[Snyk] Fix for 3 vulnerabilities

[ekmixon]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • syft/pkg/cataloger/javascript/test-fixtures/pkg-json/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: node-gyp

The new version differs by 131 commits.

• 989abc7 v8.0.0: bump version and update changelog
• 0da2e01 gyp: update gyp to v0.8.1 (syft some-jar.jar fails to find packages if PWD is a symlink anchore/syft#2355)
• 0093ec8 gyp: Improve our flake8 linting tests
• 06ddde2 deps: sync mutual dependencies with npm
• a5fd1f4 doc: add downloads badge (Syft's license not listed for Grype image anchore/syft#2352)
• 0d8a6f1 ci: update actions/setup-node to v2 (Check maven central as well for licenses in parents poms for nested jars anchore/syft#2302)
• 1bd18f3 lib: drop Python 2 support in find-python.js (syft attest broken since 0.85.0 anchore/syft#2333)
• e81602e lib: migrate requests to fetch (Account for maven bundle plugin and fix filename matching anchore/syft#2220)
• a78b584 gyp: remove support for Python 2 (SPDX file has duplicate sha256 tag in versionInfo anchore/syft#2300)
• 392b776 lib: avoid changing process.config (Add dotnet-portable-executable-cataloger to README anchore/syft#2322)
• c3c510d gyp: update gyp to v0.8.0 (chore(deps): update tools to latest versions anchore/syft#2318)
• cc1cbce doc: update macOS_Catalina.md (chore(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0 anchore/syft#2293)
• 9e1397c gyp: update gyp to v0.7.0 (feat: rather than have a hard max recursive depth - syft should detect parent pom cycles anchore/syft#2284)
• 6287118 doc: updated README.md to copy easily (Syft generates incorrect CPEs which leads to issue when scanning for vulnerabilities anchore/syft#2281)
• 15a5c7d ci: migrate deprecated grammar (Syft cli.Command() panics when invoked multiple times anchore/syft#2285)
• 66c0f04 doc: add missing `sudo` to Catalina doc
• 19e0f3c v7.1.1: bump version and update changelog
• 096e3ad gyp: update gyp to 0.6.2
• 54f97cd doc: add cmd to reset `xcode-select` to initial state
• b9e3ad2 v7.1.1: bump version and update changelog
• 18bf2d1 deps: update deps to match npm@7
• ee6a837 gyp: update gyp to 0.6.1
• 3e7f8cc lib: better log message when ps fails
• 7fb3143 test: GitHub Actions: Test on Python 3.9

See the full diff

Package name: standard

The new version differs by 197 commits.

• 9c505a9 13.0.0
• 7f3dd5d eslint-config-standard-jsx@7.0.0
• 8cfb0ee eslint-config-standard@13.0.0
• e235cb5 changelog 13.0.0
• f125f0c add link to security disclosure policy
• bd44694 add nodejs logo; change logos to 4 per row
• f7f98bf Update CHANGELOG.md
• 5e6315c remove badge
• e3862be Update AUTHORS.md
• f796995 13.0.0-0
• 16ffaef Update CHANGELOG.md
• c1f817e bump deps
• ffb0b8e travis: drop node 6, add node 12
• d5565b5 Update CHANGELOG.md
• 4dcd00a add Nuxt.js logo
• ee3104d compress logos
• 6e077d7 standard
• d33bfe9 Merge pull request Port javascript cataloger to new generic cataloger pattern anchore/syft#1308 from munierujp/update_japanese_documents
• dd8fe00 Create FUNDING.yml
• 318bfac readme/changelog: global installation changes
• 329a2e0 readme: fix typescript instructions
• db61e3f Update CHANGELOG.md
• 7c661eb Automatically pass on Node 6 or earlier
• 0cfc932 Update Japanese document for 40d1d5e

See the full diff

Package name: tap

The new version differs by 250 commits.

• 8f2baa7 16.0.0
• 65e599e drop support for node v10
• 84fc6df docs: changelog for v16
• e6acf7b update coveralls documentation to say to install it
• 3c7b3ef document coveralls removal in the cli help output
• 43bf1df undocument synonyms
• 1ff75a4 make coveralls an optional peer dep
• 3f1ae47 Add eslint for linting
• 162c1a8 Support Typescript for --before and --after
• 28d2d03 Fix script on using node-tap with codecov
• 3a0e81c docs: fix broken link
• 1b636b2 Add jsonpath-faster
• c4bdeef fix typo `than` to `that`
• 20fbd40 Update Node.js min version to 10.x in CONTRIBUTING
• 90dda0b update cli doc
• 636ab18 15.2.3
• e609d8f docs: changelog for 15.2
• c182328 tap-parser@11.0.1
• f576a60 docs: setting t.snapshotFile
• d9fa241 libtap@1.3.0
• a02f33e update cli doc
• d1500b6 15.2.2
• b784d77 tap-parser@11
• 567384e update cli doc

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-side Request Forgery (SSRF)
🦉 Prototype Pollution

[secure-code-warrior-for-github]

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Server-side request forgery (Detected by phrase)

Matched on "Server-side Request Forgery"

What is this? (2min video)

Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL, when this request reaches the server, the server-side code executes the exploit URL causing the attacker to be able to read data from services that shouldn't be exposed.

Try a challenge in Secure Code Warrior