[Snyk] Fix for 20 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-GETOBJECT-1054932	Yes	No Known Exploit
	569/1000 Why? Has a fix available, CVSS 7.1	Arbitrary Code Execution SNYK-JS-GRUNT-597546	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-LODASH-590103	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	No Known Exploit
	434/1000 Why? Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:clean-css:20180306	Yes	Proof of Concept
	354/1000 Why? Has a fix available, CVSS 2.8	Insecure use of /tmp folder npm:cli:20160615	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	No Known Exploit
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: grunt-injector

The new version differs by 43 commits.

• 78fae78 release 1.1.0
• fd24984 Update README.md with Release history
• 51de37b Merge pull request [Snyk] Security upgrade salt from 2015.8.1 to 3004.2 #52 from ptitgraig/pr51
• 0b299e0 fix bug in guessing line ending
• 845d8fc remove console.log
• 7764246 Merge pull request Configure Mend Bolt for GitHub #50 from rogozhka/develop
• a0afd26 Merge pull request Bump lxml from 4.6.3 to 4.9.1 #48 from spremi/update-deps
• 5919890 Fix [Snyk] Security upgrade grunt-injector from 0.6.1 to 1.1.0 #51
• 787aed5 Update Readme
• 8981116 Add 'postfix' option
• 2758b86 Update README with dependency changes
• 129bcad Update the compatible node engine
• 06143a3 Update dev dependencies
• f6dc681 Update dependencies
• 32eacbd release 1.0.1
• b01796c Merge pull request [Snyk] Security upgrade lxml from 4.4.1 to 4.9.1 #46 from klei/pr
• 3ed8bf5 fix Bump salt from 2015.8.1 to 3003.5 in /salt #45
• d92d8b8 1.0.0 release
• 0f53834 Merge pull request [Snyk] Security upgrade salt from 2015.8.1 to 3004.2 #44 from klei/pr
• aa5e77b update readme with travis badge
• bb34cd3 Merge pull request Bump salt from 2015.8.1 to 3003.3 in /salt #42 from Hobart2967/master
• f214a5a Update Gruntfile.js
• 23ac3dc Update Gruntfile.js
• 55b8fe9 Update prefix.html

See the full diff

Package name: grunt-usemin

The new version differs by 42 commits.

• d82f57a 3.1.0
• 6b3c0a9 readme tweaks
• fab250e package.json tweaks
• ba1f635 bump `chalk`
• 7f9edaf Merge pull request #580 from TrevorS/patch-1
• 4295995 Typo, an -> and.
• 52166c2 Use `path-exists`
• 0a89f03 Merge pull request #541 from stephanebachelier/master
• e20368a add gitter badge and information about dev branch
• 191d180 Lint tweaks found with ESLint.
• 7bf1442 Remove duplicate function.
• da91838 Update dependencies.
• 3a95d72 Update appveyor.yml.
• 1797026 Fix typo.
• 3b9d37d Update appveyor.yml.
• e68470f Update dependencies.
• e0520a7 Fix tests after #520.
• eb73f98 Close Bump urllib3 from 1.25.3 to 1.26.5 lyft/confidant#323 PR: fix Bump cryptography from 2.7 to 3.2 lyft/confidant#307 - grunt-watch spawn:false compatibility fix.
• 17e99b2 Merge pull request #517 from stephanebachelier/assetsdirs-explanation-498
• cf73586 Merge pull request #520 from stephanebachelier/uglify-flow-rename-409
• e65885c doc(README): add assetsDirs explanations
• 7482614 feat(uglifyjs): renamed flow to uglify for consistency
• 4d1593a Merge pull request #483 from stephanebachelier/jscs-update
• 62876f7 chore(jscs): update jscs rule on top of future grunt preset

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	539/1000 Why? Has a fix available, CVSS 6.5	Denial of Service (DoS) npm:qs:20140806-1	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

[pull-request-quantifier-deprecated]

This PR has 30 quantified lines of changes. In general, a change size of upto 200 lines is ideal for the best PR experience!

---

Quantification details

Label      : Extra Small
Size       : +21 -9
Percentile : 12%

Total files changed: 2

Change summary by file extension:
.snyk : +8 -0
.json : +13 -9

Change counts above are quantified counts, based on the PullRequestQuantifier customizations.

Why proper sizing of changes matters

Optimal pull request sizes drive a better predictable PR flow as they strike a
balance between between PR complexity and PR review overhead. PRs within the
optimal size (typical small, or medium sized PRs) mean:

• Fast and predictable releases to production:
  • Optimal size changes are more likely to be reviewed faster with fewer
    iterations.
  • Similarity in low PR complexity drives similar review times.
• Review quality is likely higher as complexity is lower:
  • Bugs are more likely to be detected.
  • Code inconsistencies are more likely to be detetcted.
• Knowledge sharing is improved within the participants:
  • Small portions can be assimilated better.
• Better engineering practices are exercised:
  • Solving big problems by dividing them in well contained, smaller problems.
  • Exercising separation of concerns within the code changes.

What can I do to optimize my changes

• Use the PullRequestQuantifier to quantify your PR accurately
  • Create a context profile for your repo using the context generator
  • Exclude files that are not necessary to be reviewed or do not increase the review complexity. Example: Autogenerated code, docs, project IDE setting files, binaries, etc. Check out the Excluded section from your prquantifier.yaml context profile.
  • Understand your typical change complexity, drive towards the desired complexity by adjusting the label mapping in your prquantifier.yaml context profile.
  • Only use the labels that matter to you, see context specification to customize your prquantifier.yaml context profile.
• Change your engineering behaviors
  • For PRs that fall outside of the desired spectrum, review the details and check if:
    • Your PR could be split in smaller, self-contained PRs instead
    • Your PR only solves one particular issue. (For example, don't refactor and code new features in the same PR).

How to interpret the change counts in git diff output

• One line was added: +1 -0
• One line was deleted: +0 -1
• One line was modified: +1 -1 (git diff doesn't know about modified, it will
  interpret that line like one addition plus one deletion)
• Change percentiles: Change characteristics (addition, deletion, modification)
  of this PR in relation to all other PRs within the repository.

---

Was this comment helpful? 👍  :ok_hand:  :thumbsdown: (Email)
Customize PullRequestQuantifier for this repository.