[Snyk] Fix for 25 vulnerabilities

[Sarrac3873]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-CONVENTIONALCOMMITSPARSER-1766960	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-DOTPROP-543489	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKDOWNIT-2331914	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKDOWNIT-459438	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MERGE-1040469	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MERGE-1042987	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Insertion of Sensitive Information into Log File SNYK-JS-NPMREGISTRYFETCH-575432	No	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Authorization Bypass Through User-Controlled Key SNYK-JS-PARSEPATH-2936439	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-PARSEURL-3023021	Yes	Proof of Concept
	571/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5	Improper Input Validation SNYK-JS-PARSEURL-3024398	Yes	Proof of Concept
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Improper Privilege Management SNYK-JS-SHELLJS-2332187	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @commitlint/cli

The new version differs by 250 commits.

• 41d4f58 v9.1.2
• 935e3cf test(load): increase test timeout to avoid flakiness
• 0eaee18 docs: correct info regarding modifying npm tags
• dabdfc9 Refactor/armano cli (Managed Package's Object in Org Browser : Metadata forcedotcom/salesforcedx-vscode#1998)
• d4f064c chore: update dependency @ types/node to v12.12.50 (Syntax highlighting is broken for SOQL queries using System.Label forcedotcom/salesforcedx-vscode#1997)
• 4e830b3 chore: update dependency @ types/node to v12.12.48 (Use cli version v7.45.1 on CircleCI builds (#1990) forcedotcom/salesforcedx-vscode#1991)
• 46a27bf chore: update node.js to >=v8.17.0 (Install previous cli version forcedotcom/salesforcedx-vscode#1990)
• 94e7211 chore: update dependency @ types/jest to v26.0.4 (Bump @salesforce/lwc-language-server from 2.2.17 to 2.3.2 in /packages/salesforcedx-vscode-lwc forcedotcom/salesforcedx-vscode#1992)
• 5161307 chore: update typescript-eslint monorepo to v3.6.0 (Changelog v48.1.0 forcedotcom/salesforcedx-vscode#1989)
• be3c3a4 chore: update dependency eslint-plugin-jest to v23.18.0 (Causes PHP Syntax Highlighting Issue forcedotcom/salesforcedx-vscode#1988)
• ac54d5c chore: update dependency eslint to v7.4.0 (Fix broken write-aura doc links forcedotcom/salesforcedx-vscode#1987)
• a406053 chore: v9.1.1 - further gitHead entries
• cb565df v9.1.1
• c8367bf chore: update typescript-eslint monorepo to v3.5.0 (Rename jp to ja forcedotcom/salesforcedx-vscode#1983)
• 90d5804 chore: update dependency @ types/lodash to v4.14.157 (Excessive CPU, Memory, and Energy Use When Salesforce Extension Pack is Enabled forcedotcom/salesforcedx-vscode#1592)
• d0f0eb9 fix(load): resolve plugins from extended configs (Dependabot couldn't authenticate with npm.lwcjs.org forcedotcom/salesforcedx-vscode#1976)
• 50ae7c1 chore: update dependency eslint-plugin-import to v2.22.0 (update lightning language servers to v2.2.17 forcedotcom/salesforcedx-vscode#1981)
• a43c5a3 chore: update dependency @ types/semver to v7.3.1 (Port 1973 to release branch forcedotcom/salesforcedx-vscode#1979)
• 014b82b chore: update dependency @ types/jest to v26.0.3 (GitAction for ChangeLogGenerator forcedotcom/salesforcedx-vscode#1978)
• cff1979 chore: update dependency eslint-plugin-jest to v23.17.1 (fake pull request forcedotcom/salesforcedx-vscode#1975)
• 0fbbb47 chore: update dependency eslint-plugin-jest to v23.17.0 (DONT MERGE YET: Trying to restore the telemetry tests. forcedotcom/salesforcedx-vscode#1974)
• 546ac1b chore: update dependency eslint to v7.3.1 (Update apex-tmlanguage dependency forcedotcom/salesforcedx-vscode#1973)
• f8e1b71 chore: update typescript-eslint monorepo to v3.4.0 (SFDX notification keeps running even when the process has completed. forcedotcom/salesforcedx-vscode#1972)
• a58c0fa chore: update dependency ts-jest to v26.1.1 (Update Org Browser article forcedotcom/salesforcedx-vscode#1971)

See the full diff

Package name: ajv

The new version differs by 250 commits.

• 521c3a5 6.12.3
• bd7107b Merge pull request Extension causes high cpu load forcedotcom/salesforcedx-vscode#1229 from ajv-validator/dependabot/npm_and_yarn/mocha-8.0.1
• 9c26bb2 Merge pull request Set default project create template to standard forcedotcom/salesforcedx-vscode#1234 from ajv-validator/dependabot/npm_and_yarn/eslint-7.3.1
• c6a6daa Merge branch 'master' into dependabot/npm_and_yarn/mocha-8.0.1
• 15eda23 Merge branch 'master' into dependabot/npm_and_yarn/eslint-7.3.1
• d6aabb8 test: remove node 8 from travis test
• c4801ca Merge pull request Extension causes high cpu load forcedotcom/salesforcedx-vscode#1242 from ajv-validator/refactor
• 988982d ignore proto properties
• f2b1e3d whitespace
• 65e3678 Merge pull request Extension causes high cpu load forcedotcom/salesforcedx-vscode#1239 from GrahamLea/patch-1
• 68d72c4 update regex
• 9c009a9 validate numbers in multipleOf
• 332b30d Merge pull request Extension causes high cpu load forcedotcom/salesforcedx-vscode#1241 from ajv-validator/refactor
• 1105fd5 ignore proto properties
• 65b2f7d validate numbers in schemas during schema compilation
• 24d4f8f remove code post-processing
• fd64fb4 Add link to CSP section in Security section
• 0e2c346 Add Contents link to CSP section
• c581ff3 Clarify limitations of ajv-pack in README
• 0006f34 Document pre-compiled schemas for CSP in README
• 140cfa6 Merge pull request Apex Replay will not step through class forcedotcom/salesforcedx-vscode#1238 from cvlab/patch-1
• e7f0c81 Fix mistype in README.md
• 54c96b0 Bump eslint from 6.8.0 to 7.3.1
• 854dbef Bump mocha from 7.2.0 to 8.0.1

See the full diff

Package name: commitizen

The new version differs by 96 commits.

• 0939910 ci(release): defined a github workflow to release with semantic-release (When viewing an Apex Test Class and clicking the inline Run Test link the output shows an error saying that <Namespace>.<Namespace> is not a valid class forcedotcom/salesforcedx-vscode#923)
• 757a806 chore(deps): update all non-major dependencies
• 25dc80c fix: fix the "isFunction" utility to match both "asyncFunction"s and "Function"s (Support for Code Completion in Lighting Components forcedotcom/salesforcedx-vscode#927)
• fc283fb chore(deps): update dependency semver to v7.3.7
• c35a3c7 chore(deps): update all non-major dependencies
• 69de704 fix(deps): update all non-major dependencies
• e79f3ee chore(deps): update dependency @ babel/core to v7.17.8
• 69689fb chore(deps): update all non-major dependencies to v7.17.7
• 3c2553f fix(deps): update all non-major dependencies
• 4118263 docs: add cz-git commitizen adapter (UpdateTypeInfo for all file that has errors for any edit forcedotcom/salesforcedx-vscode#905)
• 70ca1f4 docs: adjust example to a valid husky prepare-commit-msg command (#908)
• fcc85e5 docs(readme): match casing of tutorial's title
• bcd9c73 docs(readme): fix dead link to tutorial
• 941bf38 chore(deps): update all non-major dependencies
• a3f4ffa chore(deps): update dependency @ babel/core to v7.17.2
• 8f76acd chore(deps): update dependency node-fetch to 2.6.7 [security] (System Environment Check forcedotcom/salesforcedx-vscode#902)
• d4e39c6 chore(deps): update all non-major dependencies to v7.17.0
• 056b0ed chore(deps): update all non-major dependencies (Test pane ignores code coverage param setting forcedotcom/salesforcedx-vscode#891)
• 5b2c458 chore: remove unused dev-dependency axios (Update changelog for v44.17.0 forcedotcom/salesforcedx-vscode#894)
• 9c7e863 fix(deps): update dependency inquirer to v8 (Test Panel should use start icon forcedotcom/salesforcedx-vscode#874)
• 218d454 chore: remove unused Travis-CI config (Salesforce extension pack does not work forcedotcom/salesforcedx-vscode#880)
• f1cf649 chore(deps): update all non-major dependencies
• dc7ac60 chore(deps): update all non-major dependencies
• c6a2857 chore(deps): update dependency conventional-changelog-conventionalcommits to v4.6.2

See the full diff

Package name: eslint

The new version differs by 28 commits.

• 02d7542 6.1.0
• 5997f7a Build: changelog update for 6.1.0
• 8f86cca Upgrade: eslint-scope@^5.0.0 (#12011)
• d08683e Fix: glob processing (fixes #11940) (#11986)
• bfcf8b2 Fix: dot-location errors with parenthesized objects (fixes #11868) (#11933)
• 79e8d09 Fix: add parens for sequence expr in arrow-body-style (fixes #11917) (#11918)
• 105c098 Docs: update docs for object-curly-spacing (fixes #11634) (#12009)
• c90a12c Chore: update release script for new website repo (#12006)
• e2c08a9 Sponsors: Sync README with website
• b974fcb Update: Check computed property keys in no-extra-parens (#11952)
• 222d27c Update: Add for-in and for-of checks for props in no-param-reassign (#11941)
• e4c450f Fix: no-extra-parens autofix with `in` in a for-loop init (fixes #11706) (#11848)
• 2dafe2d Fix: prefer-const produces invalid autofix (fixes #11699) (#11827)
• cb475fd Fix: Cache file error handling on read-only file system. (fixes #11945) (#11946)
• 89412c3 Docs: Fixed a typo (fixes #11999) (#12000)
• 6669f78 Fix: --init with Vue.js failed (fixes #11970) (#11985)
• 93633c2 Upgrade: Upgrade lodash dependency (fixes #11992) (#11994)
• 776dae7 Docs: fix wrong Node.js version in getting started (#11993)
• 4448261 Docs: some typos and optimization points (#11960)
• 2a10856 Chore: Add temporary test files to .gitignore (#11978)
• d83b233 Chore: update path for release bundles (#11977)
• 1fb3620 Fix: creating of enabledGlobals object without prototype (fixes #11929) (#11935)
• c2f2db9 Docs: Replace global true and false with writable and readonly in rules (#11956)
• 19335b8 Fix: actual messageId and expected messageId are switched in rule tester (#11928)

See the full diff

Package name: lerna

The new version differs by 250 commits.

• 6a0c3fb chore(release): v5.5.2
• ebf6542 fix(run): warn on incompatible arguments with useNx (VS Code - Salesforce - Code Diff - Allow Direction Change forcedotcom/salesforcedx-vscode#3326)
• 068830e fix(run): missing `fs-extra` dependency declaration (feat: new conflict detection mechanism forcedotcom/salesforcedx-vscode#3332)
• 7971a60 chore(deps): bump parse-url and git-url-parse (chore: update template major version forcedotcom/salesforcedx-vscode#3330)
• 96b6f04 chore: fix formatting after release
• 9f119b0 chore(release): v5.5.1
• 99a13a9 fix(run): exclude dependencies with --scope when nx.json is not present (Bp/merge release to main 51.17.0 forcedotcom/salesforcedx-vscode#3316)
• 1343b9f chore: update cache-tasks.md (Port release 51.6.0 to develop forcedotcom/salesforcedx-vscode#3291)
• 4cb2ac9 chore: update getting-started.md (chore(deps): bump nokogiri from 1.11.1 to 1.11.7 in /docs forcedotcom/salesforcedx-vscode#3293)
• f6717ea chore(run): Update deprecated nx arg _ to __overrides__ (Bp/release to main 51.17.0 forcedotcom/salesforcedx-vscode#3315)
• 036b984 chore(version): add GH_TOKEN scope requirements for --create-release option (Extension issue forcedotcom/salesforcedx-vscode#3318)
• f30e550 chore(website): fix typo on configuration page (Extension causes high cpu load forcedotcom/salesforcedx-vscode#3319)
• 746ce33 fix(core): prevent validation error in version/publish with `workspace:` prefix (Extension issue forcedotcom/salesforcedx-vscode#3322)
• 674ffd3 chore: fix formatting
• 5a69ce5 chore: fixes post release
• bc3eb99 chore(release): v5.5.0
• a3165c1 chore: update nx
• 1b18dbe feat: pnpm workspaces support (Update core version in vscode-soql forcedotcom/salesforcedx-vscode#3284)
• 1d6a6f5 chore(deps-dev): bump @ actions/core from 1.8.2 to 1.9.1 (Extension causes high cpu load forcedotcom/salesforcedx-vscode#3299)
• d261112 Revert "feat(repair): add lerna repair command" (LWC autocomplete/Intellisense isn't working in .html files for JS expressions forcedotcom/salesforcedx-vscode#3313)
• 8fe2220 chore(website): add announcement banner lerna talks
• f5c8480 fix(version): only update existing lockfile deps (Extension causes high cpu load forcedotcom/salesforcedx-vscode#3308)
• aae1a2b feat(repair): add lerna repair command (fix: import FileProperties from the top level forcedotcom/salesforcedx-vscode#3302)
• a248165 chore: fix typo in how-caching-works.md (Xyc/update libs core versions forcedotcom/salesforcedx-vscode#3292)

See the full diff

Package name: remap-istanbul

The new version differs by 6 commits.

• 981dac8 Release 0.10.0
• a50dbf6 Drop dependency on deprecated `gulp-util` ([Snyk] Fix for 4 vulnerabilities #158)
• 9ed0670 Removed typo ([Snyk] Fix for 4 vulnerabilities #156)
• 8342b28 Allow null file name ([Snyk] Security upgrade @salesforce/core from 2.25.1 to 3.32.12 #153)
• 18ba8f6 Add warnMissingSourceMaps parameter ([Snyk] Security upgrade electron from 7.3.2 to 19.1.5 #150)
• 50b3f4f checking if origFileName is defined before using it to build a file path ([Snyk] Security upgrade @salesforce/core from 2.25.1 to 3.32.12 #152)

See the full diff

Package name: shelljs

The new version differs by 4 commits.

• 70668a4 0.8.5
• d919d22 fix(exec): lockdown file permissions (Deploy to source org forcedotcom/salesforcedx-vscode#1060)
• fcf1651 0.8.4
• a1111ee Silence potentially upcoming circular dependency warning (Code Coverage Reporting & UI forcedotcom/salesforcedx-vscode#973)

See the full diff

Package name: shx

The new version differs by 8 commits.

• a942ca0 0.3.0
• d97f98c docs(changelog): updated by Nate Fischer [ci skip]
• 1ce9aab chore: bump shelljs-release dependency
• 7fd4896 feat: bump shelljs to expose new features ([Snyk] Fix for 4 vulnerabilities #126)
• 44943ca fix: use process.exitCode to wait for streams ([Snyk] Fix for 4 vulnerabilities #123)
• bc803b7 Add workaround for pushd and popd to README ([Snyk] Security upgrade electron from 7.3.2 to 18.3.14 #122)
• a73e66d Add node 8 to CI ([Snyk] Security upgrade electron from 7.3.2 to 17.4.11 #115)
• 20f46a3 docs(changelog): updated by Nate Fischer [ci skip]

See the full diff

Package name: vsce

The new version differs by 250 commits.

• 9b2b16b fix: force fix release due to markdown-it
• 3ab7de2 build: ⬆️ update markdown-it
• 507fd82 fix: add preRelease flag to api (#679)
• d81a42f fix: docker base image needs be at latest `node:14-alpine` (Develop Against Any Org in Visual Studio Code failing forcedotcom/salesforcedx-vscode#651)
• e53c78d fix: entrypoint validation without js tag (Deploy speed for single components is slow forcedotcom/salesforcedx-vscode#676)
• dc68cc8 feat: sanity check to validate entrypoints (Open beta for org based development commands forcedotcom/salesforcedx-vscode#669)
• f4a8264 validate the package if pre-release flag is passed (Ruth/release/v44.2.0 forcedotcom/salesforcedx-vscode#666)
• e5af890 fix: 🐛 publishing with version should check for the right version
• 12586ed Merge pull request Disable system tests from running in appveyor forcedotcom/salesforcedx-vscode#668 from microsoft/TylerLeonhardt/only-enforce-major-minor
• 63c89ae fix: typo
• 4cf4c73 fix: only enforce major and minor version of types check
• f710e83 Merge pull request Swap LWC with LWC-next forcedotcom/salesforcedx-vscode#660 from microsoft/sandy081/prerelease-validate-engine
• e675eca refactor: undo
• ba006e3 fix: validate engine for prereleases
• 2c60208 Merge pull request Bump LWC language server option forcedotcom/salesforcedx-vscode#654 from microsoft/sandy081/preReleases
• 376a6a8 test: add tests
• dc4cf1b feat: add --pre-release flag and support
• 4d571f2 feat(api): ✨ add target options to API
• 6a0c946 feat: error when publishing an extension that uses `enabledApiProposals`
• a38657e fix: package should not check for publisher
• 7182692 feat: allow config via package.json for vsce package/publish
• afa459f feat: add --no-rewrite-relative-links
• 35e9716 fix: validate version with prerelease at publish time
• 525f2fc docs: add conventional commit badge

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn