[Snyk] Security upgrade axios from 0.18.1 to 0.20.0

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • remix-url-resolver/package.json
  • remix-url-resolver/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: axios

The new version differs by 217 commits.

• 0d87655 Releasing 0.20.0
• cd27741 Updating changelog for 0.20.0 release
• ffea034 Releasing 0.20.0-0
• fe147fb Updating changlog for 0.20.0 beta release
• 16aa2ce Fixing response with utf-8 BOM can not parse to json (#2419)
• c4300a8 Adding support for URLSearchParams in node (#1900)
• bed6783 add table of content (preview) (#3050)
• c70fab9 Fix stale bot config (#3049)
• 5b08fc4 Add days and change name to work (#3035)
• 1768c23 Update close-issues.yml (#3031)
• 3dbf6a1 Add GitHub actions to close stale issues/prs (#3029)
• a9010e4 Add GitHub actions to close invalid issues (#3022)
• 36f0ad2 Replace 'blacklist' with 'blocklist' (#3006)
• 0d69a79 Refactor mergeConfig without utils.deepMerge (#2844)
• 4879416 Allow unsetting headers by passing null (#382) (#1845)
• 4b3947a Add test with Node.js 12 (#2860)
• 0077205 Adding console log on sandbox server startup (#2210)
• ee46dff docs(): Detailed config options environment. (#2088)
• 17a6886 Include axios-data-unpacker in ECOSYSTEM.md (#2080)
• 3f2ef03 Allow opening examples in Gitpod (#1958)
• f3cc053 Fixing overwrite Blob/File type as Content-Type in browser. (#1773)
• f2b478f Revert "Fixing default transformRequest with buffer pools (Bump lodash from 4.17.15 to 4.17.19 in /remix-debugger ethereum/remix#1511)" (#2982)
• d35b5b5 Remove axios.all() and axios.spread() from Readme.md (#2727)
• 6d36dbe Update README.md (#2887)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

[guardrails]

⚠️ We detected 120 security issues in this pull request:

Mode: paranoid | Total findings: 120 | Considered vulnerability: 120

Insecure Use of Regular Expressions (14)

Docs	Details
💡	Title: Regex DOS (ReDOS), Severity: Medium remix/remix-analyzer/src/solidity-analyzer/modules/staticAnalysisCommon.ts Line 235 in c38ca9d if (!isExternalDirectCall(extDirectCall)) throw new Error('staticAnalysisCommon.js: not an external direct call Node')
💡	Title: Regex DOS (ReDOS), Severity: Medium remix/remix-analyzer/src/solidity-analyzer/modules/staticAnalysisCommon.ts Line 250 in c38ca9d if (!isThisLocalCall(thisLocalCall.expression)) throw new Error('staticAnalysisCommon.js: not a this local call Node')
💡	Title: Regex DOS (ReDOS), Severity: Medium remix/remix-analyzer/src/solidity-analyzer/modules/staticAnalysisCommon.ts Line 399 in c38ca9d if (!isLibraryCall(node.expression)) throw new Error('staticAnalysisCommon.js: not a library call Node')
💡	Title: Regex DOS (ReDOS), Severity: Medium remix/remix-analyzer/src/solidity-analyzer/modules/staticAnalysisCommon.ts Line 587 in c38ca9d function isStorageVariableDeclaration (node: VariableDeclarationAstNode): boolean {
💡	Title: Regex DOS (ReDOS), Severity: Medium remix/remix-analyzer/src/solidity-analyzer/modules/staticAnalysisCommon.ts Line 1002 in c38ca9d function expressionTypeDescription (node: any, typeRegex: string): boolean {
💡	Title: Regex DOS (ReDOS), Severity: Medium remix/remix-analyzer/src/solidity-analyzer/modules/staticAnalysisCommon.ts Line 1006 in c38ca9d function typeDescription (node: any, typeRegex: string): boolean {
💡	Title: Regex DOS (ReDOS), Severity: Medium remix/remix-analyzer/src/solidity-analyzer/modules/staticAnalysisCommon.ts Line 1010 in c38ca9d function nodeType (node: any, typeRegex: string): boolean {
💡	Title: Regex DOS (ReDOS), Severity: Medium remix/remix-analyzer/src/solidity-analyzer/modules/staticAnalysisCommon.ts Line 1018 in c38ca9d function memName (node: any, memNameRegex: any): boolean {
💡	Title: Regex DOS (ReDOS), Severity: Medium remix/remix-analyzer/src/solidity-analyzer/modules/staticAnalysisCommon.ts Line 1022 in c38ca9d function operator (node: any, opRegex: string): boolean {
💡	Title: Regex DOS (ReDOS), Severity: Medium remix/remix-url-resolver/src/resolve.ts Line 87 in c38ca9d type: 'github',
💡	Title: Regex DOS (ReDOS), Severity: Medium remix/remix-analyzer/src/solidity-analyzer/modules/staticAnalysisCommon.ts Line 1007 in c38ca9d return new RegExp(typeRegex).test(node.typeDescriptions.typeString)
💡	Title: Regex DOS (ReDOS), Severity: Medium remix/remix-analyzer/src/solidity-analyzer/modules/staticAnalysisCommon.ts Line 1011 in c38ca9d return new RegExp(typeRegex).test(node.nodeType)
💡	Title: Regex DOS (ReDOS), Severity: Medium remix/remix-analyzer/src/solidity-analyzer/modules/staticAnalysisCommon.ts Line 1019 in c38ca9d return (node && !memNameRegex) || new RegExp(memNameRegex).test(node.name) || new RegExp(memNameRegex).test(node.memberName)
💡	Title: Regex DOS (ReDOS), Severity: Medium remix/remix-analyzer/src/solidity-analyzer/modules/staticAnalysisCommon.ts Line 1023 in c38ca9d return new RegExp(opRegex).test(node.operator)

More info on how to fix Insecure Use of Regular Expressions in TypeScript and JavaScript.

---

Insecure File Management (12)

Docs	Details
💡	Title: Use of non-literal fs filename, Severity: High remix/gulpfile.js Line 28 in c38ca9d const latestChangelog = fs.readFileSync(__dirname + '/changes.md', 'utf8')
💡	Title: Use of non-literal fs filename, Severity: High remix/gulpfile.js Line 29 in c38ca9d const oldChangelog = fs.readFileSync(__dirname + '/CHANGELOG.md', 'utf8')
💡	Title: Use of non-literal fs filename, Severity: High remix/gulpfile.js Line 33 in c38ca9d fs.unlinkSync(__dirname + '/CHANGELOG.md');
💡	Title: Use of non-literal fs filename, Severity: High remix/gulpfile.js Line 35 in c38ca9d fs.unlinkSync(__dirname + '/changes.md');
💡	Title: Use of non-literal fs filename, Severity: High remix/gulpfile.js Line 37 in c38ca9d fs.writeFileSync(__dirname + '/CHANGELOG.md', data);
💡	Title: Use of non-literal fs filename, Severity: High remix/remix-debug/test.js Line 29 in c38ca9d inputJson.sources[shortFilename] = {content: fs.readFileSync(filename).toString()}
💡	Title: Use of non-literal fs filename, Severity: High remix/remix-debug/test/init.js Line 16 in c38ca9d fs.readFile(filename, 'utf8', callback)
💡	Title: Use of non-literal fs filename, Severity: High remix/remix-debug/test/init.js Line 18 in c38ca9d return fs.readFileSync(filename, 'utf8')
💡	Title: Use of non-literal fs filename, Severity: High remix/remix-debug/test/resources/testWeb3.js Line 6 in c38ca9d var data = init.readFile(require('path').resolve(__dirname, 'testWeb3.json'))
💡	Title: Use of non-literal fs filename, Severity: High remix/remix-lib/test/init.js Line 16 in c38ca9d fs.readFile(filename, 'utf8', callback)
💡	Title: Use of non-literal fs filename, Severity: High remix/remix-lib/test/init.js Line 18 in c38ca9d return fs.readFileSync(filename, 'utf8')
💡	Title: Use of non-literal fs filename, Severity: High remix/remix-lib/test/resources/testWeb3.js Line 6 in c38ca9d let data = init.readFile(require('path').resolve(__dirname, 'testWeb3.json'))

More info on how to fix Insecure File Management in JavaScript.

---

Vulnerable Libraries (94)

Severity	Details
Medium	acorn@5.7.3 (t) upgrade to: >5.7.3 || >6.4.0 || >7.1.0
High	bl@2.2.0 (t) upgrade to: >1.2.2 || >2.2.0 || 3.0.0 || >4.0.2
Low	onchange@3.3.0 upgrade to: >=7.1.0
Low	debug@2.6.9 (t) - no patch available
High	diff@1.4.0 (t) upgrade to: >=3.5.0
High	http-server@0.9.0 upgrade to: >=0.12.3
High	remix-solidity@0.1.12 upgrade to: >=0.0.1
Critical	growl@1.9.2 (t) upgrade to: >=1.10.2
Medium	hosted-git-info@2.7.1 (t) upgrade to: >=2.8.9 || >=3.0.8
High	http-proxy@1.17.0 (t) upgrade to: >=1.18.1
High	http-proxy-agent@1.0.0 (t) upgrade to: >2.0.0
High	https-proxy-agent@1.0.0 (t) upgrade to: >2.2.2
Low	ini@1.3.5 (t) upgrade to: >=1.3.6
Low	kind-of@3.2.2 (t) upgrade to: >6.0.2
Medium	browserslist@4.12.1 (t) upgrade to: >4.16.4
High	elliptic@6.5.3 (t) - no patch available
Low	ini@1.3.5 (t) upgrade to: >=1.3.6
High	lodash@4.17.15 (t) upgrade to: >4.17.20
High	underscore@1.9.1 (t) - no patch available
High	web3@1.2.9 - no patch available
High	ethers@4.0.47 upgrade to: >=5.3.1
High	underscore@1.9.1 (t) - no patch available
High	web3@1.2.9 - no patch available
Medium	brace-expansion@1.1.11 (t) upgrade to: >1.1.6
High	npm-install-version@6.0.2 upgrade to: >=5.0.5
Low	deep-extend@unknown (t) upgrade to: >0.5.0
High	dot-prop@unknown (t) upgrade to: >=4.2.1 || >=5.1.1
Medium	extend@unknown (t) upgrade to: >=2.0.2 || >=3.0.2
High	lodash@4.17.15 (t) upgrade to: >4.17.20
High	sshpk@unknown (t) upgrade to: >1.13.1
Medium	stringstream@unknown (t) upgrade to: >0.0.5
High	tough-cookie@unknown (t) upgrade to: >=2.3.3
Medium	browserslist@4.12.1 (t) upgrade to: >4.16.4
High	elliptic@6.5.3 (t) upgrade to: >6.5.3
High	lodash@4.17.15 (t) upgrade to: >4.17.20
Low	mocha@5.2.0 upgrade to: >=9.0.0
High	normalize-url@4.5.0 (t) upgrade to: >4.5.0 || >5.3.0 || 6.0.0
High	underscore@1.9.1 (t) - no patch available
High	web3@1.2.9 - no patch available
Critical	handlebars@unknown (t) upgrade to: >4.7.6
Medium	hosted-git-info@unknown (t) upgrade to: >=2.8.9 || >=3.0.8
High	lodash@4.17.15 (t) upgrade to: >4.17.20
Low	minimist@1.2.5 (t) upgrade to: >=0.2.1 || >=1.2.3
High	tap-spec@5.0.0 upgrade to: >=2.2.2
High	y18n@unknown (t) upgrade to: >=5.0.5
Low	nyc@13.3.0 upgrade to: >=15.1.0
High	lerna@2.11.0 upgrade to: >=4.0.0
Critical	handlebars@4.7.6 (t) upgrade to: >=4.7.7
Medium	hosted-git-info@2.8.8 (t) upgrade to: >=2.8.9 || >=3.0.8
Low	ini@1.3.5 (t) upgrade to: >=1.3.6
High	lodash@4.17.15 (t) upgrade to: >4.17.20
Low	gulp@4.0.2 upgrade to: >=3.9.1
High	y18n@3.2.1 (t) upgrade to: >=5.0.5
High	lodash@4.17.15 (t) upgrade to: >4.17.20
High	lodash.defaultsdeep@4.3.2 (t) upgrade to: >=4.6.1
Low	marked@0.6.3 (t) upgrade to: >0.6.3
High	netmask@1.0.6 (t) upgrade to: >=2.0.1
High	parsejson@0.0.3 (t) - no patch available
Medium	socket.io@1.7.4 (t) - no patch available
High	tree-kill@1.2.1 (t) upgrade to: >=1.2.2
Critical	xmlhttprequest-ssl@1.5.3 (t) - no patch available
Medium	browserslist@4.12.1 (t) upgrade to: >4.16.4
High	lodash@4.17.15 (t) upgrade to: >4.17.20
High	axios@0.20.0 upgrade to: >=0.24.0
Medium	hosted-git-info@2.8.8 (t) upgrade to: >=2.8.9
High	lodash@4.17.15 (t) upgrade to: >4.17.20
Medium	mocha@5.2.0 upgrade to: >=9.1.3
Medium	path-parse@1.0.6 (t) upgrade to: >=1.0.7
Medium	standard@12.0.1 upgrade to: >=16.0.4
High	axios@0.20.0 (t) upgrade to: >=0.24.0
Medium	hosted-git-info@2.8.8 (t) upgrade to: >=2.8.9
High	lodash@4.17.15 (t) upgrade to: >4.17.20
Medium	mocha@5.2.0 upgrade to: >=9.1.3
Medium	path-parse@1.0.6 (t) upgrade to: >=1.0.7
Medium	standard@12.0.1 upgrade to: >=16.0.4
Medium	string-width@2.1.1 (t) upgrade to: >4.1.0
Medium	@ethersproject/signing-key@5.0.1 (t) upgrade to: >5.0.9
Medium	browserslist@4.12.1 (t) upgrade to: >4.16.4
Medium	ethers@4.0.48 (t) upgrade to: >4.0.48
Medium	is-my-json-valid@2.20.0 (t) upgrade to: >2.20.5
Medium	jsprim@1.4.1 (t) upgrade to: >1.4.1 || >2.0.1
High	tar@4.4.13 (t) upgrade to: >4.4.17
High	web3@1.2.9 upgrade to: >1.5.2 || >3.0.0-rc.4
High	web3-core-method@1.2.9 (t) upgrade to: >1.3.6-rc.2 || >3.0.0-rc.4
High	web3-core-requestmanager@1.2.9 (t) upgrade to: >1.3.5 || >3.0.0-rc.4
High	web3-eth-abi@1.2.9 (t) upgrade to: >1.3.6-rc.2 || >3.0.0-rc.4
High	web3-eth-accounts@1.2.9 (t) upgrade to: >1.3.5 || >3.0.0-rc.4
High	web3-eth-contract@1.2.9 (t) upgrade to: >1.3.6-rc.2 || >3.0.0-rc.4
High	web3-eth-iban@1.2.9 (t) upgrade to: >1.3.5 || >3.0.0-rc.4
High	web3-eth-personal@1.2.9 (t) upgrade to: >1.3.5 || >3.0.0-rc.4
High	web3-providers-http@1.2.9 (t) upgrade to: >1.0.0 || >1.3.5 || >3.0.0-rc.4
High	web3-providers-ipc@1.2.9 (t) upgrade to: >1.3.6-rc.2 || >=1.7.0-rc.0
High	web3-providers-ws@1.2.9 (t) upgrade to: >1.3.6-rc.2 || >3.0.0-rc.4
High	web3-shh@1.2.9 (t) upgrade to: >1.3.5

More info on how to fix Vulnerable Libraries in JavaScript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.