[Snyk] Fix for 45 vulnerabilities

[dmitriz]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	No	Proof of Concept
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Remote Memory Exposure SNYK-JS-BL-608877	No	Proof of Concept
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	626/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.1	Man-in-the-Middle (MitM) SNYK-JS-HTTPSPROXYAGENT-469131	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ISMYJSONVALID-597165	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Arbitrary Code Execution SNYK-JS-ISMYJSONVALID-597167	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-JSONPOINTER-1577288	No	Proof of Concept
	811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-JSONPOINTER-598804	No	Proof of Concept
	644/1000 Why? Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Insecure Randomness npm:cryptiles:20180710	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:hawk:20160119	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Timing Attack npm:http-signature:20150122	No	No Known Exploit
	796/1000 Why? Mature exploit, Has a fix available, CVSS 8.2	Uninitialized Memory Exposure npm:https-proxy-agent:20180402	Yes	Mature
	571/1000 Why? Mature exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:is-my-json-valid:20180214	No	Mature
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:qs:20140806	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Denial of Service (DoS) npm:qs:20140806-1	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Remote Memory Exposure npm:request:20160119	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:sshpk:20180409	Yes	Proof of Concept
	646/1000 Why? Mature exploit, Has a fix available, CVSS 5.2	Uninitialized Memory Exposure npm:stringstream:20180511	Yes	Mature
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Insecure Randomness npm:ws:20160920	No	No Known Exploit
	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20171108	Yes	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @slack/client

The new version differs by 250 commits.

• 35b40af Publish
• f18a3ba Merge pull request Isolation of backtests askmike/gekko#840 from clavin/increase-test-timeout-scalars
• a7f44c7 Incrase test timeout multipliers
• 8d56368 Merge pull request Errors when run simultaneous backtests askmike/gekko#839 from aoberoi/feat-remote-files
• 162b489 synchronize arguments and requiredness with public API docs
• 76a7aee jk the method is cursor pagination enabled
• cc2ef48 apply traditional paging interface instead of repeating arguments
• 0295088 simplify type definitions to make them generatable in the future
• 135b0b9 adds support for the Remote Files API
• bf4f18d Merge pull request Error with Developing for the Gekko UI frontend askmike/gekko#832 from seratch/response_metadata.messages
• 885b680 Merge pull request Some noob questions askmike/gekko#795 from slackapi/add_code_of_conduct_file
• 673aaf3 Merge pull request Cannot import data askmike/gekko#835 from clavin/api-call-extra-debug
• f4f0a30 Merge branch 'master' into add_code_of_conduct_file
• 86e2e89 Resolving linter line-length error
• 267647c Merge branch 'master' into api-call-extra-debug
• 7d36254 Merge branch 'master' into response_metadata.messages
• dd26e23 Merge pull request Serious problem about BTCC trader askmike/gekko#797 from deremer/patch-1
• 96b1b39 Merge pull request Define backtest period askmike/gekko#836 from clavin/fix-integration-test-types
• 54b9661 Level up: verbositiy, clarity, readability
• 2a7c135 Fix ye olde integration type tests
• d903789 Merge pull request mailer error (authorization.failed) askmike/gekko#799 from clavin/convert-typescript
• b806e32 Merge branch 'master' into convert-typescript
• 3eabc38 Fix documentation & typos, better respond resolved type
• a6b22bc Remove unneeded condition

See the full diff

Package name: btc-markets

The new version differs by 11 commits.

• e86d022 Updated npm dependencies
• 1cf70b9 Got withdrawHistory working which uses a GET instead of a POST. The message signature is also different
• 6100c26 Moved @ types from devDependencies to dependencies
• d160644 Added OrderBookTuple to type definition as it restricts the length to 2 numbers which number[][] does not
• 8c27dd0 Bump version
• fed2725 Updated license
• 8feffa2 Fixes to the README
• d5b9f11 Bump version
• a808993 Added generated type definitions for BTCMarkets class
• ab899f9 Now using promises!
• 4c2c1be Converted library to TypeScript including typings

See the full diff

Package name: gdax

The new version differs by 117 commits.

• f380764 0.9.0
• 58fff5f Update husky & lint-staged
• 05468eb More s/GDAX/Coinbase Pro
• 8bdd1cc GDAX deprecation: switch mock HTTP header cookie domain to Coinbase Pro's.
• 04adf49 GDAX depreciation: update API key URL.
• 35bf523 GDAX deprecation: switch sandbox Websocket feed to sandbox Coinbase Pro URL.
• 896f190 GDAX deprecation: switch sandbox REST API to sandbox Coinbase Pro URL.
• 8b14262 GDAX deprecation: switch Websocket feed to Coinbase Pro URL.
• 39f1a92 GDAX deprecation: switch REST API to Coinbase Pro URL.
• 6db4a94 GDAX deprecation: switch docs URLs to docs.pro.coinbase.com.
• adfc380 Add stablecoin conversion (hi mike,help me askmike/gekko#347)
• 95bf7ec Add optional order_id param to getFills as supported by the API (Bitfinex: Updated module, updated wrapper, updated exchange.js askmike/gekko#344)
• 8633292 Update README.md (Kraken requires "my-secret" to be set in the config askmike/gekko#342)
• 0e32d35 Add ETC to CurrencyType (Error - return Gekko version: v${util.getVersion()} askmike/gekko#332)
• e9624bb Add payment method withdrawal functionality (Poloniex: BTC-ETH pair not saving to SQLite database askmike/gekko#325)
• 715dda4 Add clarification info to README for cancelOrders and cancelAllOrders
• daaeae3 Fix build and test dependencies (Fix incorrect file existence check and fix npm test askmike/gekko#324)
• 1a79817 Fix build matrix (Update exchanges.js askmike/gekko#323)
• b4d9902 Add depositPayment method to support /deposits/payment-method (Fix links to point current (0.2) branch instead of master branch askmike/gekko#314)
• 5d8cc18 Fix Typescript types for getProductTradeStream (Error: Unsupported exchange askmike/gekko#319)
• a836283 TypeScript: Add options for clients (Update kraken.js askmike/gekko#322)
• bf347b1 0.8.0
• a773dac Point Changelog at GitHub Releases (New Pairs for kraken? askmike/gekko#318)
• 906b82d CircleCI Build Matrix (Fix syntax error in exchanges/kraken.js askmike/gekko#316)

See the full diff

Package name: poloniex.js

The new version differs by 19 commits.

• aa41c1f Increase version number, 0.0.9
• 38629b8 Update request package
• 42c4a7e Merge pull request [Snyk] Security upgrade sqlite3 from 3.1.13 to 5.0.3 #31 from askmike/master
• 69f5e25 Only ETIMEDOUT after 60 sec
• 99dd1ae Improve spacing
• aeedab5 Merge branch 'Jabbath-master': support returnOrderBook('all')
• 0072b65 Merge returnOrderBook('all')
• 4774961 Update returnOpenOrders(all) and README
• 5c60446 Fix call to returnOpenOrders for 'all' currencies
• 2fa1a7f Fix generateNewAddress call, closes Configure Renovate - autoclosed #28
• 3e88df8 Merge pull request [Snyk] Security upgrade sqlite3 from 3.1.13 to 4.0.0 #17 from askmike/patch-2
• 6661529 Merge pull request [Snyk] Security upgrade btc-markets from 0.0.10 to 1.0.0 #25 from KoryNunn/fix-returnTradeHistory
• 86452de Fixed returnTradeHistory
• 5f82a99 Merge pull request [Snyk] Security upgrade moment from 2.20.1 to 2.29.2 #19 from anders94/bump-version
• 91f5e6a bump to version 0.0.8
• b79fc60 Merge pull request [Snyk] Security upgrade pushbullet from 1.4.3 to 3.0.0 #18 from anders94/add-returnLendingHistory
• 5690d1f add returnLendingHistory
• b1a92c2 Timeout the request after 10 seconds
• 1dc32e2 Added functionality to fetch order books for all markets

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Arbitrary Code Execution
🦉 More lessons are available in Snyk Learn

[guardrails]

⚠️ We detected 4 security issues in this pull request:

Vulnerable Libraries (4)

Severity	Details
Critical	pkg:npm/btc-markets@1.0.6 upgrade to: > 1.0.6
Critical	pkg:npm/gdax@0.9.0 upgrade to: > 0.9.0
Medium	pkg:npm/@slack/client@5.0.2 upgrade to: > 5.0.2
Critical	pkg:npm/poloniex.js@0.0.9 upgrade to: > 0.0.9

More info on how to fix Vulnerable Libraries in JavaScript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.