[Snyk] Fix for 32 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Remote Memory Exposure SNYK-JS-BL-608877	Yes	No Known Exploit
	Arbitrary Code Execution SNYK-JS-GRUNT-597546	No	No Known Exploit
	Denial of Service (DoS) SNYK-JS-JSYAML-173999	No	No Known Exploit
	Arbitrary Code Execution SNYK-JS-JSYAML-174129	No	No Known Exploit
	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-590103	Yes	No Known Exploit
	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-73638	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
	Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	Yes	Mature
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	No Known Exploit
	Arbitrary Code Injection npm:growl:20160721	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:hawk:20160119	No	No Known Exploit
	Prototype Pollution npm:hoek:20180212	Yes	No Known Exploit
	Timing Attack npm:http-signature:20150122	No	No Known Exploit
	Prototype Pollution npm:lodash:20180130	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	Denial of Service (DoS) npm:qs:20140806	No	No Known Exploit
	Denial of Service (DoS) npm:qs:20140806-1	No	No Known Exploit
	Prototype Override Protection Bypass npm:qs:20170213	Yes	No Known Exploit
	Remote Memory Exposure npm:request:20160119	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20160722	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	Yes	No Known Exploit
	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Yes	Proof of Concept

Commit messages

Package name: grunt

The new version differs by 45 commits.

• 6f49017 1.3.0
• faab6be Merge pull request #1720 from gruntjs/update-changelog-deps
• 520fedb Update Changelog and legacy-util dependency
• 7e669ac Merge pull request #1719 from gruntjs/yaml-refactor
• e350cea Switch to use `safeLoad` for loading YML files via `file.readYAML`.
• 7125f49 Merge pull request #1718 from gruntjs/legacy-log-bumo
• 00d5907 Bump legacy-log
• 3b75085 1.2.1
• ae11839 Changelog update
• 9d23cb6 Merge pull request #1715 from sibiraj-s/remove-path-is-absolute
• e789b1f Remove path-is-absolute dependency
• 27bc5d9 Merge pull request #1714 from gruntjs/release-1.2.0
• 64a3cf4 Release v1.2.0
• 0d23eff Merge pull request #1570 from bhldev/feature-options-keys
• ee70306 Merge pull request #1697 from philz/1696
• 05c0634 Merge pull request #1712 from gruntjs/fix-lint
• cdd1c19 fix lint in file.js
• bc168e3 Merge pull request #1283 from greglittlefield-wf/recognize-relative-links
• 5f16b5a Merge pull request #1675 from STRML/remove-coffeescript
• 58f80ae Merge pull request #1677 from micellius/monorepo-support
• 1f61427 Add CODE_OF_CONDUCT.md
• 4c6fcd9 Merge pull request #1709 from NotMoni/patch-1
• 169d496 add link to license
• 288ea76 add license link

See the full diff

Package name: grunt-retire

The new version differs by 15 commits.

• fa87c6f 1.0.4
• b31f054 Merge pull request [Snyk] Security upgrade nodemon from 1.19.1 to 2.0.0 #37 from deiga/patch-1
• 84c75c1 Removes request dependency
• c0e84d0 Fixes security vulnerability
• 2cd0ee9 Add "retirejs" to keywords in package.json to align with keywords used in retirejs
• 97b2f46 Formatting in README.md
• 6bc27f8 1.0.3
• ddc76ca Merge pull request [Snyk] Security upgrade zaproxy from 0.2.0 to 1.0.1 #36 from RetireJS/master
• 6f4a644 Removing .find() to support older versions of node.js
• c3320ed 1.0.2
• b9c115e Merge pull request [Snyk] Fix for 11 vulnerabilities #33 from szarouski/feature/improve-vulnerability-ignoring
• 3e0ce68 Improve vulnerability ignoring (https://snyk.io/redirect/github/Improve Vulnerability Ignoring RetireJS/retire.js#67). This change updates retirejs to 1.2.x which now supports vulnerability ignoring based on library version or even issue number. Note that retirejs only implements those features for .retireignore.json, so if you want extra ignoring, you'll need to update your .retireignore to use following format: https://github.com/RetireJS/retire.js/blob/master/example.retireignore.json.
• d3901b7 Released 1.0.1. Removed grunt-contrib-nodeunit as it was not used. Fixes [Snyk] Security upgrade mocha from 2.5.3 to 3.0.0 #27.
• e980e0a Release 1.0.0. Dropped support for Grunt 0.4, we now require Grunt 1.0 or newer. Upgrading to Grunt 1.0 removes the graceful-fs warning. Fixes [Snyk] Security upgrade mongodb from 2.2.36 to 3.1.3 #32
• 854d503 Added license field to package.json

See the full diff

Package name: mocha

The new version differs by 250 commits.

• eb781e2 Release v6.2.3
• 10dbe94 update CHANGELOG for v6.2.3 [ci skip]
• 848d6fb security: update mkdirp, yargs, yargs-parser
• 843a322 6.2.2
• aec8b02 update CHANGELOG for v6.2.2 [ci skip]
• 7a8b95a npm audit fixes
• cebddf2 Improve reporter documentation for mocha in browser. (#4026)
• 3f7b987 uncaughtException: report more than one exception per test (#4033)
• ee82d38 modify alt text of image from Backers to Sponsors inside Sponsors section in Readme (#4046)
• e9c036c special-case parsing of "require" in unparseNodeArgs(); closes #4035 (#4063)
• 954cf0b Fix HTMLCollection iteration to make unhide function work as expected (#4051)
• 816dc27 uncaughtException: fix double EVENT_RUN_END events (#4025)
• 9650d3f add OpenJS Foundation logo to website (#4008)
• f04b81d Adopt the OpenJSF Code of Conduct (#3971)
• aca8895 Add link checking to docs build step (#3972)
• ef6c820 Release v6.2.1
• 9524978 updated CHANGELOG for v6.2.1 [ci skip]
• dfdb8b3 Update yargs to v13.3.0 (#3986)
• 18ad1c1 treat '--require esm' as Node option (#3983)
• fcffd5a Update yargs-unparser to v1.6.0 (#3984)
• ad4860e Remove extraGlobals() (#3970)
• b269ad0 Clarify effect of .skip() (#3947)
• 1e6cf3b Add Matomo to website (#3765)
• 91b3a54 fix style on mochajs.org (#3886)

See the full diff

With a Snyk patch:

Severity	Issue	Exploit Maturity
	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	Prototype Pollution npm:extend:20180424	No Known Exploit
	Prototype Pollution npm:hoek:20180212	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit
	Prototype Override Protection Bypass npm:qs:20170213	No Known Exploit
	Uninitialized Memory Exposure npm:stringstream:20180511	Mature
	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No Known Exploit
	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic