[Snyk] Fix for 28 vulnerabilities

[mobilist]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	679/1000 Why? Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-COLORSTRING-1082939	Yes	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Arbitrary File Overwrite SNYK-JS-FSTREAM-174725	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	429/1000 Why? Has a fix available, CVSS 4.3	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	Yes	No Known Exploit
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Improper Input Validation SNYK-JS-XMLDOM-1534562	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Prototype Pollution SNYK-JS-XMLDOM-3042242	No	No Known Exploit
	811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-XMLDOM-3092935	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:content-type-parser:20170905	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: babel-eslint

The new version differs by 70 commits.

• a0fbd50 8.0.2
• 2004b91 require correct deps
• fa56d21 Always use unpad (react router issue with clonning element in App.render este/este#535)
• 295091d Allow ^ version for babel dependencies (react-dom-stream este/este#534)
• d3b8519 fix(package): update babylon to version 7.0.0-beta.31 (server side render fetching & nested routes este/este#533)
• 54ab4ac 8.0.1
• c1a7882 Update README.md support (Add example of universal data fetching este/este#531) [skip ci]
• 51100c9 chore(package): update mocha to version 4.0.0 (Test Android este/este#524)
• 5742b71 Adding optionalCatchBinding to plugins. (Check Windows este/este#521)
• 905887c 8.0.0
• 49493e4 update to beta.0
• 42d0c5b Remove already fixed workaround (Add cross-platform scripts este/este#508)
• 25bd208 8.0.0-alpha.17
• 1468905 alpha.17
• 57c133e 8.0.0-alpha.15
• 1e41162 update (Update babel-plugin-react-transform version este/este#504)
• c31b577 Readme update usage section (accept cookies from server, for authentication este/este#501) [skip ci]
• c2626f9 Update eslint to the latest version 🚀 (Compress during build este/este#500)
• 3c6b2de chore(package): update husky to version 0.14.0 (batchedUpdates? este/este#498)
• e052d5a Update install instructions to use latest stable release (Waiting for side effects during server rendering este/este#497) [skip ci]
• 8e3e088 8.0.0-alpha.13
• f757e22 Merge pull request Redux DevTools este/este#493 from danez/regression-test
• 5736be6 Update babylon
• 37f9242 Add Prettier (multi entry split este/este#491)

See the full diff

Package name: css-loader

The new version differs by 75 commits.

• 43179a8 chore(release): 1.0.0
• 3d53968 Merge remote-tracking branch 'origin/master'
• 240db53 version 1.0 (Universal favicon este/este#742)
• 1b7acf7 Merge remote-tracking branch 'origin/master'
• 1703721 docs(README): add more context to `localIdentName` (Showcase of open-source projects using este este/este#711)
• 1c51265 docs(README): fix malformed emoji (Android Todo list not updating este/este#701)
• 50f8ec0 Merge remote-tracking branch 'origin/master'
• 07444ad tests: css custom variables (Replace Express with Koa 2 este/este#709)
• 3de8aa7 tests: css custom variables (Replace Express with Koa 2 este/este#709)
• df497db chore(release): 0.28.11
• c788450 fix(lib/processCss): don't check `mode` for `url` handling (`options.modules`) ("...because actions have access to app state." este/este#698)
• c35d8bd chore(release): 0.28.10
• 9f876d2 fix(getLocalIdent): add `rootContext` support (`webpack >= v4.0.0`) (Change props.route to correct value este/este#681)
• 0452f26 test: hashes inside `@ font-face` url (add example for redux-storage este/este#678)
• 630579d chore(release): 0.28.9
• 604bd4b chore(package): update dependencies
• d1d8221 fix: ignore invalid URLs (`url()`) (Command /bin/sh failed with exit code 1 este/este#663)
• 0fc46c7 chore(release): 0.28.8
• 333a2ce chore(package): update `dependencies`
• 39773aa ci(travis): use `npm`
• 8897d44 fix: proper URL escaping and wrapping (`url()`) (async configureStore este/este#627)
• 0dccfa9 fix(loader): correctly check if source map is `undefined` (Use stateTransformer instead of deprecated transformer in redux-logger este/este#641)
• d999f4a docs: Update importLoaders documentation (config pattern este/este#646)
• 05c36db test: removed redundant `modules` argument (Polyfill Promise only for IE este/este#599)

See the full diff

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
• 723cbc4 Docs: Fix syntax in recipe example (#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (passwordless email only auth este/este#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (Add Electron este/este#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (Monorepo issues este/este#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (Use react-intl native hook este/este#1609)

See the full diff

Package name: gulp-eslint

The new version differs by 14 commits.

• 1d79ed0 4.0.1
• 8f7e966 replace all HTTP protocols with HTTPS
• b48a04a remove deprecated gulp-util dependency (Buttons are not a page este/este#213)
• 35eae57 update devDependencies (Observables as state instead of Flux este/este#207)
• 47bd269 use npx to simplify after_script
• 29dbab5 inherit autofix-related props even if `quiet` option is enabled
• a398838 4.0.0
• 18a4299 emit an error when it fails to load an ESLint plugin
• b8bf261 update ESLint from v3 to v4 (Add inline edit component este/este#198)
• c0e82ce use `Buffer.from` instead of `new Buffer`
• e6c67a2 drop support for linting `Stream` contents
• 132d5cc Fix formatting issues in README.md (Purification of the whole application este/este#194)
• 7f65378 remove link to config file `globals` doc
• 8ddfb84 correct the type of `globals` option in README

See the full diff

Package name: gulp-real-favicon

The new version differs by 13 commits.

• dbc8dcd Version 0.3.2
• c323e9f Merge branch 'edoardolincetto-master'
• 1d3dbb4 Updated rfg-api to fix compatibility issues with Node
• e29a727 Version 0.3.1
• 33755b7 Update rimraf to fix all vulnerabilities
• fd859a3 File regenerated
• a52623c Latest Mocha
• 1702ce6 Do not commit npm-debug.log
• 576a092 Update rfg-api to fix vulnerabilities
• c9f36e0 Increase timeout to prevent false negative
• c28de7c v0.3.0
• a64fa39 Merge pull request [Snyk] Security upgrade jest from 19.0.2 to 24.0.0 #18 from TheDancingCode/replace-gutil
• a456bba Replace deprecated gulp-util

See the full diff

Package name: nodemon

The new version differs by 121 commits.

• 4be493c fix: don't ignore dot-directories
• 60d1add docs: add context to fences
• 9d49852 fix: update deps - chokidar@2.0.0 in particular
• e90f15a fix: node < 6.4.0 causing crash on 'rs' trigger
• e95ea6f fix: ignorePermissionErrors in chokidar
• c121187 refactor: indexOf > includes (in node4)
• 8cec0fc chore: fix linting issue
• 718a9ad fix: correctly pass ignored rules to chokidar
• 64a82ff fix: fail gracefully if postinstall fails
• 2582d96 fix: clarify which config files are actually used
• 8cb26bf refactor: small tweaks to ES6-ish
• 6e7ce4b fix: swallow child.stdin err
• d78bf3d fix: watch both js and mjs files if main file is JavaScript
• 0d9a892 fix: don't use fork with `node inspect`
• de66c6b refactor: fix scoping issue in node@4
• 5a914cb fix: handle exit(2) better
• 6333fa5 chore: fix linting
• 6e839d4 fix: support implicit filename extension
• 48048aa fix: properly handle --no-update-notifier
• c637717 fix: expose no update flag
• f711537 chore: fix linting
• 7a04e2c fix: incorrect count of watch files being reported
• 7052648 docs: add SparkPost for their sponsorship ❤️
• 369eb11 chore: update issue template

See the full diff

Package name: regenerator

The new version differs by 91 commits.

• 0365266 Remove Node 4 and 5 from Travis and add Node 10.
• 6123ce2 Revert "Stop using Lerna to bootstrap regenerator-* packages before Travis CI tests."
• 652e743 Update regenerator-preset version to 0.12.1.
• d258899 Update regenerator-transform dependency of regenerator-preset to v0.13.0.
• d619b2a Bump npm version to 0.13.0 in preparation for publishing.
• 97ebc09 Update package-lock.json.
• 04f64dc Move parameters and spread transforms back to devDependencies.
• 72876ec Switch from babylon to @ babel/parser.
• 5c5ed02 Update regenerator-transform version to 0.13.0.
• 93d44ff Update regenerator-transform to use Babel 7 npm packages.
• 8714080 Update regenerator-preset version to 0.12.0.
• 5db35eb Add function.sent proposal to regenerator-preset.
• cb42750 Update regenerator-preset to use Babel 7 plugins.
• 3ccd00d Update Babel dependencies in regenerator/package.json.
• 07174ec Replace babel-core with @ babel/core.
• 0b3bc5f Update package-lock.json.
• 19fe117 Upgrade mocha to address critical vulnerability.
• f2b7bbf Update package-lock.json.
• e7548ff Stop using Lerna to bootstrap regenerator-* packages before Travis CI tests.
• 76498d8 Install the right version of lerna in .travis.yml.
• 3db5564 Update lerna to latest version.
• b3409d8 Regenerate docs/bundle.js with latest implementation.
• 98f7f43 Publish
• d22f3a7 Add a package-lock.json file.

See the full diff

Package name: run-sequence

The new version differs by 15 commits.

• 31103da 2.2.1
• 209e46c Drop dependency on deprecated `gulp-util` (state change event could include path este/este#100)
• 37e17be 2.2.0
• c450122 Changelog, cleanup for orchestration events change
• 2155560 handle orchestration aborted events (Module file structure este/este#97)
• 066b8c6 2.1.0
• dada3f4 Added date to v1 in changelog
• f2b1635 Added options, code cleanup
• 578d017 Added a changelog, Closes Add login with redirect example este/este#82
• 9fd7783 2.0.0
• d80ddf5 Specify chalk version (Maintain appstate across reloads? este/este#89)
• 59515cf Fixed typo
• 7e263af Ignore yarn lock when publishing
• b83cc34 Adding Yarn lockfile
• ee04d48 Added modern node versions to travis ci ([Snyk] Fix for 1 vulnerabilities #73)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Improper Input Validation
🦉 More lessons are available in Snyk Learn