[Snyk] Fix for 10 vulnerabilities

[MaxMood96]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	679/1000 Why? Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	No	No Known Exploit
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	Yes	Proof of Concept
	714/1000 Why? Has a fix available, CVSS 10	Sandbox Bypass npm:constantinople:20180421	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: grunt

The new version differs by 71 commits.

• 27bc5d9 Merge pull request Make the feedback link (in the learn site) look more definite jsbin/jsbin#1714 from gruntjs/release-1.2.0
• 64a3cf4 Release v1.2.0
• 0d23eff Merge pull request Ensure POST'ed content takes precedent over user template jsbin/jsbin#1570 from bhldev/feature-options-keys
• ee70306 Merge pull request Allow users to cancel jsbin/jsbin#1697 from philz/1696
• 05c0634 Merge pull request Trying out cards and moved upgrade out of signin jsbin/jsbin#1712 from gruntjs/fix-lint
• cdd1c19 fix lint in file.js
• bc168e3 Merge pull request Stopped overwriting emmet keymaps, except for the ones we need. jsbin/jsbin#1283 from greglittlefield-wf/recognize-relative-links
• 5f16b5a Merge pull request This CSS breaks the ability to save files [EDIT] character count >7795 breaks save jsbin/jsbin#1675 from STRML/remove-coffeescript
• 58f80ae Merge pull request Remove Kendo UI 2013.Q3, add 2014.Q2. jsbin/jsbin#1677 from micellius/monorepo-support
• 1f61427 Add CODE_OF_CONDUCT.md
• 4c6fcd9 Merge pull request Implement Twitter card API / Open Graph jsbin/jsbin#1709 from NotMoni/patch-1
• 169d496 add link to license
• 288ea76 add license link
• d5cdac0 Merge pull request If we close the new header.... jsbin/jsbin#1706 from gruntjs/tag-neew
• 4674c59 v1.1.0
• 6124409 Merge pull request livecode  jsbin/jsbin#1705 from gruntjs/mkdirp-update
• 0a66968 Fix up Buffer usage
• 4bfa98e Support versions of node >= 8
• f1898eb Update to mkdirp ~1.0.3
• 7985b19 Avoiding infinite loop on very long command names.
• 75da17b HTTPS link to gruntjs.com (Add current opened panes to the bin's URL jsbin/jsbin#1683)
• 5a0a02b support monorepo (relative path)
• 6795d31 Update js-yaml dependecy to ~3.13.1 (Private bins shouldn't have "share" panel jsbin/jsbin#1680)
• 66fc8fa support monorepo (test case)

See the full diff

Package name: grunt-contrib-concat

The new version differs by 8 commits.

• 9e0f72f 2.0.0
• de2b0e9 Merge pull request Move account update from /updatehome to /sethome jsbin/jsbin#192 from gruntjs/release-2
• 2f2aeff Release docs
• 63a42a8 Merge pull request Allow users to create custom urls & protect specific terms jsbin/jsbin#191 from gruntjs/update-deps-oct
• 4c4fab8 Update CI
• 71d6edd Update dependencies
• 9054b14 Merge pull request Preprocessors jsbin/jsbin#176 from alexjking/fix-browserify-sourcemap-regex
• b1cf785 fix(sourcemap-regex): fix regex to match browserify sorucemap charset

See the full diff

Package name: grunt-contrib-uglify

The new version differs by 41 commits.

• a3f3f34 5.2.1
• 3c8d904 Update Readme
• 0850dcd update dependencies (How to disable jslint/jshint? jsbin/jsbin#568)
• c27ad5f Bump minimist from 1.2.5 to 1.2.6 (Fix URL for "running your own JS Bin document" in README.markdown jsbin/jsbin#567)
• 98b4c5f Fix documentation in relation to issue jsbin unresponsive in all browsers except Chrome jsbin/jsbin#565 (YUI 3.10.0 released jsbin/jsbin#566)
• 7228446 Bump minimist from 1.2.5 to 1.2.6 (Only allow spikes and eventsource when referrer domain matches app domain jsbin/jsbin#563)
• e410511 Update deps, v5.1.0 (Add enyo latest and 2.2.0 to libs jsbin/jsbin#564)
• 2cb31be Update uglify-js to v3.15.2 (Add Foundation to Libraries jsbin/jsbin#562)
• 12ca0f2 Fix wording in README.md (custom libraries!! jsbin/jsbin#560)
• 1f6a012 Bump path-parse from 1.0.6 to 1.0.7 (Default save location jsbin/jsbin#558)
• 0e4b1a0 Update uglify-js ("Click to activate watch" appears not to work jsbin/jsbin#557)
• 9ccf10d Bump hosted-git-info from 2.8.8 to 2.8.9 (404 Error for Bootstrap latest jsbin/jsbin#556)
• 4e83e45 Update UglifyJS to 3.13.3 (Owned bin urls jsbin/jsbin#554)
• 8674feb Bump ini from 1.3.5 to 1.3.8 (Not login jsbin/jsbin#552)
• 14b71da v5.0.0
• 9259448 Bump lodash from 4.17.11 to 4.17.19 (Update YUI to the latest version: 3.9.1 jsbin/jsbin#550)
• 4645446 Bump js-yaml from 3.5.5 to 3.14.0 (Show the size of the output window for you repsonsive lovers. Fixes #530 jsbin/jsbin#551)
• b7bcde4 Delete .travis.yml
• cba2631 Delete appveyor.yml
• 3dc53f0 ini github workflow
• f65dbb9 v4.0.1. (line numbers for touch devices jsbin/jsbin#535)
• b33a071 upgrade devDependencies (Add & Update some libs jsbin/jsbin#536)
• 1e40037 upgrade to uglify-js 3.5.0 (Line number jsbin/jsbin#534)
• 33724cd update links to uglifyJS documentation (Show column width when resizing the HTML column jsbin/jsbin#530)

See the full diff

Package name: handlebars

The new version differs by 203 commits.

• 7adc19a v4.7.4
• 9dd8d10 Update release notes
• 4671c4b Use tmp directory for files written during tests
• e46baa1 tasks/test-bin.js: Delete duplicate test
• c491b4e Revert "Update release-notes.md"
• 738391a Update release-notes.md
• 80c4516 chore: add unit tests for cli options (Remove protocol from libraries where possible jsbin/jsbin#1666)
• d79212a fix: migrate from optimist to yargs (Remove protocol from libraries where possible jsbin/jsbin#1666)
• b440c38 chore: ignore external @ types in tests
• 2dba7ee docs: fix comparison link
• c978969 v4.7.3
• 9278f21 Update release notes
• d78cc73 Fixes spelling and punctuation
• 4de51fe Add Type Definition for Handlebars.VERSION, Fixes Fixed #1174 jsbin/jsbin#1647
• a32d05f Include Type Definition for runtime.js in Package
• ad63f51 chore: add missing "await" in aws-s3 publishing code
• 586e672 v4.7.2
• f0c6c4c Update release notes
• a4fd391 chore: execute saucelabs-task only if access-key exists
• 9d5aa36 fix: don't wrap helpers that are not functions
• 14ba3d0 v4.7.1
• 4cddfe7 Update release notes
• f152dfc fix: fix log output in case of illegal property access
• 3c1e252 fix: log error for illegal property access only once per property

See the full diff

Package name: less

The new version differs by 250 commits.

• e4f7551 v3.12.0
• 371185c v3.12.0-RC.2 (Output Only Link Not Working jsbin/jsbin#3540)
• d5aa9d1 Fixes Output window jsbin/jsbin#3371 Allow conditional evaluation of function args (Moddy  jsbin/jsbin#3532)
• a722237 Remove lib folder from git (movie free online jsbin/jsbin#3531)
• e0f5c1a Move changelog to root (Учётная запись. Проблемы с входом на RS School jsbin/jsbin#3530)
• f7bdce7 Duplicate dist files in root for older links (rdsfgtdyh657u68u jsbin/jsbin#3529)
• 0925cf1 Test-data module (BEST MOVIE jsbin/jsbin#3525)
• 51fb02b Fixes Snapshots are not saved, menu is messed up jsbin/jsbin#3504 / organizes tests (Some simple javascript does nothing jsbin/jsbin#3523)
• efb76ec Restore nuked scripts (?), replace dependencies (Payment for upgrade is impossible - link to Stripe learn more. jsbin/jsbin#3501) (Why "You are marked as spam, and therefore cannot authorize a third party application." jsbin/jsbin#3522)
• 2c5e4dd Lerna refactor / TS compiling w/o bundling (Can't open bin jsbin/jsbin#3521)
• a3641e4 Resolve Bins not saving jsbin/jsbin#3398 Add flag to disable sourcemap url annotation (Js.bin not working jsbin/jsbin#3517)
• e018ba8 fix(Forward to jsbin.com webmaster: Broken link on Home-Page jsbin/jsbin#3294): use loadFileSync when loading plugins with syncImport: true (jsbin code editor visibility jsbin/jsbin#3506)
• 95b9007 Update changelog
• 6238bbc Fixes Saving a snapshot command triggers a 500 error jsbin/jsbin#3508 (jsbin is not saving/auto saving. jsbin/jsbin#3509)
• 8338366 Update README.md
• 6313bc5 Update changelog
• 53bf877 Remove tree caching in import manager (Fix GitHub link of JSBin in About page jsbin/jsbin#3498)
• 0f271f3 issue#3481 ignore missing debugInfo ([Snyk] Security upgrade moment from 2.19.2 to 2.29.2 jsbin/jsbin#3482)
• 3bd995b Additional check to avoid evaluating an expression if it is a comment (Ads are covering ui elements on mobile jsbin/jsbin#3494)
• 0715d90 fix: Use make-dir instead of mkdirp (Accessibility improvement suggestions jsbin/jsbin#3490)
• 2634494 Properly exit calc mode after use ([Snyk] Security upgrade moment from 2.19.2 to 2.29.4 jsbin/jsbin#3493)
• 096dd22 Convert to auto-changelog (Getting a string "JS Bin Output" instead of undefined jsbin/jsbin#3477)
• 842386b Fixes can't register jsbin via github. jsbin/jsbin#3469 - Include tslib dependency (My bins cannot be accessed by others jsbin/jsbin#3475)
• 1adaadb 3.11.0 (Issue: UX, Functional: Last few lines of the editor are not accessible by user. Ads are placed on top of it. jsbin/jsbin#3468)

See the full diff

Package name: nodemailer

The new version differs by 4 commits.

• eaef3b5 Merge pull request Multiple CSS file capability requested jsbin/jsbin#719 from nodemailer/v3.0.0
• de5b6f6 updated license
• 652ad8e Do not use PRO in name
• 6218b8d Setup files for EUPL licensed v3.0.0

See the full diff

Package name: tap

The new version differs by 250 commits.

• 8f2baa7 16.0.0
• 65e599e drop support for node v10
• 84fc6df docs: changelog for v16
• e6acf7b update coveralls documentation to say to install it
• 3c7b3ef document coveralls removal in the cli help output
• 43bf1df undocument synonyms
• 1ff75a4 make coveralls an optional peer dep
• 3f1ae47 Add eslint for linting
• 162c1a8 Support Typescript for --before and --after
• 28d2d03 Fix script on using node-tap with codecov
• 3a0e81c docs: fix broken link
• 1b636b2 Add jsonpath-faster
• c4bdeef fix typo `than` to `that`
• 20fbd40 Update Node.js min version to 10.x in CONTRIBUTING
• 90dda0b update cli doc
• 636ab18 15.2.3
• e609d8f docs: changelog for 15.2
• c182328 tap-parser@11.0.1
• f576a60 docs: setting t.snapshotFile
• d9fa241 libtap@1.3.0
• a02f33e update cli doc
• d1500b6 15.2.2
• b784d77 tap-parser@11
• 567384e update cli doc

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn

[stale]

This issue has been automatically marked as stale because it has not had recent activity. More importantly, jsbin has been undergoing a massive refactor by Remy, and a large number of issues have been resolved, but with the growing 600+ open issues, the Stalebot (me), has been brought in to try to manage the issues.
Keep an eye on jsbin.com blog posts and the @js_bin twitter account for updates on the new version of jsbin ❤️
It will be closed next week if no further activity occurs. Thank you for your contributions.