[Snyk] Fix for 16 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MERGE-1040469	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MERGE-1042987	Yes	Proof of Concept
	661/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.8	Arbitrary Code Injection SNYK-JS-MORGAN-72579	Yes	Proof of Concept
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	XML External Entity (XXE) Injection SNYK-JS-XMLDOM-1084960	Yes	No Known Exploit
	816/1000 Why? Mature exploit, Has a fix available, CVSS 8.6	Uninitialized Memory Exposure npm:base64-url:20180512	Yes	Mature
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Regular Expression Denial of Service (ReDoS) npm:plist:20180219	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: connect

The new version differs by 250 commits.

• e96d53a 3.6.5
• 9c5e609 deps: finalhandler@1.0.6
• 32da5af deps: debug@2.6.9
• 5689353 3.6.4
• 8878b59 docs: add security policy
• 61b8084 docs: add expanded People section to README
• 5fc91dd docs: remove trailing whitespace in README
• dc861fc deps: utils-merge@1.0.1
• 1ba8fab deps: finalhandler@1.0.5
• a63e416 build: mocha@3.5.3
• a971f2a build: Node.js@8.5
• 863b9d7 lint: add editorconfig and eslint to enforce
• 5010822 deps: parseurl@~1.3.2
• f686ab2 build: Node.js@8.4
• 777b09a 3.6.3
• b800916 build: mocha@3.5.0
• 0b6279d deps: finalhandler@1.0.4
• ad2c288 docs: fix typo in app.use example text
• b15a29c build: Node.js@8.2
• d0aa681 build: use nyc for coverage
• 8311a45 build: support Node.js 8.x
• adcafdf build: simplify gitignore to minimum
• 8ceedaa build: Node.js@6.11
• 89f3058 build: mocha@3.4.2

See the full diff

Package name: joi

The new version differs by 82 commits.

• 97221cd 8.1.0
• 6ba9191 Merge branch 'error' into v8
• e3e72c5 Support error override per rule. Closes I use require in Image tag，but it does not work。 facebook/react-native#882
• 4f8ef50 Update hoek and travis
• c4fd0b2 Merge pull request View shifts down and breaks when StatusBar changes size (not compensating for enlarged StatusBar) facebook/react-native#871 from cesine/test/string-rejects-integer
• 3a674c3 Merge pull request deepDiffer causing lots of Array iteration logspew facebook/react-native#868 from RoberMac/patch-1
• ed983c7 Fix: `schema` can't call `validate()` method
• ec28a70 added test fail string validation if integer is passed
• 93f9140 8.0.5
• 258e505 Revert "Refs can now generate default even when found"
• e5b5293 Fix alternatives description (Bundle script instead of curl facebook/react-native#851)
• e60b712 Refs can now generate default even when found
• 2d9431e Merge pull request npm start error facebook/react-native#839 from DavidTPate/ip-literals-uri-brackets
• 266ee56 Add tests for IP literals within a URI that don't have brackets which are required for URIs. These should not validate, but currently they do due to the changes in [Haste] @provides -> @providesModule StaticRenderer facebook/react-native#837
• cc33e4b Merge pull request Can't find variable: document facebook/react-native#838 from ThomasR/patch-1
• 6a23c86 More tests for IPv6
• 093da6f 8.0.4
• 1bb38d4 Merge pull request [Haste] @provides -> @providesModule StaticRenderer facebook/react-native#837 from ThomasR/master
• 2b41923 Fix RegEx translation of IP6 BNF, where [] denotes an option
• e146eaf Drop node 4.0 tests
• 15a3631 8.0.3
• b1f8dc5 Update lab
• c0ae6bd Fix path of array().single() errors (fixes Fix typo in PanResponder documentation facebook/react-native#834)
• 0f83d52 8.0.2

See the full diff

Package name: node-fetch

The new version differs by 233 commits.

• b5e2e41 update version number
• 2358a6c Honor the `size` option after following a redirect and revert data uri support
• 8c197f8 docs: Fix typos and grammatical errors in README.md (Contacts API facebook/react-native#686)
• 1e99050 fix: Change error message thrown with redirect mode set to error ([Headers] Add an umbrella header for the library facebook/react-native#653)
• 244e6f6 docs: Show backers in README
• 6a5d192 fix: Properly parse meta tag when parameters are reversed (Xcode build failed because of missing library (RCTGeolocation) facebook/react-native#682)
• 47a24a0 chore: Add opencollective badge
• 7b13662 chore: Add funding link
• 5535c2e fix: Check for global.fetch before binding it (Missing comma facebook/react-native#674)
• 1d5778a docs: Add Discord badge
• eb3a572 feat: Data URI support ((docs) Resubmitted PR - Update docs for grammar and punctuation facebook/react-native#659)
• 086be6f Remove --save option as it isn't required anymore (Updates from Wed 1 Apr facebook/react-native#581)
• 95286f5 v2.6.0 (UICollectionView? facebook/react-native#638)
• bf8b4e8 Allow agent option to be a function (Can not see the images on the web page facebook/react-native#632)
• 0c2294e 2.5.0 release ((update) Install watchman w/ --HEAD to avoid error facebook/react-native#630)
• 0fc414c Allow third party blob implementation ((update) Typo in Watchman facebook/react-native#629)
• d8f5ba0 build: disable generation of package-lock since it is not used (missing require('RCTDeviceEventEmitter'); facebook/react-native#623)
• 1fe1358 test: enable --throw-deprecation for tests (Add docs about running on device facebook/react-native#625)
• a35dcd1 chore(deps): address deprecated url-search-params package (unify use of password and secureTextEntry for TextInput facebook/react-native#622)
• b3ecba5 2.4.1 release (WebSocket API Polyfill facebook/react-native#619)
• 1a88481 Fix Blob for older node versions and webpack. (fontWeight should support the wording as in Xcode facebook/react-native#618)
• c9805a2 2.4.0 release (Preview: Introduce reactNativeComponent facebook/react-native#616)
• 49d7760 Pass custom timeout to subsequent requests on redirect (Changing layer.zPosition prevent touches on sticky header facebook/react-native#615)
• cfc8e5b Swap packagephobia badge for flat style (Remove false annotation facebook/react-native#592)

See the full diff

Package name: plist

The new version differs by 52 commits.

• 276c657 3.0.2
• 9b6af11 revert mocha because newer versions don't run on node versions this old
• e828f84 update deps
• e7b0394 removing safari because I can't get it to run in sauce with zuul
• c33edbe try an older version of safari
• 1f13bd7 revert sauce connect
• 6fa1022 specify specific tunnel id for sauce
• ee3c545 revert zuul dependency to see if that fixes saucelabs build
• e538eb4 reduce travis testing matrix size
• eb28b45 adding sauceconnect to see if that solves the local tunnel problem
• 3a8004a update saucelabs credentials in travis file
• 56c5a74 travis: revert config
• eaf1ca7 move saucelabs credentials to travis env variables
• eaf1af8 update minor deps
• 3821f55 update travis config to fix all warnings
• 9ec848e update sauce labs integration using my account
• af45b08 give credit to sauce labs for providing free open source testing resources
• 1628c6e 3.0.1
• a7d03aa avoid using Buffer constructor https://github.com/Tracking Issue for Runtime Deprecation of Buffer constructor nodejs/node#19079
• a85b9d3 3.0.0 closes [Image] Old images on Movies example app listings facebook/react-native#89
• cb0d8f1 update Makefile, rebuild dist/
• 6840f12 added 3.0 to HISTORY
• 9dfeffe remove unsupported browser versions from travis
• c962bfe updated deps. remove support for node < 6

See the full diff

Package name: sane

The new version differs by 51 commits.

• c4d5b7f Upgrade insecure dependencies (Widget suggestion : Carousel facebook/react-native#132)
• 756bafa release v4.0.1 🎉
• 472a546 Remove from . (Possibility for Z-Indexing (layers)? facebook/react-native#131)
• 348b6ef release v4.0.0 🎉
• b4c4f03 remove fsevents (Custom animations for RKNavigator or View (Slide up/down/right/left) facebook/react-native#130)
• dedc549 release v3.1.0 🎉
• 802f5a7 Enables Watchexec as a sane watcher (ListView component easily displays performance issues facebook/react-native#127)
• 49f251a release v3.0.0 🎉
• 26cd9b8 Modernize codebase (Query for child components [JS -> ObjC binding] facebook/react-native#126)
• 0c439f0 [fixes Small improvement on the website readme.md facebook/react-native#123] Drop support for unsupported versions of node (CMD + D in iOS coupled with CMD + R in safari debugger causes critical exception: facebook/react-native#125)
• e3beaf8 release v2.5.2 🎉
• e6b679a adding handler to clear local state on exit using capture-exit (Multiple Class prefixes: RCT, RK facebook/react-native#119)
• 5d60d85 release v2.5.1 🎉
• 0ab296e bump minimum fsevents [fixes Fix some synchronization issues with RCTImageDownloader facebook/react-native#117] (Examples fail on linking step in linking with Pods-RCTNetworkImage facebook/react-native#118)
• 6324f3a release v2.5.0 🎉
• a419f94 Use `micromatch` and bump `anymatch`. (Adds bridging header helper to facilitate importing to swift facebook/react-native#115)
• ec657e4 release v2.4.1 🎉
• adf6305 release v2.4.0 🎉
• f051102 fixed test failure - closing WatchmanWatcher instance was not passing the instance to close into WatchmanClient, resulted in spurious events (Guide on extending React for iOS facebook/react-native#114)
• 14fbf09 Fix node 4 support ([Packager] Add "dev" option to CLI facebook/react-native#112)
• 8be8b96 Fix issues: (RCTImageDownloader doesn't seem to be threadsafe facebook/react-native#111)
• cd7d33d Updated to WatchmanWatcher, created singleton WatchmanClient using promises ([TextInput] returnKeyType, enablesReturnKeyAutomatically, more keyboardTypes facebook/react-native#109)
• d9158e9 fix sane signatures ([Touchable] Support hit test slop for touchable components facebook/react-native#110)
• c07724b 2.3.0

See the full diff

Package name: shell-quote

The new version differs by 43 commits.

• 6a8a899 1.7.3
• 5799416 fix for security issue with windows drive letter regex
• c7de931 Add security.md
• 414853f Update readme.markdown (Native Wrapping - Geolocation API Spike facebook/react-native#43)
• 0fc4a97 use Github Actions (Pattern for interacting with the main thread facebook/react-native#42)
• 89a1993 1.7.2
• df7e4c7 add test for Updating privacy note facebook/react-native#37
• 144e1c2 revert windows path unescaping, fixes Updating privacy note facebook/react-native#37
• c24f3aa ci: nvs does not have iojs
• c2950fb 1.7.1
• 8f6a1cc fix: do not remove $ when env variable not found (npm start fails with FSEventStreamStart: register_with_server: ERROR: f2d_register_rpc() => (null) (-21) facebook/react-native#32)
• 8b70a68 add tests
• faaa452 Merge branch 'master' of github.com:Adman/node-shell-quote into Adman-master
• 729a5a8 fix: updated parsing non existing var
• 79f2932 Merge branch 'master' into Adman-master
• 09ed4df 1.7.0
• 5183496 Add Process Substitution parsing (Carousel component facebook/react-native#36)
• 2e9eecf Merge branch 'master' into pr-15
• 4bd33ca Merge pull request Improve error when forgetting to npm install facebook/react-native#16 from forivall/improved-parsing
• 7dee51c ci: add a bunch of node.js versions
• 286e849 Clean up package.json
• c90d2c6 1.6.3
• c5b7ca4 Support windows (How does calling from JS to Obj-C work? facebook/react-native#34)
• 0e4fafa ci: whatever, just exclude node 0.8 on windows

See the full diff

Package name: uglify-js

The new version differs by 250 commits.

• bca83cb v3.14.3
• a841d45 fix corner case in `awaits` ([Android] Add support for split build per architecture facebook/react-native#5160)
• eb93d92 fix corner case in `awaits` (Implement defaultSource for Image on Android facebook/react-native#5158)
• a0250ec fix corner case in `dead_code` (console.warn shows two times in yellowBox and once in console facebook/react-native#5154)
• 2580162 parse `let` as symbol names correctly (Cannot use "Api" as folder name when require modules facebook/react-native#5151)
• 32ae994 fix issues in tests flagged by LGTM (Move tests to Xcode 7.2 facebook/react-native#5150)
• 03aec89 fix corner cases in `strings` & `templates` (ToolbarAndroid doesn't play well with DrawerLayoutAndroid with app RTL facebook/react-native#5147)
• faf0190 document ECMAScript quirks (Allow View containers to specify custom measure functions facebook/react-native#5148)
• c8b0f68 fix corner case in `merge_vars` ([WebView] WebView on android can`t execute javascript facebook/react-native#5143)
• 87b9916 fix corner case in `inline` (v 0.18 flex 1.0 doesn't work if the height of parent is indirectly determined by parent's siblings facebook/react-native#5141)
• 940887f fix corner case in `evaluate` (ViewManager is different between iOS and Android, why? facebook/react-native#5139)
• 0b2573c fix corner case in `templates` (Added reference to Frappé (for OS X Android) facebook/react-native#5137)
• 1575210 avoid potential RegExp denial-of-service (v0.18 doesn't play nice with react-native-cli? facebook/react-native#5135)
• f766bab enhance `templates` (Extended icon and selectedIcon propType to include scale facebook/react-native#5131)
• 436a293 enhance `dead_code` ([iOS] [MapView] Make the region prop only an initial region facebook/react-native#5130)
• 55418fd fix corner case in `rests` (small hack to have circle.yml in gh-pages generated branch facebook/react-native#5129)
• 8578688 v3.14.2
• 4b88dfb tweak test & warnings ([Android] Method for pausing application/Activity, and lifecycle hooks facebook/react-native#5123)
• c3aef23 fix corner case in `reduce_vars` (Can't open Chrome Debugger due to RCTBatchedBridge.m error facebook/react-native#5121)
• db94d21 fix corner case in `side_effects` (Updated ExplorerPage to use static title field facebook/react-native#5118)
• 9634a9d fix corner cases in `optional_chains` (app crash on startup : libc++abi.dylib: terminating with uncaught exception of type NSException facebook/react-native#5110)
• befb99b fix corner case in `inline` (UnableToResolveError for spaces in path? facebook/react-native#5115)
• 02eb8ba fix corner case in `collapse_vars` (ImageEditingManager.cropImage does not work correctly after upgrading from 0.15 to 0.17 facebook/react-native#5113)
• c09f63a fix corner case in `rests` (added branch to ignore for CI tests facebook/react-native#5109)

See the full diff

Package name: ws

The new version differs by 250 commits.

• 6dd88e7 [dist] 5.2.3
• 76d47c1 [security] Fix ReDoS vulnerability
• 5d55e52 [dist] 5.2.2
• 8aba871 [fix] Fix use after invalidation bug
• 175ce46 [dist] 5.2.1
• 307be7a [fix] Remove the `'data'` listener when the receiver emits an error
• 6046a28 [fix] Do not prematurely remove the listener of the `'data'` event
• bf9b2ec chore(package): update nyc to version 12.0.2 (Add doc warning stating that TouchableOpacity can only support a single child facebook/react-native#1395)
• bcab531 chore(package): update eslint-plugin-promise to version 3.8.0 (Question : Is it possible to call ScrollTo_Y on <ListView/> Component? facebook/react-native#1389)
• e4d032c [dist] 5.2.0
• e7bfe5f chore(package): update mocha to version 5.2.0 ([Layout] Regression with paddingTop facebook/react-native#1385)
• 6dae94b chore(package): update eslint-plugin-import to version 2.12.0 ([CLI] Validation check for "React" package name facebook/react-native#1384)
• aebda2b chore(package): update nyc to version 11.8.0 ([Tests] Update tests to run on io.js with the latest version of jest facebook/react-native#1382)
• d871bdf [feature] Add `headers` argument to `verifyClient()` callback ([ListView] Cryptic errors from renderHeader and renderSectionHeader facebook/react-native#1379)
• bb9c21c [test] Fix failing test on node 10
• 6d8f1f4 [ci] Test on node 10
• 4385c78 [doc] Add `request` to emit arguments in shared server example ([Touches] Let only the nearest ancestor root view process touches facebook/react-native#1372)
• 690b3f2 [minor] Replace bound function with arrow function
• 9dc25a3 chore(package): update nyc to version 11.7.1 (App process is a steady 130% CPU immediately on launch facebook/react-native#1364)
• a81e580 chore(package): update mocha to version 5.1.0 (Custom Pagination on ScrollView Horizontal facebook/react-native#1362)
• 3215cf3 chore(package): update eslint-plugin-import to version 2.11.0 ([Navigator] Support the ref prop on scene roots facebook/react-native#1361)
• 0100d82 [doc] Improve FAQ example for X-Forwarded-For header ([ListView & Image] Loading 100 big images into a ListView not only crashes the app, but also crashes the os facebook/react-native#1360)
• c801e99 [doc] Improve docs and examples ([WebView] Support opening WebView links in external browser on iOS facebook/react-native#1355)
• 10c92ff [dist] 5.1.1

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic