[Snyk] Fix for 15 vulnerabilities

[UbuntuEvangelist]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Remote Memory Exposure SNYK-JS-BL-608877	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-CSSWHAT-3035488	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	No	No Known Exploit
	644/1000 Why? Mature exploit, Has a fix available, CVSS 4.3	Open Redirect npm:st:20171013	No	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: chokidar

The new version differs by 250 commits.

• 7b8e02a Release 3.0.0.
• e7bfe2f Move stuff.
• df7f22e Remove changelog from npm, move to hidden dir.
• 3df7692 Improve naming.
• 6e94ca2 Clean-up.
• 2de2f9c test: Add testing of Node.js v12 in Travis pipeline. (add release post for v6.3.1 nodejs/nodejs.org#833)
• 9e0965a Fix Windows tests in Travis CI (Evangelism: Weekly Update for July ~ nodejs/nodejs.org#832)
• c95a98f Update stuff.
• 187ff2b test: Trying to fix blinked tests for Travis CI. (Always translate header & footer templates? nodejs/nodejs.org#825)
• db99076 fix(Windows): Add converting from windows to unix path for all ignored paths. (Seems, 'url.parse' isn't working properly nodejs/nodejs.org#824)
• 41f8782 fix(FsEvents): Remove situation with NaN depth. (Update dependencies nodejs/nodejs.org#823)
• 7cf3f7e Update readdirp to stable.
• 0927a62 Bump packages.
• 11cd857 Update nyc.
• 99c14d7 Uncomment fsevents.
• cf330a5 Update fsevents.
• 0e4fca5 Fix deps.
• 9c575d4 Fix Windows version (Bithound.metalsmith stylus.2.0.0 nodejs/nodejs.org#821)
• 3323d59 fix(Linux): Make event loop hack for keep testing valid. (Add weekly update 2016-07-08 nodejs/nodejs.org#820)
• 06214c5 Update to latest readdirp.
• 793639f Rename osxfswatch.
• 078bc2d Refactor and fix freaking tests.
• 2b9bb41 Try node 11.
• 3fe3d4e Test travis.

See the full diff

Package name: handlebars

The new version differs by 250 commits.

• 7adc19a v4.7.4
• 9dd8d10 Update release notes
• 4671c4b Use tmp directory for files written during tests
• e46baa1 tasks/test-bin.js: Delete duplicate test
• c491b4e Revert "Update release-notes.md"
• 738391a Update release-notes.md
• 80c4516 chore: add unit tests for cli options (Add buffer deprecation migration guide nodejs/nodejs.org#1666)
• d79212a fix: migrate from optimist to yargs (Add buffer deprecation migration guide nodejs/nodejs.org#1666)
• b440c38 chore: ignore external @ types in tests
• 2dba7ee docs: fix comparison link
• c978969 v4.7.3
• 9278f21 Update release notes
• d78cc73 Fixes spelling and punctuation
• 4de51fe Add Type Definition for Handlebars.VERSION, Fixes Docs: Correct spelling nodejs/nodejs.org#1647
• a32d05f Include Type Definition for runtime.js in Package
• ad63f51 chore: add missing "await" in aws-s3 publishing code
• 586e672 v4.7.2
• f0c6c4c Update release notes
• a4fd391 chore: execute saucelabs-task only if access-key exists
• 9d5aa36 fix: don't wrap helpers that are not functions
• 14ba3d0 v4.7.1
• 4cddfe7 Update release notes
• f152dfc fix: fix log output in case of illegal property access
• 3c1e252 fix: log error for illegal property access only once per property

See the full diff

Package name: html-to-text

The new version differs by 88 commits.

• cc4d026 Version bumped 5.1.0
• 30c5556 Remove hardcoded CLI options (Increase body font weight for readability nodejs/nodejs.org#173)
• 14c7475 README updated
• fc487c9 Dependency on fs module removed (checksums nodejs/nodejs.org#171)
• b642ec7 Added tests for the cli arguments (How can we reduce 404's nodejs/nodejs.org#153)
• 4e6127d prepublish script added
• d1e3077 Changelog updated
• ac0e63b Potential security vulnerability fixed
• 8f8a5c8 Merge branch 'jstewmon-fix-href-anchors'
• 5781f8a Closed fix broken link to TC info nodejs/nodejs.org#148
• 3540426 Merge branch 'master' of github.com:werk85/node-html-to-text
• d561095 Version bumped to 4.0.0. package-lock.json added. README updated.
• 655a754 Supports format blockquote (moved events into its own page due to the growing list nodejs/nodejs.org#142)
• 1a3d878 Drop support for Node.js < 4; switch from underscore to lodash (Windows installer for 64-bit installs 32-bit version of node 4.0? nodejs/nodejs.org#150)
• b5d0ea1 customizable ul li item prefix (Add: Code + Learn page in Get Involved section nodejs/nodejs.org#140)
• fc503dc take a stance on semicolons
• 912536a fix: html entities in hrefs should not trigger noAnchorUrl
• 1dbebe1 Fix docs typo (Made code spans more visible nodejs/nodejs.org#146)
• 019f45e chore(package): update chai to version 4.0.1 (Removed gulp stuff #131 nodejs/nodejs.org#133)
• 76b1a89 Version bumped to 3.3.0. Readme updated.
• 5419826 Implement ol type="i" and "I" as fallbacks to "1", add option to not render anchor links. (contributing to localization in locale directory nodejs/nodejs.org#123)
• 2ac2830 Ability to pass custom formatting via the `format` option (Change http://nodejs.org/ to https://nodejs.org/ nodejs/nodejs.org#128)
• 8782c3d Changelog fixed. Version bumped to 3.2.0
• 00f63b1 Changelog updated for Version 3.2.0

See the full diff

Package name: metalsmith-prism

The new version differs by 14 commits.

• 8ec68cb 2.2.0
• 607c567 update README with lineNumbers option
• fd1a584 rever package.json version
• 3352048 refactor spec description
• 7acccef remove invalid test
• 496a990 bump deps
• 89e836d line numbers should only apply for <code> blocks wrapped in <pre>
• ed4fbe7 add test for line number option
• 6423065 Merge branch 'master' into develop
• 0d3243b 2.2.0
• 4c625c3 update README
• 20c63e3 linter fix
• 6feb5f7 Merge pull request [Snyk] Security upgrade html-to-text from 1.6.2 to 6.0.0 #15 from cedric-legallo/master
• 046f1b9 Add line-numbers base on a metalsmith option

See the full diff

Package name: metalsmith-stylus

The new version differs by 4 commits.

• d3bd869 Merge pull request [Snyk] Security upgrade metalsmith-prism from 2.1.1 to 3.1.0 #17 from wdullaer/patch-1
• 0ae1dc2 Update package.json
• a158889 Merge pull request [Snyk] Security upgrade html-to-text from 1.6.2 to 6.0.0 #15 from aubergene/master
• 05d3171 Write out sourcemap if option is present

See the full diff

Package name: node-geocoder

The new version differs by 6 commits.

• 9463c76 v4.0.0
• 72bb7d2 Fix google geocoder buffer
• 5534878 Remove deprecated option from here geocoder (Fixes incorrect closing tag in template nodejs/nodejs.org#333)
• b701cd5 Remove http adapters (4.2.2 Argon MSI for 64 bit contains faulty npm version nodejs/nodejs.org#332)
• 6ef1f47 Prepare 4.0 release
• 836ff39 Add integration test for google geocoder

See the full diff

Package name: node-version-data

The new version differs by 4 commits.

• 4ea0395 1.1.0
• 396346a update deps, fix tests, add node-downloads.js to git (whoops)
• 41c3d5b 1.0.1
• c3b7358 fix typo iojs => nodejs

See the full diff

Package name: st

The new version differs by 18 commits.

• 0e87caf 1.2.2
• 579960c improved traversal detection & location redirect
• ae7b676 1.2.1
• 5744d49 update deps
• 473a344 update mime dependency to avoid ReDoS vulnerability
• 2a5f970 1.2.0
• fad0367 update deps
• 67a521e Test command-line switches, --host in particular
• 128c6fd Introduce -localhost resp. -l abbreviation
• cc20690 Make the host configurable
• 9cc1709 Report actual address we're listening on
• 70b0a48 Configure Travis CI
• f32cf97 1.1.0
• fb0a246 update deps
• d91af76 updated README
• 6b78b33 added mount url as command line option
• 770a6d7 updated README about CORS
• a8f66c0 added basic CORS functionality with tests

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn