[Snyk] Fix for 11 vulnerabilities

[domsavatta2]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • script/vsts/package.json
  • script/vsts/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	165/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00303, Social Trends: No, Days since published: 1194, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.79, Likelihood: 1.68, Score Version: V5	Prototype Pollution SNYK-JS-AJV-584908	No	No Known Exploit
	159/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00299, Social Trends: No, Days since published: 771, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.65, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	63/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00182, Social Trends: No, Days since published: 980, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.64, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	239/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): High, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00606, Social Trends: No, Days since published: 980, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.79, Likelihood: 2.43, Score Version: V5	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	151/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01362, Social Trends: No, Days since published: 1574, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.67, Score Version: V5	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	150/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1158, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.67, Score Version: V5	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	149/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00117, Social Trends: No, Days since published: 1724, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.64, Score Version: V5	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	133/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): High, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00317, Social Trends: No, Days since published: 1662, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.2, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	169/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00091, Social Trends: No, Days since published: 125, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.81, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	No	Proof of Concept
	137/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00044, Social Trends: No, Days since published: 1316, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.42, Score Version: V5	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
	140/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00097, Social Trends: No, Days since published: 2077, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.48, Score Version: V5	Prototype Pollution npm:lodash:20180130	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: publish-release

The new version differs by 3 commits.

• f909327 chore(gitignore): ignore .env
• a2ec3c5 fix(lodash): upgrade package to avoid vulnerabilities
• 7abcea6 chore(release): 1.6.0 [skip ci]

See the full diff

Package name: request

The new version differs by 13 commits.

• 6420240 2.88.0
• bd22e21 fix: massive dependency upgrade, fixes all production vulnerabilities
• 925849a Merge pull request Add grammar scope to EditorView atom/atom#2996 from kwonoj/fix-uuid
• 7b68551 fix(uuid): import versioned uuid
• 5797963 Merge pull request support ctrl-shift-home/end on Windows atom/atom#2994 from dlecocq/oauth-sign-0.9.0
• 628ff5e Update to oauth-sign 0.9.0
• 10987ef Merge pull request Opening file via command line does not work properly atom/atom#2993 from simov/fix-header-tests
• cd848af These are not going to fail if there is a server listening on those ports
• a92e138 atom command only works if Atom.app is in /Applications atom/atom#515, Move to beginning and end of lines uses screen lines atom/atom#2894 Strip port suffix from Host header if the protocol is known. (Fix typo atom/atom#2904)
• 45ffc4b Improve AWS SigV4 support. (Error on launching - Cannot read property 'length' of undefined atom/atom#2791)
• a121270 Merge pull request Support multiple separators in context menu atom/atom#2977 from simov/update-cert
• bd16414 Update test certificates
• 536f0e7 2.87.1

See the full diff

Package name: semver

The new version differs by 69 commits.

• 63169c1 chore: release 5.7.2
• 2f8fd41 fix: better handling of whitespace (Copy paste does not work when you select a different keyboard language atom/atom#585)
• deb5ad5 chore: @ npmcli/template-oss@4.16.0
• c83c18c 5.7.1
• 956e228 Correct typo in README
• 8055dda 5.7.0
• 604e73d auto-publishing scripts
• bed01e2 remove the nomin comments, since we don't minify any more anyway
• 9cb68f1 document parse method
• 38d42ca 5.7 changelog
• da8a771 Fix code style and get to 100% coverage
• 4d8306b drop windows testing
• 1af213f next-gen tap for testing
• b99ae3b Add semver.minVersion function.
• 6086e5a remove node 4
• a462bec Document `includePrerelease` flag more
• c529221 Use https when possible. (Move matching bracket insertion to bracket-matcher package atom/atom#246)
• a1b6cb8 Add changelog, fix A better dot atom atom/atom#220
• 347d4a0 Move 'standard' from scripts.test to .posttest
• a4ff4ff Apply 'standard' to bin/semver, add to npm test
• a34ca82 Add 'standard' to dev dependencies and npm test
• b30f2ce Apply 'standard' auto-fixes to remainder of tests
• 42e765b Apply 'standard' to test/index.js
• 824e08a Apply 'standard' to test/cli.js

See the full diff

Package name: yargs

The new version differs by 250 commits.

• a6e67f1 chore(release): 13.2.4
• fc13476 chore: update standard-verison dependency
• bf46813 fix(i18n): rename unclear 'implication failed' to 'missing dependent arguments' (Incrementally load packages with activation events atom/atom#1317)
• a3a5d05 docs: fix a broken link to MS Terminology Search (Attempting to launch atom while it's updating should give me a nice message atom/atom#1341)
• b4f8018 build: add .versionrc that hides test/build
• 0c39183 chore(release): 13.2.3
• 08e0746 chore: update deps (Add the ability to cancel project.scan atom/atom#1340)
• 843e939 docs: make `--no-` boolean prefix easier to find in the docs (Provide a way to trigger a check for available updates. atom/atom#1338)
• 84cac07 docs: restore removed changelog of v13.2.0 (Fix mini editor leak atom/atom#1337)
• b20db65 fix(deps): upgrade cliui for compatibility with latest chalk. (The cursor's really hard to see when it's to the left of a matched search term. It's pretty hard to atom/atom#1330)
• c294d1b test: accept differently formatted output (Run atom CI on windows atom/atom#1327)
• ac3f10c chore: move .hbs templates into .js to facilitate webpacking (Handle native commands in render process atom/atom#1320)
• 0295132 fix: address issues with dutch translation (cmd-w shouldn't be able to close the tree-view. atom/atom#1316)
• 9f2468e doc: clarify parserConfiguration object structure (Add clean script atom/atom#1309)
• e7f2937 chore(release): 13.2.2
• edd0bb5 test: correct test description
• 03a9523 chore: forgoing dropping Node 6 until yargs@14 (Common core commands to workspaceView atom/atom#1308)
• 14920d1 docs: remove --save option as it isn't required anymore (Text Aliasing atom/atom#1301)
• 545c7f1 test: slightly reworded one test
• 4375680 chore(release): 13.2.1
• dfcaa68 test: slight edit to test wording
• 3180224 fix: add zsh script to files array
• 0a96394 fix: support options/sub-commands in zsh completion
• 48249a2 chore(release): 13.2.0

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)