[Snyk] Fix for 21 vulnerabilities

[hixio-mh]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • aspnetcore/data/ef-rp/intro/samples/cu/wwwroot/lib/bootstrap/package.json
  • aspnetcore/data/ef-rp/intro/samples/cu/wwwroot/lib/bootstrap/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	569/1000 Why? Has a fix available, CVSS 7.1	Arbitrary Code Execution SNYK-JS-GRUNT-597546	No	No Known Exploit
	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	422/1000 Why? Proof of Concept exploit, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	490/1000 Why? CVSS 9.8	Prototype Pollution SNYK-JS-LODASH-590103	Yes	No Known Exploit
	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	365/1000 Why? CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	No Known Exploit
	220/1000 Why? CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKDOWNIT-459438	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:clean-css:20180306	Yes	Proof of Concept
	641/1000 Why? Mature exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:concat-stream:20160901	Yes	Mature
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	No Known Exploit
	315/1000 Why? CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No	No Known Exploit
	375/1000 Why? CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:semver:20150403	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: grunt

The new version differs by 40 commits.

• 6f49017 1.3.0
• faab6be Merge pull request remove angular 2 dates and info dotnet/AspNetCore.Docs#1720 from gruntjs/update-changelog-deps
• 520fedb Update Changelog and legacy-util dependency
• 7e669ac Merge pull request QueryString---->query string. dotnet/AspNetCore.Docs#1719 from gruntjs/yaml-refactor
• e350cea Switch to use `safeLoad` for loading YML files via `file.readYAML`.
• 7125f49 Merge pull request Query string fixes dotnet/AspNetCore.Docs#1718 from gruntjs/legacy-log-bumo
• 00d5907 Bump legacy-log
• 3b75085 1.2.1
• ae11839 Changelog update
• 9d23cb6 Merge pull request Small Correction dotnet/AspNetCore.Docs#1715 from sibiraj-s/remove-path-is-absolute
• e789b1f Remove path-is-absolute dependency
• 27bc5d9 Merge pull request ID parameter corrected to Id dotnet/AspNetCore.Docs#1714 from gruntjs/release-1.2.0
• 64a3cf4 Release v1.2.0
• 0d23eff Merge pull request ANCM schema changes dotnet/AspNetCore.Docs#1570 from bhldev/feature-options-keys
• ee70306 Merge pull request see line #18 dotnet/AspNetCore.Docs#1697 from philz/1696
• 05c0634 Merge pull request Angular 2.0 release date fix dotnet/AspNetCore.Docs#1712 from gruntjs/fix-lint
• cdd1c19 fix lint in file.js
• bc168e3 Merge pull request Update Facebook auth Package Name dotnet/AspNetCore.Docs#1283 from greglittlefield-wf/recognize-relative-links
• 5f16b5a Merge pull request add link dotnet/AspNetCore.Docs#1675 from STRML/remove-coffeescript
• 58f80ae Merge pull request Localization dotnet/AspNetCore.Docs#1677 from micellius/monorepo-support
• 1f61427 Add CODE_OF_CONDUCT.md
• 4c6fcd9 Merge pull request test dotnet/AspNetCore.Docs#1709 from NotMoni/patch-1
• 169d496 add link to license
• 288ea76 add license link

See the full diff

Package name: grunt-contrib-csslint

The new version differs by 11 commits.

• def72ff v2.0.0.
• ce67536 Reduce lodash usage.
• f387bb9 Merge pull request Configure Authentication with ASP.NET Identity dotnet/AspNetCore.Docs#73 from danpoltawski/show-line-numbers
• 888c0e1 Merge pull request Setting up Two Factor Authentication with ASP.NET Identity dotnet/AspNetCore.Docs#74 from gruntjs/update-csslint r=vladikoff
• 099cc12 Update CSSLint to v1.0.0.
• d220e09 Show line numbers with lint issues
• 7a02ddf Merge pull request Working with Multiple Environments dotnet/AspNetCore.Docs#70 from gruntjs/deps
• 930ceee Update dependencies.
• 49d8c8a Upgrade grunt and devDeps to 1.0
• 8e1fde7 Update CHANGELOG.
• d001050 Add Appveyor for Windows testing.

See the full diff

Package name: grunt-contrib-cssmin

The new version differs by 6 commits.

• 5404a77 Update clean-css to v4.1.1.
• f3e3987 Set required Node.js version to >=4 since clean-css 4.x requires that.
• 22471fe Update URL to clean-css repo.
• e6b2d72 Merge pull request Update installing-on-linux.rst dotnet/AspNetCore.Docs#281 from gruntjs/cleancss4
• c4aa531 v2.0.0.
• 47e6ed6 Update clean-css to ~4.0.3.

See the full diff

Package name: grunt-contrib-htmlmin

The new version differs by 14 commits.

• d1bd316 Update html-minifier to v3.5.0.
• ce5d713 Update html-minifier to v3.4.0.
• 7e79402 v2.2.0.
• 16e092d Update html-minifier to v3.3.0.
• 4ad1943 v2.1.0.
• 165adf2 Update CI configs.
• 556c63d Update docs.
• a3ab8d5 Merge pull request Defining Your CORS Policy  dotnet/AspNetCore.Docs#136 from fassetar/patch-1
• fc0c121 forget cwd example
• 94d4897 example for Anti-Request Forgery dotnet/AspNetCore.Docs#134 in docs
• d41bf39 v.2.0.0.
• b8db17a Merge pull request HTML Helpers dotnet/AspNetCore.Docs#131 from gruntjs/deps
• 69f06f4 Update dependencies.
• 43c64f9 Fix typo in CHANGELOG.

See the full diff

Package name: grunt-contrib-qunit

The new version differs by 17 commits.

• 0a92929 Update changelog
• b8267e8 Fix tests with phantomjs 2.1.1
• 88557ff Update grunt-lib-phantomjs to 2.0.0, bump major version
• d2960fb Update devDependencies
• 0f0a74c Point main to task
• 37d7347 Remove peerDeps. Ref Remove peerDependencies from plugins gruntjs/grunt#1116
• 6417dec Update copyright to 2016
• b7f0e6f Merge pull request Publish to a Windows Virtual Machine on Azure  dotnet/AspNetCore.Docs#107 from ntwb/patch-1
• e96b4b0 Add NodeJS v5.x.x to AppVeyor CI build matrix
• 18af6d0 Add NodeJS v5.x.x to Travis CI build matrix
• 048cf31 Merge pull request Publish to an Azure Web App With Continuous Deployment dotnet/AspNetCore.Docs#104 from XhmikosR/master
• 633dfed CI: test node.js 4.0.
• 662b38b Merge pull request Tag Helpers for CDNs dotnet/AspNetCore.Docs#102 from jeroanan/patch-1
• d1bb823 Correct phantomjs.org link
• abc5844 Fix deprecated package.json licenses
• c6c0200 Merge pull request Migrating from ASP.NET Identity 2.x to 3.x dotnet/AspNetCore.Docs#99 from XhmikosR/master
• b451577 Update appveyor.yml.

See the full diff

Package name: grunt-contrib-watch

The new version differs by 4 commits.

• 3b7ddf4 v1.1.0
• 72b1214 Updating dependencies, async, lodash and tiny-lr
• 5adb27c Merge pull request The "Working with DNX projects" article should document all nuspec metadata related properties dotnet/AspNetCore.Docs#543 from digitalbazaar/master
• f07311b Update tiny-lr dependency to 1.x

See the full diff

Package name: markdown-it

The new version differs by 115 commits.

• b5d7ea5 10.0.0 released
• 26eacad Browser files rebuild
• 3d24bda Deps bump
• 33dfd12 Changelog format update
• 07a62c6 Move nested delimiter info to opening token instead of inline state
• 3c67c8f Add funding info
• 9e5015f 9.1.0 released
• 5093920 Browser files rebuild
• 39a35f4 Remove extra chars from line breaks check (match CM spec)
• faecae0 Match CommonMark spec exactly
• d9cb3cc Don’t recognize U+2028 as a newline character
• 9bbefc1 Create issue templates
• 28cec6d 9.0.1 released
• 7961e5a Browser files rebuild
• a1c9381 Fix incorrect level recalculation in text_collapse
• d08c7c3 Add an example related to case-insensitive comparisons
• bd43aae 9.0.0 released
• cb4f862 Browser files rebuild
• c36309e Bump eslint & update CS
• a52d724 Deps bump
• c93ad3a jade => pug
• 1ba6def Deps: coverall bump
• 457f471 Travis-CI: refresh node versions to actual
• fa7a419 Fix edge case for list indents

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	No Known Exploit
	315/1000 Why? CVSS 6.3	Prototype Pollution npm:lodash:20180130	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Remote Memory Exposure npm:request:20160119	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic