[Snyk] Fix for 12 vulnerabilities

[NubleX]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Remote Memory Exposure SNYK-JS-BL-608877	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-CSSWHAT-3035488	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: cheerio

The new version differs by 56 commits.

• c3ec1cd Release 0.20.0
• ef848ca Add coveralls badge, remove link to old report
• dbcbe90 Merge pull request blog: release post for 4.4.7 nodejs/nodejs.org#808 from leifhanack/lodash4
• c04ead1 Merge pull request Remove unused variable in download script nodejs/nodejs.org#668 from rwaldin/prop-method
• b5531bb Merge pull request ES6 page should be ready to be updated when Node.js v6 drops. nodejs/nodejs.org#671 from twolfson/dev/fallback.select.content.sqwished
• 9d98bd7 Merge pull request Fix the id search nodejs/nodejs.org#704 from Rycochet/master
• 1b9c5c9 Merge pull request v0.10.46 release post nodejs/nodejs.org#797 from Delgan/641-appendTo_prependTo
• b12cbe8 Update lodash dependeny to 4.1.0
• 8c9b2e0 Merge pull request Update Code + Learn page nodejs/nodejs.org#796 from Delgan/fix_780
• b09db31 Fix PR blog: release post for v4.4.4 nodejs/nodejs.org#726 adding 'appendTo()' and 'prependTo()'
• ce8829d Added appendTo and prependTo with tests About: update example to use better practices nodejs/nodejs.org#641
• 4779762 Fix Why does nodejs.org use cloudflare-nginx? nodejs/nodejs.org#780 by changing options context in '.find()'
• 8dc1cc9 Add an unit test checking the query of child
• b27bed6 fix Document ReadStream.prototype.destroy nodejs/nodejs.org#667: attr({foo: null}) removes attribute foo, like attr('foo', null)
• 70c5608 Include reference to dedicated "Loading" section
• fa70a84 Added load method to $
• 4e8483a update css-select to 1.2.0
• 5f2777a Merge pull request Evangelism: Weekly Update for May ~ nodejs/nodejs.org#732 from jugglinmike/reinstate-toarray
• 106e42a Merge pull request zh-cn local for Download page(release.md) nodejs/nodejs.org#776 from dYale/master
• 97149d3 Fixing Grammatical Error
• a1367ee Merge pull request Make the release script work with the new changelog structure nodejs/nodejs.org#739 from TrySound/npm-files
• 6c73b7a Merge pull request Newer npm versions in https://nodejs.org/dist nodejs/nodejs.org#773 from JaKXz/patch-1
• 48bb22d Test against node v0.12 --> v4.2
• ec2414d Correct output in example

See the full diff

Package name: chokidar

The new version differs by 250 commits.

• 7b8e02a Release 3.0.0.
• e7bfe2f Move stuff.
• df7f22e Remove changelog from npm, move to hidden dir.
• 3df7692 Improve naming.
• 6e94ca2 Clean-up.
• 2de2f9c test: Add testing of Node.js v12 in Travis pipeline. (add release post for v6.3.1 nodejs/nodejs.org#833)
• 9e0965a Fix Windows tests in Travis CI (Evangelism: Weekly Update for July ~ nodejs/nodejs.org#832)
• c95a98f Update stuff.
• 187ff2b test: Trying to fix blinked tests for Travis CI. (Always translate header & footer templates? nodejs/nodejs.org#825)
• db99076 fix(Windows): Add converting from windows to unix path for all ignored paths. (Seems, 'url.parse' isn't working properly nodejs/nodejs.org#824)
• 41f8782 fix(FsEvents): Remove situation with NaN depth. (Update dependencies nodejs/nodejs.org#823)
• 7cf3f7e Update readdirp to stable.
• 0927a62 Bump packages.
• 11cd857 Update nyc.
• 99c14d7 Uncomment fsevents.
• cf330a5 Update fsevents.
• 0e4fca5 Fix deps.
• 9c575d4 Fix Windows version (Bithound.metalsmith stylus.2.0.0 nodejs/nodejs.org#821)
• 3323d59 fix(Linux): Make event loop hack for keep testing valid. (Add weekly update 2016-07-08 nodejs/nodejs.org#820)
• 06214c5 Update to latest readdirp.
• 793639f Rename osxfswatch.
• 078bc2d Refactor and fix freaking tests.
• 2b9bb41 Try node 11.
• 3fe3d4e Test travis.

See the full diff

Package name: handlebars

The new version differs by 250 commits.

• 7adc19a v4.7.4
• 9dd8d10 Update release notes
• 4671c4b Use tmp directory for files written during tests
• e46baa1 tasks/test-bin.js: Delete duplicate test
• c491b4e Revert "Update release-notes.md"
• 738391a Update release-notes.md
• 80c4516 chore: add unit tests for cli options (Add buffer deprecation migration guide nodejs/nodejs.org#1666)
• d79212a fix: migrate from optimist to yargs (Add buffer deprecation migration guide nodejs/nodejs.org#1666)
• b440c38 chore: ignore external @ types in tests
• 2dba7ee docs: fix comparison link
• c978969 v4.7.3
• 9278f21 Update release notes
• d78cc73 Fixes spelling and punctuation
• 4de51fe Add Type Definition for Handlebars.VERSION, Fixes Docs: Correct spelling nodejs/nodejs.org#1647
• a32d05f Include Type Definition for runtime.js in Package
• ad63f51 chore: add missing "await" in aws-s3 publishing code
• 586e672 v4.7.2
• f0c6c4c Update release notes
• a4fd391 chore: execute saucelabs-task only if access-key exists
• 9d5aa36 fix: don't wrap helpers that are not functions
• 14ba3d0 v4.7.1
• 4cddfe7 Update release notes
• f152dfc fix: fix log output in case of illegal property access
• 3c1e252 fix: log error for illegal property access only once per property

See the full diff

Package name: html-to-text

The new version differs by 88 commits.

• cc4d026 Version bumped 5.1.0
• 30c5556 Remove hardcoded CLI options (Increase body font weight for readability nodejs/nodejs.org#173)
• 14c7475 README updated
• fc487c9 Dependency on fs module removed (checksums nodejs/nodejs.org#171)
• b642ec7 Added tests for the cli arguments (How can we reduce 404's nodejs/nodejs.org#153)
• 4e6127d prepublish script added
• d1e3077 Changelog updated
• ac0e63b Potential security vulnerability fixed
• 8f8a5c8 Merge branch 'jstewmon-fix-href-anchors'
• 5781f8a Closed fix broken link to TC info nodejs/nodejs.org#148
• 3540426 Merge branch 'master' of github.com:werk85/node-html-to-text
• d561095 Version bumped to 4.0.0. package-lock.json added. README updated.
• 655a754 Supports format blockquote (moved events into its own page due to the growing list nodejs/nodejs.org#142)
• 1a3d878 Drop support for Node.js < 4; switch from underscore to lodash (Windows installer for 64-bit installs 32-bit version of node 4.0? nodejs/nodejs.org#150)
• b5d0ea1 customizable ul li item prefix (Add: Code + Learn page in Get Involved section nodejs/nodejs.org#140)
• fc503dc take a stance on semicolons
• 912536a fix: html entities in hrefs should not trigger noAnchorUrl
• 1dbebe1 Fix docs typo (Made code spans more visible nodejs/nodejs.org#146)
• 019f45e chore(package): update chai to version 4.0.1 (Removed gulp stuff #131 nodejs/nodejs.org#133)
• 76b1a89 Version bumped to 3.3.0. Readme updated.
• 5419826 Implement ol type="i" and "I" as fallbacks to "1", add option to not render anchor links. (contributing to localization in locale directory nodejs/nodejs.org#123)
• 2ac2830 Ability to pass custom formatting via the `format` option (Change http://nodejs.org/ to https://nodejs.org/ nodejs/nodejs.org#128)
• 8782c3d Changelog fixed. Version bumped to 3.2.0
• 00f63b1 Changelog updated for Version 3.2.0

See the full diff

Package name: metalsmith

The new version differs by 250 commits.

• ba18d85 Release 2.6.0
• d5ce2c8 Prepare changelog for 2.6.0
• baee1de Removes stray cross-spawn dependency & use --no-package-lock for CI
• 17e421b test: migrate from nyc to c8 for coverage reports
• 2ef473b types: fix source code link line numbers
• e12537f feat/add v0.12.8 announcement post nodejs/nodejs.org#379 - use lodash.clonedeepwith instead, document watch type, fix issues in CLI
• 9d40674 Resolves add v0.12.8 announcement post nodejs/nodejs.org#379: add metalsmith.watch option setter and watcher
• 48a0167 fix: package.json node version, type docs, readme formatting
• 3a93270 test: fix FS race condition in #build should return a promise only when callback omitted
• dbfe32a docs: Updates readme examples to ESM & Gitter link to Matrix Element
• 4469020 CLI: Fix ESM dynamic import issue with absolute paths on Windows
• 58217a5 Adds CLI support & tests for loading ESM configs or Metalsmith instances
• c272b8b ci: remove Node 12, add Node 20
• 0810728 Updates commander from 8.3.0 -> 10.0.1
• ae05945 Removes rimraf dependency, refactors helpers using fs/promises and upgrades @ types/node
• 80d8508 Drops support for Node < 14
• 3754a6a chore: Remove stray console.error log in bin
• acb363e Trims whitespace from parsed front-matter excerpt and adds test for dynamic front-matter lang
• 2bfe800 Fix: don't keep gray-matter excerpt at the start of file contents
• 7ec31d0 Adds a matter member object to metalsmith instance with stringify & parse methods
• 424e6ec Support 'module.exports = Metalsmith()'-style configs in CLI
• 82969ef dev: update devDependencies & fix security warnings
• 58db90c ci: remove obsolete Gitter notification flow
• 58d22a3 Resolves Be consistent with quotes in examples. nodejs/nodejs.org#356: adds Typescript support to Metalsmith package

See the full diff

Package name: metalsmith-prism

The new version differs by 46 commits.

• ab188a8 3.1.0
• 7b51be2 add node 8 to window tests
• 331b299 add node 8
• 4808e1f closes [Snyk] Fix for 1 vulnerable dependencies #21: move pre-load test to seperate fixture folder
• b948271 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #20 from sjking/pre-load-language-components-option
• 1328fe6 Pre-load language component(s) passed in as options
• c5e4a61 3.0.2
• 1b551c9 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #19 from ReedD/master
• 069bfe7 Check file key for html extension
• b60cf7e 3.0.1
• 105164c Merge pull request [Snyk] Fix for 2 vulnerable dependencies #18 from lpinca/fix/missing-dep-error
• baba840 move debug to dependencies
• 203e9f6 update README
• 46480d0 update README
• 96f9ad2 update README
• 00c6a35 3.0.0
• 19191cf update README
• 17b76bf Merge pull request [Snyk] Fix for 1 vulnerable dependencies #17 from Availity/feature/v3
• abec551 update LIC
• 6a9abc4 refactor how language are consumed by plugin
• 992e61f only include lib in npm
• 26faeea use npm 3
• b36dfff bump deps
• 0a44f11 add coverage for node versions 4, 5, 6

See the full diff

Package name: metalsmith-stylus

The new version differs by 4 commits.

• d3bd869 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #17 from wdullaer/patch-1
• 0ae1dc2 Update package.json
• a158889 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path #15 from aubergene/master
• 05d3171 Write out sourcemap if option is present

See the full diff

Package name: node-geocoder

The new version differs by 6 commits.

• 9463c76 v4.0.0
• 72bb7d2 Fix google geocoder buffer
• 5534878 Remove deprecated option from here geocoder (Fixes incorrect closing tag in template nodejs/nodejs.org#333)
• b701cd5 Remove http adapters (4.2.2 Argon MSI for 64 bit contains faulty npm version nodejs/nodejs.org#332)
• 6ef1f47 Prepare 4.0 release
• 836ff39 Add integration test for google geocoder

See the full diff

Package name: node-version-data

The new version differs by 4 commits.

• 4ea0395 1.1.0
• 396346a update deps, fix tests, add node-downloads.js to git (whoops)
• 41c3d5b 1.0.1
• c3b7358 fix typo iojs => nodejs

See the full diff

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)