[Snyk] Fix for 1 vulnerabilities

[nithincvpoyyil]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	461/1000 Why? Recently disclosed, Has a fix available, CVSS 3.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-DEBUG-3227433	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: debug

The new version differs by 43 commits.

• f073e05 Release 3.1.0
• 2c0df9b rename `DEBUG_HIDE_TTY_DATE` to `DEBUG_HIDE_DATE`
• dcb37b2 Merge branch '2.x'
• 56a3853 Add `DEBUG_HIDE_TTY_DATE` env var (#486)
• bdb7e01 remove "component" from package.json
• c38a016 remove ReDoS regexp in %o formatter (#504)
• 47747f3 remove `component.json`
• a0601e5 fix
• e7e568a ignore package-lock.json
• fdfa0f5 Fix browser detection
• 7cd9e53 examples: fix colors printout
• 8d76196 Merge pull request #496 from EdwardBetts/spelling
• daf1a7c correct spelling mistake
• 3e1849d Release 3.0.1
• b3ea123 Disable colors in Edge and Internet Explorer (#489)
• 13e1d06 remove v3 discussion note for now
• 52b894c Release 3.0.0
• d2dd80a component: update "ms" to v2.0.0
• 6752953 fix browser test 😵
• f6f6213 remove `make coveralls` from travis
• f178d86 attempt to separate the Node and Browser tests in Travis
• d73c4ae fix `make test`
• 402c856 fix lint
• 87e7399 readme++

See the full diff

Package name: engine.io

The new version differs by 46 commits.

• b3f3590 [chore] Release 3.1.5
• 0d4e79e [chore] Bump dependencies (#549)
• ea318b8 [chore] Bump accepts to version 1.3.4 (#548)
• d7aaf2b [docs] Update test command in README (#547)
• c107ffe [chore] Bump uws to version 9.14.0 (#545)
• 8d0ce5f [refactor] Add some checks to prevent usage of undefined properties (#540)
• 1a685c0 [chore] Release 3.1.4
• b3f1d35 [chore] Bump ws to version 3.3.1 (#543)
• 3ee803a [chore] Release 3.1.3
• 49362ab [fix] Fix undefined remoteAddress when using uws (#533)
• 3c77780 [chore] Bump debug to version 2.6.9 (#532)
• bf24359 [chore] Release 3.1.2
• a8ff89c [chore] Release 3.1.1
• e0d720c [fix] Check whether 'Origin' header has invalid characters (#531)
• 38d639a [fix] Use explicit require of wsEngine (#523)
• f9d3f06 [docs] Fix wsEngine default value in README (#526)
• fd20b91 [test] Use npm scripts instead of gulp (#530)
• 7f63d38 [fix] Fix undeterministic error in polling buffer processing (#529)
• 3dcc2d5 [fix] Use workaround for setEncoding bug in node 0.10+ (#527)
• e76e035 [fix] Fix null payload when aborting connection (#503)
• 935b155 [chore] Release 3.1.0
• 82ed65f [test] Add test for maxHttpBufferSize option with websocket (#499)
• 519fb8d [chore] Bump uws to version 0.14.4 (#501)
• 7edb34e [chore] Bump dependencies (#500)

See the full diff

Package name: engine.io-client

The new version differs by 46 commits.

• 0071fdf [chore] Release 3.1.5
• 64ce480 fix: use try/catch when setting xhr.responseType (#592)
• 3039017 [chore] Bump debug to version 3.1.0
• 90f4d17 [chore] Release 3.1.4
• 7fab005 [chore] Bump ws to version 3.3.1 (#587)
• 4558b25 [chore] Release 3.1.3
• a28776e [refactor] Update entry point in webpack configuration (#586)
• 42501c6 [revert] [refactor] Remove usuless indexof dependency (#582)
• 8ce2432 [chore] Bump xmlhttprequest-ssl to version 1.5.4 (#585)
• 4a551a1 [chore] Bump debug to version 2.6.9 (#584)
• d8fdf9b [refactor] Remove useless entry point (#583)
• 6043c49 [refactor] Remove usuless indexof dependency (#582)
• 5d29c1c [test] Remove IE6 and IE7 tests (#581)
• 1cbab34 [chore] Release 3.1.2
• 0b26bc3 [fix] Remove parsejson dependency (#580)
• b949abc [chore] Release 3.1.1
• 11f3fdd [test] Launch browser tests on localhost by default (#571)
• 753c180 [chore] Unpin debug version (#568)
• fce140a [chore] Release 3.1.0
• 32fe4e5 [chore] Bump engine.io-parser to version 2.1.1 (#566)
• be73a9c [chore] Pin debug to version 2.6.4 (#567)
• 7aad0d6 [chore] Bump engine.io-parser to version 2.1.0 (#565)
• cfb2775 [chore] Bump ws to version 2.3.1 (#564)
• f7be578 [chore] Bump debug to version 2.6.4 (#563)

See the full diff

Package name: karma

The new version differs by 195 commits.

• a4d5bdc chore: release v3.0.0
• 75f466d chore: release v2.0.6
• 5db9399 chore: update contributors
• eb3b1b4 chore(deps): update mime -> 2.3.1 (#3107)
• 732396a fix(travis): Up the socket timeout 2->20s. (#3103)
• 173848e Remove erroneous change log entries for 2.0.3
• 1002569 chore(ci): drop node 9 from travis tests (#3100)
• 02f54c6 fix(server): Exit clean on unhandledRejections. (#3092)
• 0fdd8f9 chore(deps): update socket.io -> 2.1.1 (#3099)
• 90f5546 fix(travis): use the value not the key name. (#3097)
• fba5d36 fix(travis): validate TRAVIS_COMMIT if TRAVIS_PULL_REQUEST_SHA is not set. (#3094)
• 56fda53 fix(init): add "ChromeHeadless" to the browsers' options (#3096)
• f6d2f0e fix(config): Wait 30s for browser activity per Travis. (#3091)
• a58fa45 fix(travis): Validate TRAVIS_PULL_REQUEST_SHA rather than TRAVIS_COMMIT. (#3093)
• 88b977f fix(config): wait 20s for browser activity. (#3087)
• 94a6728 chore: remove support for node 4, update log4js (#3082)
• c5dc62d docs: better clarity for API usage
• 0018947 chore: release v2.0.5
• 02dc1f4 chore: update contributors
• dc7265b fix(browser): ensure browser state is EXECUTING when tests start (#3074)
• 7617279 refactor(filelist): rename promise -> lastCompletedRefresh and remove unused promise (#3060)
• a701732 fix(doc): Document release steps for admins (#3063)
• 93ba05a fix(middleware): Obey the Promise API.
• 518cb11 fix: remove circular reference in Browser

See the full diff

Package name: micromatch

The new version differs by 29 commits.

• 89efcff 4.0.0
• f3238cb Merge pull request [Snyk] Fix for 1 vulnerabilities #151 from micromatch/dev
• 7c78f9a ensure args are strings
• 2e42796 bump picomatch
• 09f8260 windows, it's time we had a talk...
• a49f94c fix slashes in tests
• a6ab670 use braces patch, build readme
• 976d956 upgrade braces and picomatch
• a6596da add benchmarks
• 11168b1 rename unixify to windows
• 5bf40fe package.json: Use github versions of deps to test the env.
• 5d78d48 Drop node v6 since picomatch doesnt support it.
• 96ac3ba Remove duplicate node. Remove unsupported node v7.
• bf44408 Merge branch 'master' into dev
• b8abcf9 Merge remote-tracking branch 'origin/dev'
• e07df11 rebuild docs
• 47340ad Merge remote-tracking branch 'origin/master' into dev
• 52df06d refactor
• 09bd55c Merge pull request [Snyk] Fix for 3 vulnerabilities #149 from Glazy/hotfix/issue-template-update
• c32543d Add myself to package.json contributors list
• 86858bf Update issue template w/ typo and question change
• f2ce9d2 Merge pull request [Snyk] Fix for 1 vulnerabilities #130 from wtgtybhertgeghgtwtg/unescape
• 677f127 Merge pull request [Snyk] Security upgrade webdriver-js-extender from 1.0.0 to 2.0.0 #134 from Tvrqvoise/v3-changelog
• 4a70a66 Merge pull request [Snyk] Security upgrade copy-webpack-plugin from 4.6.0 to 9.0.1 #141 from simlu/patch-1

See the full diff

Package name: readdirp

The new version differs by 94 commits.

• bbfca38 Release 3.0.0.
• 6bf5a99 Add license info.
• ad8ed9a Update packages.
• 282bda2 Update types.
• 1039e47 Update package.json
• 48669a5 Update README.md
• 2c36d4b Update readme.
• c1932bd Update readme.
• 39c8adf Naming adjustment.
• e0e16f6 Move example
• 34e8ded Move example.
• 644aade Merge pull request [Snyk] Fix for 2 vulnerabilities #72 from JSMonk/master
• 0e16b6c fix(Windows): add variant when windows throw EPERM instead ENOENT.
• 823c307 Fix tests.
• fadc9c8 Fix.
• 5b5df14 Improve performance twice! Don’t emit `stats` by default.
• 9bf1e9a Improve example.
• b24fb92 Make this.parents an array, may be faster a bit.
• 445e836 Test.
• 3f98dde 466201.
• 26feda5 Add another this.readable check.
• a0558f9 Add symlink test.
• c5c6ae0 Improve tests.
• 25f454a Clarify async iter.

See the full diff

Package name: socket.io

The new version differs by 77 commits.

• db831a3 [chore] Release 2.1.0
• ac945d1 [feat] Add support for dynamic namespaces (#3195)
• ad0c052 [docs] Add note in docs for `origins(fn)` about `error` needing to be a string. (#2895)
• 1f1d64b [fix] Include the protocol in the origins check (#3198)
• f4fc517 [fix] Properly emit 'connect' when using a custom namespace (#3197)
• be61ba0 [docs] Add link to a Dart client implementation (#2940)
• c0c79f0 [feat] Add support for dynamic namespaces (#3187)
• dea5214 [chore] Bump superagent and supertest versions (#3186)
• b1941d5 [chore] Bump engine.io to version 3.2.0
• a23007a [docs] Update license year (#3153)
• f48a06c [feat] Add a 'binary' flag (#3185)
• 0539a2c [test] Update travis configuration
• c06ac07 [docs] Fix typo (#3157)
• 52b0960 [chore] Bump debug to version 3.1.0
• 1c108a3 [chore] Release 2.0.4
• f333479 [test] Use npm scripts instead of gulp (#3078)
• 3f61165 [docs] Fix a grammar mistake in the API docs (#3076)
• e26b71c [docs] Fix typo in API docs (#3066)
• 3386e15 [docs] Actually prevent input from having injected markup in chat example (#2987)
• 3684d59 [docs] Use path.join instead of concatenating paths (#3014)
• dd69abb [fix] Reset rooms object before broadcasting from namespace (#3039)
• 1f0e64a [fix] Do not throw when receiving an unhandled error packet (#3038)
• 9d170a7 [docs] Add io.emit in the cheat sheet (#2992)
• 7199d1b [docs] Fix misnamed 'Object.keys' in API docs (#2979)

See the full diff

Package name: socket.io-adapter

The new version differs by 7 commits.

• 6874ea4 [chore] release 1.1.1
• bdb015a [chore] remove unused 'debug' dependency (Bump lodash from 3.10.1 to 4.17.19 #52)
• c6f7bae [chore] Release 1.1.0 ([Snyk] Security upgrade webpack-dev-server from 2.11.5 to 3.11.0 #50)
• f627cd2 [feat] Add addAll method ([Snyk] Security upgrade copy-webpack-plugin from 4.6.0 to 6.0.0 #49)
• b983377 [chore] Release 1.0.0 ([Snyk] Security upgrade webpack-dev-server from 2.11.5 to 3.11.0 #48)
• 40764bb [feat] Remove the socket.io-parser dependency ([Snyk] Fix for 2 vulnerabilities #47)
• fd086d7 [refactor] Remove useless self var (Bump qs from 5.2.1 to 6.9.3 #45)

See the full diff

Package name: socket.io-client

The new version differs by 44 commits.

• 3eb047f [chore] Release 2.1.0
• afb952d [docs] Add a note about reconnecting after a server-side disconnection
• 74893d5 [feat] Add a 'binary' flag (#1194)
• 9701611 [chore] Bump engine.io-client to version 3.2.0 (#1192)
• 3d8f24e [test] Update travis configuration
• e27f38b [chore] Restore unminified distribution files (#1191)
• bb743c4 [docs] Document connected and disconnected socket properties (#1155)
• f31837f [chore] Bump debug to version 3.1.0
• ebb0596 [chore] Release 2.0.4
• 57cee21 [test] Remove IE6 and IE7 tests (#1164)
• c58ecfc [docs] Add code examples for registered events (#1139)
• e9ebe36 [docs] Add an example with ES6 import in the README (#1138)
• 19f2b19 [chore] Release 2.0.3
• 83fedf5 [docs] Add explicit documentation for websocket transport (#1128)
• c0da119 [docs] Update documentation (#1124)
• c3c0270 [chore] Release 2.0.2
• d864486 [chore] Bump debug to version 2.6.8 (#1123)
• 214a57f [test] Launch browser tests on localhost by default (#1122)
• 8091591 [fix] Do not update the opts.query reference (#1121)
• 4f71bd2 [chore] Release 2.0.1
• d30914d [chore] Release 2.0.0
• 9e7b543 [chore] Bump engine.io to version 3.1.0 (#1109)
• 442587e [chore] Bump dev dependencies (#1108)
• ff4cb3e [feat] Move binary detection to the parser (#1103)

See the full diff

Package name: socket.io-parser

The new version differs by 15 commits.

• f9c0625 [chore] Release 3.1.3
• f0a7df1 [fix] Ensure packet data is an array ([Snyk] Fix for 1 vulnerabilities #83)
• 8822578 [fix] Use ArrayBuffer.isView to check for typed arrays ([Snyk] Security upgrade multicast-dns from 6.2.3 to 7.2.3 #82)
• dd164e6 [chore] Bump debug to version 3.1.0
• f9c3549 [chore] Release 3.1.2
• 425391a [chore] Bump has-binary2 to version 1.0.2 ([Snyk] Fix for 1 vulnerabilities #70)
• b4f849a [fix] Fix Blob detection for iOS 8/9 ([Snyk] Fix for 2 vulnerabilities #69)
• eaee5d5 [chore] Release 3.1.1
• 2f31a4e [fix] Ensure globals are functions before running `instanceof` ([Snyk] Security upgrade adm-zip from 0.4.16 to 0.5.2 #68)
• 8e5465d [chore] Release 3.1.0
• 403b858 [chore] Bump debug to version 2.6.4 ([Snyk] Security upgrade karma from 1.7.1 to 6.0.0 #67)
• f44256c [feat] Move binary detection to the parser ([Snyk] Security upgrade karma from 1.7.1 to 5.0.8 #66)
• 817adca [chore] Release 3.0.0
• e295b9b [chore] Bump isarray to version 2.0.1 ([Snyk] Fix for 2 vulnerabilities #65)
• e39f5a8 [chore] Use native JSON and drop support for older nodejs versions ([Snyk] Fix for 1 vulnerabilities #64)

See the full diff

Package name: spdy

The new version differs by 12 commits.

• 1c1a9ad 4.0.0
• 9f96629 chore: make travis run only LTS node versions
• b829c46 chore: update package lock
• 4909e12 chore: update deps
• f67bd62 chore: fix tests
• 374b331 chore: update deps
• 7483363 test: use ALPNProtocols instead of NPNProtocols
• dbead9c chore: test new versions
• 0be3040 chore: update Travis versions
• 1d9680c chore: add package lock
• 4209f1f chore: update depdendencies
• f454ebb fix: update insecure deps

See the full diff

Package name: spdy-transport

The new version differs by 9 commits.

• f177937 3.0.0
• 3b3f534 fix: dont emit an error on close if there wasnt one
• d259f1c chore: update travis to node LTS versions
• 9c3a628 fix: respect stream.push
• a2c260f fix: add updates from https://github.com/Fix memory leak when removing nodes spdy-http2/spdy-transport#48
• 065e1fa fix: apply changes from https://github.com/Don't automatically send push response headers if disabled spdy-http2/spdy-transport#50
• 7e4f934 fix: dont override stream.destroy
• c781d96 chore: update package lock
• 007c4d3 chore: update dependencies

See the full diff

Package name: webpack-dev-server

The new version differs by 94 commits.

• fe3219f chore(release): 3.1.10
• c12def3 fix(Server): set `tls.DEFAULT_ECDH_CURVE` to `'auto'` (#1531)
• e719959 fix(package): update `sockjs-client` v1.1.5...1.3.0 (`url-parse` vulnerability) (#1537)
• d2f4902 fix(options): add `writeToDisk` option to schema (#1520)
• bb484ad chore(release): 3.1.9
• 8b8b087 chore(package): update `webpack-dev-middleware` v3.3.0...3.4.0 (`dependencies`)
• d0725c9 chore(package): update `webpack-dev-middleware` v3.2.0...3.3.0 (`dependencies`) (#1499)
• cbe6813 refactor(package): cross-platform `prepare` script (`scripts`) (#1498)
• 3d37cc5 chore(release): 3.1.8
• 8fb67c9 fix(package): `yargs` security vulnerability (`dependencies`) (#1492)
• b9d11ca docs: fix typos (#1487)
• 7a6ca47 fix(utils/createLogger): ensure `quiet` always takes precedence (`options.quiet`) (#1486)
• 065978f chore(package): update `import-local` v1.0.0...2.0.0 (`dependencies`) (#1484)
• f37f0a2 chore(release): 3.1.7
• 2d35287 style(utils/addEntries): cleaner variable naming (#1478)
• 8ab9eb6 fix(Server): don't use `spdy` on `node >= v10.0.0` (#1451)
• 4740224 refactor(package): migrate to `schema-utils` (`dependencies`) (#1464)
• 2e1e23a ci(appveyor): add windows testing (#1468)
• 418493d refactor(package): update `internal-ip` v1.2.0...3.0.0 (`dependencies`) (#1471)
• 2d0999d style(Server): update code style
• 4789ac3 refactor(Server): move certificate generation to it's own file
• 1896fcf refactor(bin): move options and helpers into separate files (#1470)
• 2ee13ab refactor(lib/utils): move `createLog` && rename files (#1465)
• 0e1f0c1 chore(release): 3.1.6

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)