[Snyk] Fix for 21 vulnerabilities

[jalfaro1]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Remote Memory Exposure SNYK-JS-BL-608877	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-BROWSERSLIST-1090194	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	671/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	No	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-HANDLEBARS-173692	No	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-HANDLEBARS-174183	No	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-HANDLEBARS-469063	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-HANDLEBARS-480388	No	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-HANDLEBARS-534478	No	No Known Exploit
	704/1000 Why? Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-HANDLEBARS-534988	No	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-HANDLEBARS-567742	No	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASHDEFAULTSDEEP-450198	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASHDEFAULTSDEEP-450199	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451341	No	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-584281	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: autoprefixer-stylus

The new version differs by 7 commits.

• 5d1e74f 1.0.0
• 51f9a83 remove engines
• 3b2dace update travis
• fbc4023 update a lot of things
• 54067de Adding collaborators nodejs/nodejs.org#181 Remove deprecated packages, update test logic
• c3d34b9 Add colon back
• 91edfcc Update dependencies and tests

See the full diff

Package name: chokidar

The new version differs by 113 commits.

• 7b8e02a Release 3.0.0.
• e7bfe2f Move stuff.
• df7f22e Remove changelog from npm, move to hidden dir.
• 3df7692 Improve naming.
• 6e94ca2 Clean-up.
• 2de2f9c test: Add testing of Node.js v12 in Travis pipeline. (add release post for v6.3.1 nodejs/nodejs.org#833)
• 9e0965a Fix Windows tests in Travis CI (Evangelism: Weekly Update for July ~ nodejs/nodejs.org#832)
• c95a98f Update stuff.
• 187ff2b test: Trying to fix blinked tests for Travis CI. (Always translate header & footer templates? nodejs/nodejs.org#825)
• db99076 fix(Windows): Add converting from windows to unix path for all ignored paths. (Seems, 'url.parse' isn't working properly nodejs/nodejs.org#824)
• 41f8782 fix(FsEvents): Remove situation with NaN depth. (Update dependencies nodejs/nodejs.org#823)
• 7cf3f7e Update readdirp to stable.
• 0927a62 Bump packages.
• 11cd857 Update nyc.
• 99c14d7 Uncomment fsevents.
• cf330a5 Update fsevents.
• 0e4fca5 Fix deps.
• 9c575d4 Fix Windows version (Bithound.metalsmith stylus.2.0.0 nodejs/nodejs.org#821)
• 3323d59 fix(Linux): Make event loop hack for keep testing valid. (Add weekly update 2016-07-08 nodejs/nodejs.org#820)
• 06214c5 Update to latest readdirp.
• 793639f Rename osxfswatch.
• 078bc2d Refactor and fix freaking tests.
• 2b9bb41 Try node 11.
• 3fe3d4e Test travis.

See the full diff

Package name: handlebars

The new version differs by 169 commits.

• a9a8e40 v4.7.7
• e66aed5 Update release notes
• 7d4d170 disable IE in Saucelabs tests
• eb860c0 fix weird error in integration tests
• b6d3de7 fix: check prototype property access in strict-mode ([Fix] Fix typo error of Stack Overflow nodejs/nodejs.org#1736)
• f058970 fix: escape property names in compat mode ([Fix] Fix typo error of Stack Overflow nodejs/nodejs.org#1736)
• 77825f8 refator: In spec tests, use expectTemplate over equals and shouldThrow (Better GitHub issue templates nodejs/nodejs.org#1683)
• 3789a30 chore: start testing on Node.js 12 and 13
• e6ad93e v4.7.6
• 2bf4fc6 Update release notes
• b64202b Update release-notes.md
• c2f1e62 Switch cmd parser to latest minimist
• 08e9a11 Revert "chore: set Node.js compatibility to v6+"
• 1fd2ede v4.7.5
• 3c9c2f5 Update release notes
• 16487a0 chore: downgrade yargs to v14
• 309d2b4 chore: set Node.js compatibility to v6+
• 645ac73 test: fix integration tests
• b454b02 docs: update release-docs in CONTRIBUTING.md
• 7adc19a v4.7.4
• 9dd8d10 Update release notes
• 4671c4b Use tmp directory for files written during tests
• e46baa1 tasks/test-bin.js: Delete duplicate test
• c491b4e Revert "Update release-notes.md"

See the full diff

Package name: marked

The new version differs by 250 commits.

• ae01170 chore(release): 4.0.10 [skip ci]
• fceda57 🗜️ build [skip ci]
• 8f80657 fix(security): fix redos vulnerabilities
• c4a3ccd Merge pull request from GHSA-rrrm-qjm4-v8hf
• d7212a6 chore(deps-dev): Bump jasmine from 4.0.0 to 4.0.1 (Blog: v12.7.0 release post nodejs/nodejs.org#2352)
• 5a84db5 chore(deps-dev): Bump rollup from 2.62.0 to 2.63.0 (AR : Fix structure of get-involved section and delete tatbi3 .. nodejs/nodejs.org#2350)
• 2bc67a5 chore(deps-dev): Bump markdown-it from 12.3.0 to 12.3.2 (Add an lts download link in the dist nodejs/nodejs.org#2351)
• 98996b8 chore(deps-dev): Bump @ babel/preset-env from 7.16.5 to 7.16.7 (Blog: add #28630 to "notable" section of v12.7.0 release nodejs/nodejs.org#2353)
• ebc2c95 chore(deps-dev): Bump highlight.js from 11.3.1 to 11.4.0 (chore: Add Markdownlint nodejs/nodejs.org#2354)
• e5171a9 chore(release): 4.0.9 [skip ci]
• 41990a5 🗜️ build [skip ci]
• a9696e2 fix: retain line breaks in tokens properly (KO : Update es6.md nodejs/nodejs.org#2341)
• 6aacd13 chore(deps-dev): Bump jasmine from 3.10.0 to 4.0.0 (AR : Fix event model translation .. nodejs/nodejs.org#2343)
• 55e5df9 chore(deps-dev): Bump @ babel/core from 7.16.5 to 7.16.7 (Configuration file for Crowdin integration nodejs/nodejs.org#2344)
• 4f4cab4 chore(deps-dev): Bump eslint-plugin-import from 2.25.3 to 2.25.4 (AR : Missing part in about/releases.md  nodejs/nodejs.org#2345)
• 97ea9f2 chore(deps-dev): Bump eslint from 8.5.0 to 8.6.0 (AR : Update about/releases.md & index.md AR nodejs/nodejs.org#2346)
• 4c3b853 chore(deps-dev): Bump rollup-plugin-license from 2.6.0 to 2.6.1 (AR : Fix micro-bug ( lowercase to uppercase ) 🔬 .. nodejs/nodejs.org#2347)
• 9396896 chore(deps-dev): Bump rollup from 2.61.1 to 2.62.0 (AR : Fix missing part & some translate in site.json nodejs/nodejs.org#2338)
• 103a56c chore(deps-dev): Bump @ babel/preset-env from 7.16.4 to 7.16.5 (AR : Fix the bug in debugging-getting-started.md nodejs/nodejs.org#2333)
• be771c9 chore(deps-dev): Bump eslint from 8.4.1 to 8.5.0 (fix: make Hamburg a separate state nodejs/nodejs.org#2334)
• 67d5a65 chore(deps-dev): Bump @ babel/core from 7.16.0 to 7.16.5 (chore: Update dev dependency stylint to 2.0.0 nodejs/nodejs.org#2335)
• 991493a chore(deps-dev): Bump eslint-plugin-promise from 5.2.0 to 6.0.0 (Ru: blocking vs non-blocking guide nodejs/nodejs.org#2336)
• 59375fb chore(release): 4.0.8 [skip ci]
• 4734c82 🗜️ build [skip ci]

See the full diff

Package name: metalsmith

The new version differs by 154 commits.

• 3a0517c Release 2.5.0
• e988eaa chore: Final JSDoc updates & changelog fixes
• c44edb2 chore: prepare changelog for 2.5.x
• 366dae1 chore: npm update
• 3a11a24 feat: add org migration notification to postinstall script
• 09f5bbd dev: Update devDependencies
• 7df9157 chore: Remove accidentally included local test files
• 880c5d7 fix: remove stray this._files assignment, cfr release 2.4.3 compat
• 63d784c Security: npm audit fix
• 0a53007 chore: update supported Node versions & CI to >=12
• 8ca017f chore: enable ESlint for tests & fix issues
• 1eea24b Merge branch 'docs/readme-examples' into release/2.5.x
• 91e2f46 Merge branch 'feature/Update handlebars to version 4.0.3 🚀 nodejs/nodejs.org#259-debug-method' into release/2.5.x
• 7d39a76 Finalize Update handlebars to version 4.0.3 🚀 nodejs/nodejs.org#259: Metalsmith#debug first implementation
• c21026a docs: update README.md for 2.5
• 7bd37eb docs: Update examples package.json & syntax
• b8b05cc Updates README.md with relevant links, restructured sections
• 5d75539 Resolves Travis PR integration broken nodejs/nodejs.org#355: proper path resolution for edge-cases using CLI
• 1dae1cb Reworks CLI logging, removes chalk dependency
• 4c483a3 Implements env in CLI with var expansion; sets metalsmith.env('CLI', true) flag; part of adding collaborators, Nov 2015 nodejs/nodejs.org#354
• a753b51 Merge branch 'release/2.5.x' into feature/Update handlebars to version 4.0.3 🚀 nodejs/nodejs.org#259-debug-method
• 2666846 Merge master into release/2.5.x & fix conflicts
• 40a7de8 Release 2.4.3
• cec2ce4 chore: Update changelog

See the full diff

Package name: metalsmith-markdown

The new version differs by 5 commits.

• 082f13f 1.3.0
• d05756c Updated history with latest version
• 8fd54b0 Merge pull request Download matrix on the downloads page nodejs/nodejs.org#44 from segmentio/maintenance
• da9bcb0 Updated Packages and history
• c72799c History listing updated with comparisons

See the full diff

Package name: node-version-data

The new version differs by 2 commits.

• 4ea0395 1.1.0
• 396346a update deps, fix tests, add node-downloads.js to git (whoops)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn