[Snyk] Fix for 11 vulnerabilities

[ekmixon]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No	No Known Exploit
	324/1000 Why? Has a fix available, CVSS 2.2	Uninitialized Memory Exposure npm:utile:20180614	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: forever

The new version differs by 13 commits.

• b2120f9 Remove utile (#1099)
• 071cc04 Update changelog
• c1bcbff Remove dependency on broadway (#1098)
• 3586afe Prepare 3.0.1 for release
• 67cc950 Prepare 3.0.1 for release
• 877d93a Replaced optimist with yargs (#1093)
• a36330a Update forever-monitor (#1081)
• 0c5d32a Update dependencies and test Node 14 (#1080)
• 9e85c59 Fix argument type of fs.writeFileSync (#1075)
• 58eb131 Add CLI test for starting/stopping from a directory with space (#1068)
• 437ca4a Remove unnecessary path-is-absolute dependency (#1062)
• 8f739b0 Execute Mocha tests (#1054)
• ceb235c Update changelog

See the full diff

Package name: grunt

The new version differs by 34 commits.

• 27bc5d9 Merge pull request #1714 from gruntjs/release-1.2.0
• 64a3cf4 Release v1.2.0
• 0d23eff Merge pull request #1570 from bhldev/feature-options-keys
• ee70306 Merge pull request #1697 from philz/1696
• 05c0634 Merge pull request #1712 from gruntjs/fix-lint
• cdd1c19 fix lint in file.js
• bc168e3 Merge pull request #1283 from greglittlefield-wf/recognize-relative-links
• 5f16b5a Merge pull request #1675 from STRML/remove-coffeescript
• 58f80ae Merge pull request #1677 from micellius/monorepo-support
• 1f61427 Add CODE_OF_CONDUCT.md
• 4c6fcd9 Merge pull request #1709 from NotMoni/patch-1
• 169d496 add link to license
• 288ea76 add license link
• d5cdac0 Merge pull request #1706 from gruntjs/tag-neew
• 4674c59 v1.1.0
• 6124409 Merge pull request #1705 from gruntjs/mkdirp-update
• 0a66968 Fix up Buffer usage
• 4bfa98e Support versions of node >= 8
• f1898eb Update to mkdirp ~1.0.3
• 7985b19 Avoiding infinite loop on very long command names.
• 75da17b HTTPS link to gruntjs.com (#1683)
• 5a0a02b support monorepo (relative path)
• 6795d31 Update js-yaml dependecy to ~3.13.1 (#1680)
• 66fc8fa support monorepo (test case)

See the full diff

Package name: grunt-cli

The new version differs by 5 commits.

• 2293dc5 1.4.0
• bbc4400 Update changelog
• 3fa5bf6 Ignore package-lock
• c271173 Update deps, switch to actions (I fixed some regex and eval() OWASP/NodeGoat#141)
• 84ebcb8 Bump deps, required node version and ci (Remove caret on needle dependency (^2.2.4) OWASP/NodeGoat#137)

See the full diff

Package name: grunt-contrib-jshint

The new version differs by 9 commits.

• 2fce871 v2.0.0.
• d9212b7 Document `reporterOutputRelative` option (Feature/1001 OWASP/NodeGoat#268)
• d4fe674 Merge pull request fix: mongodb 4.4 is compatible OWASP/NodeGoat#283 from gruntjs/dev
• 35036cc Update deps, use https, fix failing test.
• f1114ed Update mgol's name in AUTHORS, add .mailmap (Develop OWASP/NodeGoat#276)
• 39daf69 Removing reference to dead jslinterrors.com site (change packages OWASP/NodeGoat#279)
• debd964 v1.2.0 (fix: revert marked changes back to make sure we use the vulnerable version OWASP/NodeGoat#281)
• 1f3519f Update deps (Create hello1.js OWASP/NodeGoat#280)
• 2d237ee updated package grunt-contrib-internal from 1.1.0 to 1.2.3 (Tutorial Guide page is not working OWASP/NodeGoat#273)

See the full diff

Package name: grunt-retire

The new version differs by 15 commits.

• fa87c6f 1.0.4
• b31f054 Merge pull request [Snyk] Fix for 2 vulnerabilities #37 from deiga/patch-1
• 84c75c1 Removes request dependency
• c0e84d0 Fixes security vulnerability
• 2cd0ee9 Add "retirejs" to keywords in package.json to align with keywords used in retirejs
• 97b2f46 Formatting in README.md
• 6bc27f8 1.0.3
• ddc76ca Merge pull request [Snyk] Fix for 1 vulnerabilities #36 from RetireJS/master
• 6f4a644 Removing .find() to support older versions of node.js
• c3320ed 1.0.2
• b9c115e Merge pull request [Snyk] Security upgrade cypress from 3.3.1 to 5.0.0 #33 from szarouski/feature/improve-vulnerability-ignoring
• 3e0ce68 Improve vulnerability ignoring (https://snyk.io/redirect/github/Improve Vulnerability Ignoring RetireJS/retire.js#67). This change updates retirejs to 1.2.x which now supports vulnerability ignoring based on library version or even issue number. Note that retirejs only implements those features for .retireignore.json, so if you want extra ignoring, you'll need to update your .retireignore to use following format: https://github.com/RetireJS/retire.js/blob/master/example.retireignore.json.
• d3901b7 Released 1.0.1. Removed grunt-contrib-nodeunit as it was not used. Fixes [Snyk] Security upgrade mongodb from 2.2.36 to 3.1.3 #27.
• e980e0a Release 1.0.0. Dropped support for Grunt 0.4, we now require Grunt 1.0 or newer. Upgrading to Grunt 1.0 removes the graceful-fs warning. Fixes [Snyk] Security upgrade zaproxy from 0.2.0 to 1.0.1 #32
• 854d503 Added license field to package.json

See the full diff

Package name: nodemon

The new version differs by 14 commits.

• 9a67f36 feat: update chokidar to v3
• 6781b40 docs: add license file
• 0e6ba3c fix: wait for all subprocesses to terminate (fixes issue #1476)
• b58cf7d chore: Merge branch 'master'
• 95a4c09 docs: add to faq
• 3a2eaf7 choe: merge master
• 3d90879 chore: add logo to site
• 7d6c1a8 fix: Replace `jade` references by `pug`
• 74c8749 chore: test funding.yml change
• c1a8b75 chore: update funding
• d5b9891 test: ensure ignore relative paths
• eead311 fix: to avoid confusion like in #1528, always report used extension
• 12b66cd fix: langauge around "watching" (#1591)
• 2e6e2c4 docs: README Grammar (#1601)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)

[secure-code-warrior-for-github]

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Server-side request forgery (Detected by phrase)

Matched on "Server-side Request Forgery"

What is this? (2min video)

Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL, when this request reaches the server, the server-side code executes the exploit URL causing the attacker to be able to read data from services that shouldn't be exposed.

Try a challenge in Secure Code Warrior