[Snyk] Fix for 18 vulnerabilities

[adamlaska]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/sol-coverage/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	Yes	Proof of Concept
	679/1000 Why? Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-BROWSERSLIST-1090194	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	379/1000 Why? Has a fix available, CVSS 3.3	Insecure Credential Storage SNYK-JS-WEB3-174533	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @0x/subproviders

The new version differs by 15 commits.

• aad2bd4 Publish
• ae6753a Updated CHANGELOGS & MD docs
• 91344c0 Bump CirciCI to nodejs16 ([Snyk] Fix for 5 vulnerabilities #68)
• ae232fa Bump CI to node16
• b89d468 Cannot run installation against specific package ([Snyk] Fix for 5 vulnerabilities #67)
• e003034 fix: Update deps fix ([pull] development from 0xProject:development #65)
• 14e5370 empty
• 27955e3 chore: Update deps ([Snyk] Security upgrade moment from 2.21.0 to 2.29.4 #64)
• 7e7e6dc fix: Fix subprovider tests
• dbd0dc0 bump ts
• 094c081 Bump subprovider deps
• 3c0bb9e Update @ ethereumjs/common
• 9d28e7d Unpin merkle-patricia-tree
• b543924 Add repository to @ 0x/subproviders
• 3b01e1d Update package.json to include the repository

See the full diff

Package name: nyc

The new version differs by 21 commits.

• 4a6b327 chore(release): 13.0.1
• ae5318b chore: Update istanbul dependencies. (Update Lerna & other small changes 0xProject/0x-monorepo#896)
• d0b76e2 fix: Enable es-modules by default. (Update Versions & Changelogs 0xProject/0x-monorepo#889)
• 6b6cd5e fix: add flag to allow control of intrumenter esModules option, default to looser parsing (Refactor 0x.js 0xProject/0x-monorepo#863)
• c325799 docs: reference babel 7 in all places (Fix bugs having to do with block timestamps and order expirationTimes 0xProject/0x-monorepo#881)
• 7483ed9 fix: use uuid/v4 to generate unique identifiers. (New tslint rules 0xProject/0x-monorepo#883)
• 8ab1ae3 chore: update dependencies (Bump npm-run-all from 4.1.2 to 4.1.3 0xProject/0x-monorepo#872)
• 52b69ef fix: Update caching-transform options. (Bump nodemon from 1.17.3 to 1.18.1 0xProject/0x-monorepo#873)
• 624a723 chore: update dependencies (Integrate Heap analytics into the website 0xProject/0x-monorepo#866)
• a5818f5 chore(release): 13.0.0
• f0d98a5 docs: update README.md with babel configuration info (Bump nodemon from 1.17.3 to 1.18.0 0xProject/0x-monorepo#860)
• 893345a feat: allow rows with 100% statement, branch, and function coverage to be skipped in text report (Bump less-loader from 2.2.3 to 4.1.0 0xProject/0x-monorepo#859)
• f09cf02 chore: update dependencies ([SoHoAudit] Externally supplied variable salt is used explicitly as timestamp within MixinExchangeCore.sol#47-55 which may lead to confusion 0xProject/0x-monorepo#855)
• d0f654c fix: source was being instrumented twice, due to upstream fix in ista… ([SoHoAudit] Combined taker fees exceeding MAX_INT will revert execution rather than successfully process MixinMatchOrders.sol#281-284: 0xProject/0x-monorepo#853)
• adb310c chore(release): 12.0.2
• ddc9331 fix: stop bundling istanbul-lib-instrument due to npm issue on Node 6 ([SoHoAudit] Suggested usage of transfer in place of call.value() on line AssetProxyOwner.sol#91 0xProject/0x-monorepo#854)
• b4c325b fix: don't bundle istanbul-lib-instrument due to Node 6 issues
• 9fc20e4 chore(release): 12.0.1
• 3e087d4 chore: upgrade to version of istanbul with optional catch binding ([SoHoAudit] Misleading verbiage within batch processing in batchFillOrders, batchFillOrKillOrders, marketSellOrders, marketSellOrdersNoThrow, marketBuyOrders, marketBuyOrdersNoThrow, and batchCancelOrders 0xProject/0x-monorepo#851)
• eaf3f70 chore(release): 12.0.0
• 19b7d21 chore: upgrade to newest version of istanbul codebase (Add revert reasons and optimization to safeMath 0xProject/0x-monorepo#848)

See the full diff

Package name: web3-provider-engine

The new version differs by 172 commits.

• 06ac733 Release 16.0.6 ([Snyk] Fix for 26 vulnerabilities #449)
• d0d93b9 devDeps: bump babel packages ([Snyk] Fix for 21 vulnerabilities #450)
• e131674 ci: run on ubuntu-latest(22.04) instead of ubuntu-20.04 ([Snyk] Fix for 19 vulnerabilities #448)
• 843d875 refresh yarn.lock ([Snyk] Fix for 21 vulnerabilities #451)
• c850d58 deps: ws@^5.1.1->^7.5.9 ([Snyk] Fix for 6 vulnerabilities #446)
• 9ff7230 docs: New package names for @ metamask/json-rpc-engine and @ metamask/eth-json-rpc-middleware ([Snyk] Security upgrade mocha from 6.2.3 to 8.3.0 #440)
• adbc7a4 ci: test major node versions 12,14,16,18,20 ([Snyk] Fix for 20 vulnerabilities #443)
• f5a78a9 fix(suproviders/filters): Rename class from SubsciptionsSubProvider to FiltersSubProvider ([Snyk] Security upgrade jest from 24.9.0 to 27.0.0 #442)
• aa03299 deps: switch from request to @ cypress/request ([Snyk] Security upgrade jest from 24.9.0 to 27.0.0 #441)
• 8ee6004 Bump cached-path-relative from 1.0.2 to 1.1.0 ([Snyk] Fix for 1 vulnerabilities #403)
• 0d705a3 Bump word-wrap from 1.2.3 to 1.2.4 ([Snyk] Fix for 1 vulnerabilities #437)
• 9ac79a4 Bump http-cache-semantics from 4.1.0 to 4.1.1 ([Snyk] Fix for 1 vulnerabilities #429)
• cf612f8 Bump cookiejar from 2.1.3 to 2.1.4 ([Snyk] Security upgrade mocha from 6.2.3 to 8.3.0 #428)
• 2509e6a Release 16.0.5 ([Snyk] Security upgrade @0x/mesh-rpc-client from 7.0.4-beta-0xv3 to 8.1.0 #427)
• 25563f2 Replace scrypt with scryptsy ([Snyk] Security upgrade mocha from 6.2.3 to 8.3.0 #425)
• 18bd6cd chore: update dependencies eth-block-tracker to 5.0.1 ([Snyk] Fix for 1 vulnerabilities #409)
• 9b8fd02 Bump decode-uri-component from 0.2.0 to 0.2.2 ([Snyk] Security upgrade mocha from 6.2.3 to 8.3.0 #420)
• 4984566 Bump minimatch from 3.0.4 to 3.1.2 ([Snyk] Security upgrade @0x/subproviders from 6.6.5 to 7.0.0 #423)
• 963a76c Bump express from 4.17.1 to 4.18.2 ([Snyk] Fix for 1 vulnerabilities #422)
• 763803f Bump qs from 6.5.2 to 6.5.3 ([Snyk] Fix for 1 vulnerabilities #421)
• e835b80 Bump shell-quote from 1.7.2 to 1.7.3 ([Snyk] Security upgrade mocha from 6.2.3 to 8.3.0 #416)
• cdcf608 Communicate project status in README ([Snyk] Fix for 1 vulnerabilities #413)
• df21aa6 Bump cross-fetch from 2.2.3 to 2.2.6 ([Snyk] Fix for 1 vulnerabilities #414)
• e06b531 Bump async from 2.6.3 to 2.6.4 ([Snyk] Security upgrade mocha from 6.2.0 to 8.3.0 #410)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[socket-security]

New dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
nyc	13.3.0	eval, environment	+1	21 MB	coreyfarrell
tslint	5.16.0	None	+0	1.78 MB	palantir
@0x/subproviders	7.0.1	None	+61	26.4 MB	tobernguyen
web3-provider-engine	16.0.6	None	+17	4.24 MB	lgbot