[Snyk] Fix for 38 vulnerabilities

[aliscco]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • test/fixtures/demo-os/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-DICER-2311764	Yes	Mature
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	/1000 Why?	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	No	Proof of Concept
	/1000 Why?	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	No	No Known Exploit
	/1000 Why?	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	/1000 Why?	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	/1000 Why?	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	/1000 Why?	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	/1000 Why?	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	/1000 Why?	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	No	No Known Exploit
	/1000 Why?	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	Yes	Proof of Concept
	/1000 Why?	Improper Input Validation SNYK-JS-XMLDOM-1534562	Yes	No Known Exploit
	/1000 Why?	Prototype Pollution SNYK-JS-XMLDOM-3042242	Yes	No Known Exploit
	/1000 Why?	Improper Input Validation SNYK-JS-XMLDOM-3092935	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No	No Known Exploit
	424/1000 Why? Has a fix available, CVSS 4.2	Insecure Randomness npm:node-uuid:20160328	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:parsejson:20170908	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:qs:20140806	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Denial of Service (DoS) npm:qs:20140806-1	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: csscomb

The new version differs by 159 commits.

• fa37c58 v4.0.0
• 7d19f6d [cli] Don't print file path in lint mode twice
• 44642f9 Add note about maintenance mode
• 0ac44e1 [tools] Update Travis config
• da43ff7 [gpe] Update GPE to v3.4.7
• dd30f0b [cli] Use old linter
• 49cae43 [cli] Fix file processing
• 6c88e7e [cli] Print linter errors
• 822f546 Move csscomb-core from separate repo here
• e2d9960 [cli] Make linter the default mode
• 0c2db5f [cli] Fix linter errors
• 54c559e [cli] Add help message
• fc9fd33 [cli] Fix processing of input data
• f22aad3 Update babel dependencies
• cbf7ca5 v4.0.0-alpha
• 5b01fb7 Add license info tp package.json
• 2f3b28f Added flex property to the config
• 91f1aa6 Remove duplicate entries
• aefc1d0 Post-rebase fixes
• 3b3e075 Build files before publishing
• 3bc4e94 Remove postinstall script for csscomb-core
• 19fb8da Update csscomb-core to v3.0.0
• e092650 Remove contributors list from package.json
• 75e0e9e Fix tests

See the full diff

Package name: grunt-contrib-uglify

The new version differs by 127 commits.

• a3f3f34 5.2.1
• 3c8d904 Update Readme
• 0850dcd update dependencies ([Snyk] Security upgrade qs from 0.6.6 to 6.0.4 #568)
• c27ad5f Bump minimist from 1.2.5 to 1.2.6 ([Snyk] Fix for 4 vulnerabilities #567)
• 98b4c5f Fix documentation in relation to issue [Snyk] Security upgrade jsonpointer from 2.0.0 to 5.0.0 #565 ([Snyk] Security upgrade minimatch from 3.0.0 to 3.0.2 #566)
• 7228446 Bump minimist from 1.2.5 to 1.2.6 ([Snyk] Security upgrade string-width from 1.0.2 to 2.1.0 #563)
• e410511 Update deps, v5.1.0 ([Snyk] Security upgrade minimist from 0.0.8 to 1.2.6 #564)
• 2cb31be Update uglify-js to v3.15.2 ([Snyk] Security upgrade lodash from 4.17.15 to 4.17.21 #562)
• 12ca0f2 Fix wording in README.md ([Snyk] Fix for 48 vulnerabilities #560)
• 1f6a012 Bump path-parse from 1.0.6 to 1.0.7 ([Snyk] Security upgrade django from 2.0.1 to 3.2.15 #558)
• 0e4b1a0 Update uglify-js ([Snyk] Security upgrade django from 1.6.1 to 3.2.15 #557)
• 9ccf10d Bump hosted-git-info from 2.8.8 to 2.8.9 ([Snyk] Security upgrade snyk from 1.101.1 to 1.230.7 #556)
• 4e83e45 Update UglifyJS to 3.13.3 ([Snyk] Fix for 10 vulnerabilities #554)
• 8674feb Bump ini from 1.3.5 to 1.3.8 ([Snyk] Fix for 10 vulnerabilities #552)
• 14b71da v5.0.0
• 9259448 Bump lodash from 4.17.11 to 4.17.19 ([Snyk] Fix for 61 vulnerabilities #550)
• 4645446 Bump js-yaml from 3.5.5 to 3.14.0 ([Snyk] Fix for 10 vulnerabilities #551)
• b7bcde4 Delete .travis.yml
• cba2631 Delete appveyor.yml
• 3dc53f0 ini github workflow
• f65dbb9 v4.0.1. ([Snyk] Fix for 1 vulnerabilities #535)
• b33a071 upgrade devDependencies ([Snyk] Security upgrade marked from 0.3.6 to 4.0.10 #536)
• 1e40037 upgrade to uglify-js 3.5.0 ([Snyk] Security upgrade hoek from 2.16.3 to 4.2.1 #534)
• 33724cd update links to uglifyJS documentation ([Snyk] Fix for 1 vulnerabilities #530)

See the full diff

Package name: grunt-shell

The new version differs by 26 commits.

• 0eeba40 3.0.0
• 62cdda5 Require Node.js >=6 and Grunt >=1
• 86680b4 Allow functions as shorthand commands ([Snyk] Security upgrade django from 1.6.1 to 2.2.24 #118)
• 32cac78 2.1.0
• 91aec55 Make it possible to specify cwd as a top-level target config entry ([Snyk] Security upgrade jsonpointer from 2.0.0 to 5.0.0 #113)
• 9f190dc Fix for Windows: don't modify process.env ([Snyk] Security upgrade sanitize from 4.6.2 to 4.6.2 #112)
• 780086a Update links ([Snyk] Security upgrade cryptography from 2.6.1 to 3.2 #110)
• 9fa3d68 2.0.0
• 3619e4c increase default max buffer size
• 1159f25 change `preferLocal` option to be `true` by default
• 3b379e7 [BREAKING] ES2015ify and require Node.js 4
• 88e6f6e simplify and improve `preferLocal` option
• d571099 1.3.1
• 3248996 trying out something new
• 54e6c03 Document ability to fail task with custom callback ([Snyk] Security upgrade snyk-docker-plugin from 4.21.3 to 4.25.1 #103)
• b3cd4b4 1.3.0
• b9a0cb5 meta tweaks
• 82a1770 cleanup [Snyk] Security upgrade jinja2 from 2.7.2 to 2.11.3 #102
• 058629c adds preferLocal option for including 'node_modules/.bin' to path ([Snyk] Security upgrade jinja2 from 2.7.2 to 2.11.3 #102)
• c9ce41e 1.2.1
• 761dbb6 fix [Snyk] Security upgrade django from 1.6.1 to 1.6.3 #99
• b173dcd 1.2.0
• a933620 tweaks
• 7829d57 Close [Snyk] Security upgrade snyk from 1.101.1 to 1.230.7 #98 PR: Add command shorthand.

See the full diff

Package name: html-to-text

The new version differs by 138 commits.

• cc4d026 Version bumped 5.1.0
• 30c5556 Remove hardcoded CLI options ([Snyk] Security upgrade snyk from 1.101.1 to 1.230.7 #173)
• 14c7475 README updated
• fc487c9 Dependency on fs module removed ([Snyk] Security upgrade actionpack from 4.2.5 to 4.2.11.3 #171)
• b642ec7 Added tests for the cli arguments ([Snyk] Security upgrade django from 2.0.1 to 2.2.26 #153)
• 4e6127d prepublish script added
• d1e3077 Changelog updated
• ac0e63b Potential security vulnerability fixed
• 8f8a5c8 Merge branch 'jstewmon-fix-href-anchors'
• 5781f8a Closed [Snyk] Security upgrade tap from 11.1.3 to 15.0.0 #148
• 3540426 Merge branch 'master' of github.com:werk85/node-html-to-text
• d561095 Version bumped to 4.0.0. package-lock.json added. README updated.
• 655a754 Supports format blockquote ([Snyk] Security upgrade tap from 11.1.3 to 15.0.0 #142)
• 1a3d878 Drop support for Node.js < 4; switch from underscore to lodash ([Snyk] Security upgrade tap from 11.1.3 to 15.0.0 #150)
• b5d0ea1 customizable ul li item prefix ([Snyk] Security upgrade istanbul-reports from 1.5.1 to 3.1.3 #140)
• fc503dc take a stance on semicolons
• 912536a fix: html entities in hrefs should not trigger noAnchorUrl
• 1dbebe1 Fix docs typo ([Snyk] Security upgrade tap from 11.1.3 to 15.0.0 #146)
• 019f45e chore(package): update chai to version 4.0.1 ([Snyk] Security upgrade django from 2.0.1 to 2.2.25 #133)
• 76b1a89 Version bumped to 3.3.0. Readme updated.
• 5419826 Implement ol type="i" and "I" as fallbacks to "1", add option to not render anchor links. ([Snyk] Security upgrade django from 1.6.1 to 2.2.25 #123)
• 2ac2830 Ability to pass custom formatting via the `format` option ([Snyk] Security upgrade django from 1.6.1 to 2.2.25 #128)
• 8782c3d Changelog fixed. Version bumped to 3.2.0
• 00f63b1 Changelog updated for Version 3.2.0

See the full diff

Package name: request

The new version differs by 250 commits.

• f422111 2.80.0
• bce66a5 Merge pull request [Snyk] Security upgrade urllib3 from 2.0.7 to 2.2.2 #2571 from JamesMGreene/fix_ipv6_host_header
• ff6d6c6 Correctly format the Host header for IPv6 addresses
• 667e923 Merge pull request [Snyk] Fix for 1 vulnerabilities #2558 from request/FredKSchott-patch-1
• 6862553 Merge pull request [Snyk] Security upgrade django from 1.6.1 to 3.2.14 #2221 from calamarico/change_readme
• 8d78bd0 Update README.md example snippet
• 60f6a00 Merge pull request [Snyk] Fix for 1 vulnerabilities #2452 from nicjansma/master
• da077f7 Merge pull request [Snyk] Fix for 1 vulnerabilities #2553 from request/issue-template
• 921ebee small change to template wording
• 256deea add ISSUE_TEMPLATE, move PR template
• fec1f2b reorder PULL_REQUEST_TEMPLATE sections
• 2046cf3 Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.11.3 #2539 from request/FredKSchott-patch-1
• 0ea3d47 Merge pull request [Snyk] Security upgrade request from 2.57.0 to 2.88.2 #2524 from request/greenkeeper-caseless-0.12.0
• 3f57975 Use performance-now instead of custom solution
• a9ad38a Ensure only the properties we expect are there
• d9e8c3d Added deprecated notes
• a60be68 Create PULL_REQUEST_TEMPLATE.md
• 223f44b Merge pull request [Snyk] Security upgrade mocha from 2.5.3 to 4.0.0 #2460 from OwnageIsMagic/patch-1
• d40f9af Merge pull request [Snyk] Fix for 1 vulnerabilities #2514 from humphd/package.json-keywords
• dfd777a chore(package): update caseless to version 0.12.0
• 4901f96 Change tags to keywords in package.json
• f009af2 Merge pull request [Snyk] Security upgrade tap from 2.3.4 to 5.4.3 #2492 from addaleax/lenient-gzip
• 71081b6 More lenient gzip decompression
• 21e315d Removed extra space

See the full diff

Package name: sqlite3

The new version differs by 250 commits.

• 573784b v5.0.3
• e5a24fd Deleted `examples/` folder
• b05f459 Added note about GitHub Releases to CHANGELOG.md
• 33d0656 Modernised Usage example in README
• 9d05c55 Fixed up more README nits
• 08d6319 Fixed link to API docs
• 0e2235a Altered wording in README
• 76b6c56 Altered README header
• e3df365 Updated README
• 426930f Enabled CI to run when pushing tags
• a21d41f Fixed uploading binaries to commit artifacts
• bc978c7 Fixed CI step wording
• 7f744a1 Added prebuilt binaries via GitHub Releases
• b4b3c3a Deleted `scripts/` directory
• 71bbdea Pinned dev dependencies ([Snyk] Security upgrade django from 1.6.1 to 2.2.28 #1558)
• a597383 Updated badges in README
• 0eb4a0f Deleted Travis and Appveyor configs
• b58d341 Downgraded `mocha` and `eslint`
• f39b10d Added missing Node versions to CI
• 8db96d4 Replaced Python extraction script with JS ([Snyk] Fix for 1 vulnerabilities #1570)
• 11c988c Fixed Windows build architecture in CI
• 8e63848 Updated Windows CI runner to `windows-latest`
• d9e7d8b Fixed building on MacOS Monterey 12.3
• 859b95b Updated `node-gyp` to v8.x

See the full diff

Package name: testem

The new version differs by 250 commits.

• 6387915 3.4.3
• 2d9f931 Merge pull request [Snyk] Security upgrade django from 1.6.1 to 3.2.23 #1469 from testem/dependabot/github_actions/actions/setup-node-2.4.0
• a172f62 Merge pull request [Snyk] Security upgrade django from 1.6.1 to 1.11.29 #1470 from testem/dependabot/npm_and_yarn/path-parse-1.0.7
• ec0a8b0 Merge pull request [Snyk] Security upgrade django from 1.6.1 to 3.2.23 #1473 from mrloop/xmldom-xmldom
• 2898201 Update xmldom to maintained package release
• 1c4bf1d Bump path-parse from 1.0.6 to 1.0.7
• e01ac22 Bump actions/setup-node from 2.1.5 to 2.4.0
• 152b25f 3.4.2
• 2f9d1df Merge pull request [Snyk] Security upgrade @slack/webhook from 5.0.4 to 7.0.0 #1459 from testem/socket-4
• 3d74078 feat: socket.io v4.1.2
• ff71d5d Merge pull request [Snyk] Security upgrade django from 1.6.1 to 2.2.28 #1458 from testem/dependabot/npm_and_yarn/ws-7.4.6
• 3584157 Bump ws from 7.4.4 to 7.4.6
• b3f7865 Merge pull request [Snyk] Security upgrade werkzeug from 2.2.3 to 3.0.1 #1453 from testem/dependabot/npm_and_yarn/underscore-1.13.1
• 18e4f9a Bump underscore from 1.8.3 to 1.13.1
• 6d2b9aa 3.4.1
• 38fb6fb Merge pull request [Snyk] Security upgrade madge from 3.12.0 to 4.0.0 #1421 from artemgurzhii/fix/CVE-2021-21366
• ad93bb3 fix: CVE-2021-21366
• 8528142 Merge pull request [Snyk] Security upgrade python from 3.9-slim to 3.12.0b1-slim #1451 from testem/dependabot/github_actions/GabrielBB/xvfb-action-v1.5
• db71529 Bump GabrielBB/xvfb-action from v1.4 to v1.5
• 50ca9c2 Merge pull request [Snyk] Security upgrade django from 1.6.1 to 1.8.16 #1448 from testem/dependabot/npm_and_yarn/sinon-10.0.0
• 0e3eb15 Bump sinon from 7.3.2 to 10.0.0
• ad7d326 3.4.0
• 3361ce5 Merge pull request [Snyk] Security upgrade django from 1.6.1 to 2.2.28 #1446 from testem/dependabot/npm_and_yarn/sinon-chai-3.6.0
• a8a3d9a Bump sinon-chai from 3.5.0 to 3.6.0

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Prototype Override Protection Bypass
🦉 More lessons are available in Snyk Learn