[Snyk] Fix for 1 vulnerabilities

[bobby-lin]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	768/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-LODASH-6139239	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: babel-eslint

The new version differs by 250 commits.

• 4bd049e 10.1.0
• 2c754a8 Update Babel to ^7.7.0 and enable Flow enums parsing (personality freeCodeCamp/freeCodeCamp#812)
• 183d13e 10.0.3
• 354953d fix: require eslint dependencies from eslint base (Typos in Step 4 of Bonfire Style Guide Field Guide freeCodeCamp/freeCodeCamp#794)
• 48f6d78 10.0.2
• 0241b48 removed unused file reference (Challenge doesn't accept CSS shorthand freeCodeCamp/freeCodeCamp#773)
• 4cf0a21 10.0.1
• 98c1f13 Revert Challenge http://www.freecodecamp.com/challenges/waypoint-create-a-set-of-radio-buttons has an issue  freeCodeCamp/freeCodeCamp#584 (Challenge http://www.freecodecamp.com/challenges/waypoint-wrap-an-anchor-element-within-a-paragraph has an issue  freeCodeCamp/freeCodeCamp#697)
• 8f78e28 10.0.0
• 717fba7 test value should be switched
• 020d012 Treat type alias declarationlike function declaration (Challenge http://www.freecodecamp.com/challenges/waypoint-create-a-set-of-radio-buttons has an issue  freeCodeCamp/freeCodeCamp#584)
• b400cb1 Test eslint5, update peerDep (Challenge http://www.freecodecamp.com/challenges/waypoint-check-radio-buttons-and-checkboxes-by-default has an issue  freeCodeCamp/freeCodeCamp#690)
• c333bd6 Drop old monkeypatching behavior (Challenge http://www.freecodecamp.com/challenges/waypoint-use-clockwise-notation-to-specify-the-margin-of-an-element has an issue  freeCodeCamp/freeCodeCamp#689)
• 6aa8b6f 9.0.0
• c7ee9ae Bump to babel@7.0.0 🎉 (Challenge http://www.freecodecamp.com/challenges/waypoint-use-clockwise-notation-to-specify-the-margin-of-an-element has an issue  freeCodeCamp/freeCodeCamp#676)
• 3ece549 Docs: Make the default parserOptions more explicit (Challenge http://www.freecodecamp.com/challenges/waypoint-wrap-an-anchor-element-within-a-paragraph has an issue  freeCodeCamp/freeCodeCamp#673)
• 0b36951 Add logical assignment plugin (Challenge http://www.freecodecamp.com/challenges/waypoint-use-html5-to-require-a-field has an issue  freeCodeCamp/freeCodeCamp#674)
• 5856ff5 Bump some devDeps
• 45938d9 build(deps): upgrade @ babel/* to 7.0.0-rc.2 (Challenge http://www.freecodecamp.com/challenges/waypoint-scope-your-variables has an issue  freeCodeCamp/freeCodeCamp#668)
• bc97875 9.0.0-beta.3
• 74c5d62 update lock
• 6a45632 chore - fixing eslint-scope to a safe version; resolves Challenge http://www.freecodecamp.com/challenges/bonfire-chunky-monkey has an issue  freeCodeCamp/freeCodeCamp#656. (Provisional fix to issue #655 freeCodeCamp/freeCodeCamp#657)
• e0119e0 9.0.0-beta.2
• 198964b Merge pull request Challenge http://www.freecodecamp.com/challenges/waypoint-create-an-ordered-list has an issue  freeCodeCamp/freeCodeCamp#645 from rubennorte/support-new-flow-syntax-in-scope-analysis

See the full diff

Package name: babel-loader

The new version differs by 13 commits.

• 321852e Merge branch 'release/6.0.0'
• e7565ee Add @ malyw 's guide to upgrade babel
• 862b7b1 Update travis badge url
• ff3bc7a Update dependencies.
• fc2bfe4 Merge branch 'shinnn-travis-ci' into develop
• a6f3fc0 Change options to query. Increase timeout interval
• 94d6308 Merge remote-tracking branch 'werk85/master' into develop
• f4e40c5 README updated
• 0823f6a Upgraded to Babel 6
• bb110a8 set up Travis CI
• f84ef50 Merge branch 'develop' of github.com:babel/babel-loader into develop
• 719eb70 Merge branch 'hotfix/5.3.1' into develop
• 6b33020 Merge branch 'release/5.3.0' into develop

See the full diff

Package name: cheerio

The new version differs by 56 commits.

• c3ec1cd Release 0.20.0
• ef848ca Add coveralls badge, remove link to old report
• dbcbe90 Merge pull request Bootstrap css link is not on the tutorial description freeCodeCamp/freeCodeCamp#808 from leifhanack/lodash4
• c04ead1 Merge pull request Challenge http://www.freecodecamp.com/challenges/waypoint-scope-your-variables has an issue  freeCodeCamp/freeCodeCamp#668 from rwaldin/prop-method
• b5531bb Merge pull request Challenge http://www.freecodecamp.com/challenges/waypoint-use-clockwise-notation-to-specify-the-margin-of-an-element has an issue  freeCodeCamp/freeCodeCamp#671 from twolfson/dev/fallback.select.content.sqwished
• 9d98bd7 Merge pull request Challenge http://www.freecodecamp.com/challenges/waypoint-add-borders-around-your-elements has an issue  freeCodeCamp/freeCodeCamp#704 from Rycochet/master
• 1b9c5c9 Merge pull request Basic Javascript waypoints translated into ES [WIP] freeCodeCamp/freeCodeCamp#797 from Delgan/641-appendTo_prependTo
• b12cbe8 Update lodash dependeny to 4.1.0
• 8c9b2e0 Merge pull request Blacklist usernames freeCodeCamp/freeCodeCamp#796 from Delgan/fix_780
• b09db31 Fix PR fixed bug where the 'next challenge' button in tablet view couldn't… freeCodeCamp/freeCodeCamp#726 adding 'appendTo()' and 'prependTo()'
• ce8829d Added appendTo and prependTo with tests Fix to issue #633 and a hand full of the other issues related to the challenge freeCodeCamp/freeCodeCamp#641
• 4779762 Fix Set font-family: "Monospace" renders as serif freeCodeCamp/freeCodeCamp#780 by changing options context in '.find()'
• 8dc1cc9 Add an unit test checking the query of child
• b27bed6 fix Minor typo: Challenge http://www.freecodecamp.com/challenges/waypoint-responsively-style-a-radio-buttons has an issue  freeCodeCamp/freeCodeCamp#667: attr({foo: null}) removes attribute foo, like attr('foo', null)
• 70c5608 Include reference to dedicated "Loading" section
• fa70a84 Added load method to $
• 4e8483a update css-select to 1.2.0
• 5f2777a Merge pull request Example app freeCodeCamp/freeCodeCamp#732 from jugglinmike/reinstate-toarray
• 106e42a Merge pull request Challenge isn't checking where code is added freeCodeCamp/freeCodeCamp#776 from dYale/master
• 97149d3 Fixing Grammatical Error
• a1367ee Merge pull request class not working freeCodeCamp/freeCodeCamp#739 from TrySound/npm-files
• 6c73b7a Merge pull request Challenge doesn't accept CSS shorthand freeCodeCamp/freeCodeCamp#773 from JaKXz/patch-1
• 48bb22d Test against node v0.12 --> v4.2
• ec2414d Correct output in example

See the full diff

Package name: express-validator

The new version differs by 44 commits.

• cdfb5dc Upgrade to 3.0.0
• fa25f11 Specify fail message of optional when using schema
• d99417f Ignore tests and other dotfiles from npm package
• f3c0a40 Move optional flag after other validation in optionalSchemaTest
• 417a653 Merge pull request Move Bonfires into Coursewares freeCodeCamp/freeCodeCamp#285 from ctavan/errors-result
• ebdd10d readme: rename non existing variable in Usage
• 6d96a97 readme: add missing regex routes section
• 5e204dc readme: readd docs about deprecated methods
• 8f10fa6 readme: add a table of contents
• bbb9b4e Rename #getValidationErrors() to #getValidationResult()
• 40e966f readme: update docs for usage of #getValidationErrors()
• d054608 JSHint: set expr rule to true
• 5db0b0f getValidationErrors(): return a result object instead of errors directly
• d6b666a Merge branch 'pr-280'
• 1db8f0d Improve IDE autocomplete for methods
• 2551e9c Separate utils from the main file
• 6ec3bd8 Switch README badges to Shields.io
• 4e0d126 Merge pull request Create dynamic named routes for resources freeCodeCamp/freeCodeCamp#282 from IOAyman/patch-optional-schema
• 1afe320 Bug Fix: Optional validate method may not be applied when using a schema
• 42c065d Fix branch of the coverage badge in the README
• 0ffd03d Add missing tests for #checkHeaders()
• 17cb82e Make headers validation and sanitization case insensitive
• 8c2f536 Merge branch 'pr-232'
• 1694cda Add tests for #checkCookies()

See the full diff

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (errors on waypoint-comment-your-javascript-code freeCodeCamp/freeCodeCamp#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (typo mistake. #111111 is dark grey, not light grey freeCodeCamp/freeCodeCamp#1859)
• 723cbc4 Docs: Fix syntax in recipe example (Onboarding freeCodeCamp/freeCodeCamp#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (Text "[object Object]" found on the Learning Map freeCodeCamp/freeCodeCamp#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (Beta: Waypoint: Modify Array Data With Indexes freeCodeCamp/freeCodeCamp#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (spam freeCodeCamp/freeCodeCamp#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (Fix for #1644 freeCodeCamp/freeCodeCamp#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (Beta: Waypoint: Use Hex Code for Specific Colors - wording on 2nd checkpoint freeCodeCamp/freeCodeCamp#1609)

See the full diff

Package name: gulp-babel

The new version differs by 3 commits.

• 8392545 6.0.0
• 39e81e0 tweaks
• 94addac Close [Snyk] Fix for 1 vulnerabilities #46 PR: chore: update babel-core to 6.0.2.

See the full diff

Package name: gulp-eslint

The new version differs by 15 commits.

• 639e388 2.0.0
• 55f0c29 Update ESLint dependency;
• c11bba6 Remove rules that have been removed in ESLint@2.0.0-rc.0;
• 7f01da7 2.0.0-rc-3
• 5851668 Rename .eslintrc to .eslintrc.yml;
• e7ba0f2 2.0.0-rc-2
• 90841cb Tighten various test case configs;
• 3536eeb Update changeling;
• cbe6731 2.0.0-rc-1
• dcdfff7 Update to ESLint next/2.0.0-rc-* dependency;
• 7f190a6 Fix listing error;
• adf2180 Fix path in comment
• 9378eef Simplify the cached-lint watch.js example;
• 6def722 Merge pull request test waffle issues freeCodeCamp/freeCodeCamp#121 from 5im0n/update-readme
• 67fcd75 Update eslint.results in README.md

See the full diff

Package name: rev-del

The new version differs by 22 commits.

• de7ddcf 2.0.0
• a53017b Merge pull request [Snyk] Fix for 1 vulnerabilities #20 from jakezatecky/master
• f95803a Merge pull request [Snyk] Security upgrade cheerio from 0.19.0 to 0.20.0 #16 from joostdekeijzer/deleteMapExtensions-issue-10
• c58cf53 Update dependencies
• cf4592b deleteMapExtensions help text
• bb0647a deleteMapExtensions option defaults to false
• 3e6352a Update travis test version
• be9d676 Merge pull request [Snyk] Security upgrade forever from 0.15.3 to 4.0.0 #13 from nickescallon/add-range-dep-for-lodash
• 6cb4e66 Merge pull request [Snyk] Security upgrade forever from 0.15.3 to 4.0.0 #12 from piotr-cz/patch-1
• 6083c07 Merge pull request [Snyk] Fix for 1 vulnerabilities #14 from silverbackdan/master
• 099fc8c Remove statSync from secondary potential map file path
• ce37d62 Coding style whitespace update
• ab3a318 Change existsSync to statSync and coding style update
• 9929902 Conflict resolve
• dae8438 First local to remote commit
• 218f09d .map find fixes
• b9e10b6 Lookup key for file to locate .map
• 9ab2b0c Respect deleteMapExtensions option
• a0a913e .map extension check
• aa4db05 Option for checking and deleting .map extenions
• acea599 increase lodash dependency version range
• bd6105e Fix path resolution on windwos

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/babel-core@6.9.0	environment, filesystem, unsafe Transitive: eval	+42	4.45 MB	hzoo
npm/babel-eslint@10.1.0	Transitive: environment, eval, filesystem, shell, unsafe	+107	16.8 MB	kaicataldo
npm/babel-loader@6.0.0	filesystem	+2	58.5 kB	couto
npm/babel@6.23.0	None	0	1.26 kB	loganfsmyth
npm/cheerio@0.20.0	Transitive: filesystem, network, shell, unsafe	+14	1.41 MB	feedic
npm/eslint@2.1.0	filesystem Transitive: environment, eval, shell	+76	8.28 MB	nzakas
npm/express-validator@3.2.1	Transitive: environment, eval, unsafe	+15	3.18 MB	gustavohenke
npm/gulp-babel@6.1.3	unsafe Transitive: environment, eval, filesystem	+58	4.41 MB	demurgos
npm/gulp-eslint@2.1.0	Transitive: environment, eval, filesystem, shell	+84	9.1 MB	shinnn
npm/loopback-boot@2.28.0	environment, filesystem, unsafe	+2	250 kB	rfeng
npm/loopback-component-explorer@2.7.0	Transitive: environment, eval	+1	89.2 kB	0candy
npm/loopback-component-passport@1.6.0	None	0	246 kB	rfeng
npm/loopback-connector-mongodb@1.13.0	Transitive: eval, filesystem, network	+6	2.25 MB	rfeng
npm/loopback-testing@1.4.0	None	+1	574 kB	bajtos
npm/loopback@2.42.0	filesystem, network Transitive: environment, eval	+2	1.24 MB	jannyhou2016
npm/merge-stream@1.0.1	None	+6	56.9 kB	shinnn
npm/method-override@2.3.10	Transitive: network	+3	39.6 kB	dougwilson
npm/mocha@2.5.3	environment, filesystem Transitive: shell	+13	812 kB	dasilvacontin
npm/moment@2.30.1	None	0	4.35 MB	ichernev
npm/mongodb@2.2.36	filesystem, network Transitive: eval	+5	1.93 MB	mbroadst
npm/morgan@1.10.0	eval Transitive: environment	+3	70.6 kB	dougwilson
npm/node-uuid@1.4.8	None	0	38.3 kB	broofa
npm/nodemailer@1.11.0	filesystem	0	53.8 kB	andris
npm/normalize-url@1.9.1	None	+1	14.8 kB	sindresorhus
npm/object.assign@4.1.5	None	0	72.7 kB	ljharb
npm/passport-facebook@2.1.1	None	0	20.6 kB	jaredhanson
npm/passport-github@1.1.0	None	0	14.2 kB	jaredhanson
npm/passport-google-oauth2@0.1.6	None	0	16.7 kB	mstade
npm/passport-linkedin-oauth2@1.6.1	None	0	28 kB	glenaauth0
npm/passport-local@1.0.0	None	0	8.07 kB	jaredhanson
npm/passport-oauth@1.0.0	None	0	4.47 kB	jaredhanson
npm/passport-twitter@1.0.4	None	0	14.7 kB	jaredhanson
npm/pmx@0.5.9	environment, filesystem, network, unsafe	0	72.6 kB	tknew
npm/ramda@0.18.0	None	0	595 kB	davidchambers
npm/react-bootstrap@0.28.5	environment Transitive: eval, filesystem	+4	4.64 MB	taion
npm/react-dom@0.14.10	None	0	8.92 kB	gaearon
npm/react-motion@0.3.1	None	0	80.6 kB	chenglou
npm/react-router@1.0.3	environment, filesystem, shell	+1	418 kB	ryanflorence
npm/react-vimeo@0.0.3	None	0	601 kB	berkeleytrue
npm/react@0.14.10	environment	0	2.67 MB	gaearon
npm/request@2.88.2	environment, filesystem, network	+5	706 kB	mikeal
npm/rev-del@2.0.0	filesystem	+8	79.9 kB	callumacrae
npm/rx@4.1.0	eval	0	6.6 MB	mattpodwysocki
npm/sanitize-html@2.13.0	Transitive: network	+11	398 kB	boutell
npm/sort-keys@1.1.2	None	0	3.58 kB	sindresorhus
npm/tap-nyan@0.0.2	Transitive: environment	+15	114 kB	cwmma
npm/tape@4.17.0	environment, filesystem	+10	656 kB	ljharb
npm/thundercats-react@0.4.0	environment, network	+1	93.8 kB	berkeleytrue
npm/thundercats@3.1.0	environment	+1	127 kB	berkeleytrue
npm/twit@2.2.11	filesystem Transitive: environment, eval, unsafe	+2	1.33 MB	ttezel
npm/uglify-js@2.8.29	eval, filesystem	+1	1.39 MB	alexlamsl
npm/url-regex@3.2.0	None	0	3.54 kB	kevva
npm/validator@4.9.0	Transitive: environment, eval	+1	184 kB	cohara87
npm/webpack-stream@2.3.0	None	+6	858 kB	shama
npm/webpack@1.15.0	filesystem, unsafe Transitive: environment	+10	1.25 MB	sokra
npm/xss-filters@1.2.7	None	0	252 kB	adon
npm/yargs@3.32.0	environment, filesystem Transitive: shell	+13	286 kB	bcoe

🚮 Removed packages: npm/babel-core@5.8.34, npm/babel-eslint@4.1.8, npm/babel-loader@5.4.0, npm/babel@5.8.34, npm/cheerio@0.19.0, npm/eslint@1.10.3, npm/express-validator@2.21.0, npm/gulp-babel@5.3.0, npm/gulp-eslint@1.1.1, npm/gulp@3.9.1

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Install scripts	npm/core-js@2.6.12	Install script: postinstall Source: node -e "try{require('./postinstall')}catch(e){}"	package.json
Install scripts	npm/react-router@1.0.3	Install script: postinstall Source: node ./npm-scripts/postinstall.js	package.json

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/core-js@2.6.12
• @SocketSecurity ignore npm/react-router@1.0.3