[Snyk] Fix for 31 vulnerabilities

[baby636]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	679/1000 Why? Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-GETOBJECT-1054932	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	No	Proof of Concept
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-Bounds SNYK-JS-NODESASS-535498	Yes	Proof of Concept
	761/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.8	NULL Pointer Dereference SNYK-JS-NODESASS-535500	Yes	Proof of Concept
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	Out-of-bounds Read SNYK-JS-NODESASS-540958	Yes	Proof of Concept
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	Uncontrolled Recursion SNYK-JS-NODESASS-540964	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Denial of Service (DoS) SNYK-JS-NODESASS-540978	Yes	Proof of Concept
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	NULL Pointer Dereference SNYK-JS-NODESASS-540992	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-Bounds SNYK-JS-NODESASS-540998	Yes	Proof of Concept
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-NODESASS-541000	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-bounds Read SNYK-JS-NODESASS-541002	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:underscore.string:20170908	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: grunt

The new version differs by 82 commits.

• 6f49017 1.3.0
• faab6be Merge pull request Slow Scroll with collection inside modal Dogfalo/materialize#1720 from gruntjs/update-changelog-deps
• 520fedb Update Changelog and legacy-util dependency
• 7e669ac Merge pull request Docs Italian Translation Dogfalo/materialize#1719 from gruntjs/yaml-refactor
• e350cea Switch to use `safeLoad` for loading YML files via `file.readYAML`.
• 7125f49 Merge pull request Fix #1610: Correct javascript source in templates Dogfalo/materialize#1718 from gruntjs/legacy-log-bumo
• 00d5907 Bump legacy-log
• 3b75085 1.2.1
• ae11839 Changelog update
• 9d23cb6 Merge pull request Responsively hiding prefix icons in forms is buggy Dogfalo/materialize#1715 from sibiraj-s/remove-path-is-absolute
• e789b1f Remove path-is-absolute dependency
• 27bc5d9 Merge pull request documentation for Card Reveal has error Dogfalo/materialize#1714 from gruntjs/release-1.2.0
• 64a3cf4 Release v1.2.0
• 0d23eff Merge pull request Material Select remaining caret icon on destroy Dogfalo/materialize#1570 from bhldev/feature-options-keys
• ee70306 Merge pull request Materialize is randomly adding caret icons on top of my drop downs  Dogfalo/materialize#1697 from philz/1696
• 05c0634 Merge pull request icon font on BlackBerry 10 browser Dogfalo/materialize#1712 from gruntjs/fix-lint
• cdd1c19 fix lint in file.js
• bc168e3 Merge pull request Slider crashing with jQuery UI Dogfalo/materialize#1283 from greglittlefield-wf/recognize-relative-links
• 5f16b5a Merge pull request Icons not loading on windows phone Dogfalo/materialize#1675 from STRML/remove-coffeescript
• 58f80ae Merge pull request nav .brand-logo (Line 5268) Dogfalo/materialize#1677 from micellius/monorepo-support
• 1f61427 Add CODE_OF_CONDUCT.md
• 4c6fcd9 Merge pull request fix for #1708 Dogfalo/materialize#1709 from NotMoni/patch-1
• 169d496 add link to license
• 288ea76 add license link

See the full diff

Package name: grunt-babel

The new version differs by 12 commits.

• 3fee421 7.0.0
• 4c89e7e add missing peerDep
• 79450ee Merge pull request hamburger icon has no hover state Dogfalo/materialize#79 from babel/b7-alpha
• 59ffa73 remove node 0.10/0.12 from travis
• 75bc67f fix readme [skip ci]
• 5e7fdd5 make peerDep on babel-core v7
• cf4f0c7 lock down XO
• 97120ca ES6 → ES2015
• 44e9762 meta tweaks
• a7874fd bump dev deps
• ce3bbc3 bump dev deps
• 766123a fix docs

See the full diff

Package name: grunt-concurrent

The new version differs by 5 commits.

• 8c7183c 3.0.0
• 2c8a189 Upgrade dependencies
• f8e1fd9 Add `indent` option (css file without index styles Dogfalo/materialize#101)
• 468aec3 Require Node.js 8 and Grunt 1
• a672f19 Create funding.yml

See the full diff

Package name: grunt-contrib-compress

The new version differs by 14 commits.

• bd9fc8e v2.0.0
• b8565a9 Update Archiver (Styled input file button Dogfalo/materialize#232)
• f6815bf Update deps and remove nodeunit loading (Date picker string translation with weekdaysShort parameter is not working Dogfalo/materialize#231)
• b70c1d9 Update tests and dependencies (Date picker opens up after switching tabs  Dogfalo/materialize#230)
• 5759edd Bump ini from 1.3.5 to 1.3.7 (Many selects in same form Dogfalo/materialize#228)
• 0603886 v1.6.0
• ea2bb69 Update deps (Fixed a typo Dogfalo/materialize#218)
• 1cfa1f1 update iltorb to 2.4.3 (Merge pull request #1 from Dogfalo/master Dogfalo/materialize#216)
• a8998ec 1.5.0
• e7cb371 Update changelog
• f6e95ab Add package lock (Is there a center align ? Dogfalo/materialize#213)
• 050ae41 Updated iltorb to latest minor version for v1.* (sidebar on both sides Dogfalo/materialize#209)
• fd055e9 update tar to 4.4.8 (Integrate alexk111's SVG-Morpheus? Dogfalo/materialize#211)
• b8ed0cc package.json: minimum node.js version is 4 since the Brotli patch.

See the full diff

Package name: grunt-contrib-concat

The new version differs by 8 commits.

• 9e0f72f 2.0.0
• de2b0e9 Merge pull request Custom color of input underline Dogfalo/materialize#192 from gruntjs/release-2
• 2f2aeff Release docs
• 63a42a8 Merge pull request Navbar Theme/Hover Dogfalo/materialize#191 from gruntjs/update-deps-oct
• 4c4fab8 Update CI
• 71d6edd Update dependencies
• 9054b14 Merge pull request Form labels dissapear within card-panel Dogfalo/materialize#176 from alexjking/fix-browserify-sourcemap-regex
• b1cf785 fix(sourcemap-regex): fix regex to match browserify sorucemap charset

See the full diff

Package name: grunt-contrib-jasmine

The new version differs by 20 commits.

• 201bb2a Release v2.0.3
• 9b18221 Upgrade npm dependencies
• d0e2572 fix: build only should pass if the buildSpecrunner runs without error
• 74855ed Update dependencies
• d65dd20 v2.0.2
• d7f652f Fix typo
• 55a5f1f Wait for spec runner before larunching browser
• 408a233 Set the startTime before calling sendMessage
• a30f731 Create new optional 'noSandbox' option to launching Puppeteer with no-sandbox arg.
• a88f31b Launching Puppeteer with no-sandbox arg.
• de29770 v2.0.1
• a71cc54 Use the grunt current working directory to find the jasmine core folder (Wish to clear date field value Dogfalo/materialize#277)
• f3c320c Deals with Code Clean :) Dogfalo/materialize#274 (Select box doesn't render if added dynamically! Dogfalo/materialize#275)
• a21b0b1 Implement options.version (Do a special dropdown for the small devices Dogfalo/materialize#273)
• 7d3dbdc update template usage (Dropdown Hover:false Dogfalo/materialize#272)
• 51feacb Update deps (Does SideNav also work other than on mobile? Dogfalo/materialize#271)
• 02e72f3 Switch from PhantomJS to Chrome Headless via Puppeteer (Input-field class documentation Dogfalo/materialize#269)
• 55594d0 1.2.0
• 5fc2536 Update ci (Add Sidebar Naviagation Dogfalo/materialize#268)
• cc8572c Fix deprecation warning in Node.js 7 (Increased z-index of dropdown menu Dogfalo/materialize#262)

See the full diff

Package name: grunt-contrib-uglify

The new version differs by 36 commits.

• a3f3f34 5.2.1
• 3c8d904 Update Readme
• 0850dcd update dependencies (Material Box inside card Dogfalo/materialize#568)
• c27ad5f Bump minimist from 1.2.5 to 1.2.6 (Bug fix expandable functionality in collapsible. Dogfalo/materialize#567)
• 98b4c5f Fix documentation in relation to issue Datepicker consistency Dogfalo/materialize#565 (Navbar Search Misaligned Dogfalo/materialize#566)
• 7228446 Bump minimist from 1.2.5 to 1.2.6 (I have a relevant Sass function you might want to include. Dogfalo/materialize#563)
• e410511 Update deps, v5.1.0 (Indeterminate Preloader breaks down the iOS WebApp (tap functions) Dogfalo/materialize#564)
• 2cb31be Update uglify-js to v3.15.2 (SideNav left offset Dogfalo/materialize#562)
• 12ca0f2 Fix wording in README.md (Option to display dropdown below origin Dogfalo/materialize#560)
• 1f6a012 Bump path-parse from 1.0.6 to 1.0.7 (Radio buttons not working Dogfalo/materialize#558)
• 0e4b1a0 Update uglify-js (Slider lazy loading of images fix Dogfalo/materialize#557)
• 9ccf10d Bump hosted-git-info from 2.8.8 to 2.8.9 (Sidebar active state highlighting not full width / offset Dogfalo/materialize#556)
• 4e83e45 Update UglifyJS to 3.13.3 (Range slider in Chrome for Android broken Dogfalo/materialize#554)
• 8674feb Bump ini from 1.3.5 to 1.3.8 (checkbox label's color Dogfalo/materialize#552)
• 14b71da v5.0.0
• 9259448 Bump lodash from 4.17.11 to 4.17.19 (Card Image Bug Dogfalo/materialize#550)
• 4645446 Bump js-yaml from 3.5.5 to 3.14.0 (Form label animation does not fire on password fields when form is auto filled by the browser. Dogfalo/materialize#551)
• b7bcde4 Delete .travis.yml
• cba2631 Delete appveyor.yml
• 3dc53f0 ini github workflow
• f65dbb9 v4.0.1. (Mixin keyframe fix Dogfalo/materialize#535)
• b33a071 upgrade devDependencies (Modal footer for buttons Dogfalo/materialize#536)
• 1e40037 upgrade to uglify-js 3.5.0 (Card Reveal Not Covering Entire Image Dogfalo/materialize#534)
• 33724cd update links to uglifyJS documentation (Navbar not collapsing (only sometimes) Dogfalo/materialize#530)

See the full diff

Package name: grunt-contrib-watch

The new version differs by 20 commits.

• 3b7ddf4 v1.1.0
• 72b1214 Updating dependencies, async, lodash and tiny-lr
• 5adb27c Merge pull request Material Boxed doesn't work with Slider images Dogfalo/materialize#543 from digitalbazaar/master
• 6ec71e9 v1.0.1
• 7d20933 Update copyright year
• e3d19df Update ci configs
• d117574 Updating ci configs
• 99410a7 README.md: Fixed typos (Modal footer for buttons Dogfalo/materialize#536)
• f07311b Update tiny-lr dependency to 1.x
• 7f8cf80 Add local grunt-cli
• ab6771e Drop back to grunt@0.4.5 until the bad test helper can be sorted
• 2e2daa5 Update to gaze@1.1.0
• 3d7fa3a Avoid timing issue in tests because of the bad test helper
• 0130a16 Merge pull request Sidebar and long titles Dogfalo/materialize#500 from gruntjs/deps
• 5289845 Update devDependencies.
• fd3ed7a Lint tweaks.
• e42386a Merge pull request Date picker broken on Android phone Dogfalo/materialize#501 from cepko33/master
• 8c93077 Updated lodash and changed outdated 'contains' to 'includes'
• 986b8a9 Update CHANGELOG.
• 5e155ec Add AppVeyor for Windows testing.

See the full diff

Package name: grunt-postcss

The new version differs by 11 commits.

• a9f4009 0.9.0
• cebb239 fix and test for pull request Working on Latest Commit Ajax call Dogfalo/materialize#99
• c7af14b Merge pull request Working on Latest Commit Ajax call Dogfalo/materialize#99 from soul-wish/master
• a258eb7 travis CI: drop node 0.12, add new LTS and current
• 175aa25 update dependencies
• b0881ce formatting
• ca91992 remove unnecessary check
• dce9fe7 update dependencies
• 10c5c57 add ability to use options.processor as a function
• a279c65 Merge pull request Add a getting started button to the homepage Dogfalo/materialize#89 from danyshaanan/patch-1
• 455d29a Add npm version badge

See the full diff

Package name: grunt-sass

The new version differs by 9 commits.

• 2b662db 3.0.0
• 64f6444 Add support for Dart Sass (reattach events Dogfalo/materialize#283)
• 683ad07 Meta tweaks
• 12138d1 Fix linting
• 26c31c0 Require Node.js 8
• 276257e 2.1.0
• cfb6b53 Force the latest verison of node-sass
• b7087c6 Travis CI: Add Node.js 7 (Updated the range input code sample Dogfalo/materialize#270)
• e9187e2 Lock the XO dependency

See the full diff

Package name: lint-staged

The new version differs by 250 commits.

• 885a644 Merge pull request Support :indeterminate checkboxes Dogfalo/materialize#852 from okonet/listr2
• aba3421 fix: all lint-staged output respects the `quiet` option
• b8df31a fix: do not show incorrect error when verbose and no output
• eed6198 style: simplify eslint and prettier config
• b746290 ci: replace Node.js 13 with 14, since 14 will be next LTS
• 2c6f3ad docs: improve `verbose` description
• e749a0b test: remove redundant, misbehaving test
• 16848d8 fix: use test renderer during tests and when TERM=dumb
• efffa22 test: cover `--verbose` option usage
• 1b18550 test: restore variable in test output
• 6aede38 test: add test for error during merge state restoration
• b565481 test: integration test targets the full Node.js API instead of just `runAll`
• a3bd9d7 feat: allow specifying `cwd` using the Node.js API
• 85de3a3 feat: add `--verbose` to show output even when tasks succeed
• d69c65b fix: log task output after running listr to keep everything
• e95d1b0 refactor: move skip and enable cheks of listr tasks to separate file
• 6da7667 refactor: move messages to separate file
• 6392480 refactor: use symbols for errors
• 8f32a3e feat: replace listr with listr2 and print errors inline
• c9adca5 fix: use stash create/store to prevent files from disappearing from disk
• e093b1d fix(deps): update dependencies
• 6066b07 fix: pass correct path to unstaged patch during cleanup
• 0bf1fb0 fix: allow lint-staged to run on empty git repo by disabling backup
• 1ac6863 Merge pull request Dropdown not hiding properly with hover option Dogfalo/materialize#837 from okonet/serial-git-add

See the full diff

Package name: node-sass

The new version differs by 227 commits.

• 3b556c1 7.0.2
• c716359 Bump sass-graph@^4.0.1 (send event to Modal completion event Dogfalo/materialize#3292)
• 24741b3 docs(readme): fix docpad plugin link
• 1523330 feat: Drop Node 12
• 365d357 update https://registry.npm.taobao.org to https://registry.npmmirror.com
• 1456114 build(deps): bump actions/upload-artifact from 2 to 3
• b465b69 chore: bump GitHub Actions to Windows 2019 (Merge pull request #1 from Dogfalo/master Dogfalo/materialize#3254)
• e6194b1 build(deps): bump make-fetch-happen from 9.1.0 to 10.0.4
• 4edf594 build(deps): bump node-gyp from 8.4.1 to 9.0.0
• 29e2344 build(deps): bump actions/checkout from 2 to 3
• 85b0d22 build(deps): bump actions/setup-node from 2 to 3
• 3bb51da Use make-fetch-happen instead of request (How to start wave effect? Dogfalo/materialize#3193)
• adc2f8b build(deps): bump true-case-path from 1.0.3 to 2.2.1 (dropdown not working properly Dogfalo/materialize#3000)
• 77d12f0 chore: disable Apline for Node 16/17 builds
• 308d533 ci: use Python 3 for Node 12
• c818907 ci: unpin actions/setup-node to v2
• 99242d7 7.0.1
• 77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (material_select option's class Dogfalo/materialize#3224)
• c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (Mobile version of nav not working a all in latest release (chrome) Dogfalo/materialize#3209)
• 918dcb3 Lint fix
• 0a21792 Set rejectUnauthorized to true by default (Remove hidden options from UI Dogfalo/materialize#3149)
• e80d4af chore: Drop EOL Node 15 (Datepicker closeOnSelect Workaround Breaks Date Formatting Dogfalo/materialize#3122)
• d753397 feat: Add Node 17 support (Invalid bower.json Dogfalo/materialize#3195)
• dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0

See the full diff

Package name: phantomjs-prebuilt

The new version differs by 4 commits.

• a98231b Merge pull request Fullscreen Slider Dogfalo/materialize#733 from avindra/patch-1
• 19c6d4c Bump package.json version
• 65b57f7 Merge pull request Syntax Error on navbar.html page Dogfalo/materialize#732 from Ilshidur/patch-1
• cc52482 Dependencies update : fix security issues

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 NULL Pointer Dereference
🦉 More lessons are available in Snyk Learn