96bd clean up
8df47cb update version
15fbbf6 update readme
c776778 Add some tests
4caa555 Move logic to lib
bd0aad4 don't add example to repo
ca8e4c7 add lint command

See the full diff

Package name: gulp-csslint

The new version differs by 15 commits.

c895cee 1.0.1
0a47d89 Only test against the latest note and lts
c40191e Merge pull request [Snyk] Fix for 2 vulnerable dependencies #62 from ladom/no-gulp-util
38488da gulp-util removed
b74cfc3 gulp-util changed
371a4ce 1.0.0
a395233 Merge pull request [Snyk Update] New fixes for 4 vulnerable dependency paths #57 from SimenB/csslint-v1
e368e93 Update to CSSLint v1
6b371c2 Merge pull request Fix/20180315 fix filter show button #54 from SimenB/deps
209d7a3 Use nyc instead of istanbul
40d46d4 Add `node-version-check` to avoid linting on usupported nodes
09a037b Update deps
3cfacb3 Merge pull request Create app.json #29 from SimenB/custom-formatter
16f810f Allow registering custom formatter
17d99d6 Rename `reporter` to `formatter` to match CSSLint

See the full diff

Package name: gulp-eslint

The new version differs by 25 commits.

1d79ed0 4.0.1
8f7e966 replace all HTTP protocols with HTTPS
b48a04a remove deprecated gulp-util dependency ([Snyk] Security upgrade django from 1.8.18 to 3.2.18 #213)
35eae57 update devDependencies ([Snyk] Fix for 54 vulnerabilities #207)
47bd269 use npx to simplify after_script
29dbab5 inherit autofix-related props even if `quiet` option is enabled
a398838 4.0.0
18a4299 emit an error when it fails to load an ESLint plugin
b8bf261 update ESLint from v3 to v4 ([Snyk] Fix for 52 vulnerabilities #198)
c0e82ce use `Buffer.from` instead of `new Buffer`
e6c67a2 drop support for linting `Stream` contents
132d5cc Fix formatting issues in README.md ([Snyk] Fix for 51 vulnerabilities #194)
7f65378 remove link to config file `globals` doc
8ddfb84 correct the type of `globals` option in README
6059c22 3.0.1
b0c2816 ensure sharable config works
08b9212 test the case where babel-eslint is actually useful
eb98701 mock stream-mode vinyl files with from2-string
bcd7736 fix invalid `envs` option
286b0c4 remove unused fixtures
e2723e1 Remove unnecessary `object-assign` dependency
82c1949 3.0.0
97d8638 Remove invalid options in example code
505779d Remove option aliases

See the full diff

Package name: gulp-filter

The new version differs by 14 commits.

845b913 5.1.0
b00bb32 Meta tweaks
52df753 Remove deprecated gulp-util dependency ([Snyk] Security upgrade bleach from 1.5.0 to 3.1.1 #86)
b9fb0bc 5.0.1
b40dd36 Meta tweaks
d7cf3d4 Support Windows for resolve path ([Snyk] Fix for 8 vulnerabilities #80)
f27adc6 Fix testcase for Windows ([Snyk] Fix for 2 vulnerabilities #81)
7276430 5.0.0
835efdf ES2015ify and require Node.js 4
f148c7b Add support for relative parent paths ([Snyk] Fix for 5 vulnerabilities #78)
2e3dd05 Fix option typo
f1dbe11 meta tweaks
a551307 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #60 from leocaseiro/patch-1
922496e Fix documents with references from [Snyk Update] New fixes for 1 vulnerable dependency path #55

See the full diff

Package name: gulp-flatten

The new version differs by 5 commits.

0119b8c new verstion with dropped deprecated deps
14b1908 tests now passes on node 9.x.x
fc2e3f9 Merge pull request move hard coded image urls from cloudinary to aws s3 #15 from TheDancingCode/issue-14
bff1212 Drop dependency on deprecated `gulp-util`
8a83216 exapmple output fix

See the full diff

Package name: gulp-git

The new version differs by 31 commits.

9327f6a 2.5.0
83ff535 core: remove deprecated gulp-util dependency ([Snyk] Fix for 54 vulnerabilities #176)
d54339b Add current branch name example to readme
852ffda added the possiblity to use an array of strings as message in git.commit ([Snyk] Fix for 20 vulnerabilities #173)
61c9eaa node 4, 7, 8
a5c8391 added the possiblity to use an array of strings as message in git.commit and git.tag to the docs ([Snyk] Fix for 52 vulnerabilities #172)
f831f03 travis only clones depth 10, fixes tag test
38eb389 2.4.2
951c0d7 ensure all tags are returned if no message is sent - closes [Snyk] Fix for 54 vulnerabilities #170
0accffa Added git.add({ cwd: '/cwd/path' }) option to ReadMe ([Snyk] Security upgrade gulp from 3.9.1 to 4.0.0 #169)
0d49cbf 2.4.1
71ba307 fix all double callback errors - closes [Snyk] Security upgrade pillow from 4.3.0 to 9.0.1 #166
4578bed 2.4.0
2aeb295 Updated push.js, default branch to push will be current branch with this fix ([Snyk] Fix for 20 vulnerabilities #163)
8e4ecd9 2.3.2
167d083 fix double callbacks + missing cb check - closes [Snyk] Fix for 54 vulnerabilities #162 closes [Snyk] Security upgrade gulp-sass from 2.3.2 to 5.0.0 #159
968f95d 2.3.1
de6fb9a Update require-dir for node v8 - closes [Snyk] Fix for 20 vulnerabilities #164
3afb0cd 2.3.0
fa10a51 support git branch --contains ([Snyk] Fix for 52 vulnerabilities #160)
747a196 2.2.0
ca63976 Fix pull with callback only ([Snyk] Security upgrade django from 1.8.18 to 3.2.15 #158)
aaac3c7 update title
7894cdd 2.1.0

See the full diff

Package name: gulp-less

The new version differs by 2 commits.

7d9df97 4.0.0
cde149b Update accord to support [email protected] - closes #269

See the full diff

Package name: gulp-livereload

The new version differs by 11 commits.

85e7ca0 Update README.md
0a3f940 Update dependencies
909c139 Replace `mini-lr` dependency by `tiny-lr`
e3be670 Generate new certificate for HTTPS tests
5af4318 Update minimum supported Node version to Node 6
f7eeeba Eemove deprecated gulp-util ([Snyk] Security upgrade gulp-sass from 2.3.2 to 5.0.0 #127)
bbf71b1 Merge branch 'lukehorvat-travis-nodejs'
6e58e67 Add Node.js v0.12 and v4 to Travis config
7fc51e9 update README.md
fc39c77 Merge branch 'patch-1' of https://github.com/bigtiger/gulp-livereload into bigtiger
314344a Update README.md

See the full diff

Package name: gulp-notify

The new version differs by 25 commits.

398d0a4 v3.1.0
fc51ff2 Merge pull request [Snyk] Security upgrade Django from 1.8.18 to 3.1.13 #124 from ohbarye/replace-gulp-util
46efdc6 Move vinyl to devDependencies
173fcb0 Use ansi-colors instead of chalk due to node version compatibility
1e8c372 Remove unused through import
3284a51 Drop dependency on deprecated gulp-util
455250c npm install chalk fancy-log plugin-error lodash.template vinyl
658efc5 v3.0.0
b1ba7a2 Adds changelog for bump with node-notifier
7d6944e Updates all dependencies
08244ea Adds log files to ignore
8df5320 Bumps node-notifier dependency to latest
507e21f Merge pull request [Snyk] Security upgrade gulp-sass from 2.3.2 to 3.0.0 #105 from queicherius/patch-1
f32b692 Update node-notifier dependency
f5d3f46 Merge pull request [Snyk] Security upgrade gulp from 3.9.1 to 4.0.0 #103 from Toby-S/patch-1
bbcc4d1 Correct indent_style in .editorconfig
c0d7501 Update README.md
21eed88 Update README.md
084f6a1 Adds support for overriding host/port/appname onError. Fixes Bump bleach from 1.5.0 to 3.1.4 #91
e45ef63 Merge pull request Bump bleach from 1.5.0 to 3.1.1 #85 from stevelacy/patch-1
ef56795 Update license attribute
80a4c0d Merge pull request [Snyk] Fix for 1 vulnerable dependencies #72 from dhruska/master
0783a5c Typo fix in README
b4e95ec Merge pull request [Snyk] Fix for 9 vulnerable dependencies #71 from Andorbal/master

See the full diff

Package name: gulp-print

The new version differs by 16 commits.

d9353ec 3.0.0
d64cc43 Merge pull request try again by adding circle.yml to see if it runs #19 from alexgorbatchev/greenkeeper/mocha-5.0.0
807f01b Merge branch 'master' into greenkeeper/mocha-5.0.0
d181d50 Merge pull request Feature/201704 minor changes #17 from TheDancingCode/pr/remove-gutil
7e02c8a chore(package): update mocha to version 5.0.0
4c2f3e0 Drop dependency on deprecated `gulp-util`
f218ad2 Merge pull request Feature/201702 blog take1 #16 from alexgorbatchev/greenkeeper/mocha-4.0.1
9fb86af Merge branch 'master' into greenkeeper/mocha-4.0.1
06d97dd Updates travis to use node v6 and v8
0f78882 Merge pull request move hard coded image urls from cloudinary to aws s3 #15 from alexgorbatchev/greenkeeper/chai-4.1.2
fb24f18 Merge pull request django-stroage s3boto3 use another options to set cache-control header #14 from alexgorbatchev/greenkeeper/sinon-4.0.1
4869c10 chore(package): update mocha to version 4.0.1
48e5be4 chore(package): update sinon to version 4.0.1
cbf0a9b chore(package): update chai to version 4.1.2
aa1a949 Merge pull request Feature/20161210 google analytic tracking code #9 from alexgorbatchev/greenkeeper/update-all
f317075 chore(package): update dependencies

See the full diff

Package name: gulp-sass

The new version differs by 42 commits.

5775044 Update CHANGELOG.md
978b8f6 Update to major version 5 (#802)
10eae93 Update changelog for 4.1.1
947b26c Upgrade lodash to fix a security issue (#776)
8d6ac29 Update changelog
43c0547 4.1.0
ebe3ec6 Set appropriate file stat times (#763)
7ab018e Migrate to the lodash package
fa670c6 4.0.2
fefa00e Revert package.json version bump
98254d2 Fix README typos
8a14419 Continue loading Node Sass by default
938afbe Add a note about synchronous versus asynchronous speed
7cc2db1 Make this package implementation-agnostic
643f73b Add documentation for synchronous code options
0b3c7e7 4.0.1
daca90d Merge pull request #681 from DKvistgaard/master
71471c2 Declaring logError as function instead of arrow function.
450a7b8 4.0.0
e9b1fe8 Fix node versions in appveyor.yml
44be409 Merge pull request #667 from dlmanning/next
7656eff Adopt airbnb eslint preset
1293169 Bump autoprefixer@^8.1.0, gulp-postcss@^7.0.1
9fa817b Bump gulp-sourcemaps@^2.6.4

See the full diff

Package name: gulp-uglify

The new version differs by 9 commits.

e4f9045 2.0.0
566ec6a refactor(tests): write tests with mocha
5651111 refactor(tests): replace `cmem` with `testdouble`
b82387b refactor(tests): compose streams with `mississippi` utilities

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 36 vulnerabilities #230

[Snyk] Fix for 36 vulnerabilities #230

teelee7133 commented Nov 27, 2023

[Snyk] Fix for 36 vulnerabilities #230

Are you sure you want to change the base?

[Snyk] Fix for 36 vulnerabilities #230

Conversation

teelee7133 commented Nov 27, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade: