[Snyk] Fix for 30 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-GETOBJECT-1054932	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Directory Traversal SNYK-JS-GRUNT-2635969	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Race Condition SNYK-JS-GRUNT-2813632	No	Proof of Concept
	569/1000 Why? Has a fix available, CVSS 7.1	Arbitrary Code Execution SNYK-JS-GRUNT-597546	No	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-JQUERY-174006	No	Proof of Concept
	701/1000 Why? Mature exploit, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	No	Mature
	711/1000 Why? Mature exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-JQUERY-567880	No	Mature
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-JSYAML-173999	No	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	No Known Exploit
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Regular Expression Denial of Service (ReDoS) npm:diff:20180305	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:underscore.string:20170908	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: grunt

The new version differs by 117 commits.

• 82d79b8 1.5.3
• 572d79b Merge pull request #1745 from gruntjs/fix-copy-op
• 58016ff Patch up race condition in symlink copying.
• 0749e1d Merge pull request #1746 from JamieSlome/patch-1
• 69b7c50 Create SECURITY.md
• ac667b2 1.5.2
• 7f15fd5 Update Changelog
• b0ec6e1 Merge pull request #1743 from gruntjs/cleanup-link
• 433f91b Clean up link handling
• d5969ec 1.5.1
• ad22608 Merge pull request #1742 from gruntjs/update-symlink-test
• 0652305 Fix symlink test
• a7ab0a8 1.5.0
• b2b2c2b Updated changelog
• 3eda6ae Merge pull request #1740 from gruntjs/update-deps-22-10
• 47d32de Update testing matrix
• 2e9161c More updates
• 04b960e Remove console log
• aad3d45 Update dependencies, tests...
• fdc7056 Merge pull request #1736 from justlep/main
• e35fe54 support .cjs extension
• ee722d1 1.4.1
• e7625e5 Update Changelog
• 5d67e34 Merge pull request #1731 from gruntjs/update-options

See the full diff

Package name: grunt-contrib-uglify

The new version differs by 16 commits.

• f65dbb9 v4.0.1. (npm package still has version 4.2.1 jquery-form/form#535)
• b33a071 upgrade devDependencies (Cannot read property 'success' of undefined (with jquery 4.2.2) jquery-form/form#536)
• 1e40037 upgrade to uglify-js 3.5.0 (How do I terminate requests for uploading files? jquery-form/form#534)
• 33724cd update links to uglifyJS documentation (License Confusion jquery-form/form#530)
• 5cdebda v4.0.0. (feature for Deferred jquery-form/form#527)
• 7b4ecb5 v3.4.0.
• f6f834b v3.4.0.
• e7915ce v3.3.0.
• bf23f0b Lock grunt-contrib-internal to v1.3.0.
• 6db68bd upgrade to uglify-js 3.3.0
• 04494d9 Update docs/uglify-options.md.
• 263196c Add a Git .mailmap with my new name (File upload progress jquery-form/form#497)
• 3105f8d v3.2.1.
• 602ced4 Update uglify-js to v3.2.0
• 5251b6f decouple `sourceMapIn` from `sourceMap.url`
• 2edfe0b Update uglify-js to v3.1.0.

See the full diff

Package name: grunt-mocha

The new version differs by 16 commits.

• d63e112 1.2.0
• db75d78 Re-add some trailing commas
• 21c694f Update dependencies
• 3fedda0 Mocha isnt needed as devDependency, cleanup license field, add lint script
• 44ebd32 Cleanup grunt file
• ae7b303 Fix cyclical test
• c0d8935 Dont growl on tests
• b6df458 Update grunt
• c1c12b2 Update dependencies
• 6167d38 Add node 10, remove node 4 from travis config
• db9ddbb 1.1.0
• a88781c Merge branch 'master' of github.com:disqus/grunt-mocha
• c88d517 Add growlOnFail option
• 46e41f3 1.0.5
• ada8c23 Adding titlePath in bridge to propagate over failure data to the grunt task for reporting ([Snyk] Security upgrade grunt from 1.0.1 to 1.3.0 #7)
• 590234f ci(node): Update node versions to run tests against ([Snyk] Fix for 1 vulnerabilities #8)

See the full diff

Package name: mocha

The new version differs by 250 commits.

• 42303e2 Release v6.0.0
• a553ca7 punctuation updates for changelog v6.0.0
• c710792 grammar updates for changelog v6.0.0
• 9f9293a update changelog for v6.0.0
• a540eb0 remove "projects" section from MAINTAINERS.md [ci skip]
• 52b5c42 Uppercased JSON reporter name in `describe` title (#3739)
• 82307fb Fix `.globals` to remove falsy values (#3737)
• 56dc28e Remove unnecessary post-processing code having no effect; closes #3708 (#3733)
• 16b4281 Documentation updates (#3728)
• 5d9d3eb Update nyc
• 118c9ae Refactor out usages of Suite#_onlyTests and Suite#_onlyTests (#3689) (#3707)
• 0dacd1f Add ability to unload files from `require` cache (redux) (#3726)
• 66a52f2 update release steps [ci skip]
• 45ae014 Refactor `lookupFiles` and `files` (#3722)
• 94c9320 fix --reporter-option to allow comma-separated options; closes #3706
• 0f546fc Refactor checkGlobals() error message creation (#3711)
• 2d21fd6 add missing user reference in CHANGELOG.md [ci skip]
• 6cb4e27 add all changes since v6.0.0-1 to CHANGELOG.md [ci skip]
• 186ca36 add createInvalidArgumentError(); see #3676 (#3677)
• 3a7fa37 Revert 00ca06b0e957ec4f067268c98053782ac5dcb69f; closes #3414 (#3715)
• 21ba5ce fix --inspect and its ilk; closes #3681 (#3699)
• 52b9a5f refactor: use constants for event names instead of string literals
• 29aa611 Eliminated variable shadowing from test event listeners (runner.spec.js) (#3712)
• e01a54e update usage info in docs [ci skip]

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit
	646/1000 Why? Mature exploit, Has a fix available, CVSS 5.2	Uninitialized Memory Exposure npm:stringstream:20180511	Mature
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn