[Snyk] Fix for 43 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • test/fixtures/demo-os/package.json
  • test/fixtures/demo-os/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	599/1000 Why? Has a fix available, CVSS 7.7	Remote Memory Exposure SNYK-JS-BL-608877	No	No Known Exploit
	614/1000 Why? Has a fix available, CVSS 8	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-BOWER-73627	No	No Known Exploit
	704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-DECOMPRESSZIP-73598	No	No Known Exploit
	569/1000 Why? Has a fix available, CVSS 7.1	Arbitrary Code Execution SNYK-JS-GRUNT-597546	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-HANDLEBARS-173692	No	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-HANDLEBARS-469063	No	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-HANDLEBARS-534478	No	No Known Exploit
	704/1000 Why? Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-HANDLEBARS-534988	No	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-HANDLEBARS-567742	No	Proof of Concept
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-LODASH-590103	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	No Known Exploit
	434/1000 Why? Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:deep-extend:20180409	No	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	Yes	No Known Exploit
	704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary Code Injection npm:growl:20160721	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Cross-site Scripting (XSS) npm:handlebars:20151207	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:hawk:20160119	No	No Known Exploit
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Timing Attack npm:http-signature:20150122	No	No Known Exploit
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	Yes	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Remote Memory Exposure npm:request:20160119	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:semver:20150403	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Denial of Service (DoS) npm:superagent:20170807	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Information Exposure npm:superagent:20181108	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20160722	No	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	No	Proof of Concept
	629/1000 Why? Has a fix available, CVSS 8.3	Improper minification of non-boolean comparisons npm:uglify-js:20150824	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: csscomb

The new version differs by 50 commits.

• 3204363 v3.1.0
• 854005c Tests: Unskip green parser test
• ac2c972 Add test for [Snyk] Fix for 6 vulnerabilities #374
• 33388bc Use readFileSync and JSON parse to read config
• ecfc41e Follow the configPath to the real path
• efa3d8d Tests: Unskip green vendor-prefix test
• 5750550 Tests: Unskip core tests
• 658173b Tests: Unskip integral tests
• dc1cffd Gonzales 3.0: Fix detection tests
• 7c4f5cb Add test for [Snyk] Security upgrade sanitize from 4.6.2 to 4.6.2 #333
• 52501c7 Fix [Snyk] Security upgrade django from 1.6.1 to 2.2.27 #319: Nested properties
• f556116 add iojs & 0.12
• 6af71be Update options
• 6960b03 Update names of node types
• 93b2e7f Update dependencies
• 5efd46b Tests: Unskip green tests
• 2ece912 Gonzales 3.0: Update `space-before-closing-brace`
• a25249a Gonzales 3.0: Update `sort-order` option
• 76732e4 Tests: Add `readFile` to public methods
• 587a877 Tests: Uncomment sass tests
• c8dd880 Gonzales 3.0: Update `block-indent` option
• 9be754b Gonzales 3.0: Update `vendor-prefix-align`
• d39942e Gonzales 3.0: Update `unitless-zero` option
• a848aa3 Gonzales 3.0: Update `tab-size` option

See the full diff

Package name: grunt-contrib-compress

The new version differs by 69 commits.

• b0488b4 v1.3.0
• f8f2ff4 v1.2.0
• fe2f565 Merge pull request [Snyk] Security upgrade validator from 3.40.0 to 13.6.0 #182 from dharammaniar/master
• b8dfc50 Update archiver to v1.0.0
• c1cd66d Update CI configs from the latest grunt-contrib-internal.
• 8c2ca32 Reindent and use camelcase variable names.
• 4e049b4 Update CI configs from the latest grunt-contrib-internal.
• a2a6b33 Upgrade grunt and devDeps to 1.0
• 24e0204 v1.2.0
• 0af6341 Update devDeps
• 2edf867 Use lodash directly. Fixes [Snyk] Security upgrade ember-cli from 0.2.7 to 3.16.0 #177.
• ff37330 Update CHANGELOG.
• 9dffe39 v1.1.1
• 94e8d8a Merge pull request [Snyk] Security upgrade snyk from 1.101.1 to 1.230.7 #175 from ascripcaru/verbose
• e0ab230 list each file archived only with verbose flag
• abcda60 v1.1.0
• 15f62b1 Merge branch 'fix-gruntjs#61' of https://github.com/philippsimon/grunt-contrib-compress into philippsimon-fix-gruntjs#61
• bef6a27 v1.0.0
• 12ffb95 Update archiver, chalk and pretty-bytes
• 39e13f8 Update versions of Node.js supported
• 54190aa Add Grunt as >=0.4.5 peerDep
• f3465bd Doc fixes
• fff3ef5 Fix typo
• fd63f99 Merge pull request [Snyk] Fix for 2 vulnerabilities #156 from daemonl/master

See the full diff

Package name: grunt-contrib-uglify

The new version differs by 39 commits.

• d7704c4 v0.11.1
• c129bf6 Merge pull request [Snyk] Security upgrade ember-cli-mocha from 0.7.0 to 0.9.4 #377 from avdg/fix-screw-ie8-option-crash
• d74556f Merge pull request [Snyk] Security upgrade ember-cli from 0.2.7 to 2.12.0 #387 from joeldenning/patch-1
• 758b7d5 Merge branch 'master' of github.com:gruntjs/grunt-contrib-uglify
• 92c84c8 Point main to task
• 0b00c0b Remove peerDeps. Ref Remove peerDependencies from plugins gruntjs/grunt#1116
• 52cc6ae Merge pull request [Snyk] Security upgrade tap from 5.8.0 to 9.0.0 #388 from swarajgiri/bump-dependencies
• 2ff0283 Update lodash, maxmin and dev dependencies
• 6352022 Improve documentation for conditional compilation
• a6dd1cb Merge pull request [Snyk] Security upgrade sinatra from 1.3.2 to 2.2.0 #386 from ramswaroop/master
• f3c4592 Update README.md
• ea77dde Merge pull request [Snyk] Security upgrade snyk from 1.101.1 to 1.465.0 #375 from jrhite/master
• 63279df Update copyright to 2016
• 71bf6f5 Merge branch 'master' of https://github.com/vibornoff/grunt-contrib-uglify into fix-screw-ie8-option-crash
• be7de43 CI: Remove node.js '0.12' and add '5'.
• 8578547 add handling of mangle_properties regex option in uglifyjs
• 1deb3be v0.11.0
• 13e95a2 Bump uglify-js to v2.6.0.
• 17ee505 Revert "Do not use "^" versions, ever, use ~"
• 2562bb2 v0.10.1
• 326f932 Merge pull request [Snyk] Security upgrade django from 1.6.1 to 1.8.16 #369 from Rialgar/patch-1
• 7276245 Do not use "^" versions, ever, use ~
• b8bd228 v0.10.0
• e47d9e1 Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5.1 #361 from UltCombo/patch-1

See the full diff

Package name: grunt-jscs

The new version differs by 24 commits.

• d13072f Release v2.3.0
• d8fef95 Update jscs to 2.5.0 version
• c272f8f Release v2.2.0
• 4767f7f Check 4. and .12 nodes with travis CI
• cc63399 Update "load-grunt-tasks" dependency
• 1e4c9bf Use "idiomatic" preset instead of "jquery"
• 0c86a48 Use new "Checker#execute" method
• 6011f05 Release v2.1.0
• 31f9ced Release v2.0.1
• 3f2499e Update dependencies
• 302d8da Use Travis CI container-based builds
• 4a34df6 Release v2.0.0
• 9e6d86e Update dependecies
• 17f9e9c Bump jscs version to 2.0.0
• 8715716 Fix code style issues
• ad532e2 Update package.json
• 49936c6 Add enmasse testing merge with path config and inline options
• 330f2bc Merge branch 'remove-grunt-bump'
• 34dba9c Change package.json indent size to 2
• 8c7064b Document how to publish a new version
• de383ba Create npm scripts to bump version
• 1e60f29 Remove grunt-bump and the bump task
• 37a7757 Correct docs example
• b2d9ff9 Improve doc examples

See the full diff

Package name: grunt-mocha-cli

The new version differs by 56 commits.

• 4ca8d04 5.0.0
• e37c4ac Fix eslint on windows
• 78e36af Drop Node 4 and 6 support
• 6208ef4 Upgrade mocha and dependencies
• da68e65 Upgrade xo
• e587511 Upgrade ava
• d994d31 readme: https all the links
• bb878b4 Update Mocha link ([Snyk] Fix for 1 vulnerabilities #44)
• 5f5402c v4.0.0
• 0561b60 Upgrade to mocha 4
• a738f24 Don't use sync methods
• ded2b59 Make grunt task requireable
• 24a2ab5 Revert "Upgrade coffeescript"
• bb5c30a Upgrade coffeescript
• 965f0bf Use Promises and remove some eslint-disable
• e8acd0e Stop exposing lib
• facc78f Upgrade dev setup, add prettier and switch to xo
• ed591d2 Release version 3.0.0
• a3fadd6 Drop support for node 0.10 and 0.12
• 1f10946 Fix lint warnings
• 1cf5be9 Update dependencies
• 8d4c95d Update node test versions
• 4241cd0 Release version 2.1.0
• 2b7a994 Update mocha and switch to caret semver range

See the full diff

Package name: nock

The new version differs by 250 commits.

• c7b156a v8.0.0
• 43e9b2f added missing dep
• 1735038 Merge branch 'greenkeeper-request-2.70.0'
• 568cd04 Merge branch 'master' into greenkeeper-request-2.70.0
• ca251b3 making the latest version of lodash work
• 6d997a6 Merge pull request [Snyk] Security upgrade aiohttp from 2.2.2 to 3.8.0 #521 from node-nock/greenkeeper-update-all
• 149d7ab fixes for latest tap version
• 361dc21 chore(package): update request to version 2.70.0
• d4877f7 chore(package): update dependencies
• 5d8e77d v7.7.3
• 9684dc6 Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5 #520 from ericsaboia/master
• 2834178 properly remove interceptor with regex domain from the list after used
• 3ce48c9 Merge pull request [Snyk] Security upgrade sanitize from 4.6.2 to 4.6.2 #519 from Byron-TW/patch-1
• 35e4f4f Fix typo
• 842ecfc changelog update
• 646dfd2 v7.7.2
• d8bbaab v7.7.1
• b40d53a Merge branch 'master' of github.com:node-nock/nock
• bc95ed6 v7.7.0
• 29af0e6 Merge pull request [Snyk] Security upgrade sanitize from 4.6.2 to 5.2.1 #514 from kevinburkeshyp/fix-req-no-match
• 3d08263 Merge pull request [Snyk] Fix for 1 vulnerabilities #512 from kevinburkeshyp/fix-typo
• e4d7433 browserify bundle update
• 4aae26b request abort destroys socket. fixes [Snyk] Fix for 4 vulnerabilities #511
• 37d10ab Fix nock.emitter.on('no match') undefined argument

See the full diff

Package name: supertest

The new version differs by 72 commits.

• 199506d Prepare 3.0.0 release. Small readme updates, update dev libs.
• 1d82e5b Allow TestAgent pass a cert and key to request ([Snyk] Security upgrade grunt from 0.4.5 to 1.5.0 #373)
• 188f8f2 Update readme ([Snyk] Fix for 6 vulnerabilities #392)
• bd63752 Use superagent 3 ([Snyk] Security upgrade snyk from 1.101.1 to 1.230.7 #400)
• 3c16aa1 Couple small updates to README
• 5930d2c Change package.json to 2.0.1 version and update engines field.
• 4d21f0d Remove node 0.12 from travis testing. A little early for 0.12 EOF but I want the new eslint libs which don't support 0.12.
• 6fcd9b3 Update dev deps. Fix couple lint issues. Add node v6 and remove 0.10 for travis tests.
• 2026549 Prepare for 2.0.1 release.
• e07e981 fix request with content-length > 0 and content-encoding: gzip ([Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5.2 #371)
• cf9f991 Update Release History for v2.0.0
• df45dd7 Handle server not-running & superagent system errors ([Snyk] Security upgrade actionpack from 4.2.5 to 4.2.11.3 #348)
• 054ad57 Prepare for 2.0.0 release.
• 7ca0574 Upgrade superagent to 2.x ([Snyk] Security upgrade actionpack from 4.2.5 to 4.2.11.3 #347)
• 7d35f22 Change 'super-agent' to 'superagent' in Readme. ([Snyk] Security upgrade ember-cli from 0.2.7 to 3.5.0 #343)
• d0c1457 Fix eslint checks .pem ([Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5 #331)
• 076ce21 Fix typo on line 74 ([Snyk] Security upgrade express from 4.12.4 to 4.15.3 #330)
• a920af5 MISC Update dev deps, small updates to README.
• 25665c0 Fix readme for .expect(fn), fixes [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5 #253 ([Snyk] Security upgrade ember-cli from 0.2.7 to 2.4.0 #262)
• 480b9bb Merge pull request [Snyk] Fix for 2 vulnerabilities #324 from visionmedia/eslint-refactor
• af3c013 Slight cleanup to esline rules. Remove some overrides, refactor logic in _assertHeader function.
• 1849094 Refactor source code to use eslint with airbnb legacy rules.
• ecced93 Merge pull request [Snyk] Security upgrade ember-cli from 0.2.7 to 1.13.5 #318 from oskarcieslik/patch-1
• a1533e5 Changed example with cookie-parser

See the full diff

Package name: testem

The new version differs by 250 commits.

• 379a0ea 1.9.0
• fccb6a5 Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5 #898 from johanneswuerbach/glob-7
• 1b56c81 Replace fileset with plain glob 7
• bd03b4a Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.11.3 #896 from testem/greenkeeper-bluebird-retry-0.7.0
• 2762202 chore(package): update bluebird-retry to version 0.7.0
• 729ff79 Merge pull request [Snyk] Upgrade snyk from 1.101.1 to 1.1139.0 #889 from testem/greenkeeper-npmlog-3.0.0
• 371cd22 Merge pull request [Snyk] Upgrade snyk from 1.101.1 to 1.1126.0 #866 from tjni/metadata
• 476ea31 Lets custom adapters configure max decycle depth.
• 328a53c Passing metadata from an adapter to a reporter.
• 16c8f76 chore(package): update npmlog to version 3.0.0
• 1a9914f Merge pull request [Snyk] Upgrade snyk-nodejs-lockfile-parser from 1.17.0 to 1.48.3 #888 from johanneswuerbach/bluebird
• 7fa0dfd Extract signal listeners
• b97b9c2 Extract reporter creation
• 700732a Extract run timeout
• bbca2bb Use promises (bluebird) consistently
• 6e4ccbb 1.8.1
• c2c98c7 Merge pull request [Snyk] Upgrade snyk from 1.101.1 to 1.1137.0 #887 from johanneswuerbach/unknown-error
• c996d89 Handle different which exit codes
• b71e0ca 1.8.0
• 6418e12 Merge pull request [Snyk] Upgrade @grpc/proto-loader from 0.1.0 to 0.7.6 #884 from johanneswuerbach/use-sinon
• 13595ca Unify spying and stubbing to sinon
• 4f142a5 Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.11.3 #782 from johanneswuerbach/parallel-integration-tests
• 02ac45e Use a shared cache for npm
• a4bfa4e Run integration tests in parallel

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Denial of Service (DoS) npm:qs:20140806-1	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic